[Samba] Samba 4.14.5 NTLMv1
Perttu Aaltonen
perttu.aaltonen at mac.com
Tue Jan 18 14:34:22 UTC 2022
> On 18. Jan 2022, at 16.18, Eric Lehmann via samba <samba at lists.samba.org> wrote:
>
> Hello
>
> After updating my machine to samba 4.14.5 it is not possible to
> authenticate using NLTMv1. The clients are proprietary control / PLC units
> where I am not able to change anything.
>
> I figured out that there must be something with a missing domain /
> workgroup during the authentication process.
>
> Example, workgroup before DOMAIN-USER is empty:
>
> check_ntlm_password: Checking password for unmapped user []\[ DOMAIN-USER
> ]@[m194940] with the new password interface
>
> I can connect the same user from the machines smbclient: smbclient //xx/xx
> -mNT1 -U DOMAIN-USER
>
> The smbclient attempts to connect with "passwordType": "NTLMv2". This
> works, but NTLMv1 fails.
>
> Also, wbinfo succeeded: wbinfo -a DOMAINUSER%password --ntlmv1
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> Is there any way to tell samba using the domain/workgroup as a default?
>
> Some smb.conf:
>
> [global]
> kerberos method = secrets and keytab
> template homedir = /home/%U@%D
> workgroup = WORKGROUP
> server min protocol = NT1
> client min protocol = NT1
> template shell = /bin/bash
> template homedir = /home/%U
> security = ads
> realm = WORKGROUP.INTERN
> ntlm auth = yes
> lanman auth = yes
>
> Some Log for the NTLMv1 attempt:
>
> [2022/01/18 14:16:10.852289, 3]
> ../../source3/auth/check_samsec.c:399(check_sam_security)
> check_sam_security: Couldn't find user 'DOMAIN-USER' in passdb.
> [2022/01/18 14:16:10.852301, 5]
> ../../source3/auth/auth.c:264(auth_check_ntlm_password)
> auth_check_ntlm_password: sam authentication for user [DOMAIN-USER]
> FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
> [2022/01/18 14:16:10.852320, 2]
> ../../source3/auth/auth.c:348(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [DOMAIN-USER] ->
> [DOMAIN-USER] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
> [2022/01/18 14:16:10.852347, 2]
> ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Auth: [SMB,(null)] user []\[DOMAIN-USER] at [Tue, 18 Jan 2022
> 14:16:10.852330 CET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER]
> workstation [m194940] remote host [ipv4:xxx:1024] mapped to
> []\[DOMAIN-USER]. local host [ipv4:xxx:139]
> {"timestamp": "2022-01-18T14:16:10.852396+0100", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor": 2},
> "eventId": 4625, "logonId": "0", "logonType": 3, "status":
> "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:xxx:139", "remoteAddress":
> "ipv4:xxx:1024", "serviceDescription": "SMB", "authDescription": null,
> "clientDomain": "", "clientAccount": "DOMAIN-USER", "workstation":
> "m194940", "becameAccount": null, "becameDomain": null, "becameSid": null,
> "mappedAccount": "DOMAIN-USER", "mappedDomain": "", "netlogonComputer":
> null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> "passwordType": "NTLMv1", "duration": 2274}}
> [2022/01/18 14:16:10.852435, 5]
> ../../source3/auth/auth_ntlmssp.c:215(auth3_check_password_send)
> auth3_check_password_send: Checking NTLMSSP password for \DOMAIN-USER
> failed: NT_STATUS_NO_SUCH_USER, authoritative=1
> [2022/01/18 14:16:10.852456, 3]
> ../../source3/smbd/error.c:82(error_packet_set)
> NT error packet at ../../source3/smbd/sesssetup.c(956) cmd=115
> (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> --
I had this same problem a while back when connecting from Supermicro IPMI interface. The workaround was to use UPN in the form of user.account at domain.com. Is this possible in your clients? You can find my posts from last March in the list archives.
I never found any smb.conf setting that would make this work again. Did you upgrade your base OS as well? In my testing this stopped working after upgrading from Ubuntu 18 to 20. Perhaps the packages are compiled differently or there’s some incompatibility between later Samba and Ubuntu builds.
-Perttu
More information about the samba
mailing list