[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon

Andrew Bartlett abartlet at samba.org
Tue Jun 4 20:02:35 UTC 2024

On Tue, 2024-06-04 at 12:48 +0200, Havany via samba wrote:
> Hi samba list,
> I work on a classicupgrade of our NT4/ldap domain.
> On my tests (DC and filer are on FreeBSD and zfs file system, client is
> a Windows 10 22H2):
> -> I'm able to do this classicupgrade and keep all users able to
> connect on computers with their domain account.
> -> In a second step I configure samba DC to improve security and by
> the way I upgrade our FL to 2012_R2, schema to 69 and ad dc FL to 2016
> (commented lines below are uncommented at this step):

> -> After a while (~2-3 days):
> * I'm unable to logon with an AD account on the Win10 client, on the
> DC I have nothing in the log files
> * I'm able to access a share on the filer from the W10 client and on
> the DC (sysvol), and in the DC log I can see an entry about NTLM2
> successful log-in:
> [2024/06/04 11:20:16.375698,  3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
>    Auth: [SMB2,NTLMSSP] user [<user>] at [Tue, 04 Jun 2024 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [<hostname>] remote host [ipv6<IP>:30676] became <user> [<SID>]. local host [ipv6<IP>:445]
> * If I rejoin the Win10 to the domain nothing changes
> * If I change the user password, I'm able to open a session on the W10
> and I see logs about kerberos authentication on the DC.

I think what is happening is that the DC has only the NT hash for users
and computers, but that clients are expecting that the DC has an AES
key given the domain is in such a high FL

> * If on the DC I do "kinit" on a user that has not had their password
> changed, I'm able to take a

kinit on the DC will be honouring the krb5.conf settings, which may
still allow the AS-REQ with the rc4-hmac key.

> I suspect that my problem has a link with the FL upgrade to 2012_R2
> and DC to 2016.
> My questions:
> 1 - Do you think this problem comes from the FL upgrade?
> 2 - Why can a user without a password change get a kerberos ticket on
> the DC but seemingly not on the Win10 client?
> 3 - Is there a way to allow fallback to ntlm2 when a session is opened
> on the client if kerberos doesn't work?

That final point (3) would be a question about client configuration, but
you really don't want that, you need to get to Kerberos as fast as
This is a complex situation. I would have expected it would still be
possible to keep user accounts working with just an NT hash (sadly),
but you would need to take network traces to show the clients still
sending that. Also note that by updating the FL, FAST should now be
used. This is good, but might make the traces harder to interpret.

Due to the complexity of the migration (I presume you have a very large
domain, otherwise you would have just changed the passwords) I suggest
working closely with your Samba commercial support provider to see if
anything can be done on Samba's side. Otherwise, leaving the FL lower and
setting all the accounts to 'must change password at next logon' would be
my suggestion.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
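The thread's diagnosis is that accounts which still hold only an NT hash keep working over NTLMv2 but fail Kerberos logons from the Windows client, while `kinit` on the DC may still succeed because krb5.conf allows the rc4-hmac key. One way for an administrator to find those accounts is to read the DC's own `auth_log.c` lines, as quoted above, and list users who only ever authenticate over NTLM, or whose KDC pre-authentication only ever uses the rc4 enctype. The following parser is an added example, not code from the post or from the Samba project; the sample log text is constructed, the NTLMv2 line follows the format quoted in the thread, and the shape of the `Kerberos KDC` lines (service name and enctype placed in the same bracketed fields) is an assumption about how the same logging function reports pre-authentication.

```python
import re
from collections import defaultdict

# Matches the "Auth: [...]" line written by Samba's auth_log.c. The account
# normally appears as user [DOMAIN]\[name]; the optional second group also
# tolerates the redacted single-bracket form user [<user>] seen in the post.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]+)\] user \[(?P<first>[^\]]*)\]"
    r"(?:\\\[(?P<second>[^\]]*)\])?"
    r" at \[(?P<when>[^\]]+)\] with \[(?P<mech>[^\]]+)\]"
    r" status \[(?P<status>[^\]]+)\]"
)

# Constructed sample log (not real data). The header line and the NTLMv2 line
# mirror the post; the "Kerberos KDC" lines are an assumed shape, with the
# negotiated enctype in the "with [...]" field.
SAMPLE_LOG = """\
[2024/06/04 11:20:16.375698,  3] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\\[alice] at [Tue, 04 Jun 2024 11:20:16.375682 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS01] remote host [ipv6:fd00::10:30676] became [EXAMPLE]\\[alice] [S-1-5-21-1-2-3-1105]. local host [ipv6:fd00::1:445]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\\[bob] at [Tue, 04 Jun 2024 11:21:02.000001 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv6:fd00::11:52001] became [EXAMPLE]\\[bob] [S-1-5-21-1-2-3-1106]. local host [ipv6:fd00::1:88]
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\\[bob] at [Tue, 04 Jun 2024 11:21:05.000001 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS02] remote host [ipv6:fd00::11:52002] became [EXAMPLE]\\[bob] [S-1-5-21-1-2-3-1106]. local host [ipv6:fd00::1:445]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\\[dave] at [Tue, 04 Jun 2024 11:22:40.000001 CEST] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv6:fd00::1:40001] became [EXAMPLE]\\[dave] [S-1-5-21-1-2-3-1107]. local host [ipv6:fd00::1:88]
  Auth: [SMB2,NTLMSSP] user [EXAMPLE]\\[carol] at [Tue, 04 Jun 2024 11:23:11.000001 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS03] remote host [ipv6:fd00::12:60001] became [EXAMPLE]\\[carol] [S-1-5-21-1-2-3-1108]. local host [ipv6:fd00::1:445]
"""


def parse_auth_events(text):
    """Return one dict per "Auth:" line; header and unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        user = m["second"] if m["second"] is not None else m["first"]
        events.append({
            "service": m["service"],
            "user": user.lower(),
            "mech": m["mech"],
            "ok": m["status"] == "NT_STATUS_OK",
        })
    return events


def classify(event):
    """'kerberos' for KDC events, 'ntlm' for NTLMSSP/NTLMv* events, else 'other'."""
    if event["service"].startswith("Kerberos KDC"):
        return "kerberos"
    if "NTLMSSP" in event["service"] or event["mech"].startswith("NTLM"):
        return "ntlm"
    return "other"


def successful_mechs(text):
    """Map user -> set of (kind, mech) pairs seen with NT_STATUS_OK."""
    seen = defaultdict(set)
    for ev in parse_auth_events(text):
        if ev["ok"]:
            seen[ev["user"]].add((classify(ev), ev["mech"]))
    return dict(seen)


def ntlm_only_users(text):
    """Users who authenticated successfully but never through the KDC."""
    return sorted(u for u, mechs in successful_mechs(text).items()
                  if all(kind == "ntlm" for kind, _ in mechs))


def rc4_only_kerberos_users(text):
    """Users whose KDC pre-authentication only ever succeeded with rc4-hmac."""
    out = []
    for u, mechs in successful_mechs(text).items():
        kdc = {mech for kind, mech in mechs if kind == "kerberos"}
        if kdc and all("arcfour" in m or "rc4" in m for m in kdc):
            out.append(u)
    return sorted(out)


if __name__ == "__main__":
    print("NTLM-only users:", ntlm_only_users(SAMPLE_LOG))
    print("rc4-only Kerberos users:", rc4_only_kerberos_users(SAMPLE_LOG))
```

Run against `log level = 3` output from the DC (or the JSON variant, with the regex adjusted), both lists are candidates for the "must change password at next logon" step the reply suggests: a password change writes fresh AES keys for the account, after which the client's Kerberos logon can succeed. Failed attempts (such as carol's `NT_STATUS_WRONG_PASSWORD`) are deliberately ignored so that a mistyped password does not classify an account.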
