Web lists-archives.com

Re: [Samba] Samba v3 works with LDAP, but not Samba v4




Hi Andrew!

Really appreciate the clarification and help. Understood about the
password. I have attached the log.127.0.0.1 with the "correct" password
being used. I do see entries in that log for the Primary Group of 0. Not
sure where I would need to make the change. Any guidance would be really
appreciated. Have been fighting this for the last 3 weeks. :-(

Thanks.

On Tue, Oct 16, 2018 at 8:36 PM Andrew Bartlett <abartlet@xxxxxxxxx> wrote:

> On Tue, 2018-10-16 at 20:20 -0700, Emil Henry wrote:
> > Hi Andrew!
> >
> > I am not 100% sure that the password is correct. I was told that it
> > was changed to the one I am testing. But, when I try the old
> > password, I get a different error message (NT_STATUS_INVALID_SID). I
> > will attached the output.
>
> Then it is the old password, and you have other issues you need to sort
> out.
>
> Again, the server-side log will show more about what is wrong, but look
> up the error message, it typically means your primary group ID is
> mapped incorrectly in idmap.
>
> > I added the 'ntlm auth = yes' to the smb.conf. How would I change the
> client?
>
> The client uses the smb.conf on the host it runs on.  But the above
> suggests that the issue was just a wrong password.
>
> > The version of Samba that we are running is 4.7.1, which is the latest
> version that is available in the yum repository.
>
> OK, I must have mis-read that.
>
> Sorry,
>
> Andrew Bartlett
>
> > Thanks.
> >
> > [root@SMBServer ~]# smbclient //localhost/share -U johndoe -d 10
> > INFO: Current debug levels:
> >   all: 10
> >   tdb: 10
> >   printdrivers: 10
> >   lanman: 10
> >   smb: 10
> >   rpc_parse: 10
> >   rpc_srv: 10
> >   rpc_cli: 10
> >   passdb: 10
> >   sam: 10
> >   auth: 10
> >   winbind: 10
> >   vfs: 10
> >   idmap: 10
> >   quota: 10
> >   acls: 10
> >   locking: 10
> >   msdfs: 10
> >   dmapi: 10
> >   registry: 10
> >   scavenger: 10
> >   dns: 10
> >   ldb: 10
> >   tevent: 10
> >   auth_audit: 10
> >   auth_json_audit: 10
> >   kerberos: 10
> >   drs_repl: 10
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > INFO: Current debug levels:
> >   all: 10
> >   tdb: 10
> >   printdrivers: 10
> >   lanman: 10
> >   smb: 10
> >   rpc_parse: 10
> >   rpc_srv: 10
> >   rpc_cli: 10
> >   passdb: 10
> >   sam: 10
> >   auth: 10
> >   winbind: 10
> >   vfs: 10
> >   idmap: 10
> >   quota: 10
> >   acls: 10
> >   locking: 10
> >   msdfs: 10
> >   dmapi: 10
> >   registry: 10
> >   scavenger: 10
> >   dns: 10
> >   ldb: 10
> >   tevent: 10
> >   auth_audit: 10
> >   auth_json_audit: 10
> >   kerberos: 10
> >   drs_repl: 10
> > Processing section "[global]"
> > doing parameter security = user
> > doing parameter ldap user suffix = ou=people
> > doing parameter ldap group suffix = ou=groups
> > doing parameter ldap ssl = off
> > doing parameter ldap passwd sync = yes
> > doing parameter ldap delete dn = no
> > doing parameter workgroup = example.com
> > doing parameter server string = "Samba Drives"
> > doing parameter netbios name = SMBServer
> > doing parameter log file = /var/log/samba/log.%m
> > doing parameter log level = 5
> > doing parameter max log size = 50
> > doing parameter ldap suffix = "o=EXAMPLE"
> > doing parameter ldap admin dn = "cn=PUser,ou=Proxies,ou=Auth,o=EXAMPLE"
> > doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
> > doing parameter ntlm auth = yes
> > pm_process() returned Yes
> > lp_servicenumber: couldn't find homes
> > added interface enp7s0f1 ip=192.168.2.122 bcast=192.168.2.255
> netmask=255.255.255.0
> > added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255
> netmask=255.255.255.0
> > Netbios name list:-
> > my_netbios_names[0]="SMBServer"
> > Client started (version 4.7.1).
> > Opening cache file at /var/lib/samba/gencache.tdb
> > Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> > Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec
> 31 04:00:00 PM 1969 PST] (-1539746033 seconds in the past)
> > sitename_fetch: No stored sitename for realm ''
> > internal_resolve_name: looking up localhost#20 (sitename (null))
> > name localhost#20 found.
> > remove_duplicate_addrs2: looking for duplicate address/port pairs
> > Connecting to 127.0.0.1 at port 445
> > Socket options:
> >         SO_KEEPALIVE = 0
> >         SO_REUSEADDR = 0
> >         SO_BROADCAST = 0
> >         TCP_NODELAY = 1
> >         TCP_KEEPCNT = 9
> >         TCP_KEEPIDLE = 7200
> >         TCP_KEEPINTVL = 75
> >         IPTOS_LOWDELAY = 0
> >         IPTOS_THROUGHPUT = 0
> >         SO_REUSEPORT = 0
> >         SO_SNDBUF = 2626560
> >         SO_RCVBUF = 1061296
> >         SO_SNDLOWAT = 1
> >         SO_RCVLOWAT = 1
> >         SO_SNDTIMEO = 0
> >         SO_RCVTIMEO = 0
> >         TCP_QUICKACK = 1
> >         TCP_DEFER_ACCEPT = 0
> >  session request ok
