[Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6
Girouard, Yvon
yvon.girouard at cgi.com
Fri Jan 15 15:58:12 UTC 2021
Hi,
We have updated Samba from 3.5 to 3.6 on 2 Linux RedHat 5.8 servers, both authenticating with AD. On the first server everything is working as expected. On the second server, authentication with AD does not work. The OS version and configuration files are the same on both servers.
nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns winbind
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
sudoers: files ldap
krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FDOM:/var/log/kadmind.log
[libdefaults]
default_realm = DOM.REG.QC.CA
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
DOM.REG.QC.CA = {
default_domain = DOM.REG.QC.CA
}
[domain_realm]
.dom.reg.qc.ca = DOM.REG.QC.CA
dom.reg.qc.ca = DOM.REG.QC.CA
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
smb.conf
[global]
workgroup = DOM
realm = DOM.REG.QC.CA
netbios name = SERVER123
ldap timeout = 200
local master = no
preferred master = no
server string = Samba Server Version %v
security = ADS
encrypt passwords = yes
log level = 10
log file = /var/log/samba/%m.log
max log size = 102400
template shell = /bin/false
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind expand groups = 3
winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 120000-199999
idmap config DOM : range = 20000-99999
max protocol = SMB2
inherit acls = Yes
store dos attributes = yes
winbind cache time = 3600
[sharefs]
path = /sharefs
browseable = yes
writeable = yes
inherit permissions = yes
force group = images-rw
create mask = 0664
directory mask = 2775
valid users = @shareauth, @shareadmin
write list = @shareauth, @shareadmin
Logs on the server that is working
[2021/01/14 14:48:29.804475, 6] param/loadparm.c:7542(lp_file_list_changed)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Thu Jan 14 14:36:06 2021
[2021/01/14 14:48:29.804619, 5] auth/auth_util.c:111(make_user_info_map)
Mapping user [DOM]\[user86] from workstation [WS1108286]
[2021/01/14 14:48:29.805772, 5] auth/user_info.c:59(make_user_info)
attempting to make a user_info for user86 (user86)
[2021/01/14 14:48:29.805851, 5] auth/user_info.c:70(make_user_info)
making strings for user86's user_info struct
[2021/01/14 14:48:29.805912, 5] auth/user_info.c:87(make_user_info)
making blobs for user86's user_info struct
[2021/01/14 14:48:29.805971, 10] auth/user_info.c:123(make_user_info)
made a user_info for user86 (user86)
[2021/01/14 14:48:29.806029, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOM]\[user86]@[WS1108286] with the new password interface
[2021/01/14 14:48:29.806089, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [DOM]\[user86]@[WS1108286]
[2021/01/14 14:48:29.806147, 10] auth/auth.c:231(check_ntlm_password)
check_ntlm_password: auth_context challenge created by random
[2021/01/14 14:48:29.806205, 10] auth/auth.c:233(check_ntlm_password)
challenge is:
[2021/01/14 14:48:29.806262, 5] ../lib/util/util.c:415(dump_data)
[0000] 3C 3F F5 E8 F2 9A A1 2A <?.....*
[2021/01/14 14:48:29.806341, 10] auth/auth_builtin.c:44(check_guest_security)
Check auth for: [user86]
[2021/01/14 14:48:29.806399, 10] auth/auth.c:269(check_ntlm_password)
check_ntlm_password: guest had nothing to say
[2021/01/14 14:48:29.806460, 10] auth/auth_sam.c:75(auth_samstrict_auth)
Check auth for: [user86]
[2021/01/14 14:48:29.806517, 8] lib/util.c:1521(is_myname)
is_myname("DOM") returns 0
[2021/01/14 14:48:29.806576, 6] auth/auth_sam.c:88(auth_samstrict_auth)
check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2021/01/14 14:48:29.806637, 10] auth/auth.c:269(check_ntlm_password)
check_ntlm_password: sam had nothing to say
[2021/01/14 14:48:29.806698, 10] auth/auth_winbind.c:50(check_winbind_security)
Check auth for: [user86]
[2021/01/14 14:48:29.806757, 4] smbd/sec_ctx.c:214(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2021/01/14 14:48:29.806819, 4] smbd/uid.c:460(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2021/01/14 14:48:29.806878, 4] smbd/sec_ctx.c:314(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/01/14 14:48:29.806936, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2021/01/14 14:48:29.806993, 5] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/01/14 14:48:29.910449, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/01/14 14:48:29.910569, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user DOM+user86
[2021/01/14 14:48:29.910633, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is dom+user86
[2021/01/14 14:48:30.162671, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals did find user [DOM+user86]!
[2021/01/14 14:48:30.162775, 3] auth/auth.c:278(check_ntlm_password)
check_ntlm_password: winbind authentication for user [user86] succeeded
Log on the server that is not working
[2020/12/21 18:10:52.075178, 6] param/loadparm.c:7542(lp_file_list_changed)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Dec 21 18:01:24 2020
[2020/12/21 18:10:52.076322, 5] auth/auth_util.c:111(make_user_info_map)
Mapping user [DOM]\[user86] from workstation [WS1108286]
[2020/12/21 18:10:52.078983, 5] auth/user_info.c:59(make_user_info)
attempting to make a user_info for user86 (user86)
[2020/12/21 18:10:52.079546, 5] auth/user_info.c:70(make_user_info)
making strings for user86's user_info struct
[2020/12/21 18:10:52.080100, 5] auth/user_info.c:87(make_user_info)
making blobs for user86's user_info struct
[2020/12/21 18:10:52.080676, 10] auth/user_info.c:123(make_user_info)
made a user_info for user86 (user86)
[2020/12/21 18:10:52.081229, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOM]\[user86]@[WS1108286] with the new password interface
[2020/12/21 18:10:52.081795, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [DOM]\[user86]@[WS1108286]
[2020/12/21 18:10:52.082348, 10] auth/auth.c:231(check_ntlm_password)
check_ntlm_password: auth_context challenge created by random
[2020/12/21 18:10:52.082903, 10] auth/auth.c:233(check_ntlm_password)
challenge is:
[2020/12/21 18:10:52.083453, 5] ../lib/util/util.c:415(dump_data)
[0000] 80 1A E7 6C D3 12 AE 23 ...l...#
[2020/12/21 18:10:52.084029, 10] auth/auth_builtin.c:44(check_guest_security)
Check auth for: [user86]
[2020/12/21 18:10:52.084583, 10] auth/auth.c:269(check_ntlm_password)
check_ntlm_password: guest had nothing to say
[2020/12/21 18:10:52.085139, 10] auth/auth_sam.c:75(auth_samstrict_auth)
Check auth for: [user86]
[2020/12/21 18:10:52.085691, 8] lib/util.c:1521(is_myname)
is_myname("DOM") returns 0
[2020/12/21 18:10:52.086250, 6] auth/auth_sam.c:88(auth_samstrict_auth)
check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2020/12/21 18:10:52.086809, 10] auth/auth.c:269(check_ntlm_password)
check_ntlm_password: sam had nothing to say
[2020/12/21 18:10:52.087364, 10] auth/auth_winbind.c:50(check_winbind_security)
Check auth for: [user86]
[2020/12/21 18:10:52.087977, 4] smbd/sec_ctx.c:214(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/12/21 18:10:52.088565, 4] smbd/uid.c:460(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/12/21 18:10:52.089129, 4] smbd/sec_ctx.c:314(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/12/21 18:10:52.089682, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2020/12/21 18:10:52.090235, 5] auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2020/12/21 18:10:52.154608, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/12/21 18:10:52.155917, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user DOM+user86
[2020/12/21 18:10:52.157044, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is dom+user86
[2020/12/21 18:10:52.159178, 5] lib/username.c:124(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is DOM+user86
[2020/12/21 18:10:52.161287, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is DOM+UDUBO86
[2020/12/21 18:10:52.163367, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in dom+user86
[2020/12/21 18:10:52.164553, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [DOM+user86]!
[2020/12/21 18:10:52.165684, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user user86
[2020/12/21 18:10:52.166806, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is user86
[2020/12/21 18:10:52.168885, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is UDUBO86
[2020/12/21 18:10:52.171035, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in user86
[2020/12/21 18:10:52.172165, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [user86]!
[2020/12/21 18:10:52.173804, 3] auth/auth_util.c:1087(check_account)
Failed to find authenticated user DOM+user86 via getpwnam(), denying access.
[2020/12/21 18:10:52.174950, 5] auth/auth.c:281(check_ntlm_password)
check_ntlm_password: winbind authentication for user [user86] FAILED with error NT_STATUS_NO_SUCH_USER
[2020/12/21 18:10:52.176084, 2] auth/auth.c:330(check_ntlm_password)
check_ntlm_password: Authentication for user [user86] -> [user86] FAILED with error NT_STATUS_NO_SUCH_USER
[2020/12/21 18:10:52.177247, 10] smbd/smb2_server.c:2046(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at smbd/smb2_sesssetup.c:94
[2020/12/21 18:10:52.178376, 10] smbd/smb2_server.c:1949(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at smbd/smb2_server.c:2076
Again both servers were working fine before the upgrade.
Any help would be appreciated.
Thanks,
Y.
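
A triage helper for the two logs quoted above, as an added example that is not part of the original post: it pairs each Samba debug header with its message lines and reports whether a winbind authentication result was decided at the getpwnam() step (the `check_account` message in the failing log) or elsewhere. The function names, the stage labels and the sample user "alice" are assumptions made for this example.

```python
import re

# Samba 3.x debug logs: a "[timestamp, level] file.c:line(function)" header
# line, followed by one or more message lines belonging to that function.
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s+\d+\] \S+\((?P<func>\w+)\)$")
GETPWNAM_DENY = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")
AUTH_RESULT = re.compile(
    r"winbind authentication for user \[(?P<user>[^\]]+)\] "
    r"(?:(?P<ok>succeeded)|FAILED with error (?P<status>\w+))")

# Constructed samples (user "alice" is made up), shaped like the log lines above.
SAMPLE_FAIL = """\
[2020/12/21 18:10:52.172165, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [DOM+alice]!
[2020/12/21 18:10:52.173804, 3] auth/auth_util.c:1087(check_account)
Failed to find authenticated user DOM+alice via getpwnam(), denying access.
[2020/12/21 18:10:52.174950, 5] auth/auth.c:281(check_ntlm_password)
check_ntlm_password: winbind authentication for user [alice] FAILED with error NT_STATUS_NO_SUCH_USER
"""
SAMPLE_OK = """\
[2021/01/14 14:48:30.162775, 3] auth/auth.c:278(check_ntlm_password)
check_ntlm_password: winbind authentication for user [alice] succeeded
"""

def parse_records(text):
    """Yield (function, message) pairs from a Samba debug log."""
    func = None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            func = m.group("func")
        elif line and func:
            yield func, line

def classify_auth(text):
    """Return one finding per winbind auth result, with the stage that decided it."""
    findings, unresolved = [], None
    for func, msg in parse_records(text):
        deny = GETPWNAM_DENY.search(msg)
        res = AUTH_RESULT.search(msg)
        if func == "check_account" and deny:
            unresolved = deny.group(1)      # name smbd could not resolve
        elif func == "check_ntlm_password" and res:
            stage = "ok" if res.group("ok") else (
                "unix-account-lookup" if unresolved else "other")
            findings.append({"user": res.group("user"), "stage": stage,
                             "status": res.group("status"), "unix_name": unresolved})
            unresolved = None
    return findings
```

A `unix-account-lookup` finding means the session was refused when smbd resolved the name through getpwnam(), which with `passwd: files winbind` goes through winbind; `getent passwd 'DOM+user86'` run on each server exercises the same lookup.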