[Samba] Authenticating a user on domain member
Gopal Raman
graman at nilesecure.com
Fri Jan 24 00:14:43 UTC 2025
Hi
I have a Samba AD-DC (on Ubuntu) and I've created a user on the DC
called nileadmin.
On the DC, 'pdbedit -w nileadmin' finds the entry and returns
nileadmin:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:6590718693B2E602D30F67B848E08AE9:[U ]:LCT-678A9897:
I've joined a member (also an Ubuntu host running Samba) to the domain. The
join is successful. But when I run the pdbedit command on the member it
says "Username not found!"
Also on the member, pdbedit -L returns no output.
Based on this I assume that the DC is the only place where the user
database is stored. This implies that if the member gets an authentication
request for a user, it needs to contact the DC.
But I think the member is trying to locally authenticate the user
credentials.
The reason I say this is that when I run the command below
ntlm_auth --request-nt-key --username=nileadmin --challenge=eaea1458abf1a0b7 --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
ON THE DC: it succeeds and I get the expected answer.
ON MEMBER: It fails saying "The attempted logon is invalid.". I see the
following lines in the member's log.winbind
Any idea what I'm doing wrong?
_wbint_PamAuthCrap: [78791]: pam auth crap domain: CN user: nileadmin
attempting to make a user_info for nileadmin (nileadmin)
making strings for nileadmin's user_info struct
making blobs for nileadmin's user_info struct
Attempting to register auth backend anonymous
Successfully added auth method 'anonymous'
Attempting to register auth backend sam
Successfully added auth method 'sam'
Attempting to register auth backend sam_ignoredomain
Successfully added auth method 'sam_ignoredomain'
Attempting to register auth backend sam_netlogon3
Successfully added auth method 'sam_netlogon3'
Attempting to register auth backend winbind
Successfully added auth method 'winbind'
Attempting to register auth backend unix
Successfully added auth method 'unix'
Attempting to register auth backend samba4
Successfully added auth method 'samba4'
load_auth_module: Attempting to find an auth method to match sam
load_auth_module: auth method sam has a valid init
auth_check_ntlm_password: check_ntlm_password: Checking password for
unmapped user [CN]\[nileadmin]@[CN] with the new password interface
auth_check_ntlm_password: check_ntlm_password: mapped user is:
[CN]\[nileadmin]@[CN]
[0000] EA EA 14 58 AB F1 A0 B7 ...X....
tdbsam_open: successfully opened /usr/local/samba/private/passdb.tdb
pdb_getsampwnam (TDB): error fetching database.
Key: USER_nileadmin
check_sam_security: Couldn't find user 'nileadmin' in passdb.
auth_check_ntlm_password: sam authentication for user [nileadmin] FAILED
with error NT_STATUS_NO_SUCH_USER, authoritative=1
check_ntlm_password: Authentication for user [nileadmin] -> [nileadmin]
FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
Auth: [winbind,PASSDB, ntlm_auth, 78791] user [CN]\[nileadmin] at [Thu, 23
Jan 2025 15:49:30.160927 PST] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER]
workstation [CN] remote host [unix:] mapped to [CN]\[nileadmin]. local host
[unix:]
{"timestamp": "2025-01-23T15:49:30.161123-0800", "type": "Authentication",
"Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625,
"logonId": "b5d86feebac48054", "logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress": "unix:", "remoteAddress":
"unix:", "serviceDescription": "winbind", "authDescription": "PASSDB,
ntlm_auth, 78791", "clientDomain": "CN", "clientAccount": "nileadmin",
"workstation": "CN", "becameAccount": null, "becameDomain": null,
"becameSid": null, "mappedAccount": "nileadmin", "mappedDomain": "CN",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "NTLMv1",
"clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null,
"duration": 562}}
NTLM CRAP authentication for user [CN]\[nileadmin] returned
NT_STATUS_NO_SUCH_USER
Auth: [winbind,NTLM_AUTH, ntlm_auth, 78791] user [CN]\[nileadmin] at [Thu,
23 Jan 2025 15:49:30.161233 PST] with [NTLMv1] status
[NT_STATUS_LOGON_FAILURE] workstation [CN] remote host [unix:] mapped to
[(null)]\[(null)]. local host [unix:]
{"timestamp": "2025-01-23T15:49:30.161273-0800", "type": "Authentication",
"Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625,
"logonId": "b5d86feebac48054", "logonType": 3, "status":
"NT_STATUS_LOGON_FAILURE", "localAddress": "unix:", "remoteAddress":
"unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH,
ntlm_auth, 78791", "clientDomain": "CN", "clientAccount": "nileadmin",
"workstation": "CN", "becameAccount": "", "becameDomain": "", "becameSid":
null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "NTLMv1", "clientPolicyAccessCheck": null,
"serverPolicyAccessCheck": null, "duration": 842}}
Finished processing child request 54
process_request_done: [ntlm_auth(78791):PAM_AUTH_CRAP]:
NT_STATUS_LOGON_FAILURE
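The JSON "Authentication" records in the winbind log above are Samba's audit events, and they carry the two facts a defender would want to pull out of this exchange: the request was checked with the PASSDB (local SAM) path, and the password type was NTLMv1. The following parser and triage rules are an added example written for this page, not code from the poster or from the Samba project. The detection rules (flag NTLMv1, flag a PASSDB lookup on a member, flag a record whose clientDomain equals its workstation name) are editor heuristics read off the records in the post; the sample log is constructed, with the first two records modelled on the post and the third a hypothetical successful NTLMv2 logon against an assumed domain named NILE.

```python
import json
from typing import Any, Dict, List, Set

# Constructed sample log. Records 1 and 2 follow the shape of the events in the
# post; record 3 is a hypothetical NTLMv2 success against an assumed domain "NILE".
SAMPLE_LOG = r'''
Auth: [winbind,PASSDB, ntlm_auth, 78791] user [CN]\[nileadmin] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER]
{"timestamp": "2025-01-23T15:49:30.161123-0800", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625, "logonId": "b5d86feebac48054", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "PASSDB, ntlm_auth, 78791", "clientDomain": "CN", "clientAccount": "nileadmin", "workstation": "CN", "mappedAccount": "nileadmin", "mappedDomain": "CN", "passwordType": "NTLMv1", "duration": 562}}
{"timestamp": "2025-01-23T15:49:30.161273-0800", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625, "logonId": "b5d86feebac48054", "logonType": 3, "status": "NT_STATUS_LOGON_FAILURE", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, ntlm_auth, 78791", "clientDomain": "CN", "clientAccount": "nileadmin", "workstation": "CN", "mappedAccount": null, "mappedDomain": null, "passwordType": "NTLMv1", "duration": 842}}
{"timestamp": "2025-01-23T16:02:11.000000-0800", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "0123456789abcdef", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, ntlm_auth, 78800", "clientDomain": "NILE", "clientAccount": "nileadmin", "workstation": "CN", "mappedAccount": "nileadmin", "mappedDomain": "NILE", "passwordType": "NTLMv2", "duration": 900}}
'''


def parse_auth_events(log_text: str) -> List[Dict[str, Any]]:
    """Return the Authentication audit records found in log_text.

    Samba writes one JSON object per audit event. Because the object may be
    preceded by plain-text prefix in log.winbind, parsing starts at the first
    '{' on the line; non-JSON lines and non-Authentication records are skipped.
    The outer timestamp is copied into the returned inner record.
    """
    events: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            record = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if record.get("type") != "Authentication":
            continue
        auth = dict(record["Authentication"])
        auth["timestamp"] = record.get("timestamp")
        events.append(auth)
    return events


def classify(event: Dict[str, Any]) -> Set[str]:
    """Apply editor heuristics to one audit record and return the findings.

    logon_failure             eventId 4625 (the failure event id Samba uses)
    ntlmv1                    passwordType NTLMv1, a weak, crackable response
    local_passdb              the PASSDB backend was consulted (local SAM, not the DC)
    domain_equals_workstation clientDomain is the local machine name, so the
                              request was scoped to the host rather than the domain
    """
    findings: Set[str] = set()
    if event.get("eventId") == 4625:
        findings.add("logon_failure")
    if event.get("passwordType") == "NTLMv1":
        findings.add("ntlmv1")
    parts = [p.strip() for p in (event.get("authDescription") or "").split(",")]
    if "PASSDB" in parts:
        findings.add("local_passdb")
    domain = (event.get("clientDomain") or "").upper()
    workstation = (event.get("workstation") or "").upper()
    if domain and domain == workstation:
        findings.add("domain_equals_workstation")
    return findings


def summarize(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count findings across all records; 'total' is the number of records."""
    counts: Dict[str, int] = {"total": len(events)}
    for event in events:
        for finding in classify(event):
            counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_auth_events(SAMPLE_LOG)
    for ev in parsed:
        print(ev["timestamp"], ev.get("clientDomain"), ev.get("clientAccount"),
              ev.get("status"), sorted(classify(ev)))
    print(summarize(parsed))
```

Run against a real log.winbind, the two rules worth alerting on are `ntlmv1` (the response type the poster's command produces, which is vulnerable to offline cracking and should be disabled where clients allow it) and `local_passdb` on a domain member, since a member's own passdb.tdb is not where domain accounts live.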