Bug 2307 - NTLMv2 authentication does not work with Samba server joined as member to a Samba domain
NTLMv2 authentication does not work with Samba server joined as member to a S...
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.10
All Windows XP
: P3 major
: none
Assigned To: Gerald (Jerry) Carter
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-04 10:20 UTC by Jonas Olsson
Modified: 2006-02-03 15:32 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jonas Olsson 2005-02-04 10:20:12 UTC
Our setup:

Two Samba servers: the first one being the PDC. The second one a member of the 
specified domain.

The PDC server uses ldapsam as password backend. The member server has "security 
= domain" set in smb.conf.

When authenticating with the PDC using NTLMv2 authentication no problems are 
reported and users gain access to their shares. However, when authenticating 
with the Samba member server, NT_STATUS_WRONG_PASSWORD is returned.

This only happens when authentication level is set to NTLMv2 on the client 
attempting to log in. This has been verified from the Samba PDC server by 
feeding smbclient an smb.conf with "client ntlmv2 auth" set. While the parameter 
was set to "yes" authentication failed. The same is true when using Windows XP 
with the appropriate settings to connect to the member server.

The logs from the Samba member server follows (names and addresses have been 
changed to protect the innocent):


smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sesssetup.c:
reply_sesssetup_and_X_spnego(566) 
smbd[15374]:   NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[] 
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615) 
smbd[15374]:   Got user=[myuser] domain=[MYDOMAIN.NET] workstation=[SAMBA] 
len1=24 len2=148 
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/namequery_dc.c:rpc_dc_name(145) 
smbd[15374]:   rpc_dc_name: Returning DC SAMBA (10.0.0.186) for domain MYDOMAIN.
NET 
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/cliconnect.c:
cli_start_connection(1388) 
smbd[15374]:   Connecting to host=SAMBA 
smbd[15374]: [2005/02/04 11:16:59, 3] lib/util_sock.c:open_socket_out(752) 
smbd[15374]:   Connecting to 10.0.0.186 at port 445 
smbd[15374]: [2005/02/04 11:16:59, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181) 
smbd[15374]:   lsa_io_sec_qos: length c does not match size 8 
smbd[15374]: [2005/02/04 11:16:59, 3] auth/auth.c:check_ntlm_password(219) 
smbd[15374]:   check_ntlm_password:  Checking password for unmapped user 
[MYDOMAIN.NET]\[myuser]@[SAMBA] with the new password interface 
smbd[15374]: [2005/02/04 11:16:59, 3] auth/auth.c:check_ntlm_password(222) 
smbd[15374]:   check_ntlm_password:  mapped user is: [MYDOMAIN.NET]\[myuser]
@[SAMBA] 
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sec_ctx.c:push_sec_ctx(256) 
smbd[15374]:   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/uid.c:push_conn_ctx(365) 
smbd[15374]:   push_conn_ctx(0) : conn_ctx_stack_ndx = 0 
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sec_ctx.c:set_sec_ctx(288) 
smbd[15374]:   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sec_ctx.c:pop_sec_ctx(386) 
smbd[15374]:   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/namequery_dc.c:rpc_dc_name(145) 
smbd[15374]:   rpc_dc_name: Returning DC SAMBA (10.0.0.186) for domain MYDOMAIN.
NET 
smbd[15374]: [2005/02/04 11:16:59, 3] libsmb/cliconnect.c:
cli_start_connection(1388) 
smbd[15374]:   Connecting to host=SAMBA 
smbd[15374]: [2005/02/04 11:16:59, 3] lib/util_sock.c:open_socket_out(752) 
smbd[15374]:   Connecting to 10.0.0.186 at port 445 
smbd[15374]: [2005/02/04 11:16:59, 0] auth/auth_domain.c:
domain_client_validate(199) 
smbd[15374]:   domain_client_validate: unable to validate password for user 
myuser in domain MYDOMAIN.NET to Domain controller \\SAMBA. Error was 
NT_STATUS_WRONG_PASSWORD. 
smbd[15374]: [2005/02/04 11:16:59, 2] auth/auth.c:check_ntlm_password(312) 
smbd[15374]:   check_ntlm_password:  Authentication for user [myuser] -> 
[myuser] FAILED with error NT_STATUS_WRONG_PASSWORD 
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/process.c:timeout_processing(1336) 
smbd[15374]:   timeout_processing: End of file from client (client has 
disconnected). 
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/sec_ctx.c:set_sec_ctx(288) 
smbd[15374]:   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 
smbd[15374]: [2005/02/04 11:16:59, 2] smbd/server.c:exit_server(571) 
smbd[15374]:   Closing connections 
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/connection.c:yield_connection(69) 
smbd[15374]:   Yielding connection to  
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/connection.c:yield_connection(76) 
smbd[15374]:   yield_connection: tdb_delete for name  failed with error Record 
does not exist. 
smbd[15374]: [2005/02/04 11:16:59, 3] smbd/server.c:exit_server(614) 
smbd[15374]:   Server exit (normal exit)
Comment 1 Gerald (Jerry) Carter 2005-02-09 08:30:40 UTC
did you set 'lanman auth = no' and 'ntlm auth = no' on the domain member ?
Comment 2 Jonas Olsson 2005-02-09 09:29:05 UTC
(In reply to comment #1)
> did you set 'lanman auth = no' and 'ntlm auth = no' on the domain member ?

No, I didn't but I have tried it now with the same results.
Comment 3 Gerald (Jerry) Carter 2005-02-09 09:43:51 UTC
we'll have to try to proeuce this locally.  It might take a 
while to get to this one.  Thanks in advance for being patient.
Comment 4 Jonas Olsson 2005-02-09 10:05:47 UTC
What would a suitable workaround be? We have several Windows XP workstations 
which attempt to connect to the member server in question but since most of them 
are configured to use NTLMv2 as their primary authentication type by default 
they fail to authenticate with the server.

Since we are unable to control this setting on all the clients in question a 
server solution would be preferrable.
Comment 5 Aaron Zirbes 2005-02-10 14:01:26 UTC
Bug is repeatable in our setup using backend = tdbsam or smbpasswd, Samba v3.0.8
- 3.0.11.  I assume it comes from Member server not using NTLMv2 to auth. 
SMB.CONF files available if needed, just ask.
Comment 6 Andrew Bartlett 2005-06-05 15:55:20 UTC
What I need to see is the smb.conf and logs from both the member server and the
DC.  I think we are munging one of the names in such a way that we break the hash.
Comment 7 Gerald (Jerry) Carter 2006-02-03 15:32:46 UTC
no response from reporter and probably fixed in >=3.0.21