[Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6

Girouard, Yvon yvon.girouard at cgi.com
Fri Jan 15 15:58:12 UTC 2021


Hi,

We have updated Samba from 3.5 to 3.6 on 2 Linux RedHat 5.8 servers, both authenticating with AD. On the first server everything is working as expected. On the second server, authentication with AD does not work. The OS version and configuration files are the same on both servers.

Nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns winbind
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus
sudoers: files ldap


krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FDOM:/var/log/kadmind.log
[libdefaults]
default_realm = DOM.REG.QC.CA
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
DOM.REG.QC.CA = {
  default_domain = DOM.REG.QC.CA
}
[domain_realm]
.dom.reg.qc.ca = DOM.REG.QC.CA
dom.reg.qc.ca = DOM.REG.QC.CA
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

Smb.conf
[global]
   workgroup                    = DOM
   realm                        = DOM.REG.QC.CA
   netbios name                 = SERVER123
   ldap timeout                 = 200
   local master                 = no
   preferred master             = no
   server string                = Samba Server Version %v
   security                     = ADS
   encrypt passwords            = yes
   log level                    = 10
   log file                     = /var/log/samba/%m.log
   max log size                 = 102400
   template shell               = /bin/false
   load printers                = no
   show add printer wizard      = no
   printcap name                = /dev/null
   disable spoolss              = yes
   winbind enum users           = yes
   winbind enum groups          = yes
   winbind use default domain   = yes
   winbind nested groups        = yes
   winbind expand groups        = 3
   winbind separator            = +
   idmap config * : backend     = tdb
   idmap config * : range       = 120000-199999
   idmap config DOM : range     = 20000-99999
   max protocol                 = SMB2
   inherit acls                 = Yes
   store dos attributes         = yes
   winbind cache time              = 3600
[sharefs]
        path = /sharefs
        browseable = yes
        writeable = yes
        inherit permissions = yes
        force group = images-rw
        create mask = 0664
        directory mask = 2775
        valid users         = @shareauth, @shareadmin
        write list          = @shareauth, @shareadmin


Logs on the server that is working

[2021/01/14 14:48:29.804475,  6] param/loadparm.c:7542(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Thu Jan 14 14:36:06 2021

[2021/01/14 14:48:29.804619,  5] auth/auth_util.c:111(make_user_info_map)
  Mapping user [DOM]\[user86] from workstation [WS1108286]
[2021/01/14 14:48:29.805772,  5] auth/user_info.c:59(make_user_info)
  attempting to make a user_info for user86 (user86)
[2021/01/14 14:48:29.805851,  5] auth/user_info.c:70(make_user_info)
  making strings for user86's user_info struct
[2021/01/14 14:48:29.805912,  5] auth/user_info.c:87(make_user_info)
  making blobs for user86's user_info struct
[2021/01/14 14:48:29.805971, 10] auth/user_info.c:123(make_user_info)
  made a user_info for user86 (user86)
[2021/01/14 14:48:29.806029,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOM]\[user86]@[WS1108286] with the new password interface
[2021/01/14 14:48:29.806089,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOM]\[user86]@[WS1108286]
[2021/01/14 14:48:29.806147, 10] auth/auth.c:231(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2021/01/14 14:48:29.806205, 10] auth/auth.c:233(check_ntlm_password)
  challenge is:
[2021/01/14 14:48:29.806262,  5] ../lib/util/util.c:415(dump_data)
  [0000] 3C 3F F5 E8 F2 9A A1 2A                            <?.....*
[2021/01/14 14:48:29.806341, 10] auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [user86]
[2021/01/14 14:48:29.806399, 10] auth/auth.c:269(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2021/01/14 14:48:29.806460, 10] auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [user86]
[2021/01/14 14:48:29.806517,  8] lib/util.c:1521(is_myname)
  is_myname("DOM") returns 0
[2021/01/14 14:48:29.806576,  6] auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2021/01/14 14:48:29.806637, 10] auth/auth.c:269(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2021/01/14 14:48:29.806698, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [user86]
[2021/01/14 14:48:29.806757,  4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2021/01/14 14:48:29.806819,  4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2021/01/14 14:48:29.806878,  4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/01/14 14:48:29.806936,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/01/14 14:48:29.806993,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/01/14 14:48:29.910449,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/01/14 14:48:29.910569,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user DOM+user86
[2021/01/14 14:48:29.910633,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is dom+user86
[2021/01/14 14:48:30.162671,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [DOM+user86]!
[2021/01/14 14:48:30.162775,  3] auth/auth.c:278(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [user86] succeeded

Log on server that is not working

[2020/12/21 18:10:52.075178,  6] param/loadparm.c:7542(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Mon Dec 21 18:01:24 2020

[2020/12/21 18:10:52.076322,  5] auth/auth_util.c:111(make_user_info_map)
  Mapping user [DOM]\[user86] from workstation [WS1108286]
[2020/12/21 18:10:52.078983,  5] auth/user_info.c:59(make_user_info)
  attempting to make a user_info for user86 (user86)
[2020/12/21 18:10:52.079546,  5] auth/user_info.c:70(make_user_info)
  making strings for user86's user_info struct
[2020/12/21 18:10:52.080100,  5] auth/user_info.c:87(make_user_info)
  making blobs for user86's user_info struct
[2020/12/21 18:10:52.080676, 10] auth/user_info.c:123(make_user_info)
  made a user_info for user86 (user86)
[2020/12/21 18:10:52.081229,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOM]\[user86]@[WS1108286] with the new password interface
[2020/12/21 18:10:52.081795,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOM]\[user86]@[WS1108286]
[2020/12/21 18:10:52.082348, 10] auth/auth.c:231(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2020/12/21 18:10:52.082903, 10] auth/auth.c:233(check_ntlm_password)
  challenge is:
[2020/12/21 18:10:52.083453,  5] ../lib/util/util.c:415(dump_data)
  [0000] 80 1A E7 6C D3 12 AE 23                            ...l...#
[2020/12/21 18:10:52.084029, 10] auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [user86]
[2020/12/21 18:10:52.084583, 10] auth/auth.c:269(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2020/12/21 18:10:52.085139, 10] auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [user86]
[2020/12/21 18:10:52.085691,  8] lib/util.c:1521(is_myname)
  is_myname("DOM") returns 0
[2020/12/21 18:10:52.086250,  6] auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2020/12/21 18:10:52.086809, 10] auth/auth.c:269(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2020/12/21 18:10:52.087364, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [user86]
[2020/12/21 18:10:52.087977,  4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/12/21 18:10:52.088565,  4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/12/21 18:10:52.089129,  4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/12/21 18:10:52.089682,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/12/21 18:10:52.090235,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/12/21 18:10:52.154608,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/12/21 18:10:52.155917,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user DOM+user86
[2020/12/21 18:10:52.157044,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is dom+user86
[2020/12/21 18:10:52.159178,  5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is DOM+user86
[2020/12/21 18:10:52.161287,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is DOM+UDUBO86
[2020/12/21 18:10:52.163367,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in dom+user86
[2020/12/21 18:10:52.164553,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [DOM+user86]!
[2020/12/21 18:10:52.165684,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user user86
[2020/12/21 18:10:52.166806,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is user86
[2020/12/21 18:10:52.168885,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is UDUBO86
[2020/12/21 18:10:52.171035,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in user86
[2020/12/21 18:10:52.172165,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [user86]!
[2020/12/21 18:10:52.173804,  3] auth/auth_util.c:1087(check_account)
  Failed to find authenticated user DOM+user86 via getpwnam(), denying access.
[2020/12/21 18:10:52.174950,  5] auth/auth.c:281(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [user86] FAILED with error NT_STATUS_NO_SUCH_USER
[2020/12/21 18:10:52.176084,  2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password:  Authentication for user [user86] -> [user86] FAILED with error NT_STATUS_NO_SUCH_USER
[2020/12/21 18:10:52.177247, 10] smbd/smb2_server.c:2046(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at smbd/smb2_sesssetup.c:94
[2020/12/21 18:10:52.178376, 10] smbd/smb2_server.c:1949(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at smbd/smb2_server.c:2076


Again both servers were working fine before the upgrade.

Any help would be appreciated.

Thanks,
Y.
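
The failing log above ends with smbd denying access because `getpwnam()` could not resolve the name; the following sketch pulls those stages out of a level-5+ smbd log so two servers can be compared. It is an added example, not part of the original post or Samba's own tooling; the function names, `RULES` and the result keys are illustrative, and `SAMPLE` is an excerpt of the failing server's log as posted.

```python
import re

# Header of one smbd debug record: "[date time, level] file:line(function)"
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):\d+\((?P<func>\w+)\)\s*$")
RULES = [  # (function named in the header, message regex, result key)
    ("Get_Pwnam_alloc", r"Finding user (\S+)", "lookups"),
    ("Get_Pwnam_internals", r"didn't find user \[([^\]]+)\]", "not_found"),
    ("check_account", r"Failed to find authenticated user (\S+) via getpwnam\(\)", "nss_denied"),
    ("check_ntlm_password", r"winbind authentication for user \[[^\]]+\] "
                            r"(?:FAILED with error )?(succeeded|NT_STATUS_\w+)", "winbind_result"),
]

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": []})
        elif raw.strip() and records:
            records[-1]["msg"].append(raw.strip())
    return records

def summarize_auth(text):
    """Collect the names looked up via NSS, the misses, and the logged outcome."""
    out = {key: [] for _, _, key in RULES}
    for rec in parse_records(text):
        for func, pattern, key in RULES:
            m = re.search(pattern, " ".join(rec["msg"])) if rec["func"] == func else None
            if m:
                out[key].append(m.group(1))
    return out

# Excerpt of the failing server's log from the post above.
SAMPLE = """
[2020/12/21 18:10:52.155917,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user DOM+user86
[2020/12/21 18:10:52.164553,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [DOM+user86]!
[2020/12/21 18:10:52.165684,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user user86
[2020/12/21 18:10:52.172165,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [user86]!
[2020/12/21 18:10:52.173804,  3] auth/auth_util.c:1087(check_account)
  Failed to find authenticated user DOM+user86 via getpwnam(), denying access.
[2020/12/21 18:10:52.174950,  5] auth/auth.c:281(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [user86] FAILED with error NT_STATUS_NO_SUCH_USER
"""
```

Running `summarize_auth()` over the full `%m.log` from each server shows at a glance which names were tried through NSS and whether the denial came from the `getpwnam()` step.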

