Web lists-archives.com

[Samba] smbclient works, mount.cifs fails NT_STATUS_LOGON_FAILURE in Samba 4.8.3




Hello,

I am attempting to debug an issue with my Samba configuration. It has been
working fine, but we recently updated Samba from 4.6.x to 4.8.3 and are now
seeing some issues authenticating.

Most of our servers are still working fine after the upgrade, but one
server is giving us issues. A little more environment info: The server is
running Centos 7.1. Windows clients can connect OK. We are using sssd
server-side to connect to Active Directory for Windows auth. Linux and OS X
clients are encountering issues mounting the smb share directly, although
this was working correctly prior to updating sssd and samba.

I am working on a Fedora 28 workstation. When I attempt to connect to the
share with smbclient using this command:

`smbclient //server.domain.com/SHARED -U DOMAIN.COM\\jsmith`

I enter my password, it works and appears to auth with kerberos:

```
[2019/01/22 13:23:53.850746,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2019/01/22 13:23:53.850783,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2019/01/22 13:23:53.850808,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2019/01/22 13:23:53.850819,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'spnego' registered
[2019/01/22 13:23:53.850836,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'schannel' registered
[2019/01/22 13:23:53.850846,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2019/01/22 13:23:53.850855,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2019/01/22 13:23:53.850870,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2019/01/22 13:23:53.850919,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/01/22 13:23:53.850935,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_basic' registered
[2019/01/22 13:23:53.850953,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2019/01/22 13:23:53.850962,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2019/01/22 13:23:56.488705,  3]
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: jsmith [John Smith]
[2019/01/22 13:23:56.488742,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [jsmith@xxxxxxxxxx]
```
When I attempt to mount the share with mount using this command:

`sudo mount -v -t cifs  -o username=jsmith,domain=domain.com //
server.domain.com/SHARED SHARED`

I get hit with 'mount error(13): Permission denied' client-side and see
this output in the server's log:

```
[2019/01/22 13:26:49.466127,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2019/01/22 13:26:49.466161,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2019/01/22 13:26:49.466177,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2019/01/22 13:26:49.466249,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'spnego' registered
[2019/01/22 13:26:49.466274,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'schannel' registered
[2019/01/22 13:26:49.466341,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2019/01/22 13:26:49.466353,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2019/01/22 13:26:49.466403,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2019/01/22 13:26:49.466411,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/01/22 13:26:49.466420,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_basic' registered
[2019/01/22 13:26:49.466430,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2019/01/22 13:26:49.466439,  3]
../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2019/01/22 13:26:49.469535,  3]
../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe0080225
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SEAL
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP_NEGOTIATE_56
[2019/01/22 13:26:49.469907,  3]
../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[jsmith] domain=[domain.com] workstation=[] len1=0 len2=168
[2019/01/22 13:26:49.470215,  2]
../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[rhome]"
[2019/01/22 13:26:49.470263,  2]
../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[it_home]"
[2019/01/22 13:26:49.470297,  2]
../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[vpnhome]"
[2019/01/22 13:26:49.470357,  2]
../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[shared]"
[2019/01/22 13:26:49.470412,  2]
../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[dev-share]"
[2019/01/22 13:26:49.470457,  2]
../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[scans]"
[2019/01/22 13:26:49.470528,  3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[domain.com]\[jsmith]@[]
with the new password interface
[2019/01/22 13:26:49.470538,  3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [domain.com]\[jsmith]@[]
[2019/01/22 13:26:49.470582,  2]
../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [jsmith] -> [jsmith] FAILED
with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2019/01/22 13:26:49.470619,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [domain.com]\[jsmith] at [Tue, 22 Jan 2019
13:26:49.470605 PST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE]
workstation [] remote host [ipv4:192.168.10.100:55024] mapped to
[domain.com]\[jsmith].
local host [ipv4:192.168.20.200:445]
```
Here is my smb.conf file:

```
[global]
   min protocol = SMB2
   workgroup = DOMAIN
   realm = DOMAIN.COM
   security = ads
   password server = ad1.domain.com ad2.domain.com
   kerberos method = secrets and keytab
   template shell = /bin/bash
   encrypt passwords = yes

   log file = /var/log/samba/log.%U
   log level = 2 auth:4

   idmap config * : backend = tdb
   idmap config * : range = 500-9999999999
   idmap config DOMAIN.COM:default = true
   idmap config DOMAIN.COM:backend = ad
   idmap config DOMAIN.COM:range = 500-9999999999

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
```

In case it helps, sssd.conf:

```
[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam

[domain/domain.com]
debug_level = 0x1310
ad_domain = domain.com
ad_server = ad1.domain.com
dyndns_update = false
krb5_realm = DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
```

Can anyone help me figure out what might be wrong with my config that is
causing a different auth flow for smbclient vs. mounting the share
directly? It appears that mounting it is skipping krb5 auth and/or causing
the username to not be formatted correctly. Would appreciate any insight
anyone can offer.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba