[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13
Curtis Spencer
curtis.spencer at emsibg.com
Fri Aug 5 17:15:01 UTC 2022
> You didn't upgrade far enough, you need to (in my opinion) upgrade to
> AD, Samba is working hard on removing SMBv1 and your setup requires it.
> It was turned off by default at 4.11.0, so you could try adding these
> lines to your smb.conf:
>
> client min protocol = NT1
> server min protocol = NT1
>
> You may also have to add:
> ntlm auth = yes
>
> Also ensure that winbind is running.
Thanks. I tried adding all three lines as well as just the first two. I
restarted smbd and winbind each time and ensured they were both running.
However, I still see this in `/var/log/samba/log.smbd` (the log is the same
with and without `ntlm auth = yes`):
```
[2022/08/05 10:08:28.032980, 0]
../../source3/auth/auth_util.c:1913(check_account)
check_account: Failed to convert SID
S-1-5-21-1165166887-308749777-1031590606-13278 to a UID
(dom_user[EXAMPLE\<test_user>])
[2022/08/05 10:08:28.033122, 2]
../../source3/auth/auth.c:344(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [<test_user>] ->
[<test_user>] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/08/05 10:08:28.033206, 2]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [WORKGROUP]\[<test_user>] at [Fri, 05 Aug 2022
10:08:28.033183 PDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
workstation [<***computer_name***>] remote host [ipv4:192.168.144.137:48258]
mapped to [WORKGROUP]\[<test_user>]. local host [ipv4:192.168.5.17:445]
{"timestamp": "2022-08-05T10:08:28.033344-0700", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor": 2},
"eventId": 4625, "logonId": "0", "logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.5.17:445",
"remoteAddress": "ipv4:192.168.144.137:48258", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain": "WORKGROUP",
"clientAccount": "<test_user>", "workstation": "<***computer_name***>",
"becameAccount": null, "becameDomain": null, "becameSid": null,
"mappedAccount": "<test_user>", "mappedDomain": "WORKGROUP",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration":
32274}}
```
You didn't mention anything about `map untrusted to domain = yes`. Does
that mean you don't think that is a factor here?
Thanks,
Curtis
More information about the samba
mailing list