[SOLVED] SAMBA local user auth fails (NTLM used instead)

Post by vieri » 2019/01/15 15:27:42

Hi,

I'm trying to access a CentOS 7 Samba share from a Windows 10 client. I require local user authentication (as in a unix user in the CentOS Samba server).
I do NOT want NTLM or ADS authentication.

This is my config:

$ cat smb.conf
[global]
workgroup = DOMAIN
map to guest = Bad User
log level = 3
ntlm auth = no
lanman auth = no
client lanman auth = no

[Anonymous]
comment = Anonymous File Server Share
path = /samba/anonymous
guest ok = yes
read only = no

[copies]
comment = Secure File Server Share
path = /copies
read only = no
guest ok = no

My Windows 10 client can access the anonymous share, but user authentication fails when trying to access "copies".

$ sudo tail -n 0 -f  /var/log/samba/log.smbd
[2019/01/15 16:17:01.223137,  2] ../source3/smbd/service.c:1120(close_cnum)
  hman1561 (ipv4:10.215.144.48:57884) closed connection to service Anonymous
[2019/01/15 16:17:10.509080,  3] ../source3/smbd/service.c:1120(close_cnum)
  hman1561 (ipv4:10.215.144.48:57884) closed connection to service IPC$
[2019/01/15 16:17:10.509747,  3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2019/01/15 16:17:10.510613,  3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[copy] domain=[DOMAIN] workstation=[HMAN1561] len1=24 len2=24
[2019/01/15 16:17:10.510702,  3] ../source3/param/loadparm.c:3868(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/01/15 16:17:10.510793,  3] ../source3/param/loadparm.c:547(init_globals)
  Initialising global parameters
[2019/01/15 16:17:10.511099,  3] ../source3/param/loadparm.c:2782(lp_do_section)
  Processing section "[global]"
[2019/01/15 16:17:10.511314,  2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[Anonymous]"
[2019/01/15 16:17:10.511426,  2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[copies]"
[2019/01/15 16:17:10.511825,  3] ../source3/param/loadparm.c:1617(lp_add_ipc)
  adding IPC service
[2019/01/15 16:17:10.511923,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[copy]@[HMAN1561] with the new password interface
[2019/01/15 16:17:10.511959,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[copy]@[HMAN1561]
[2019/01/15 16:17:10.512493,  3] ../source3/passdb/lookup_sid.c:1680(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for copy
[2019/01/15 16:17:10.512716,  2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user copy
[2019/01/15 16:17:10.512846,  3] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user copy
[2019/01/15 16:17:10.513429,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [copy] -> [copy] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2019/01/15 16:17:10.513521,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [DOMAIN]\[copy] at [Tue, 15 Jan 2019 16:17:10.513495 CET] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [HMAN1561] remote host [ipv4:10.215.144.48:57884] mapped to [DOMAIN]\[copy]. local host [ipv4:10.215.248.137:445]
[2019/01/15 16:17:10.513646,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
[2019/01/15 16:17:10.514551,  3] ../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Why is Samba trying to authenticate with NTLM?
How can I force it to use local unix accounts? (I already created the unix user + samba user for username "copy", of course)

$ cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)

$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Thanks

[EDIT] I had to set "ntlm auth = yes" in the general section.
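
An added example, not part of the original post: a small parser for the `Auth:` lines smbd writes (the format visible in the log above) that reports which clients are still sending NTLMv1. The sample lines are constructed from that format with documentation IP addresses, and the function names are this example's own.

```python
import re

# Human-readable "Auth:" line written by auth_log.c, as seen in the post's log.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<auth_desc>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<proto>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)

# Constructed sample lines (documentation IPs; the second client is made up).
SAMPLE_LOG = r"""
  Auth: [SMB2,(null)] user [DOMAIN]\[copy] at [Tue, 15 Jan 2019 16:17:10.513495 CET] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [HMAN1561] remote host [ipv4:192.0.2.48:57884] mapped to [DOMAIN]\[copy]. local host [ipv4:192.0.2.137:445]
  Auth: [SMB2,(null)] user [DOMAIN]\[backup] at [Tue, 15 Jan 2019 16:20:02.100000 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [WS-EXAMPLE] remote host [ipv4:192.0.2.50:50112] mapped to [DOMAIN]\[backup]. local host [ipv4:192.0.2.137:445]
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user copy
""".splitlines()


def parse_auth_events(lines):
    """Yield one dict per Auth: line; all other log lines are skipped."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.groupdict()


def client_ip(remote):
    """'ipv4:192.0.2.48:57884' -> '192.0.2.48' (also handles the ipv6: prefix)."""
    return remote.split(":", 1)[1].rsplit(":", 1)[0]


def ntlmv1_clients(lines):
    """Count NTLMv1 attempts per (workstation, client IP), whatever the status."""
    counts = {}
    for ev in parse_auth_events(lines):
        if ev["proto"] == "NTLMv1":
            key = (ev["workstation"], client_ip(ev["remote"]))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (ws, ip), n in sorted(ntlmv1_clients(SAMPLE_LOG).items()):
        print(f"{ws} ({ip}): {n} NTLMv1 attempt(s)")
```

Clients reported here are the ones rejected with "NTLMv1 passwords NOT PERMITTED" while `ntlm auth = no` is set.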
