[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon
Rowland Penny
rpenny at samba.org
Tue Jun 4 11:48:34 UTC 2024
On Tue, 4 Jun 2024 12:48:07 +0200
Havany via samba <samba at lists.samba.org> wrote:
> Hi samba list,
>
> I work on a classicupgrade of our NT4/ldap domain.
>
> In my tests (the DC and filer are on FreeBSD with a ZFS file system, the
> client is Windows 10 22H2):
>
> -> I'm able to do this classicupgrade and keep all users able to
> log on to computers with their domain account.
>
> -> In a second step I configure the samba DC to improve security and
> along the way I upgrade our FL to 2012_R2, schema to 69 and ad dc FL to
> 2016 (the commented lines below are uncommented at this step):
>
> smb.conf :
> [global]
> netbios name = <DC NAME>
> realm = <realm>
> server role = active directory domain controller
> workgroup = <workgroup>
> idmap_ldb:use rfc2307 = yes
> dns forwarder = <resolvers>
I hope the 'resolvers' are not in the same dns domain as the AD domain
> winbind enum users = yes
You do not require the 'winbind enum users' line, in fact, on large
domains, it can slow things down.
> ad dc functional level = 2016
> restrict anonymous = 2
> ntlm auth = yes
What do you need ntlm auth for ?
> tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
> tls certfile = tls/<crt>
> tls keyfile = tls/<key>
> tls cafile = <ca>
> username map = /usr/local/etc/user.map
Sorry, but you must not use a user.map on a DC, it breaks the mapping
in idmap.ldb, I suggest you remove the 'username map' line.
>
> krb5.conf
> [libdefaults]
> default_realm = <Realm>
> dns_lookup_realm = false
> dns_lookup_kdc = true
> #default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> #default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> #permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> [realms]
> <Realm> = {
> default_domain = <fqdn = realm>
> }
> [domain_realm]
> <DC Name> = <Realm>
>
>
> -> After a while (~2-3 days):
> * I'm unable to log on with an AD account on the Win10 client; on the
> DC I have nothing in the log files
> * I'm able to access a share on the filer from the W10 client and on
> the DC (sysvol), and in the DC log I can see entries about successful
> NTLM2 log-ins:
>
> [2024/06/04 11:20:16.375698, 3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
>   Auth: [SMB2,NTLMSSP] user [<user>] at [Tue, 04 Jun 2024 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [<hostname>] remote host [ipv6<IP>:30676] became <user> [<SID>]. local host [ipv6<IP>:445]
>
> * If I rejoin the Win10 to the domain nothing changes
> * If I change the user's password, I'm able to open a session on the W10
> and I see logs about Kerberos authentication on the DC.
> * If on the DC I do "kinit" on a user whose password has not been
> changed, I'm able to take a
I think there probably should be more to that last sentence.
>
> I suspect that my problem is linked to the FL upgrade to 2012_R2
> and DC to 2016.
>
> My questions :
>
> 1 - Do you think this problem comes from the FL upgrade?
Probably not.
> 2 - Why can a user whose password has not been changed get a Kerberos
> ticket on the DC but seemingly not on the Win10 client?
DNS, when something like this happens, it is usually dns.
> 3 - Is there a way to allow fallback to NTLM2 when a session is
> opened on the client if Kerberos doesn't work?
The problem is, that question should have been the other way around,
i.e. how to stop the fallback. This is because that is how it is supposed
to work: fall back to NTLM.
>
> PS: I have also this error in DC's winbind logs:
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
That is very probably because of your user.map
>
> Content of /usr/local/etc/user.map :
> !root = <short DOMAIN>\Administrator
You need to remove it.
Rowland
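The symptom in this thread is that Kerberos fails on the client and the logon silently falls back to NTLMv2, so the only trace on the DC is a stream of NTLM successes in the auth log. As an added example (not part of the thread and not Samba's own code), here is a small Python script that parses the human-readable `Auth:` lines quoted above and reports, per account, which mechanisms have ever succeeded; an account that authenticates only with NTLM is the fallback case worth chasing. The sample log is constructed: the account names, SIDs and `fd00::` addresses are placeholders, and the `Kerberos KDC` service string and the `[DOMAIN]\[user]` field layout are assumptions about how real Samba output looks rather than something the post shows.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Samba's human-readable auth log
# (auth_log.c, log_authentication_event_human_readable) as quoted in the thread.
# Names, SIDs and fd00:: addresses are placeholders; the "Kerberos KDC" service
# and the [DOMAIN]\[user] layout are assumptions about real Samba logs.
SAMPLE_LOG = r"""
[2024/06/04 11:20:16.375698, 3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\[alice] at [Tue, 04 Jun 2024 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS01] remote host [ipv6:fd00::10:30676] became EXAMPLE\alice [S-1-5-21-1-2-3-1105]. local host [ipv6:fd00::1:445]
[2024/06/04 11:21:02.100000, 3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\[bob] at [Tue, 04 Jun 2024 11:21:02.099900 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [] remote host [ipv6:fd00::11:50123] became EXAMPLE\bob [S-1-5-21-1-2-3-1106]. local host [ipv6:fd00::1:88]
[2024/06/04 11:21:05.000000, 3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\[bob] at [Tue, 04 Jun 2024 11:21:05.000000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS02] remote host [ipv6:fd00::11:50124] became EXAMPLE\bob [S-1-5-21-1-2-3-1106]. local host [ipv6:fd00::1:445]
[2024/06/04 11:22:40.000000, 3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\[carol] at [Tue, 04 Jun 2024 11:22:40.000000 CEST] with [NTLMv1] status [NT_STATUS_OK] workstation [OLDBOX] remote host [ipv6:fd00::12:40001] became EXAMPLE\carol [S-1-5-21-1-2-3-1107]. local host [ipv6:fd00::1:445]
[2024/06/04 11:23:10.000000, 3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\[dave] at [Tue, 04 Jun 2024 11:23:10.000000 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS03] remote host [ipv6:fd00::13:40002] local host [ipv6:fd00::1:445]
"""

# One record per "Auth:" line; the optional \[account] group covers the
# [DOMAIN]\[user] form, the bare [user] form is what the thread quotes.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<mech>[^\]]*)\]"
    r" user \[(?P<user>[^\]]*)\](?:\\\[(?P<account>[^\]]*)\])?"
    r" at \[(?P<time>[^\]]*)\]"
    r" with \[(?P<method>[^\]]*)\]"
    r" status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\]"
    r" remote host \[(?P<remote>[^\]]*)\]"
)


def parse_auth_events(text):
    """Return a dict per Auth: record; debug headers and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def account_name(event):
    """Prefer the [DOMAIN]\\[user] account field, else the bare user field."""
    return event["account"] or event["user"]


def classify(event):
    """Map a record to kerberos / ntlmv1 / ntlmv2 / other from its service and method."""
    if event["service"].lower().startswith("kerberos"):
        return "kerberos"
    method = event["method"].lower()
    if "ntlmv1" in method:
        return "ntlmv1"
    if "ntlmv2" in method:
        return "ntlmv2"
    return "other"


def fallback_report(text):
    """Per account: mechanisms that succeeded, accounts never seen with Kerberos,
    accounts still using NTLMv1, and a count of failed logons."""
    seen = defaultdict(set)
    failures = defaultdict(int)
    for e in parse_auth_events(text):
        name = account_name(e)
        if e["status"] != "NT_STATUS_OK":
            failures[name] += 1
            continue
        seen[name].add(classify(e))
    return {
        "per_user": {u: sorted(k) for u, k in seen.items()},
        "ntlm_only": sorted(u for u, k in seen.items() if "kerberos" not in k),
        "ntlmv1_users": sorted(u for u, k in seen.items() if "ntlmv1" in k),
        "failed_logons": dict(failures),
    }


if __name__ == "__main__":
    report = fallback_report(SAMPLE_LOG)
    for user, kinds in sorted(report["per_user"].items()):
        print(f"{user:10s} {', '.join(kinds)}")
    print("NTLM-only accounts (Kerberos never succeeded):", report["ntlm_only"])
    print("Accounts still authenticating with NTLMv1:", report["ntlmv1_users"])
    print("Failed logons:", report["failed_logons"])
```

To use it on a real DC, replace `SAMPLE_LOG` with the contents of the DC's log file; the `Auth:` lines are emitted at debug level 3, as in the output quoted in the thread, so the log level has to be at least that high for anything to show up. An account that appears in `ntlm_only` for days, as Havany describes, is exactly the case where the client never obtained a ticket and NTLM silently took over, which is why Rowland's advice is to find out why Kerberos (usually DNS) is failing rather than to keep the fallback working.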