[Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6

Girouard, Yvon yvon.girouard at cgi.com
Fri Jan 15 19:15:41 UTC 2021


Hi,

The customer plans the complete update of his environment. But for now he wanted to go to the version closest to the current version and which has SMB2 support.
Y.
________________________________________
From: samba [samba-bounces at lists.samba.org] on behalf of Rowland penny via samba [samba at lists.samba.org]
Sent: January 15, 2021 13:27
To: samba at lists.samba.org
Subject: Re: [Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6


On 15/01/2021 15:58, Girouard, Yvon via samba wrote:
> Hi,
>
> We have updated Samba from 3.5 to 3.6 on 2 Linux RedHat 5.8 servers, both authenticating with AD.

Is there some reason why you upgraded to a dead version of Samba ? On a
dead OS ?


>   On the first server everything is working as expected. On the second server, authentication with AD does not work. The OS version and configuration files are the same on both servers.
>
> Nsswitch.conf
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
> hosts:      files dns winbind

'winbind' should only be in the passwd & group lines.

> Smb.conf
> [global]
>     workgroup                    = DOM
>     realm                        = DOM.REG.QC.CA
>     netbios name                 = SERVER123
>     ldap timeout                 = 200
>     local master                 = no
>     preferred master             = no
>     server string                = Samba Server Version %v
>     security                     = ADS
>     encrypt passwords            = yes
>     log level                    = 10
>     log file                     = /var/log/samba/%m.log
>     max log size                 = 102400
>     template shell               = /bin/false
>     load printers                = no
>     show add printer wizard      = no
>     printcap name                = /dev/null
>     disable spoolss              = yes
>     winbind enum users           = yes
>     winbind enum groups          = yes
>     winbind use default domain   = yes
>     winbind nested groups        = yes
>     winbind expand groups        = 3
>     winbind separator            = +
>     idmap config * : backend     = tdb
>     idmap config * : range       = 120000-199999
>     idmap config DOM : range     = 20000-99999

There appears to be a line missing 'idmap config DOM : backend = rid'

Though the 'rid' part could be 'ad' if you have rfc2307 attributes in AD.

>     max protocol                 = SMB2
>     inherit acls                 = Yes
>     store dos attributes         = yes
>     winbind cache time              = 3600
> [sharefs]
>          path = /sharefs
>          browseable = yes
>          writeable = yes
>          inherit permissions = yes
>          force group = images-rw
>          create mask = 0664
>          directory mask = 2775
>          valid users         = @shareauth, @shareadmin
>          write list          = @shareauth, @shareadmin
>
>
>
> Log on server that is not working
>
> [2020/12/21 18:10:52.084029, 10] auth/auth_builtin.c:44(check_guest_security)
>    Check auth for: [user86]
> [2020/12/21 18:10:52.084583, 10] auth/auth.c:269(check_ntlm_password)
>    check_ntlm_password: guest had nothing to say
> [2020/12/21 18:10:52.085139, 10] auth/auth_sam.c:75(auth_samstrict_auth)
>    Check auth for: [user86]
> [2020/12/21 18:10:52.085691,  8] lib/util.c:1521(is_myname)
>    is_myname("DOM") returns 0
> [2020/12/21 18:10:52.086250,  6] auth/auth_sam.c:88(auth_samstrict_auth)
>    check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
> [2020/12/21 18:10:52.086809, 10] auth/auth.c:269(check_ntlm_password)
>    check_ntlm_password: sam had nothing to say
> [2020/12/21 18:10:52.087364, 10] auth/auth_winbind.c:50(check_winbind_security)
>    Check auth for: [user86]
> [2020/12/21 18:10:52.087977,  4] smbd/sec_ctx.c:214(push_sec_ctx)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.088565,  4] smbd/uid.c:460(push_conn_ctx)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.089129,  4] smbd/sec_ctx.c:314(set_sec_ctx)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.089682,  5] ../libcli/security/security_token.c:53(security_token_debug)
>    Security token: (NULL)
> [2020/12/21 18:10:52.090235,  5] auth/token_util.c:527(debug_unix_user_token)
>    UNIX token of user 0
>    Primary group is 0 and contains 0 supplementary groups
> [2020/12/21 18:10:52.154608,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.155917,  5] lib/username.c:171(Get_Pwnam_alloc)
>    Finding user DOM+user86
> [2020/12/21 18:10:52.157044,  5] lib/username.c:116(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as lowercase is dom+user86
> [2020/12/21 18:10:52.159178,  5] lib/username.c:124(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as given is DOM+user86
> [2020/12/21 18:10:52.161287,  5] lib/username.c:134(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as uppercase is DOM+UDUBO86

Why did 'user86' change to 'UDUB086' ??????

Rowland
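
Added example (not part of the original thread, and not Samba's own tooling): a small Python check for the two configuration points raised in the reply above, a domain that has an idmap range but no backend, and winbind listed on nsswitch.conf lines other than passwd and group. It also flags overlapping idmap ranges, which goes beyond what the thread covers; the sample input is constructed from the quoted configuration, and the names parse_idmap and lint are hypothetical.

```python
import re

# Constructed sample input modelled on the configuration quoted in the thread.
SMB_CONF = """\
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 120000-199999
    idmap config DOM : range = 20000-99999
[sharefs]
    path = /sharefs
"""
NSSWITCH = """\
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns winbind
"""
IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(smb_conf):
    """Hypothetical helper: collect 'idmap config <dom> : backend/range' from [global]."""
    domains, section = {}, None
    for line in map(str.strip, smb_conf.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        m = IDMAP_RE.match(line)
        if section == "global" and m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            if key == "range":
                val = tuple(int(n) for n in val.split("-"))
            domains.setdefault(dom, {})[key] = val
    return domains

def lint(smb_conf, nsswitch):
    """Hypothetical helper: return findings for the points raised in the reply."""
    findings = []
    domains = parse_idmap(smb_conf)
    for dom, cfg in sorted(domains.items()):
        if "range" in cfg and "backend" not in cfg:
            findings.append(f"idmap: {dom} has a range but no backend")
    ranged = sorted((c["range"], d) for d, c in domains.items() if "range" in c)
    for (r1, d1), (r2, d2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:  # next range starts before the previous one ends
            findings.append(f"idmap: ranges of {d1} and {d2} overlap")
    for line in nsswitch.splitlines():
        db, _, sources = line.partition(":")
        if "winbind" in sources.split() and db.strip() not in ("passwd", "group"):
            findings.append(f"nsswitch: winbind listed for {db.strip()}")
    return findings
```

Calling lint(SMB_CONF, NSSWITCH) on the constructed sample returns one idmap finding for DOM and two nsswitch findings (shadow and hosts).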



