New LDAP user can't connect to [homes], but older one can?
1 vote · 0 answers · 212 views
My system:

```
# cat /etc/*release*
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
# smbd -V
Version 4.13.13-Debian
```
My problem: I have a number of users that are defined in openldap (OpenLDAP 2.4.57+dfsg-3+deb11u1) on a server `vogon`, and a samba server on another system, `knox`. When I connect to samba with an existing user `jan`, it works fine:

```
# smbclient //knox/homes -U jan -W ZOMBIE
Enter ZOMBIE\jan's password:
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\knox\homes\
smb: \>
```

However, when I create a new user, `zzuser`, in LDAP, I get:

```
# smbclient //knox/homes -U zzuser -W ZOMBIE
Enter ZOMBIE\zzuser's password:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
```
and in `/var/log/samba/log.192.168.50.109`:

```
...
[2023/04/11 10:06:56.594913, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2023/04/11 10:06:56.594949, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
  smbldap_search_ext: base => [dc=comind,dc=io], filter => [(&(uid=zzuser)(objectclass=sambaSamAccount))], scope =>
[2023/04/11 10:06:56.595600, 4, pid=1089697, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1563(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [zzuser] count=0
[2023/04/11 10:06:56.595645, 4, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2023/04/11 10:06:56.595656, 3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:398(check_sam_security)
  check_sam_security: Couldn't find user 'zzuser' in passdb.
[2023/04/11 10:06:56.595665, 5, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:258(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595676, 2, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [zzuser] -> [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595704, 2, pid=1089697, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [ZOMBIE]\[zzuser] at [Tue, 11 Apr 2023 10:06:56.595692 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [JAN] remote host [ipv4:192.168.50.106:60046] mapped to [ZOMBIE]\[zzuser]. local host [ipv4:192.168.50.7:445]
{"timestamp": "2023-04-11T10:06:56.595778+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.50.7:445", "remoteAddress": "ipv4:192.168.50.106:60046", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ZOMBIE", "clientAccount": "zzuser", "workstation": "JAN", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zzuser", "mappedDomain": "ZOMBIE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5241}}
[2023/04/11 10:06:56.595822, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send)
  auth3_check_password_send: Checking NTLMSSP password for ZOMBIE\zzuser failed: NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595832, 3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:2295(do_map_to_guest_server_info)
  No such user zzuser [ZOMBIE] - using guest account
...
```
This contrasts with the fact that `zzuser` is well known by the system:

```
# id zzuser
uid=1104(zzuser) gid=100(users) groups=100(users)
# echo ~zzuser
/knox/home/zzuser
# su - zzuser
zzuser@knox:~$ passwd
Current Password:
New password:
Retype new password:
passwd: password updated successfully
```
On the other hand:

```
zzuser@knox:~$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Bad SMB2 signature for message
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
  58 95 CD A8 66 08 74 38 19 A3 59 52 1E BE 15 28 X...f.t8 ..YR...(
Could not connect to machine 127.0.0.1: NT_STATUS_ACCESS_DENIED
```
And as root:

```
# smbpasswd zzuser
New SMB password:
Retype new SMB password:
Failed to find entry for user zzuser.
```
So what is going on here? I seem to recall that I added user `jan` to samba in the past, and that may be the difference, but if samba requires that in order to function, then the whole point of using LDAP vanishes.
Asked by j4nd3r53n
(779 rep)
Apr 11, 2023, 10:58 AM
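The log excerpt in the question carries two facts worth pulling out automatically when triaging this kind of failure: the `smbldap_search_ext` line shows the exact LDAP filter ldapsam uses to look a user up (`(&(uid=...)(objectclass=sambaSamAccount))`, so a POSIX-only entry never matches), and the final `do_map_to_guest_server_info` line shows smbd downgrading the failed logon to the guest account rather than rejecting it outright. The following script, an added example that is not part of the question or of Samba, parses those debug lines together with the JSON auth-audit event and reports, per account, whether the passdb lookup missed, which objectclass the filter demanded, and whether the logon was mapped to guest. The sample input is constructed from the lines above; the regexes match the message formats shown there and are not a complete grammar of smbd's log.

```python
"""Triage Samba logon failures from smbd debug lines and JSON auth-audit events."""
import json
import re
from collections import defaultdict

# Constructed sample: the relevant lines copied from the smbd log excerpt in the
# question (level 4/5 debug lines plus the JSON "Authentication" audit event).
SAMPLE_LOG = r"""[2023/04/11 10:06:56.594949, 5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
  smbldap_search_ext: base => [dc=comind,dc=io], filter => [(&(uid=zzuser)(objectclass=sambaSamAccount))], scope =>
[2023/04/11 10:06:56.595600, 4, pid=1089697, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1563(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [zzuser] count=0
{"timestamp": "2023-04-11T10:06:56.595778+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.50.7:445", "remoteAddress": "ipv4:192.168.50.106:60046", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ZOMBIE", "clientAccount": "zzuser", "workstation": "JAN", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zzuser", "mappedDomain": "ZOMBIE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5241}}
[2023/04/11 10:06:56.595832, 3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:2295(do_map_to_guest_server_info)
  No such user zzuser [ZOMBIE] - using guest account
"""

# Message formats as they appear in the excerpt above.
FILTER_RE = re.compile(r"filter => \[\(&\(uid=([^)]+)\)\(objectclass=([^)]+)\)\)\]")
MISS_RE = re.compile(r"ldapsam_getsampwnam: Unable to locate user \[([^\]]+)\] count=(\d+)")
GUEST_RE = re.compile(r"No such user (\S+) \[[^\]]+\] - using guest account")


def _new_record():
    return {
        "passdb_filter": None,   # objectclass the LDAP lookup required
        "passdb_found": None,    # True/False once a getsampwnam result is seen
        "auth_status": None,     # NT_STATUS_* from the JSON audit event
        "remote": None,          # client address from the JSON audit event
        "mapped_to_guest": False,
    }


def analyze(log_text):
    """Return {account: record} built from passdb lookups, audit events and guest mapping."""
    users = defaultdict(_new_record)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("{"):
            # JSON auth-audit event: one object per logon attempt.
            try:
                event = json.loads(line)
            except json.JSONDecodeError:
                continue
            auth = event.get("Authentication")
            if event.get("type") != "Authentication" or not auth:
                continue
            rec = users[auth["clientAccount"]]
            rec["auth_status"] = auth.get("status")
            rec["remote"] = auth.get("remoteAddress")
            continue
        m = FILTER_RE.search(line)
        if m:
            users[m.group(1)]["passdb_filter"] = m.group(2)
            continue
        m = MISS_RE.search(line)
        if m:
            users[m.group(1)]["passdb_found"] = int(m.group(2)) > 0
            continue
        m = GUEST_RE.search(line)
        if m:
            users[m.group(1)]["mapped_to_guest"] = True
    return dict(users)


def findings(users):
    """Human-readable findings: passdb misses and silent guest fallbacks."""
    out = []
    for name, rec in sorted(users.items()):
        if rec["passdb_found"] is False:
            oc = rec["passdb_filter"] or "the passdb objectclass"
            out.append(f"{name}: no passdb entry (LDAP lookup requires objectclass {oc})")
        if rec["mapped_to_guest"]:
            out.append(f"{name}: failed logon from {rec['remote']} was mapped to the guest account")
    return out


if __name__ == "__main__":
    for item in findings(analyze(SAMPLE_LOG)):
        print(item)
```

Run against the excerpt, the script reports that `zzuser` has no passdb entry matching `objectclass=sambaSamAccount` and that the failed logon from `192.168.50.106` fell through to guest. The second finding is the one a defender should alert on independently of the first: a share that admits guest will serve an unknown account without any password check, so guest-mapped logons in the JSON audit stream deserve their own detection rule.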