Bug 9368 - check_ntlm_password: "sam_ignoredomain" option does not work anymore
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
Version: 3.6.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2012-11-07 18:26 UTC by Martin B
Modified: 2018-05-07 12:08 UTC

Description Martin B 2012-11-07 18:26:04 UTC
While a Samba Server 3.0.37 respects failover to a user not known in the domain but in the smbpasswd file, the same does not work in 3.6.x. It seems that Samba 3.6 does not recognise "sam_ignoredomain" anymore, which is not documented in the release notes. This failover feature is highly wanted.

smb.conf (3.0.37):
   auth methods = sam_ignoredomain ntdomain

smb.conf (3.6.3):
   passdb backend = smbpasswd
   auth methods = sam_ignoredomain ntdomain

Listening with "smbd -i -d3" reveals:

Samba 3.0:
check_ntlm_password:  Checking password for unmapped user []\[xxx]@[YYY] with the new password interface
check_ntlm_password:  mapped user is: [DDD]\[xxx]@[YYY]
check_ntlm_password: sam_ignoredomain authentication for user [xxx] succeeded
...

Samba 3.6:
check_ntlm_password:  Checking password for unmapped user [DDD]\[xxx]@[YYY] with the new password interface
check_ntlm_password:  mapped user is: [DDD]\[xxx]@[YYY]
Forcing Primary Group to 'Domain Users' for service
ntlm_password_check: NTLMv2 password check failed
ntlm_password_check: Lanman passwords NOT PERMITTED for user service
ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user service
get_dc_list: preferred server list: "SSS, *"
resolve_lmhosts: Attempting lmhosts lookup for name SSS<0x20>
...
domain_client_validate: unable to validate password for user xxx in domain DDD to Domain controller SSS. Error was NT_STATUS_NO_SUCH_USER.
check_ntlm_password:  Authentication for user [xxx] -> [xxx] FAILED with error NT_STATUS_NO_SUCH_USER
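
The two traces above differ in which auth method decided the outcome. As an added example (not part of the original report and not Samba code), this Python sketch groups "smbd -d3" lines of that format into one record per authentication attempt and lists users rejected with NT_STATUS_NO_SUCH_USER. The function names and the sample log are constructed for illustration.

```python
import re

# Patterns follow the "smbd -i -d3" lines quoted in the report above.
USER = r"\[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
UNMAPPED = re.compile(r"check_ntlm_password:\s+Checking password for unmapped user " + USER)
MAPPED = re.compile(r"check_ntlm_password:\s+mapped user is: " + USER)
SUCCESS = re.compile(r"check_ntlm_password:\s+(?P<method>\S+) authentication for user "
                     r"\[(?P<user>[^\]]*)\] succeeded")
FAILED = re.compile(r"check_ntlm_password:\s+Authentication for user \[(?P<user>[^\]]*)\]"
                    r" -> \[[^\]]*\] FAILED with error (?P<status>NT_STATUS_\w+)")


def parse_auth_attempts(lines):
    """Group smbd debug lines into one record per check_ntlm_password attempt."""
    attempts, cur = [], None
    for line in lines:
        if m := UNMAPPED.search(line):
            if cur:                      # earlier attempt never logged a result
                attempts.append(cur)
            cur = {"user": m["user"], "client_domain": m["dom"],
                   "mapped_domain": None, "method": None, "status": None}
        elif cur is None:
            continue                     # lines before the first attempt
        elif m := MAPPED.search(line):
            cur["mapped_domain"] = m["dom"]
        elif m := SUCCESS.search(line):
            cur.update(method=m["method"], status="succeeded")
            attempts.append(cur)
            cur = None
        elif m := FAILED.search(line):
            cur["status"] = m["status"]
            attempts.append(cur)
            cur = None
    if cur:
        attempts.append(cur)
    return attempts


def unknown_to_domain(attempts):
    """Users rejected with NT_STATUS_NO_SUCH_USER, the failure shown for Samba 3.6."""
    return sorted({a["user"] for a in attempts if a["status"] == "NT_STATUS_NO_SUCH_USER"})


# Constructed sample in the same format; names are placeholders, not from the report.
SAMPLE = r"""check_ntlm_password:  Checking password for unmapped user []\[alice]@[WS01] with the new password interface
check_ntlm_password:  mapped user is: [EXAMPLE]\[alice]@[WS01]
check_ntlm_password: sam_ignoredomain authentication for user [alice] succeeded
check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[bob]@[WS02] with the new password interface
check_ntlm_password:  mapped user is: [EXAMPLE]\[bob]@[WS02]
ntlm_password_check: NTLMv2 password check failed
check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_NO_SUCH_USER
""".splitlines()
```

Run over logs captured before and after an upgrade, the `method` field shows which accounts were being authenticated by a local SAM method rather than by the domain controller.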
Comment 1 Stefan Metzmacher 2018-05-07 12:08:20 UTC
auth methods is gone in recent releases and everything should work as expected automatically...