> >  negotiated dialect[SMB3_11] against server[localhost]
> > got OID=1.3.6.1.4.1.311.2.2.10
> > Enter EXAMPLE.COM\johndoe's password:
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism ntlmssp
> >      negotiate: struct NEGOTIATE_MESSAGE
> >         Signature                : 'NTLMSSP'
> >         MessageType              : NtLmNegotiate (1)
> >         NegotiateFlags           : 0x62088215 (1644724757)
> >                1: NTLMSSP_NEGOTIATE_UNICODE
> >                0: NTLMSSP_NEGOTIATE_OEM
> >                1: NTLMSSP_REQUEST_TARGET
> >                1: NTLMSSP_NEGOTIATE_SIGN
> >                0: NTLMSSP_NEGOTIATE_SEAL
> >                0: NTLMSSP_NEGOTIATE_DATAGRAM
> >                0: NTLMSSP_NEGOTIATE_LM_KEY
> >                0: NTLMSSP_NEGOTIATE_NETWARE
> >                1: NTLMSSP_NEGOTIATE_NTLM
> >                0: NTLMSSP_NEGOTIATE_NT_ONLY
> >                0: NTLMSSP_ANONYMOUS
> >                0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> >                0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> >                0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> >                1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >                0: NTLMSSP_TARGET_TYPE_DOMAIN
> >                0: NTLMSSP_TARGET_TYPE_SERVER
> >                0: NTLMSSP_TARGET_TYPE_SHARE
> >                1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >                0: NTLMSSP_NEGOTIATE_IDENTIFY
> >                0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> >                0: NTLMSSP_NEGOTIATE_TARGET_INFO
> >                1: NTLMSSP_NEGOTIATE_VERSION
> >                1: NTLMSSP_NEGOTIATE_128
> >                1: NTLMSSP_NEGOTIATE_KEY_EXCH
> >                0: NTLMSSP_NEGOTIATE_56
> >         DomainNameLen            : 0x0000 (0)
> >         DomainNameMaxLen         : 0x0000 (0)
> >         DomainName               : *
> >             DomainName               : ''
> >         WorkstationLen           : 0x0000 (0)
> >         WorkstationMaxLen        : 0x0000 (0)
> >         Workstation              : *
> >             Workstation              : ''
> >         Version: struct ntlmssp_VERSION
> >             ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6
> (6)
> >             ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1
> (1)
> >             ProductBuild             : 0x0000 (0)
> >             Reserved: ARRAY(3)
> >                 [0]                      : 0x00 (0)
> >                 [1]                      : 0x00 (0)
> >                 [2]                      : 0x00 (0)
> >             NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x628a8215
> >   NTLMSSP_NEGOTIATE_UNICODE
> >   NTLMSSP_REQUEST_TARGET
> >   NTLMSSP_NEGOTIATE_SIGN
> >   NTLMSSP_NEGOTIATE_NTLM
> >   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >   NTLMSSP_TARGET_TYPE_SERVER
> >   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >   NTLMSSP_NEGOTIATE_TARGET_INFO
> >   NTLMSSP_NEGOTIATE_VERSION
> >   NTLMSSP_NEGOTIATE_128
> >   NTLMSSP_NEGOTIATE_KEY_EXCH
> > short string '', sent with NULL termination despite NOTERM flag in IDL
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088215
> >   NTLMSSP_NEGOTIATE_UNICODE
> >   NTLMSSP_REQUEST_TARGET
> >   NTLMSSP_NEGOTIATE_SIGN
> >   NTLMSSP_NEGOTIATE_NTLM
> >   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >   NTLMSSP_NEGOTIATE_VERSION
> >   NTLMSSP_NEGOTIATE_128
> >   NTLMSSP_NEGOTIATE_KEY_EXCH
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088215
> >   NTLMSSP_NEGOTIATE_UNICODE
> >   NTLMSSP_REQUEST_TARGET
> >   NTLMSSP_NEGOTIATE_SIGN
> >   NTLMSSP_NEGOTIATE_NTLM
> >   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> >   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> >   NTLMSSP_NEGOTIATE_VERSION
> >   NTLMSSP_NEGOTIATE_128
> >   NTLMSSP_NEGOTIATE_KEY_EXCH
> > SPNEGO login failed: Indicates the SID structure is not valid.
> > session setup failed: NT_STATUS_INVALID_SID
> >
> >
> > On Tue, Oct 16, 2018 at 5:39 PM Andrew Bartlett <abartlet@xxxxxxxxx>
> wrote:
> > > On Tue, 2018-10-16 at 15:18 -0700, Emil Henry wrote:
> > > > Hi Andrew!
> > > >
> > > > I included it in one response, but may have not done a Reply All. Am
> resending it.
> > > >
> > > > Thanks.
> > >
> > > It is reading the hashes, so it looks like it is working.  Dumb
> > > question, but are you really sure the password is right?
> > >
> > > Otherwise, it might be some very odd NTLMv2 thing.  Try (on the client)
> > > 'client ntlmv2 auth = no' and 'ntlm auth = yes' (on the server) just to
> > > rule that out.
> > >
> > > Also please try with Samba 4.9, Samba 4.1 is very old and there may be
> > > something else we have fixed.
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett
> > >
> > >
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba