Samba4 customization

[lucas1]

Good day.

Installed Samba4 from package. In smb4.conf created share.

Server role: ROLE_STANDALONE.

Add uders pdbedit -a
pdbedit -L shows list added samba users.

Error while trying to connect to share from Windows:

 auth_check_ntlm_password: sam_ignoredomain authentication for user [user@hostname] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

What do you advise?

 

[SirDice]

Make sure you don't have any old attempts cached on Windows. Look at the output from net use in a command prompt. You can use /DELETE to remove those.

 

[msplsh]

Get the log from samba instead.

 

[lucas1]

old attempts cached not.

now so in log:

[2021/01/25 17:02:32.292516,  3] ../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
  Got user=[lucas] domain=[freebsdtr] workstation=[OIT_1] len1=24 len2=24
[2021/01/25 17:02:32.292660,  5] ../../source3/auth/auth_util.c:124(make_user_info_map)
  Mapping user [freebsdtr]\[lucas] from workstation [OIT_1]
[2021/01/25 17:02:32.292686,  5] ../../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for lucas (lucas)
[2021/01/25 17:02:32.292710,  5] ../../source3/auth/user_info.c:72(make_user_info)
  making strings for lucas's user_info struct
[2021/01/25 17:02:32.292740,  5] ../../source3/auth/user_info.c:117(make_user_info)
  making blobs for lucas's user_info struct
[2021/01/25 17:02:32.292766,  3] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [freebsdtr]\[lucas]@[OIT_1] with the new password interface
[2021/01/25 17:02:32.292793,  3] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [freebsdtr]\[lucas]@[OIT_1]
[2021/01/25 17:02:32.293703,  5] ../../source3/auth/auth.c:263(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [lucas] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/01/25 17:02:32.293740,  2] ../../source3/auth/auth.c:347(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [lucas] -> [lucas] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/01/25 17:02:32.293799,  5] ../../auth/ntlmssp/ntlmssp_server.c:816(ntlmssp_server_auth_done)
  ntlmssp_server_auth_done: Checking NTLMSSP password for freebsdtr\lucas failed: NT_STATUS_WRONG_PASSWORD
[2021/01/25 17:02:32.293835,  5] ../../auth/gensec/gensec.c:543(gensec_update_done)
  gensec_update_done: ntlmssp[0x80bb18e60]: NT_STATUS_WRONG_PASSWORD
[2021/01/25 17:02:32.293862,  3] ../../auth/gensec/spnego.c:1445(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_PASSWORD
[2021/01/25 17:02:32.293889,  5] ../../auth/gensec/gensec.c:543(gensec_update_done)
  gensec_update_done: spnego[0x80bb18a60]: NT_STATUS_WRONG_PASSWORD

 

[SirDice]

login failed: NT_STATUS_WRONG_PASSWORD

Seems fairly obvious why it fails. Make sure you use the password you set with pdbedit(8), not your login password (these can be different).

 

[lucas1]

The fact that the error is obvious - I agree.
And this not login password.
password samba user is very simple.

 

[lucas1]

ntlm auth = yes

 

[msplsh]

ntlm auth = yes

is a deviation from the default. Why allow NTLMv1? Post the smb.conf file if you can.

I have 4.13 running just fine and the only deviations I have are some Mac-specific extensions and it works just fine on W10.

 

[lucas1]

Good day.

How to force a computer with FreeBSD to perform a broadcast WINS request?
which package?

Want join computer with freebsd to domain. Computer with freebsd not resolved by myself.
Without used /etc/hosts.

 

[SirDice]

How to force a computer with FreeBSD to perform a broadcast WINS request?

WINS is a dead protocol. It died along with NT4 and Windows 95/98, don't rely on that awful protocol. Use DNS like every Windows version since 2000 has done.

Want join computer with freebsd to domain. Computer with freebsd not resolved by myself.
Without used /etc/hosts.

DNS is the keyword here. Domain controllers are found by querying DNS for certain SRV records.

Verify that SRV Domain Name System (DNS) records have been created - Windows Server

Describes how to verify Service Location (SRV) locator resource records for a domain controller after you install the Active Directory directory service.

docs.microsoft.com

 

[lucas1]

I guess I didn't fully describe the situation.
Here is the error text when join domain:
No DNS domain configured for freebsdtr. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

1. nslookup mydomain.com resolved in ip addresses domain controllers from computer with NetBIOS name freebsdtr.
Record on DNS server in zone mydomain.com for computer name freebsdtr not.
How to auto-register and dynamically update a record for freebsdtr on DNS server?

2. Computer freedsdtr visible in networked environment on Windows computers.
But ping freebsdtr on him - "cannot resolve freebsdtr: Host name lookup failure"
How to force a computer with FreeBSD to perform a broadcast NetBIOS request?

 

[lucas1]

Added IP addresss and FQDN to /etc/hosts file.
Joined to domain.

How to add Domain Admins to BUILTIN\administrators Samba?

 

[lucas1]

How to add Domain Admins to BUILTIN\administrators Samba - it is no longer necessary.

 

[lucas1]

Good day.

There is such an error in samba4 logs from workstations when accessing a shared resource :

2021/03/03 11:46:46.795529, 3] ../../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
get_user_from_kerberos_info: Username Domain\user_n is invalid on this system

Moreover, this error occurs only for domain users whose names contain symbol _ underline.

There is no need to write about the fact that such names should not be used.

Is there some kind of solution for smb4.conf or kerberos.conf?

 

[lucas1]

smb4.conf:

winbind normalize names = no

or not use this parameter.

Something like this.