[Samba] Cross-domain share access via same user+password doesn't work anymore
freebsd at tango.lu
Sat Sep 5 15:30:27 UTC 2020
On 2020-09-03 20:59, Rowland penny via samba wrote:
> On 03/09/2020 19:09, freebsd--- via samba wrote:
>> I am having the same issue as:
>>
>> https://forge.univention.org/bugzilla/show_bug.cgi?id=47314
>>
>> I have 2 samba servers running with nearly identical configs:
>>
>> ii samba 2:3.6.6-6+deb7u15
>> ii samba-common 2:4.9.5+dfsg-5+deb10u1
>>
>> The problem is that for old OSes like Win9X the username cannot be
>> changed, it will just use USERNAME or WORKGROUP\USERNAME for the user.
>>
>> With the old samba version this works well because it accepts only
>> the username for authentication; with the new one I just cannot make it
>> accept it, so only:
>>
>> smbclient -U "SAMBASERVERNAME\user%password" \\1.2.3.4\share
>>
>> works and, as I noted, older Win9X clients can't do this type of
>> authentication.
>>
>> The desired would be:
>>
>> smbclient -U "user%password" \\1.2.3.4\share
>>
>>
>> First I found this option in the old samba (even though it is set to No
>> by default, it just works):
>>
>> map untrusted to domain = No
>>
>> This option is no longer available in the new samba.
>>
>>
>> Another suggested solution, also not available in the new samba:
>>
>> As a workaround the following option can be set on all Samba AD/DCs of
>> the domain:
>>
>> auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain
>>
>>
>> Is there any way I can get this to work with the new version or am I
>> forced to compile 3.x to get this feature back?
>>
>>
> I don't think that is your problem, it is more likely to be the
> password, try adding these lines:
>
> lanman auth = Yes
> client lanman auth = Yes
> client plaintext auth = Yes
>
> But be aware, your Samba is now very insecure.
>
> Rowland
Hello,
I already had those in both samba servers and I don't care about security
with this setup. Here is what happens:
[2020/09/05 17:19:36.046568, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [WG1]\[USER]@[winbox] with the new password interface
[2020/09/05 17:19:36.046648, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [WG1]\[USER]@[winbox]
[2020/09/05 17:19:36.046726, 1] ../source3/auth/auth.c:128(check_domain_match)
  check_domain_match: Attempt to connect as user USER from domain WG1 denied.
[2020/09/05 17:19:36.046802, 2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [USER] -> [USER] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2020/09/05 17:19:36.046945, 2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user [WG1]\[USER] at [Sat, 05 Sep 2020 17:19:36.046895 CEST] with [LANMan] status [NT_STATUS_LOGON_FAILURE] workstation [winbox] remote host [ipv4:172.16.2.5:1025] mapped to [WG1]\[USER]. local host [ipv4:172.16.2.1:139]
  {"timestamp": "2020-09-05T17:19:36.047105+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_LOGON_FAILURE", "localAddress": "ipv4:172.16.2.1:139", "remoteAddress": "ipv4:172.16.2.5:1025", "serviceDescription": "SMB", "authDescription": null, "clientDomain": "WG1", "clientAccount": "USER", "workstation": "winbox", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "USER", "mappedDomain": "WG1", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "LANMan", "duration": 18476}}
[2020/09/05 17:19:36.047362, 3] ../source3/smbd/error.c:104(error_packet_set)
  DOS error packet at ../source3/smbd/sesssetup.c(965) cmd=115 (SMBsesssetupX) eclass=1 ecode=5
[2020/09/05 17:19:36.573052, 3] ../source3/smbd/server_exit.c:237(exit_server_common)
  Server exit (failed to receive smb request)
WG1 is a workgroup the old Windows machines are in; they are also in
another subnet, going through a router to where the 2 other Samba servers
are. The 2 other Samba servers are in a different workgroup; they
both have a local account for USER with the same password and, as I said,
their configuration is also nearly identical. The 3.6 auth works fine,
the 4.x fails.
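
Added example (not part of the original message, and not Samba code): a small Python reader for the JSON "Authentication" events shown in the log above, which pulls them out of mixed or mail-wrapped log text and flags LANMan logons and failures for audit. The names extract_auth_events, review and LEGACY_PASSWORD_TYPES are hypothetical; the sample input is copied from the log in this message.

```python
import json

# Sample input copied from the log in the message above (one human-readable
# entry plus the JSON event, still wrapped the way the mail left it).
SAMPLE = r'''check_ntlm_password: Authentication for user [USER] -> [USER] FAILED
with error NT_STATUS_LOGON_FAILURE, authoritative=1
{"timestamp": "2020-09-05T17:19:36.047105+0200", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
0}, "status": "NT_STATUS_LOGON_FAILURE", "localAddress":
"ipv4:172.16.2.1:139", "remoteAddress": "ipv4:172.16.2.5:1025",
"serviceDescription": "SMB", "authDescription": null, "clientDomain":
"WG1", "clientAccount": "USER", "workstation": "winbox",
"becameAccount": null, "becameDomain": null, "becameSid": null,
"mappedAccount": "USER", "mappedDomain": "WG1", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
null, "passwordType": "LANMan", "duration": 18476}}
'''

# Assumption: only the value seen in this thread; extend from your own logs.
LEGACY_PASSWORD_TYPES = {"LANMan"}

def extract_auth_events(text):
    """Return every JSON object of type "Authentication" found in mixed log text."""
    decoder = json.JSONDecoder(strict=False)  # tolerate line wraps inside strings
    events, pos = [], 0
    while (start := text.find("{", pos)) != -1:
        try:
            obj, pos = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1  # not JSON at this brace, keep scanning
            continue
        if isinstance(obj, dict) and obj.get("type") == "Authentication":
            events.append(obj.get("Authentication", {}))
    return events

def review(event):
    """Summarise one event and flag legacy password types and failures."""
    return {
        "who": f'{event.get("clientDomain")}\\{event.get("clientAccount")}',
        "from": f'{event.get("workstation")} {event.get("remoteAddress")}',
        "password_type": event.get("passwordType"),
        "legacy": event.get("passwordType") in LEGACY_PASSWORD_TYPES,
        "failed": event.get("status") != "NT_STATUS_OK",
    }

if __name__ == "__main__":
    for ev in extract_auth_events(SAMPLE):
        print(review(ev))
```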