Bug 14453 - winbindd/samba ignores include config file
Summary: winbindd/samba ignores include config file
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.7.6
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-01 05:28 UTC by linuxbox
Modified: 2020-08-11 08:31 UTC
Description linuxbox 2020-08-01 05:28:50 UTC
Dear Maintainer,

I wanted to report this issue where winbindd/samba ignores an include
config file.

A configuration with an include statement of a file at the end of
smb.conf is configured:

/etc/samba/smb.conf
############################
...
include = /etc/samba/smb.conf.admin
############################

/etc/samba/smb.conf.admin
############################
[global]
ntlm auth = mschapv2-and-ntlmv2-only
############################

testparm shows the configuration option "ntlm auth":
# testparm -s
############################
...
[global]
	dns forwarder = 10.0.0.254
	ldap server require strong auth = No
	ntlm auth = mschapv2-and-ntlmv2-only
	passdb backend = samba_dsdb
	printcap name = cups
	realm = FZI.LAN
...
############################

I configured WPA2 Enterprise Radius with freeradius and want to
authenticate against AD/Samba users.

This test shows that the authentication is not successful (Access-Reject)
with the above smb.conf settings:
############################
root@server:~# radtest -t mschap leh1 Tester1 10.0.0.1 0 xxxxx
Sent Access-Request Id 121 from 0.0.0.0:53425 to 10.0.0.1:1812 length 130
	User-Name = "leh1"
	MS-CHAP-Password = "Tester1"
	NAS-IP-Address = 10.0.0.1
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "Tester1"
	MS-CHAP-Challenge = 0xbfcd8fe31d3e0f28
	MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000028dfaf3beb16b16cb696a051487c2942a6bde16cdfdcaee1
Received Access-Reject Id 121 from 10.0.0.1:1812 to 0.0.0.0:0 length 61
	MS-CHAP-Error = "\000E=691 R=1 C=5ed191c90e7fe13a V=2"
(0) -: Expected Access-Accept got Access-Reject
############################

/var/log/samba/log.wb-FZI
############################
[2020/07/31 06:55:09.910525,  3]
../source3/winbindd/winbindd_samr.c:465(sam_name_to_sid)
  sam_name_to_sid
[2020/07/31 06:55:09.912861,  3]
../source3/winbindd/winbindd_rpc.c:272(rpc_name_to_sid)
  name_to_sid: FZI\WIFI for domain FZI
[2020/07/31 06:55:09.913734,  3]
../source3/winbindd/winbindd_pam.c:2138(winbindd_dual_pam_auth_crap)
  [13003]: pam auth crap domain: FZI user: leh1
[2020/07/31 06:55:09.913766,  3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[FZI]\[leh1]@[SERVER] with the new password interface
[2020/07/31 06:55:09.913777,  3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [FZI]\[leh1]@[SERVER]
[2020/07/31 06:55:09.914953,  3]
../source4/auth/ntlm/auth.c:240(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user
[FZI]\[leh1]@[SERVER]
  auth_check_password_send: user is: [FZI]\[leh1]@[SERVER]
[2020/07/31 06:55:09.915287,  2]
../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user leh1
[2020/07/31 06:55:09.915301,  3]
../libcli/auth/ntlm_check.c:437(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user leh1
[2020/07/31 06:55:09.915435,  2]
../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user leh1
[2020/07/31 06:55:09.915447,  3]
../libcli/auth/ntlm_check.c:437(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user leh1
[2020/07/31 06:55:09.915820,  2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [FZI\leh1]
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/07/31 06:55:09.915843,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [FZI]\[leh1] at [Fr, 31 Jul 2020
06:55:09.915836 CEST] with [MSCHAPv2] status [NT_STATUS_WRONG_PASSWORD]
workstation [SERVER] remote host [ipv4:127.0.0.1:0] mapped to
[FZI]\[leh1]. local host [ipv4:127.0.0.1:0]
[2020/07/31 06:55:09.915880,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2020-07-31T06:55:09.915855+0200",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
"serviceDescription": "winbind", "authDescription": null,
"clientDomain": "FZI", "clientAccount": "leh1", "workstation": "SERVER",
"becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)",
"mappedAccount": "leh1", "mappedDomain": "FZI", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
"(NULL SID)", "passwordType": "MSCHAPv2"}}
[2020/07/31 06:55:09.915905,  3]
../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2020/07/31 06:55:09.915941,  2]
../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [leh1] -> [leh1] FAILED
with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2020/07/31 06:55:09.915958,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [FZI]\[leh1] at [Fr, 31 Jul 2020
06:55:09.915953 CEST] with [MSCHAPv2] status [NT_STATUS_WRONG_PASSWORD]
workstation [SERVER] remote host [ipv4:127.0.0.1:0] mapped to
[FZI]\[leh1]. local host [ipv4:127.0.0.1:0]
[2020/07/31 06:55:09.915984,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2020-07-31T06:55:09.915968+0200",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
"serviceDescription": "winbind", "authDescription": null,
"clientDomain": "FZI", "clientAccount": "leh1", "workstation": "SERVER",
"becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)",
"mappedAccount": "leh1", "mappedDomain": "FZI", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
"(NULL SID)", "passwordType": "MSCHAPv2"}}
[2020/07/31 06:55:09.916013,  2]
../source3/winbindd/winbindd_pam.c:2108(winbind_dual_SamLogon)
  NTLM CRAP authentication for user [FZI]\[leh1] returned
NT_STATUS_WRONG_PASSWORD
############################

The same test, but with the config option in smb.conf rather than in an
additional include file.

/etc/samba/smb.conf
############################
[global]
...
ntlm auth = mschapv2-and-ntlmv2-only
...
include = /etc/samba/smb.conf.admin
############################

/etc/samba/smb.conf.admin
############################

############################

The authentication is now successful (Access-Accept):
############################
root@server:~# radtest -t mschap leh1 Tester1 10.0.0.1 0 xxxxx
Sent Access-Request Id 23 from 0.0.0.0:47270 to 10.0.0.1:1812 length 130
	User-Name = "leh1"
	MS-CHAP-Password = "Tester1"
	NAS-IP-Address = 10.0.0.1
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "Tester1"
	MS-CHAP-Challenge = 0xe18cdecac1c899c6
	MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000cf7cf11a9f554a3cb1227870b69758a6968c9354d11f7f4c
Received Access-Accept Id 23 from 10.0.0.1:1812 to 0.0.0.0:0 length 84
	MS-CHAP-MPPE-Keys = 0x0000000000000000f3a633cc3cbc71f2f3cda7203637260c
	MS-MPPE-Encryption-Policy = Encryption-Allowed
	MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
############################

/var/log/samba/log.wb-FZI
############################
[2020/07/31 06:57:31.863047,  3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[FZI]\[leh1]@[SERVER] with the new password interface
[2020/07/31 06:57:31.863061,  3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [FZI]\[leh1]@[SERVER]
[2020/07/31 06:57:31.863174,  3]
../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'sam' registered
[2020/07/31 06:57:31.863186,  3]
../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'sam_ignoredomain' registered
[2020/07/31 06:57:31.863195,  3]
../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'sam_failtrusts' registered
[2020/07/31 06:57:31.863204,  3]
../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'anonymous' registered
[2020/07/31 06:57:31.863213,  3]
../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'winbind' registered
[2020/07/31 06:57:31.863226,  3]
../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'winbind_rodc' registered
[2020/07/31 06:57:31.863234,  3]
../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'winbind_wbclient' registered
[2020/07/31 06:57:31.863241,  3]
../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'name_to_ntstatus' registered
[2020/07/31 06:57:31.863249,  3]
../source4/auth/ntlm/auth.c:840(auth_register)
  AUTH backend 'unix' registered
[2020/07/31 06:57:31.865486,  3]
../source4/auth/ntlm/auth.c:240(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user
[FZI]\[leh1]@[SERVER]
  auth_check_password_send: user is: [FZI]\[leh1]@[SERVER]
[2020/07/31 06:57:31.869861,  3]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [FZI]\[leh1] at [Fr, 31 Jul 2020
06:57:31.869843 CEST] with [MSCHAPv2] status [NT_STATUS_OK] workstation
[SERVER] remote host [ipv4:127.0.0.1:0] became [FZI]\[leh1]
[S-1-5-21-35671526-1933746553-2632869877-1557]. local host
[ipv4:127.0.0.1:0]
[2020/07/31 06:57:31.869939,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2020-07-31T06:57:31.869898+0200",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_OK", "localAddress":
"ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
"serviceDescription": "winbind", "authDescription": null,
"clientDomain": "FZI", "clientAccount": "leh1", "workstation": "SERVER",
"becameAccount": "leh1", "becameDomain": "FZI", "becameSid":
"S-1-5-21-35671526-1933746553-2632869877-1557", "mappedAccount": "leh1",
"mappedDomain": "FZI", "netlogonComputer": null, "netlogonTrustAccount":
null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)",
"passwordType": "MSCHAPv2"}}
[2020/07/31 06:57:31.869979,  3]
../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2020/07/31 06:57:31.870036,  3]
../source3/auth/auth.c:256(auth_check_ntlm_password)
  auth_check_ntlm_password: samba4 authentication for user [leh1] succeeded
[2020/07/31 06:57:31.870053,  3]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [winbind,(null)] user [FZI]\[leh1] at [Fr, 31 Jul 2020
06:57:31.870048 CEST] with [MSCHAPv2] status [NT_STATUS_OK] workstation
[SERVER] remote host [ipv4:127.0.0.1:0] became [FZI]\[leh1]
[S-1-5-21-35671526-1933746553-2632869877-1557]. local host
[ipv4:127.0.0.1:0]
[2020/07/31 06:57:31.870084,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2020-07-31T06:57:31.870067+0200",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_OK", "localAddress":
"ipv4:127.0.0.1:0", "remoteAddress": "ipv4:127.0.0.1:0",
"serviceDescription": "winbind", "authDescription": null,
"clientDomain": "FZI", "clientAccount": "leh1", "workstation": "SERVER",
"becameAccount": "leh1", "becameDomain": "FZI", "becameSid":
"S-1-5-21-35671526-1933746553-2632869877-1557", "mappedAccount": "leh1",
"mappedDomain": "FZI", "netlogonComputer": null, "netlogonTrustAccount":
null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)",
"passwordType": "MSCHAPv2"}}
[2020/07/31 06:57:31.870110,  2]
../source3/auth/auth.c:314(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [leh1] -> [leh1] ->
[(null)] succeeded
############################

This is possibly a bug.

# smbd -V
Version 4.7.6-Ubuntu

# uname -a
Linux server.fzi.lan 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9
23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


Kind regards
Klaus
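An added example, not part of this report or of Samba's own code: a small parser that follows smb.conf `include =` lines and reports which [global] parameters are set only by an include file, so an administrator can verify exactly those settings against the running winbindd instead of trusting testparm's merged view. The file names and parameter values below are constructed to mirror the report.

```python
import os
import re
import tempfile

# Constructed sample mirroring the report: smb.conf sets some [global] parameters
# itself and pulls "ntlm auth" in only via an include file.
SAMPLE_SMB_CONF = "[global]\n\trealm = EXAMPLE.LAN\n\tpassdb backend = samba_dsdb\ninclude = {admin}\n"
SAMPLE_ADMIN_CONF = "[global]\nntlm auth = mschapv2-and-ntlmv2-only\n"

def write_sample(directory=None):
    """Write the constructed pair to a (temp) directory; returns (smb.conf, include) paths."""
    directory = directory or tempfile.mkdtemp()
    main, admin = (os.path.join(directory, n) for n in ("smb.conf", "smb.conf.admin"))
    with open(admin, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ADMIN_CONF)
    with open(main, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SMB_CONF.format(admin=admin))
    return main, admin

def _parse(path, section, seen, params):
    """Read one file, following include= inline; returns the section left in effect."""
    if os.path.realpath(path) in seen:
        raise ValueError("include loop at " + path)
    seen.add(os.path.realpath(path))
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            header = re.match(r"^\[(.+)\]$", line)
            if header:
                section = header.group(1).strip().lower()
            elif "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key.lower() != "include":
                    params[(section, key.lower())] = (value, path)
                elif "%" not in value:  # %-macro includes need runtime data; skipped here
                    target = value if os.path.isabs(value) else os.path.join(os.path.dirname(path), value)
                    section = _parse(target, section, seen, params)
    return section

def parse_smb_conf(path):
    """Map (section, parameter) -> (value, source file); later writes win, as in Samba."""
    params = {}
    _parse(path, None, set(), params)
    return params

def global_settings_from_includes(path):
    """[global] parameters set only by an include file: check these against the running daemon."""
    top = os.path.realpath(path)
    return sorted(k for k, (_v, src) in parse_smb_conf(path).items() if k[0] == "global" and os.path.realpath(src) != top)
```

For the report's setup this flags "ntlm auth" as the one [global] parameter coming from smb.conf.admin, which is precisely the value the winbindd log shows was not applied.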
Comment 1 Louis 2020-08-10 14:08:04 UTC
Hai Klaus, 

I see: ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user leh1

Besides you're using an old/unmaintained version, is:
ntlm auth = mschapv2-and-ntlmv2-only

Set on the AD-DC and the member server? 
And did you adjust the needed freeradius settings?

Can you verify it all based on these sites: 
http://deployingradius.com/documents/configuration/active_directory.html
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
Comment 2 linuxbox 2020-08-10 14:35:39 UTC
Hello Louis,

Am 10.08.20 um 16:08 schrieb samba-bugs@samba.org:
>  i see:  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user leh1

Yes, because mschapv2-and-ntlmv2-only is ignored in
/etc/samba/smb.conf.admin the authentication is not successful.

> beside your using old/unmaintained version is : 
> ntlm auth = mschapv2-and-ntlmv2-only
> 
> Set on the AD-DC and the member server? 

There is no member server in this setup. Freeradius is running on the
same server as the domain controller.

> And did you adjust the needed freeradius settings. 
> 
> Can you verify it all based on these sites: 
> http://deployingradius.com/documents/configuration/active_directory.html
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

Of course. And the setup is working when "ntlm auth =
mschapv2-and-ntlmv2-only" is written in /etc/smb.conf rather than in an
include file. That is the only issue.

Kind regards
Klaus
Comment 3 Louis 2020-08-10 14:46:20 UTC
Hai, yes, sorry, I needed to ask that.

Well, in this case you can only do 2 things.
I know this works in 4.12.5 at least, because that's where I'm having includes.

Your current samba is unmaintained by Samba, so you need to make a bug report at your OS supplier.
Or upgrade the servers/samba to a supported samba version.

(sorry to bring the bad news).
Comment 4 linuxbox 2020-08-11 08:31:57 UTC
Hello,

it is not that include files generally do not work. It is rather the
case that this statement in particular, which is winbindd specific, is
not evaluated.

I have not found any other bug report on this topic. So I assume that
this one exists in the currently supported version and is not specific
to Ubuntu.

Did you really test this option in the current version as I described it?

Kind regards
Klaus