[FreeNAS 11.3-U4.1] Can't authenticate to share if not in domain

_bolek_

Cadet
Joined
Aug 29, 2016
Messages
7
Hello,

After upgrading FreeNAS to 11.3-U4.1 I have a very strange issue.
Every Windows 10 Pro computer that is connected to AD, or any server with Linux, can access the share or map it.
Any other station that is not part of AD or doesn't have Linux gets the same result when it tries to open the share or map it: "Access Deny", and it is asked for credentials over and over again.
What is stranger, AD shows that FreeNAS logged in successfully and got credentials, but on FreeNAS I have this:

Code:
/Event View/Windows Logs/Security

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
  <EventID>4768</EventID>
  <Version>0</Version>
  <Level>0</Level>
  <Task>14339</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8020000000000000</Keywords>
  <TimeCreated SystemTime="2020-08-20T11:12:24.500381200Z" />
  <EventRecordID>181853</EventRecordID>
  <Correlation />
  <Execution ProcessID="720" ThreadID="1908" />
  <Channel>Security</Channel>
  <Computer>dcs.domain.local</Computer>
  <Security />
  </System>
 <EventData>
  <Data Name="TargetUserName">FREENAS01$</Data>
  <Data Name="TargetDomainName">DOMAIN.local</Data>
  <Data Name="TargetSid">xxx</Data>
  <Data Name="ServiceName">krbtgt</Data>
  <Data Name="ServiceSid">xxx</Data>
  <Data Name="TicketOptions">0x40010000</Data>
  <Data Name="Status">0x0</Data>
  <Data Name="TicketEncryptionType">0x12</Data>
  <Data Name="PreAuthType">2</Data>
  <Data Name="IpAddress">xxx.xxx.xxx.xxx</Data>
  <Data Name="IpPort">11831</Data>
  <Data Name="CertIssuerName" />
  <Data Name="CertSerialNumber" />
  <Data Name="CertThumbprint" />
  </EventData>
  </Event>


Code:
/var/log/log.smbd

[2020/08/20 12:48:46.350835,  1] ../../source3/auth/auth.c:128(check_domain_match)
  check_domain_match: Attempt to connect as user USER from domain USER-KOMPUTER denied.
[2020/08/20 12:48:56.913070,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)


Code:
/var/log/log.wb-DOMAIN

[2020/08/20 12:48:57.000638,  1] ../../source3/winbindd/winbindd_pam.c:1642(winbind_samlogon_retry_loop)
  winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.  Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain DOMAIN


I searched everywhere and couldn't find any solution :/
 

_bolek_

@anodos I tried two different options as login:
- DOMAIN\USER
- User@DOMAIN.local

Both fail :/
FreeNAS has a healthy connection to AD (the GUI shows the same - communication between FreeNAS and AD is OK).
wbinfo and net ads show everything is OK.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
Oh. Misunderstood what you were trying to accomplish. It looks like NTLMv2 auth through domain is failing. Kerberos auth isn't an option for non domain-joined clients.
 

_bolek_

You may have a point, because I have a problem with one of the DCs :/
OK, I need to check this (but weird, I don't have any errors about NTLMv2 :| )
 

_bolek_

OK, I checked, and only when I try to log in to the FreeNAS share do I get this message, so I think something is wrong with SMB on FreeNAS. After restarting the machine everything goes back to working, and it stops working after 7-10 days :/
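
A triage helper for the log.smbd and log.wb-DOMAIN excerpts quoted in this thread, as an added example that is not part of any post: it parses Samba's two-line log entries and reports whether a check_domain_match denial is followed by a winbind sam_logon ACCESS_DENIED. The function names parse_entries and correlate and the 30-second window are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

# Samba entry header: [timestamp, level] source_file:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
DENIED = re.compile(r"Attempt to connect as user (?P<user>\S+) from domain (?P<domain>\S+) denied")

# Constructed input: the smbd and winbind lines quoted in the thread, merged into one stream.
SAMPLE = """\
[2020/08/20 12:48:46.350835,  1] ../../source3/auth/auth.c:128(check_domain_match)
  check_domain_match: Attempt to connect as user USER from domain USER-KOMPUTER denied.
[2020/08/20 12:48:56.913070,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/08/20 12:48:57.000638,  1] ../../source3/winbindd/winbindd_pam.c:1642(winbind_samlogon_retry_loop)
  winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.  Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain DOMAIN
"""

def parse_entries(text):
    """Return one dict per entry; indented lines are the message of the preceding header."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                       "level": int(m["level"]), "func": m["func"], "msg": ""}
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries

def correlate(entries, window=timedelta(seconds=30)):
    """Pair each check_domain_match denial with a sam_logon ACCESS_DENIED inside the window."""
    findings = []
    for e in entries:
        d = DENIED.search(e["msg"]) if e["func"] == "check_domain_match" else None
        if not d:
            continue
        dc_reject = any(
            o["func"] == "winbind_samlogon_retry_loop" and "ACCESS_DENIED" in o["msg"]
            and timedelta(0) <= o["ts"] - e["ts"] <= window
            for o in entries)
        findings.append({"user": d["user"], "client_domain": d["domain"],
                         "time": e["ts"], "dc_rejected_samlogon": dc_reject})
    return findings
```

Running correlate(parse_entries(...)) over a concatenation of the real log files, sorted by timestamp, shows for each denied logon which domain name the client presented and whether the DC refused the pass-through logon at about the same time.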
 