
Issue authenticating user to SMB shares on Windows (but ok on Mac)

Status
Not open for further replies.

coulix

Hello there ~

Freenas: FreeBSD SUPERNAS.local.chefclub.tools 11.1-STABLE FreeBSD 11.1-STABLE #0 45cac2c77(freenas/11-stable)
Samba: Version 4.7.3

I am a bit lost having 0 expertise in Windows.

I have a samba4 running on another server acting as our domain controller.

On Mac `username/pass` works.
On Windows, I set CHEFCLUB workgroup and tried local.chefclub.tools/{username} but it fails to connect.

When looking at the samba logs I see:

Mac:

check_ntlm_password: authentication for user [greg] -> [greg] -> [CHEFCLUB\greg] succeeded


Windows:

without FQDN (local.chefclub.tools):

check_ntlm_password: Authentication for user [greg] -> [greg] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1


[2018/03/15 15:12:17.718309, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)

Auth: [SMB2,(null)] user [THEO]\[greg] at
[Thu, 15 Mar 2018 15:12:17.718291 CET] with [NTLMv2]
status [NT_STATUS_LOGON_FAILURE] workstation [THEO] remote host
[ipv4:192.168.0.29:50074] mapped to [THEO]\[greg]. local host [ipv4:192.168.0.106:445]

THEO is the Windows computer name.


With: -> Nothing and Windows tells me that I don't have the necessary authorizations to use this network resource.


My Freenas smb.conf

Code:
[global]
	interfaces = 127.0.0.1 192.168.0.106
	bind interfaces only = yes
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 941105
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = yes
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = member server
	workgroup = CHEFCLUB
	realm = LOCAL.CHEFCLUB.TOOLS
	security = ADS
	client use spnego = yes
	local master = no
	domain master = no
	preferred master = no
	ads dns update = no
	winbind cache time = 7200
	winbind offline logon = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind nested groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes
	winbind nss info = rfc2307
	idmap config CHEFCLUB: backend = rid
	idmap config CHEFCLUB: range = 20000-90000000
	allow trusted domains = no
	client ldap sasl wrapping = plain
	template shell = /bin/sh
	template homedir = /mnt/chocolat/homedir/%D/%U
	netbios name = SUPERNAS
	netbios aliases = SUPERNAS
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = no
	dos charset = CP437
	unix charset = UTF-8
	log level = 2


[openbar]
	path = "/mnt/brioche/openbar"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	access based share enum = no
	vfs objects = zfs_space zfsacl streams_xattr
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare




Krb5.conf

Code:
[appdefaults]
			pam = {
				forwardable = true
				ticket_lifetime = 86400
				renew_lifetime = 86400
			}

[libdefaults]
			dns_lookup_realm = true
			dns_lookup_kdc = true
			ticket_lifetime = 24h
			clockskew = 300
			forwardable = yes
			default_realm = LOCAL.CHEFCLUB.TOOLS

[domain_realm]
			local.chefclub.tools = LOCAL.CHEFCLUB.TOOLS
			.local.chefclub.tools = LOCAL.CHEFCLUB.TOOLS
			LOCAL.CHEFCLUB.TOOLS = LOCAL.CHEFCLUB.TOOLS
			.LOCAL.CHEFCLUB.TOOLS = LOCAL.CHEFCLUB.TOOLS

[realms]
		LOCAL.CHEFCLUB.TOOLS = {
			kdc = dc1.local.chefclub.tools
			admin_server = dc1.local.chefclub.tools
			kpasswd_server = dc1.local.chefclub.tools
			default_domain = LOCAL.CHEFCLUB.TOOLS
		}

[logging]
			default = SYSLOG:INFO:LOCAL7




Then, domain controller samba

Code:
[global]
		netbios name = DC1
		realm = LOCAL.CHEFCLUB.TOOLS
		server role = active directory domain controller
		server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
		workgroup = CHEFCLUB
		idmap_ldb:use rfc2307 = yes
		ldap server require strong auth = no
		dns forwarder = 8.8.8.8,8.8.4.4

[netlogon]
		path = /var/lib/samba/sysvol/local.chefclub.tools/scripts
		read only = No

[sysvol]
		path = /var/lib/samba/sysvol
		read only = No






and krb5.conf
Code:
[libdefaults]
		default_realm = LOCAL.CHEFCLUB.TOOLS
		dns_lookup_realm = false
		dns_lookup_kdc = true
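
A triage helper for the auth records quoted in the post, added here as an example (not code from the thread or from Samba): it parses the human-readable `Auth:` records and labels each failure by whether the domain the client supplied matches the workgroup/realm or only repeats the workstation name, as in the `[THEO]\[greg]` record. The function names, the labels and the second sample record are constructed for illustration.

```python
import re

# Samba's human-readable auth record (auth_log.c) wraps across several lines
# in the log file, so whitespace is collapsed before matching.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)

def classify(rec, accepted_domains):
    """Label one parsed record by the domain the client supplied (labels are hypothetical)."""
    domain = rec["domain"].upper()
    if rec["status"] == "NT_STATUS_OK":
        return "ok"
    if domain in accepted_domains:
        return "failed-with-expected-domain"   # domain was right, credentials were not
    if domain and domain == rec["workstation"].upper():
        return "failed-domain-is-workstation"  # presented as MACHINE\user
    return "failed-unexpected-domain"

def triage(log_text, accepted_domains):
    """Return (user, supplied domain, remote host, label) for every Auth record."""
    accepted = {d.upper() for d in accepted_domains}
    flat = " ".join(log_text.split())
    return [
        (m["user"], m["domain"], m["remote"], classify(m.groupdict(), accepted))
        for m in AUTH_RE.finditer(flat)
    ]

# First record is the one quoted in the post; the second is constructed.
SAMPLE_LOG = r"""
[2018/03/15 15:12:17.718309, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [THEO]\[greg] at
  [Thu, 15 Mar 2018 15:12:17.718291 CET] with [NTLMv2]
  status [NT_STATUS_LOGON_FAILURE] workstation [THEO] remote host
  [ipv4:192.168.0.29:50074] mapped to [THEO]\[greg]. local host [ipv4:192.168.0.106:445]
[2018/03/15 15:20:00.000000, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [CHEFCLUB]\[greg] at [Thu, 15 Mar 2018 15:20:00.000000 CET]
  with [NTLMv2] status [NT_STATUS_OK] workstation [MACBOOK] remote host
  [ipv4:192.0.2.10:50100] became [CHEFCLUB]\[greg]. local host [ipv4:192.168.0.106:445]
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, {"CHEFCLUB", "LOCAL.CHEFCLUB.TOOLS"}):
        print(row)
```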


 

dlavigne

If you don't get an answer here, create a report at bugs.freenas.org and post the issue number here.
 