[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon

Havany havany at asalluhi.fr
Tue Jun 4 10:48:07 UTC 2024 

Hi samba list,

I work on an classicupgrade of our NT4/ldap domain.

On my tests (DC and filer are on FreeBSD and zfs file system, client is 
a Windows 10 22H2):

-> I'm able to do this classicupgrade and keep all users able to connect 
on computers with their domain account.

-> In a second step I configure samba DC to improve security and by the 
way I upgrade our FL to 2012_R2, schema to 69 and ad dc FL to 2016 
(commented line below are uncommented at this step):

smb.conf :
[global]
	netbios name = <DC NAME>
	realm = <realm>
	server role = active directory domain controller
	workgroup = <workgroup>
         idmap_ldb:use rfc2307 = yes
	dns forwarder = <resolvers>
	#ldap server require strong auth = yes
	#tls enabled = yes
	winbind enum users = yes
	ad dc functional level = 2016
	#server min protocol = SMB2_02
	restrict anonymous = 2
	#disable netbios = yes
	#smb ports = 445
	#printcap name = /dev/null
	#load printers = no
	#disable spoolss = yes
	#printing = bsd
	#ntlm auth = mschapv2-and-ntlmv2-only
	ntlm auth = yes
	#rpc server dynamic port range = 50000-55000
	#machine password timeout = 604800
	tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
	tls certfile = tls/<crt>
	tls keyfile = tls/<key>
	tls cafile = <ca>
	username map = /usr/local/etc/user.map

krb5.conf
[libdefaults]
	default_realm = <Realm>
	dns_lookup_realm = false
	dns_lookup_kdc = true
	#default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
	#default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
	#permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
<Realm> = {
	default_domain = <fqdn = realm>
}
[domain_realm]
	<DC Name> = <Realm>


-> After a while (~2-3 days):
* I'm unable to logon with an AD account on the Win10 client, on the DC 
I have nothing in the logs files
* I'm able to access to a share on the filer from W10 client and on the 
DC (sysvol), and on the DC log I can see entry about NTLM2 success log-in :

[2024/06/04 11:20:16.375698,  3] 
../../auth/auth_log.c:876(log_authentication_event_human_readable)
   Auth: [SMB2,NTLMSSP] user [<user>] at [Tue, 04 Jun 2024 
11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation 
[<hostname>] remote host [ipv6<IP>:30676] became <user> [<SID>]. local 
host [ipv6<IP>:445]

* If I rejoin the Win10 to the domain nothing change
* If I change the user password, I'm able to open session on the W10 and 
I see logs about kerberos authentication on DC.
* If on the DC I do "kinit" of on user that have not is password changed 
I'm able to take a

I suspect that my problem have a link with the FL upgrade to 2012_R2 and 
DC to 2016.

My questions :

1 - Do you think this problem come from the FL upgrade ?
2 - Why user without password changed can get a kerberos ticket on the 
DC but seems not to get it on Win10 client ?
3 - Is there a way to allow fallback to ntlm2 when a session is opened 
on the client if kerberos doesn't work ?

PS: I have also this error in DC's winbind logs:
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

Content of /usr/local/etc/user.map :
!root = <short DOMAIN>\Administrator

Regards,


-- 
Havany

More information about the samba mailing list