[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13

Curtis Spencer curtis.spencer at emsibg.com
Thu Aug 4 22:52:46 UTC 2022

I had a Debian 9 server running Samba v4.5.16 with the following global
config in `/etc/samba/smb.conf`:

netbios name = TEST
workgroup = EXAMPLE
server string = Member Server
os level = 40
domain master = no
security = domain
map untrusted to domain = yes
preserve case = yes
case sensitive = yes
wins support = no
wins server = dc.ccb
mangling method = hash2
unix extensions = no
interfaces = bond0 lo
bind interfaces only = yes
printcap name   = /dev/null
load printers   = no
log level = 3

We are using OpenLDAP as a backend for authentication.

I recently upgraded that server to Debian 11 and Samba v4.13.13. Following
the upgrade, I am still able to SSH into the server using my OpenLDAP
credentials and I have confirmed that running `getent passwd` returns a
list of both local users and LDAP users.

However, since upgrading, I am encountering authentication problems when
trying to mount a samba share to either a Windows or a Linux laptop using
the same LDAP credentials that work for SSH and that used to work for
mounting Samba shares.

Tailing `/var/log/samba/log.smbd` on the server while trying to
authenticate, I see the following:

[2022/08/04 14:23:25.274315,  2]
[2022/08/04 14:23:25.274714,  3] ../../lib/util/access.c:369(allow_access)
  Allowed connection from (
[2022/08/04 14:23:25.275370,  3]
  init_oplocks: initializing messages.
[2022/08/04 14:23:25.275495,  3]
  Transaction 0 of length 214 (0 toread)
[2022/08/04 14:23:25.275879,  3]
  Selected protocol SMB3_11
[2022/08/04 14:23:25.278158,  3]
  GENSEC backend 'gssapi_spnego' registered
[2022/08/04 14:23:25.278218,  3]
  GENSEC backend 'gssapi_krb5' registered
[2022/08/04 14:23:25.278237,  3]
  GENSEC backend 'gssapi_krb5_sasl' registered
[2022/08/04 14:23:25.278254,  3]
  GENSEC backend 'spnego' registered
[2022/08/04 14:23:25.278270,  3]
  GENSEC backend 'schannel' registered
[2022/08/04 14:23:25.278287,  3]
  GENSEC backend 'naclrpc_as_system' registered
[2022/08/04 14:23:25.278303,  3]
  GENSEC backend 'sasl-EXTERNAL' registered
[2022/08/04 14:23:25.278320,  3]
  GENSEC backend 'ntlmssp' registered
[2022/08/04 14:23:25.278339,  3]
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2022/08/04 14:23:25.278356,  3]
  GENSEC backend 'http_basic' registered
[2022/08/04 14:23:25.278372,  3]
  GENSEC backend 'http_ntlm' registered
[2022/08/04 14:23:25.278389,  3]
  GENSEC backend 'http_negotiate' registered
[2022/08/04 14:23:25.278410,  3]
  GENSEC backend 'krb5' registered
[2022/08/04 14:23:25.278438,  3]
  GENSEC backend 'fake_gssapi_krb5' registered
[2022/08/04 14:23:25.285501,  3]
  Got NTLMSSP neg_flags=0x62088215
[2022/08/04 14:23:25.286556,  3]
  Got user=[test_user] domain=[WORKGROUP]
workstation=[<***computer_name***>] len1=24 len2=230
[2022/08/04 14:23:25.286633,  3]
  check_ntlm_password:  Checking password for unmapped user
[WORKGROUP]\[test_user]@[<***computer_name***>] with the new password
[2022/08/04 14:23:25.286680,  3]
  check_ntlm_password:  mapped user is:
[2022/08/04 14:23:25.300379,  0]
  check_account: Failed to convert SID
S-1-5-21-1165166887-308749777-1031590606-13278 to a UID
[2022/08/04 14:23:25.300479,  2]
  check_ntlm_password:  Authentication for user [test_user] -> [test_user]
FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/08/04 14:23:25.300535,  2]
  Auth: [SMB2,(null)] user [WORKGROUP]\[test_user] at [Thu, 04 Aug 2022
14:23:25.300519 PDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
workstation [<***computer_name***>] remote host [ipv4:]
mapped to [WORKGROUP]\[test_user]. local host [ipv4:]
  {"timestamp": "2022-08-04T14:23:25.300658-0700", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor": 2},
"eventId": 4625, "logonId": "0", "logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:",
"remoteAddress": "ipv4:", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain": "WORKGROUP",
"clientAccount": "test_user", "workstation": "<***computer_name***>",
"becameAccount": null, "becameDomain": null, "becameSid": null,
"mappedAccount": "test_user", "mappedDomain": "WORKGROUP",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration":
[2022/08/04 14:23:25.300750,  3]
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
[2022/08/04 14:23:25.300810,  3]
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
[2022/08/04 14:23:25.301672,  3]
  Server exit (NT_STATUS_END_OF_FILE)

When I run `testparm`, I see the following warnings:

# testparm
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "map untrusted to domain"
Ignoring unknown parameter "map untrusted to domain"
Loaded services file OK.
Weak crypto is allowed
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!


Press enter to see a dump of your service definitions

It appears `map untrusted to domain` was removed in v4.8
(https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed). From
what I can tell, I think this might be related to the problem, though I
have found very little information about what this setting did or how to
replicate the behavior after upgrading to >= v4.8.

I've spent the better part of two days trying to debug this and feel like
I'm spinning my wheels. Any guidance on how to debug this, how to upgrade
from v4.5.8 to 4.13.13, or what config changes need to be made to get
things working in 4.13.13 would be most appreciated!

*Curtis Spencer*
Infrastructure Engineer

232 N. Almon St. | Moscow, ID | 83843

*Emsi Burning Glass is now Lightcast
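For anyone working the same failure from the log side, here is an added example (my own illustration, not code from Curtis's post or from the Samba project). It parses the JSON "Authentication" audit records that smbd writes at log level 2+ (the record in the post shows eventId 4625 and status NT_STATUS_NO_SUCH_USER), lists the failed logons with their client domain, and pulls out the SIDs from "Failed to convert SID ... to a UID" lines so the domain part can be compared with what `net getdomainsid` reports on the member server. The sample log is constructed: the JSON record from the post was cut off after "duration", so it is completed here with made-up addresses, and a successful logon is added for contrast. The RID-to-uid helper assumes the domain uses Samba's algorithmic mapping (rid = uid*2 + "algorithmic rid base", default 1000), which the post does not confirm.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the smbd log excerpt from the post. The
# JSON record is completed with made-up addresses (192.0.2.0/24 is a
# documentation range); the second record is an added successful logon.
SAMPLE_LOG = r'''[2022/08/04 14:23:25.300379,  0]
  check_account: Failed to convert SID S-1-5-21-1165166887-308749777-1031590606-13278 to a UID
[2022/08/04 14:23:25.300535,  2]
  Auth: [SMB2,(null)] user [WORKGROUP]\[test_user] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
  {"timestamp": "2022-08-04T14:23:25.300658-0700", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.55:51234", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "WORKGROUP", "clientAccount": "test_user", "workstation": "LAPTOP01", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "test_user", "mappedDomain": "WORKGROUP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 14000}}
  {"timestamp": "2022-08-04T14:25:01.000000-0700", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.56:51240", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "EXAMPLE", "clientAccount": "alice", "workstation": "LAPTOP02", "becameAccount": "alice", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-1165166887-308749777-1031590606-13280", "mappedAccount": "alice", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 9000}}
'''


@dataclass
class AuthEvent:
    timestamp: str
    event_id: int  # 4624 = successful logon, 4625 = failed logon (ids Samba reuses from Windows)
    status: str
    client_domain: Optional[str]
    client_account: Optional[str]
    mapped_domain: Optional[str]
    mapped_account: Optional[str]
    remote_address: Optional[str]
    password_type: Optional[str]


def parse_auth_events(log_text: str) -> List[AuthEvent]:
    """Pull the JSON 'Authentication' audit records out of an smbd log."""
    events: List[AuthEvent] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated record (as in the post's excerpt) is skipped
        if rec.get("type") != "Authentication":
            continue
        a = rec["Authentication"]
        events.append(AuthEvent(
            timestamp=rec.get("timestamp", ""),
            event_id=int(a.get("eventId", 0)),
            status=a.get("status", ""),
            client_domain=a.get("clientDomain"),
            client_account=a.get("clientAccount"),
            mapped_domain=a.get("mappedDomain"),
            mapped_account=a.get("mappedAccount"),
            remote_address=a.get("remoteAddress"),
            password_type=a.get("passwordType"),
        ))
    return events


def failed_logons(events: List[AuthEvent]) -> List[AuthEvent]:
    """Failed logons: eventId 4625 or any non-OK NT status."""
    return [e for e in events if e.event_id == 4625 or e.status != "NT_STATUS_OK"]


# Level-0 check_account line from the post: the SID winbind could not map.
UNMAPPABLE_SID_RE = re.compile(r"Failed to convert SID (S-1-5-21(?:-\d+){4}) to a UID")


def find_unmappable_sids(log_text: str) -> List[str]:
    return UNMAPPABLE_SID_RE.findall(log_text)


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a domain account SID into (domain SID, RID); compare the domain
    SID with the output of `net getdomainsid` on the member server."""
    domain_sid, _, rid = sid.rpartition("-")
    if not domain_sid.startswith("S-1-5-21-"):
        raise ValueError(f"not a domain account SID: {sid}")
    return domain_sid, int(rid)


ALGORITHMIC_RID_BASE = 1000  # Samba's default "algorithmic rid base"


def algorithmic_uid_from_rid(rid: int) -> Optional[int]:
    """Reverse Samba's algorithmic user mapping rid = uid*2 + base.
    Assumption: the domain actually uses that mapping. Odd RIDs are groups
    under the same scheme, so None is returned for them."""
    if rid < ALGORITHMIC_RID_BASE or (rid - ALGORITHMIC_RID_BASE) % 2:
        return None
    return (rid - ALGORITHMIC_RID_BASE) // 2


def summarize(log_text: str) -> Dict[str, object]:
    """One-shot triage view: failed logons plus SIDs that could not be mapped."""
    events = parse_auth_events(log_text)
    failures = [(e.client_domain, e.client_account, e.status, e.remote_address)
                for e in failed_logons(events)]
    unmappable = []
    for sid in find_unmappable_sids(log_text):
        domain_sid, rid = split_sid(sid)
        unmappable.append((domain_sid, rid, algorithmic_uid_from_rid(rid)))
    return {"events": len(events), "failures": failures, "unmappable": unmappable}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run against the real file with `python3 triage.py < /var/log/samba/log.smbd` after swapping SAMPLE_LOG for sys.stdin.read(). Two things stand out in the post's excerpt when read this way: the client sent WORKGROUP rather than EXAMPLE as the domain, and the SID that failed to map carries the RID 13278, which the helper above would decode to uid 6139 only if the domain hands out algorithmic RIDs. The testparm error about the missing idmap range for domain '*' is a separate, config-side symptom and is not covered by this script.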