[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13

Curtis Spencer curtis.spencer at emsibg.com
Fri Aug 5 17:15:01 UTC 2022

> You didn't upgrade far enough, you need to (in my opinion) upgrade to
> AD, Samba is working hard on removing SMBv1 and your setup requires it.
> It was turned off by default at 4.11.0, so you could try adding these
> lines to your smb.conf:
> client min protocol = NT1
> server min protocol = NT1
> You may also have to add:
> ntlm auth = yes
> Also ensure that winbind is running.

Thanks. I tried adding all three lines as well as just the first two. I
restarted smbd and winbind each time and ensured they were both running.
However, I still see this in `/var/log/samba/log.smbd` (the log is the same
with and without `ntlm auth = yes`):

[2022/08/05 10:08:28.032980,  0]
  check_account: Failed to convert SID
S-1-5-21-1165166887-308749777-1031590606-13278 to a UID
[2022/08/05 10:08:28.033122,  2]
  check_ntlm_password:  Authentication for user [<test_user>] ->
[<test_user>] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/08/05 10:08:28.033206,  2]
  Auth: [SMB2,(null)] user [WORKGROUP]\[<test_user>] at [Fri, 05 Aug 2022
10:08:28.033183 PDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
workstation [<***computer_name***>] remote host [ipv4:]
mapped to [WORKGROUP]\[<test_user>]. local host [ipv4:]
  {"timestamp": "2022-08-05T10:08:28.033344-0700", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor": 2},
"eventId": 4625, "logonId": "0", "logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:",
"remoteAddress": "ipv4:", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain": "WORKGROUP",
"clientAccount": "<test_user>", "workstation": "<***computer_name***>",
"becameAccount": null, "becameDomain": null, "becameSid": null,
"mappedAccount": "<test_user>", "mappedDomain": "WORKGROUP",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration":

You didn't mention anything about `map untrusted to domain = yes`. Does
that mean you don't think that is a factor here?



More information about the samba mailing list