[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon
Havany
havany at asalluhi.fr
Tue Jun 4 10:48:07 UTC 2024
Hi Samba list,
I work on a classicupgrade of our NT4/ldap domain.
On my tests (DC and filer are on FreeBSD and zfs file system, client is
a Windows 10 22H2):
-> I'm able to do this classicupgrade and keep all users able to connect
to computers with their domain account.
-> In a second step I configure the Samba DC to improve security and at the
same time I upgrade our FL to 2012_R2, schema to 69 and ad dc FL to 2016
(the commented lines below are uncommented at this step):
smb.conf:
[global]
netbios name = <DC NAME>
realm = <realm>
server role = active directory domain controller
workgroup = <workgroup>
idmap_ldb:use rfc2307 = yes
dns forwarder = <resolvers>
#ldap server require strong auth = yes
#tls enabled = yes
winbind enum users = yes
ad dc functional level = 2016
#server min protocol = SMB2_02
restrict anonymous = 2
#disable netbios = yes
#smb ports = 445
#printcap name = /dev/null
#load printers = no
#disable spoolss = yes
#printing = bsd
#ntlm auth = mschapv2-and-ntlmv2-only
ntlm auth = yes
#rpc server dynamic port range = 50000-55000
#machine password timeout = 604800
tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
tls certfile = tls/<crt>
tls keyfile = tls/<key>
tls cafile = <ca>
username map = /usr/local/etc/user.map
krb5.conf:
[libdefaults]
default_realm = <Realm>
dns_lookup_realm = false
dns_lookup_kdc = true
#default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
#default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
#permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
<Realm> = {
default_domain = <fqdn = realm>
}
[domain_realm]
<DC Name> = <Realm>
-> After a while (~2-3 days):
* I'm unable to log on with an AD account on the Win10 client; on the DC
I have nothing in the log files
* I'm able to access a share on the filer from the W10 client and on the
DC (sysvol), and in the DC log I can see an entry about a successful NTLM2 login:
[2024/06/04 11:20:16.375698, 3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
Auth: [SMB2,NTLMSSP] user [<user>] at [Tue, 04 Jun 2024 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [<hostname>] remote host [ipv6<IP>:30676] became <user> [<SID>]. local host [ipv6<IP>:445]
* If I rejoin the Win10 to the domain, nothing changes
* If I change the user's password, I'm able to open a session on the W10 and
I see logs about Kerberos authentication on the DC.
* If on the DC I do "kinit" for a user whose password has not been changed,
I'm able to take a
I suspect that my problem is linked to the FL upgrade to 2012_R2 and
DC to 2016.
My questions:
1 - Do you think this problem comes from the FL upgrade?
2 - Why can a user whose password has not been changed get a Kerberos ticket on the
DC but seemingly not on the Win10 client?
3 - Is there a way to allow fallback to NTLM2 when a session is opened
on the client if Kerberos doesn't work?
PS: I also have this error in the DC's winbind logs:
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
Content of /usr/local/etc/user.map:
!root = <short DOMAIN>\Administrator
Regards,
--
Havany
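As an added example (not part of the post), a small Python script that parses the human-readable "Auth:" lines shown above and reports which accounts are still only seen authenticating with NTLM and never with Kerberos, which is the population the post describes as not yet password-changed. The sample log entries, names, SIDs and addresses are constructed; the SMB2/NTLMSSP line follows the post's quoted format, and the shape of the Kerberos KDC line is assumed from Samba's auth_log output.

```python
import re
from collections import defaultdict

# Human-readable "Auth:" line written by Samba's auth_log.c at log level 3 (format as
# quoted in the post). The "[DOMAIN]\" prefix is optional so redacted lines still match.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<method>[^\]]+)\] "
    r"user (?:\[(?P<domain>[^\]]*)\]\\)?\[(?P<user>[^\]]*)\] "
    r"at \[[^\]]+\] with \[(?P<mech>[^\]]+)\] status \[(?P<status>[A-Z0-9_]+)\]"
)

def classify(service, method, mech):
    """Return 'kerberos', 'ntlm' or 'other' for one Auth: line."""
    if "Kerberos" in service or "Kerberos" in method:
        return "kerberos"
    if "NTLMSSP" in method or mech.startswith("NTLM"):
        return "ntlm"
    return "other"

def summarize(log_text):
    """Count successful Kerberos/NTLM logons and failures per user."""
    counts = defaultdict(lambda: {"kerberos": 0, "ntlm": 0, "failed": 0})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:          # debug headers and unrelated lines
            continue
        user = m["user"].lower()
        if m["status"] != "NT_STATUS_OK":
            counts[user]["failed"] += 1
            continue
        kind = classify(m["service"], m["method"], m["mech"])
        if kind != "other":
            counts[user][kind] += 1
    return dict(counts)

def ntlm_only_users(summary):
    """Accounts seen authenticating only with NTLM, never with Kerberos."""
    return sorted(u for u, c in summary.items() if c["ntlm"] and not c["kerberos"])

# Constructed sample log (names, SIDs and addresses are made up); the
# Kerberos line shape is assumed from Samba's auth_log output.
SAMPLE_LOG = r"""
[2024/06/04 11:20:16.375698,  3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\[alice] at [Tue, 04 Jun 2024 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS01] remote host [ipv6:fd00::10:30676] became [EXAMPLE]\[alice] [S-1-5-21-1-2-3-1105]. local host [ipv6:fd00::1:445]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\[bob] at [Tue, 04 Jun 2024 11:21:02.101010 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv6:fd00::11:49210] became [EXAMPLE]\[bob] [S-1-5-21-1-2-3-1106]. local host [NULL]
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\[bob] at [Tue, 04 Jun 2024 11:21:05.000001 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS02] remote host [ipv6:fd00::11:49300] became [EXAMPLE]\[bob] [S-1-5-21-1-2-3-1106]. local host [ipv6:fd00::1:445]
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\[carol] at [Tue, 04 Jun 2024 11:22:40.000002 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS03] remote host [ipv4:192.0.2.7:51000] mapped to [EXAMPLE]\[carol]. local host [ipv4:192.0.2.1:445]
"""

if __name__ == "__main__":
    print("NTLM-only accounts:", ntlm_only_users(summarize(SAMPLE_LOG)))  # ['alice']
```

Run it against the DC's log.samba at log level 3 to see whether the NTLM-only list shrinks as passwords are changed.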