Issue authenticating user to SMB shares on Windows (but ok on Mac)

Status
Not open for further replies.

coulix

Hello there ~

FreeNAS: FreeBSD SUPERNAS.local.chefclub.tools 11.1-STABLE FreeBSD 11.1-STABLE #0 45cac2c77(freenas/11-stable)
Samba: Version 4.7.3

I am a bit lost having 0 expertise in Windows.

I have a samba4 running on another server acting as our domain controller.

On Mac `username/pass` works.
On Windows, I set CHEFCLUB workgroup and tried local.chefclub.tools/{username} but it fails to connect.

When looking at the samba logs I see:

Mac:

check_ntlm_password: authentication for user [greg] -> [greg] -> [CHEFCLUB\greg] succeeded


Windows:

without FQDN (local.chefclub.tools):

check_ntlm_password: Authentication for user [greg] -> [greg] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1


[2018/03/15 15:12:17.718309, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)

Auth: [SMB2,(null)] user [THEO]\[greg] at
[Thu, 15 Mar 2018 15:12:17.718291 CET] with [NTLMv2]
status [NT_STATUS_LOGON_FAILURE] workstation [THEO] remote host
[ipv4:192.168.0.29:50074] mapped to [THEO]\[greg]. local host [ipv4:192.168.0.106:445]

THEO is the Windows computer name.


With: -> Nothing and Windows tells me that I don't have the necessary authorizations to use this network resource.


My FreeNAS smb.conf

Code:
[global]
	interfaces = 127.0.0.1 192.168.0.106
	bind interfaces only = yes
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 941105
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = yes
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = member server
	workgroup = CHEFCLUB
	realm = LOCAL.CHEFCLUB.TOOLS
	security = ADS
	client use spnego = yes
	local master = no
	domain master = no
	preferred master = no
	ads dns update = no
	winbind cache time = 7200
	winbind offline logon = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind nested groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes
	winbind nss info = rfc2307
	idmap config CHEFCLUB: backend = rid
	idmap config CHEFCLUB: range = 20000-90000000
	allow trusted domains = no
	client ldap sasl wrapping = plain
	template shell = /bin/sh
	template homedir = /mnt/chocolat/homedir/%D/%U
	netbios name = SUPERNAS
	netbios aliases = SUPERNAS
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = no
	dos charset = CP437
	unix charset = UTF-8
	log level = 2


[openbar]
	path = "/mnt/brioche/openbar"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	access based share enum = no
	vfs objects = zfs_space zfsacl streams_xattr
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare




Krb5.conf

Code:
[appdefaults]
			pam = {
				forwardable = true
				ticket_lifetime = 86400
				renew_lifetime = 86400
			}

[libdefaults]
			dns_lookup_realm = true
			dns_lookup_kdc = true
			ticket_lifetime = 24h
			clockskew = 300
			forwardable = yes
			default_realm = LOCAL.CHEFCLUB.TOOLS

[domain_realm]
			local.chefclub.tools = LOCAL.CHEFCLUB.TOOLS
			.local.chefclub.tools = LOCAL.CHEFCLUB.TOOLS
			LOCAL.CHEFCLUB.TOOLS = LOCAL.CHEFCLUB.TOOLS
			.LOCAL.CHEFCLUB.TOOLS = LOCAL.CHEFCLUB.TOOLS

[realms]
		LOCAL.CHEFCLUB.TOOLS = {
			kdc = dc1.local.chefclub.tools
			admin_server = dc1.local.chefclub.tools
			kpasswd_server = dc1.local.chefclub.tools
			default_domain = LOCAL.CHEFCLUB.TOOLS
		}

[logging]
			default = SYSLOG:INFO:LOCAL7




Then, domain controller samba

Code:
[global]
		netbios name = DC1
		realm = LOCAL.CHEFCLUB.TOOLS
		server role = active directory domain controller
		server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
		workgroup = CHEFCLUB
		idmap_ldb:use rfc2307 = yes
		ldap server require strong auth = no
		dns forwarder = 8.8.8.8,8.8.4.4

[netlogon]
		path = /var/lib/samba/sysvol/local.chefclub.tools/scripts
		read only = No

[sysvol]
		path = /var/lib/samba/sysvol
		read only = No






and krb5.conf
Code:
[libdefaults]
		default_realm = LOCAL.CHEFCLUB.TOOLS
		dns_lookup_realm = false
		dns_lookup_kdc = true


 

dlavigne

Guest
If you don't get an answer here, create a report at bugs.freenas.org and post the issue number here.
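
For triaging log output like the `Auth:` event in the first post, the following is an added example and not code from the thread or from Samba. It parses the human-readable authentication events and flags failed logons whose domain field equals the workstation name, the pattern visible in the Windows failure above. The triage labels and the second sample event are constructed for illustration.

```python
import re

# First event: the failing Windows logon quoted in the post, wrapped as posted.
# Second event: constructed success in the same format, for comparison.
SAMPLE_LOG = """\
Auth: [SMB2,(null)] user [THEO]\\[greg] at
[Thu, 15 Mar 2018 15:12:17.718291 CET] with [NTLMv2]
status [NT_STATUS_LOGON_FAILURE] workstation [THEO] remote host
[ipv4:192.168.0.29:50074] mapped to [THEO]\\[greg]. local host [ipv4:192.168.0.106:445]
Auth: [SMB2,(null)] user [CHEFCLUB]\\[greg] at [Thu, 15 Mar 2018 15:20:00.000000 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [MACBOOK] remote host [ipv4:192.168.0.30:50100] mapped to [CHEFCLUB]\\[greg]. local host [ipv4:192.168.0.106:445]
"""

AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<mech>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<auth>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)


def parse_auth_events(text):
    """Return one dict per Auth: event; tolerates events wrapped over lines."""
    flat = re.sub(r"\s+", " ", text)
    return [m.groupdict() for m in AUTH_RE.finditer(flat)]


def triage(event, workgroup):
    """Classify an event by the domain the client put in the logon request."""
    if event["status"] == "NT_STATUS_OK":
        return "ok"
    domain = event["domain"].upper()
    if domain == event["workstation"].upper():
        # The client named its own machine as the logon domain.
        return "client-sent-workstation-as-domain"
    if domain != workgroup.upper():
        return "unexpected-domain"
    return "failed-in-expected-domain"


if __name__ == "__main__":
    for ev in parse_auth_events(SAMPLE_LOG):
        who = ev["domain"] + "\\" + ev["account"]
        print(ev["when"], who, ev["auth"], ev["status"], triage(ev, "CHEFCLUB"))
```
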
 