[Samba] NTLM Authentication failing after DC updated and restarted. Shares are asking for a password constantly.

Anthony asynakie at gmail.com
Fri Jun 4 20:00:33 UTC 2021


Has anyone come across this before or knows what might be going on? I've
tried a variety of fixes including adding and removing things from the
configuration file and restarting services. I rolled the updates back on
the DC and rebooted again. Still nothing.

SMB version 3.6.23-53.el6_10

Windows 2019 Domain Controller

Most of our computers can no longer connect to our SMB shares. This started
happening after I rebooted our DC that Samba points to for ADS. Updates
were installed on the DC before the reboot. The last time this DC was
updated or rebooted was January. (I know..)

Clients try to UNC path to the share and are asked for a username and
password. They're normally let right in. I checked the logs for one of the
clients I was connecting from and here's what I got. Most notably
"NT_STATUS_CONNECTION_RESET" and "NT_STATUS_DOWNGRADE_DETECTED"

[2021/06/04 11:19:02.040739,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[DOMAIN]\[USER]@[CLIENT_COMP] with the new password interface
[2021/06/04 11:19:02.040818,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[USER]@[CLIENT_COMP]
[2021/06/04 11:19:02.128485,  2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password:  Authentication for user [USER] -> [USER]
FAILED with error NT_STATUS_DOWNGRADE_DETECTED
[2021/06/04 11:19:02.128815,  2]
smbd/smb2_server.c:2631(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2021/06/04 11:19:02.128950,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Here's what my smb.conf file looks like.

[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM <http://domain.com/>
        netbios name = SHARENAME
        server string = SMB on ServerName
        interfaces = 10.x.x.x/24, 127.0.0.1/8
        bind interfaces only = Yes
        security = ADS
        client schannel = No
        server schannel = No
        map to guest = Bad Password
        password server = IP_Of_DC
        passdb backend = tdbsam
        log level = 3
        log file = /var/log/sharename/log.%m
        max log size = 1000
        max protocol = SMB2
        load printers = No
        show add printer wizard = No
        preferred master = No
        ldap ssl = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        smb ports = 139 445
        client schannel = yes

[Certs]
        path = /data/cert
        read only = No
        directory mask = 0777
        guest ok = Yes

[Data]
        path = /data/userfiles
        read only = No
        create mask = 0666
        directory mask = 0666
        guest ok = Yes


More information about the samba mailing list