[Samba] Cross-domain share access via same user+password doesn't work anymore

freebsd at tango.lu freebsd at tango.lu
Sat Sep 5 15:30:27 UTC 2020 

On 2020-09-03 20:59, Rowland penny via samba wrote:
> On 03/09/2020 19:09, freebsd--- via samba wrote:
>> I having the same issue like:
>> 
>> https://forge.univention.org/bugzilla/show_bug.cgi?id=47314
>> 
>> I have 2 samba servers running with nearly identical configs:
>> 
>> ii  samba                                 2:3.6.6-6+deb7u15
>> ii  samba-common                   2:4.9.5+dfsg-5+deb10u1
>> 
>> The problem is that for old os-es like Win9X the username cannot be 
>> changed, it will just use USERNAME or WORKGROUP\USERNAME for the user.
>> 
>> With the old samba version this works well because if it accepts only 
>> the username for authentication with the new one I just cannot make it 
>> accept it so only:
>> 
>> smbclient -U "SAMBASERVERNAME\user%password" \\1.2.3.4\share
>> 
>> works and as I noted older Win9X clients cant do this type of 
>> authentication.
>> 
>> The desired would be:
>> 
>> smbclient -U "user%password" \\1.2.3.4\share
>> 
>> 
>> First I found this option in the old samba (regardless it is set to No 
>> by default it just works):
>> 
>>     map untrusted to domain = No
>> 
>> This option is no longer available in the new samba.
>> 
>> 
>> Another suggested solution, also not available in the new samba:
>> 
>> As a workaround the following option can be set on all Samba AD/DCs of 
>> the domain:
>> 
>>  auth methods = anonymous sam winbind_rodc sam_failtrusts 
>> sam_ignoredomain
>> 
>> 
>> Is there any way I can get this work with the new version or am I 
>> forced to compile 3.x to get this feature back?
>> 
>> 
> I don't think that is your problem, it is more likely to be the
> password, try adding these lines:
> 
> lanman auth = Yes
> client lanman auth = Yes
> client plaintext auth = Yes
> 
> But be aware, your Samba is now very insecure.
> 
> Rowland

Hello,

I already had those in both samba server and I don't care about security 
with this setup. Here is what happens:

[2020/09/05 17:19:36.046568,  3] 
../source3/auth/auth.c:189(auth_check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user 
[WG1]\[USER]@[winbox] with the new password interface
[2020/09/05 17:19:36.046648,  3] 
../source3/auth/auth.c:192(auth_check_ntlm_password)
   check_ntlm_password:  mapped user is: [WG1]\[USER]@[winbox]
[2020/09/05 17:19:36.046726,  1] 
../source3/auth/auth.c:128(check_domain_match)
   check_domain_match: Attempt to connect as user USER from domain WG1 
denied.
[2020/09/05 17:19:36.046802,  2] 
../source3/auth/auth.c:334(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [USER] -> [USER] FAILED 
with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2020/09/05 17:19:36.046945,  2] 
../auth/auth_log.c:610(log_authentication_event_human_readable)
   Auth: [SMB,(null)] user [WG1]\[USER] at [Sat, 05 Sep 2020 
17:19:36.046895 CEST] with [LANMan] status [NT_STATUS_LOGON_FAILURE] 
workstation [winbox] remote host [ipv4:172.16.2.5:1025] mapped to 
[WG1]\[USER]. local host [ipv4:172.16.2.1:139]
   {"timestamp": "2020-09-05T17:19:36.047105+0200", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
0}, "status": "NT_STATUS_LOGON_FAILURE", "localAddress": 
"ipv4:172.16.2.1:139", "remoteAddress": "ipv4:172.16.2.5:1025", 
"serviceDescription": "SMB", "authDescription": null, "clientDomain": 
"WG1", "clientAccount": "USER", "workstation": "winbox", 
"becameAccount": null, "becameDomain": null, "becameSid": null, 
"mappedAccount": "USER", "mappedDomain": "WG1", "netlogonComputer": 
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": 
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": 
null, "passwordType": "LANMan", "duration": 18476}}
[2020/09/05 17:19:36.047362,  3] 
../source3/smbd/error.c:104(error_packet_set)
   DOS error packet at ../source3/smbd/sesssetup.c(965) cmd=115 
(SMBsesssetupX) eclass=1 ecode=5
[2020/09/05 17:19:36.573052,  3] 
../source3/smbd/server_exit.c:237(exit_server_common)
   Server exit (failed to receive smb request)


WG1 is a workgroup the old windows machines are in, they are also in 
another subnet going through a router where the 2 other samba server 
are. The 2 other samba servers are in another different workgroup, they 
both have a local account for USER with the same password and as I said 
their configuration is also nearly identical. The 3.6 auth works fine 
the 4.x fails.

More information about the samba mailing list