[Samba] NTLM Authentication failing after DC updated and restarted. Shares are asking for a password constantly.
Anthony
asynakie at gmail.com
Fri Jun 4 20:00:33 UTC 2021
Has anyone come across this before or know what might be going on? I've
tried a variety of fixes including adding and removing things from the
configuration file and restarting services. I rolled the updates back on
the DC and rebooted again. Still nothing.
SMB version 3.6.23-53.el6_10
Windows 2019 Domain Controller
Most of our computers can no longer connect to our SMB shares. This started
happening after I rebooted our DC that Samba points to for ADS. Updates
were installed on the DC before the reboot. The last time this DC was
updated or rebooted was January. (I know..)
Clients try to UNC path to the share and are asked for a username and
password. They're normally let right in. I checked the logs for one of the
clients I was connecting from and here's what I got. Most notably
"NT_STATUS_CONNECTION_RESET" and "NT_STATUS_DOWNGRADE_DETECTED":
[2021/06/04 11:19:02.040739, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\[USER]@[CLIENT_COMP] with the new password interface
[2021/06/04 11:19:02.040818, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[USER]@[CLIENT_COMP]
[2021/06/04 11:19:02.128485, 2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password: Authentication for user [USER] -> [USER] FAILED with error NT_STATUS_DOWNGRADE_DETECTED
[2021/06/04 11:19:02.128815, 2] smbd/smb2_server.c:2631(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2021/06/04 11:19:02.128950, 3] smbd/server_exit.c:181(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
Here's what my smb.conf file looks like.
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
netbios name = SHARENAME
server string = SMB on ServerName
interfaces = 10.x.x.x/24, 127.0.0.1/8
bind interfaces only = Yes
security = ADS
client schannel = No
server schannel = No
map to guest = Bad Password
password server = IP_Of_DC
passdb backend = tdbsam
log level = 3
log file = /var/log/sharename/log.%m
max log size = 1000
max protocol = SMB2
load printers = No
show add printer wizard = No
preferred master = No
ldap ssl = No
idmap uid = 10000-20000
idmap gid = 10000-20000
smb ports = 139 445
client schannel = yes
[Certs]
path = /data/cert
read only = No
directory mask = 0777
guest ok = Yes
[Data]
path = /data/userfiles
read only = No
create mask = 0666
directory mask = 0666
guest ok = Yes
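
Added example, not part of the original post: a small Python check that reads an smb.conf like the one above and reports any parameter set more than once in the same section, together with the value that takes effect (Samba applies settings in file order, so the last occurrence wins). The sample input is abridged from the posted config; the function names are this example's own, and continuation lines ending in a backslash are assumed not to be used.

```python
import re
from collections import defaultdict

# Sample input: abridged from the smb.conf in the post above.
SAMPLE_CONF = """\
[global]
workgroup = DOMAIN
security = ADS
client schannel = No
server schannel = No
password server = IP_Of_DC
max protocol = SMB2
smb ports = 139 445
client schannel = yes
[Data]
path = /data/userfiles
guest ok = Yes
"""

def _norm(name):
    # Samba compares parameter names ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def find_repeated_params(text):
    """Return [(section, param, [(lineno, value), ...])] for repeated params."""
    seen = defaultdict(list)
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)  # section header
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" in line and section is not None:
            name, value = line.split("=", 1)
            seen[(section, _norm(name))].append((lineno, value.strip()))
    return [(s, p, occ) for (s, p), occ in seen.items() if len(occ) > 1]

def effective_value(occurrences):
    # Settings are applied in file order, so the last occurrence wins.
    return occurrences[-1][1]

if __name__ == "__main__":
    for section, param, occ in find_repeated_params(SAMPLE_CONF):
        lines = [n for n, _ in occ]
        print(f"[{section}] {param}: lines {lines}, effective = {effective_value(occ)!r}")
```

On the sample input this flags `client schannel` in `[global]`; `testparm -s` prints the configuration Samba actually loads and can be used to confirm the effective value.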