[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon

Rowland Penny rpenny at samba.org
Tue Jun 4 11:48:34 UTC 2024


On Tue, 4 Jun 2024 12:48:07 +0200
Havany via samba <samba at lists.samba.org> wrote:

> Hi samba list,
> 
> I work on a classicupgrade of our NT4/ldap domain.
> 
> On my tests (DC and filer are on FreeBSD and zfs file system, client
> is a Windows 10 22H2):
> 
> -> I'm able to do this classicupgrade and keep all users able to
> connect on computers with their domain account.
> 
> -> In a second step I configure samba DC to improve security and by
> the way I upgrade our FL to 2012_R2, schema to 69 and ad dc FL to
> 2016 (commented lines below are uncommented at this step):
> 
> smb.conf :
> [global]
> 	netbios name = <DC NAME>
> 	realm = <realm>
> 	server role = active directory domain controller
> 	workgroup = <workgroup>
> 	idmap_ldb:use rfc2307 = yes
> 	dns forwarder = <resolvers>

I hope the 'resolvers' are not in the same dns domain as the AD domain.

> 	winbind enum users = yes

You do not require the 'winbind enum users' line, in fact, on large
domains, it can slow things down.

> 	ad dc functional level = 2016
> 	restrict anonymous = 2
> 	ntlm auth = yes

What do you need ntlm auth for?

> 	tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
> 	tls certfile = tls/<crt>
> 	tls keyfile = tls/<key>
> 	tls cafile = <ca>
> 	username map = /usr/local/etc/user.map

Sorry, but you must not use a user.map on a DC, it breaks the mapping
in idmap.ldb, I suggest you remove the 'username map' line.

> 
> krb5.conf
> [libdefaults]
> 	default_realm = <Realm>
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 	#default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> 	#default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> 	#permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> [realms]
> <Realm> = {
> 	default_domain = <fqdn = realm>
> }
> [domain_realm]
> 	<DC Name> = <Realm>
> 
> 
> -> After a while (~2-3 days):
> * I'm unable to logon with an AD account on the Win10 client, on the
> DC I have nothing in the log files
> * I'm able to access a share on the filer from the W10 client and on
> the DC (sysvol), and on the DC log I can see an entry about NTLM2
> success log-in :
> 
> [2024/06/04 11:20:16.375698,  3] 
> ../../auth/auth_log.c:876(log_authentication_event_human_readable)
>    Auth: [SMB2,NTLMSSP] user [<user>] at [Tue, 04 Jun 2024 
> 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation 
> [<hostname>] remote host [ipv6<IP>:30676] became <user> [<SID>].
> local host [ipv6<IP>:445]
> 
> * If I rejoin the Win10 to the domain nothing changes
> * If I change the user password, I'm able to open a session on the W10
> and I see logs about kerberos authentication on the DC.
> * If on the DC I do "kinit" for a user whose password has not been
> changed I'm able to take a

I think there probably should be more to that last sentence.

> 
> I suspect that my problem has a link with the FL upgrade to 2012_R2
> and DC to 2016.
> 
> My questions :
> 
> 1 - Do you think this problem comes from the FL upgrade ?

Probably not.

> 2 - Why can a user whose password has not been changed get a kerberos
> ticket on the DC but seemingly not on the Win10 client ?

DNS, when something like this happens, it is usually dns.

> 3 - Is there a way to allow fallback to ntlm2 when a session is
> opened on the client if kerberos doesn't work ?

The problem is, that question should have been the opposite way around,
i.e. how to stop the fallback. This is because that is how it is supposed
to work: fall back to NTLM.

> 
> PS: I have also this error in DC's winbind logs:
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

That is very probably because of your user.map

> 
> Content of /usr/local/etc/user.map :
> !root = <short DOMAIN>\Administrator

You need to remove it.

Rowland
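As an added example (not part of this thread and not Samba's own code), the following script turns the three objections raised above into a repeatable check over an smb.conf: a `username map` on an AD DC, `winbind enum users = yes`, and `ntlm auth = yes`. The embedded configuration is constructed to mirror the poster's [global] section with placeholder values; the parser is a deliberately simple one for lint purposes, not Samba's loadparm, so it ignores `include` and line continuations.

```python
"""Lint an smb.conf [global] section for the DC-unfriendly settings discussed in the thread."""
import re
import sys

# Constructed sample mirroring the poster's [global] section (placeholder values, not a real site).
SAMPLE_SMB_CONF = """\
[global]
\tnetbios name = DC1
\trealm = EXAMPLE.INTERNAL
\tserver role = active directory domain controller
\tworkgroup = EXAMPLE
\tidmap_ldb:use rfc2307 = yes
\tdns forwarder = 192.0.2.53
\twinbind enum users = yes
\tad dc functional level = 2016
\trestrict anonymous = 2
\tntlm auth = yes
\tusername map = /usr/local/etc/user.map
"""

TRUE_VALUES = ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {param: value}} with section and param names lower-cased.

    Minimal parser for lint purposes only: comments (# or ;) and blank lines are
    skipped, 'include' and backslash continuations are not handled.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def lint_dc_config(text):
    """Return a list of (parameter, explanation) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    role = g.get("server role", "").lower()
    # "dc" is the documented synonym for "active directory domain controller".
    is_dc = role in ("active directory domain controller", "dc")

    # A username map on a DC interferes with the SID<->uid mapping held in idmap.ldb.
    if is_dc and "username map" in g:
        findings.append(("username map",
                         "not supported on an AD DC; it breaks the idmap.ldb mapping, remove it"))
    # Enumerating users is never needed for authentication and is slow on large domains.
    if g.get("winbind enum users", "no").lower() in TRUE_VALUES:
        findings.append(("winbind enum users",
                         "not required; on large domains it slows things down"))
    # 'ntlm auth = yes' permits NTLMv1; Samba's default is ntlmv2-only.
    if g.get("ntlm auth", "").lower() in TRUE_VALUES:
        findings.append(("ntlm auth",
                         "NTLMv1 enabled; keep the default (ntlmv2-only) unless a client really needs it"))
    return findings


if __name__ == "__main__":
    # Usage: python lint_smb_conf.py [/path/to/smb.conf]; with no argument the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for param, why in lint_dc_config(text):
        print(f"{param}: {why}")
```

Run it against the DC's own file after `samba-tool`/`testparm` have confirmed the configuration loads; a clean run prints nothing. The checks are keyed on `server role`, so the `username map` finding is only raised for a DC, where the parameter is the problem, and not for a member server, where a user map is legitimate.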