Re: [Samba] Can't connect anymore a share in domain A from domain B since

Date: Tue, 29 May 2018 15:06:08 +0200
From: Hénoch Hervé via samba <samba@xxxxxxxxxxxxxxx>
Subject: Re: [Samba] Can't connect anymore a share in domain A from domain B since

It say user %unsername% is unknown !!!

But if i try :

net use z: \\<computer in A.FQDN\<share> /USER:A\username

In samba logs change :

 Kerberos: AS-REQ login0@A from ipv4:<ip XXX>:51583 for krbtgt/A@A
  Kerberos: Looking for PKINIT pa-data -- login0@A
  Kerberos: Looking for ENC-TS pa-data -- login0@A
  Kerberos: Failed to decrypt PA-DATA -- login0@A (enctype arcfour-hmac-md5) error Decrypt integrity check failed
  Kerberos: Failed to decrypt PA-DATA -- login0@A
  Kerberos: AS-REQ login0@A from ipv4:<ip XXX>:51585 for krbtgt/A@A
  Kerberos: Looking for PKINIT pa-data -- login0@A
  Kerberos: Looking for ENC-TS pa-data -- login0@A
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- login0@A
  Kerberos: AS-REQ login0@A from ipv4:<ip XXX>:51586 for krbtgt/A@A
  Kerberos: Looking for PKINIT pa-data -- login0@A
  Kerberos: Looking for ENC-TS pa-data -- login0@A
  Kerberos: ENC-TS Pre-authentication succeeded -- login0@A using aes256-cts-hmac-sha1-96
  Kerberos: TGS-REQ login0@A.LOCAL from ipv4:<ip XXX>:51587 for cifs/<file server in A.FQDN@A.LOCAL [canonicalize, renewable, forwardable]


Note : if i try :

net use z: \\<computer in A.FQDN\<share> /USER:A\username*password*

the password is not asked (twice otherwise)


Le 29/05/2018 à 14:52, L.P.H. van Belle via samba a écrit :

Try it like this.

net use z: \\<computer in A.FQDN\<share> /USER:NTDOM\%username%

Does that work for the samba 4.1, if not, check if you windows disabled smbv1
See:
https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows

Best is, upgrade you systems so you can use samba 4.7+

Greetz,

Louis

-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
Hénoch Hervé via samba
Verzonden: dinsdag 29 mei 2018 14:44
Aan: Hénoch Hervé via samba
Onderwerp: [Samba] Can't connect anymore a share in domain A
from domain B since

Hi,

In the past (2 months ago) : I have two AD Domain under Samba 4.1 : A
and B. I war able to  connect a share in A from B.

Now (after upgrade) : I have a W2016 domain (B) and a Samba
4.6 domain
(A) but I can't connect a share in A from B. The user from B
which try
to connect the share in A has the same login in the two domains.

So since the upgrade I don't have the same behavior ...

  From a computer named XXX in domain B I've tried  this command : net
use z: \\<computer in A>\<share> /USER:login0@A (where login0 is the
same in A and B for the user).

If I write a wrong password I have the system error 86 but if i write
the good password (must write it twice) i have the system error 5.

In Samba logs are :

    ntlm_password_check: LM password and LMv2 failed for user
login0, and
NT MD4 password in LM field not permitted
    ntlm_password_check: Lanman passwords NOT PERMITTED for user login0
    ntlm_password_check: LM password and LMv2 failed for user
login0, and
NT MD4 password in LM field not permitted
    ntlm_password_check: Lanman passwords NOT PERMITTED for user login0
    ntlm_password_check: LM password and LMv2 failed for user
login0, and
NT MD4 password in LM field not permitted
    auth_check_password_recv: sam_ignoredomain authentication for user
[A\login0] FAILED with error NT_STATUS_WRONG_PASSWORD
    auth_check_password_send: Checking password for unmapped user
[A]\[login0@A]@[\\XXX]
    auth_check_password_send: mapped user is: [A]\[login0]@[\\XXX]

How can I do such a connection ? I've tried "map untrusted to
domain =
yes" but it is not working better ...

Regard

--
		*Hervé* *HÉNOCH*
*Responsable informatique*
Tél. : 0490275744 h.henoch@xxxxxxxxx <mailto:h.henoch@xxxxxxxxx>

/250, chemin de Baigne-Pieds ? 84 000 Avignon/
*/www.institut-sainte-catherine.org/*
<http://www.institut-sainte-catherine.org/>



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


--
		*Hervé* *HÉNOCH*
*Responsable informatique*
Tél. : 0490275744 h.henoch@xxxxxxxxx <mailto:h.henoch@xxxxxxxxx>

/250, chemin de Baigne-Pieds – 84 000 Avignon/

*/www.institut-sainte-catherine.org/*<http://www.institut-sainte-catherine.org/>




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

References:
- [Samba] Can't connect anymore a share in domain A from domain B since
  - From: Hénoch Hervé via samba
- Re: [Samba] Can't connect anymore a share in domain A from domain B since
  - From: L.P.H. van Belle via samba

Prev by Date: Re: [Samba] Samba group duplicated
Next by Date: Re: [Samba] Can't connect anymore a share in domain A from domain B since
Previous by thread: Re: [Samba] Can't connect anymore a share in domain A from domain B since
Next by thread: Re: [Samba] Can't connect anymore a share in domain A from domain B since
Index(es):
- Date
- Thread

lists-archives.com

Re: [Samba] Can't connect anymore a share in domain A from domain B since