Bug 11054 - Cannot login from windows workstation to windows workstation share with local user accounts in samba domain
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.6
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
 
Reported: 2015-01-15 06:39 UTC by Alexey
Modified: 2020-08-19 06:01 UTC

Description Alexey 2015-01-15 06:39:59 UTC
Description:

Windows workstations (XP or Windows 7) joined to a Samba domain controller cannot log in to workstation shares using local user accounts.

Steps to Reproduce:

- We have two Ubuntu servers configured as Samba Active Directory controllers (PDC and BDC), all with defaults.
- Joined two Windows 7 machines named ws-test1 and ws-test2 to the domain "DOMAIN.LAN".
- If I log in as the local administrator (not the domain administrator) on ws-test1 and then connect from ws-test1 to the Windows share \\ws-test2\c$ (ws-test2 already has the same local administrator account with the same password), it reports STATUS_LOGON_FAILED.

Actual Results:

ws-test1 starts an SMB2 session with NTLMSSP_AUTH with ws-test2, then ws-test2 starts a DCERPC session with the Samba domain controller, and after the response ws-test2 sends me STATUS_LOGON_FAILURE.

Expected Results:

It should log me in successfully, as in the same setup with Windows domain controllers.

Build Date & Hardware:

Dec 8 19:35:06 UTC 2014, Ubuntu 14.04.1 LTS, VMWARE

Additional Information:

I searched a little bit and discovered that Samba is mapping every context to the domain name:
before: WS-TEST1\administrator
now: DOMAIN\administrator

before: RANDOM_CONTEXT\administrator
now: DOMAIN\administrator

And it wants only the domain administrator password. So EVERYTHING_IN_THIS_CONTEXT\administrator with the domain password will log in successfully.

Log:
[2015/01/14 14:36:08.854338,  3] ../libcli/auth/schannel_state_tdb.c:112(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/WS-TEST2
[2015/01/14 14:36:08.854422,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [WS-TEST1]\[administrator]@[WS-TEST1]
[2015/01/14 14:36:08.854490,  5] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
  map_user_info_cracknames: Mapping user [WS-TEST1]\[administrator] from workstation [WS-TEST1]
  auth_check_password_send: mapped user is: [DOMAIN]\[administrator]@[WS-TEST1]
[2015/01/14 14:36:08.854990,  5] ../source4/auth/ntlm/auth.c:66(auth_get_challenge)
  auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
[2015/01/14 14:36:08.855058,  5] ../lib/util/util.c:556(dump_data)
  [0000] 9c 32 26 6A B1 E7 87 CF                            .3%n..G.
[2015/01/14 14:36:08.855589,  4] ../libcli/auth/ntlm_check.c:405(ntlm_password_check)
  ntlm_password_check: Checking NT MD4 password
[2015/01/14 14:36:08.855716,  3] ../libcli/auth/ntlm_check.c:419(ntlm_password_check)
  ntlm_password_check: NT MD4 password check failed for user administrator
[2015/01/14 14:36:08.855790,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
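
For triage, the remapping described in the report (a workstation-local context rewritten to the domain before the password check) can be picked out of a Samba log mechanically. The Python below is an added example, not part of the original report and not Samba code; the name find_remapped_logons is hypothetical, and the sample log is modelled on the excerpt above with a constructed second logon for [DOMAIN]\[alice].

```python
import re

# Message formats as they appear in the log excerpt of the report.
USER = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
UNMAPPED = re.compile(r"Checking password for unmapped user " + USER)
MAPPED = re.compile(r"mapped user is: " + USER)
FAILED = re.compile(
    r"authentication for user \[([^\\\]]+)\\([^\]]+)\] FAILED with error (\w+)")

def find_remapped_logons(log_text):
    """List logons whose client-supplied domain was replaced during mapping.

    Correlation is sequential, so it assumes the entries of one logon are
    not interleaved with the entries of another logon.
    """
    findings, pending = [], None
    for line in log_text.splitlines():
        if m := UNMAPPED.search(line):
            pending = {"supplied": m[1], "user": m[2], "workstation": m[3]}
        if (m := MAPPED.search(line)) and pending:
            if m[1].upper() != pending["supplied"].upper():
                # Supplied domain equal to the workstation name indicates a
                # machine-local account rather than a domain account.
                local = pending["supplied"].upper() == pending["workstation"].upper()
                findings.append({**pending, "mapped": m[1],
                                 "local_account": local, "status": None})
            pending = None
        if (m := FAILED.search(line)) and findings:
            last = findings[-1]
            same = (m[1].upper(), m[2].lower()) == (last["mapped"].upper(), last["user"].lower())
            if last["status"] is None and same:
                last["status"] = m[3]  # outcome of the check against the mapped account
    return findings

# Sample modelled on the report's log; the alice entries are constructed.
SAMPLE_LOG = r"""
[2015/01/14 14:36:08.854422,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [WS-TEST1]\[administrator]@[WS-TEST1]
  auth_check_password_send: mapped user is: [DOMAIN]\[administrator]@[WS-TEST1]
[2015/01/14 14:36:08.855790,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
  auth_check_password_send: Checking password for unmapped user [DOMAIN]\[alice]@[WS-TEST2]
  auth_check_password_send: mapped user is: [DOMAIN]\[alice]@[WS-TEST2]
"""

if __name__ == "__main__":
    for f in find_remapped_logons(SAMPLE_LOG):
        print(f)
```

A finding with local_account set and a failure status matches the symptom reported here; one with local_account set and no failure status is the case where a local context was accepted against the domain account's password.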
Comment 1 Douglas Bagnall 2020-08-19 06:01:40 UTC
Not test infrastructure.