Univention Bugzilla – Bug 52277
local smbclient logon on a "univention-samba-slave-pdc" without domain part in username no longer possible if kerberos ticket exists
Last modified: 2020-10-29 23:51:52 CET
master
slave (with the univention-samba-slave-pdc package)

UCS: 4.4-6 errata776
Installed: samba-memberserver=4.7
samba: 2:4.10.18-1A~4.4.0.202010271

All the following commands on the slave.

-> smbclient -U 'Administrator'%univention //slave098/Administrator
Try "help" to get a list of possible commands.
smb: \>

but

-> kinit --password-file=/etc/machine.secret $(hostname)'$'
-> smbclient -U 'Administrator'%univention //slave098/Administrator
tree connect failed: NT_STATUS_ACCESS_DENIED

Without the domain part in the username (or -W) smbclient no longer works.

-> smbclient -U 'AUTOTEST098\Administrator'%univention //slave098/Administrator
Try "help" to get a list of possible commands.
smb: \>

But only as long as there is a kerberos ticket.

-> kdestroy
-> smbclient -U 'Administrator'%univention //slave098/Administrator
Try "help" to get a list of possible commands.
smb: \>

With samba version 2:4.10.1-1A~4.4.0.2020100715 we did not have this "problem". But it seems to be a minor issue as smbclient still works with domain part in the username.
In case of

-> -> smbclient -U 'Administrator'%univention //slave098/Administrator
tree connect failed: NT_STATUS_ACCESS_DENIED

smbd looks like this

  Mapping user []\[Administrator@AUTOTEST098.LOCAL] from workstation [SLAVE098]
[2020/10/26 22:47:10.910436, 5] ../../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for Administrator@AUTOTEST098.LOCAL (Administrator@AUTOTEST098.LOCAL)
[2020/10/26 22:47:10.910452, 5] ../../source3/auth/user_info.c:72(make_user_info)
  making strings for Administrator@AUTOTEST098.LOCAL's user_info struct
[2020/10/26 22:47:10.910468, 5] ../../source3/auth/user_info.c:117(make_user_info)
  making blobs for Administrator@AUTOTEST098.LOCAL's user_info struct
[2020/10/26 22:47:10.910483, 3] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[Administrator@AUTOTEST098.LOCAL]@[SLAVE098] with the new password interface
[2020/10/26 22:47:10.910500, 3] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: []\[Administrator@AUTOTEST098.LOCAL]@[SLAVE098]
[2020/10/26 22:47:10.910515, 5] ../../lib/util/util.c:511(dump_data)
  [0000] 2C 81 0E 55 BA D2 8D 3D ,..U...=
[2020/10/26 22:47:10.910555, 4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2020/10/26 22:47:10.910572, 4] ../../source3/smbd/uid.c:576(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2020/10/26 22:47:10.910588, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2020/10/26 22:47:10.910602, 5] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/10/26 22:47:10.910617, 5] ../../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/10/26 22:47:10.910672, 5] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
  smbldap_search_ext: base => [dc=autotest098,dc=local], filter => [(&(uid=Administrator@AUTOTEST098.LOCAL)(objectclass=sambaSamAccount))], scope => [2]
[2020/10/26 22:47:10.912671, 4] ../../source3/passdb/pdb_ldap.c:1549(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [Administrator@AUTOTEST098.LOCAL] count=0

normally the mapping goes like this

  Mapping user [AUTOTEST098]\[Administrator] from workstation [SLAVE098]
[2020/10/26 22:59:01.276610, 5] ../../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for Administrator (Administrator)
[2020/10/26 22:59:01.276620, 5] ../../source3/auth/user_info.c:72(make_user_info)
  making strings for Administrator's user_info struct
[2020/10/26 22:59:01.276632, 5] ../../source3/auth/user_info.c:117(make_user_info)
  making blobs for Administrator's user_info struct
[2020/10/26 22:59:01.276647, 3] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [AUTOTEST098]\[Administrator]@[SLAVE098] with the new password interface
[2020/10/26 22:59:01.276658, 3] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [AUTOTEST098]\[Administrator]@[SLAVE098]
[2020/10/26 22:59:01.276668, 5] ../../lib/util/util.c:511(dump_data)
  [0000] B0 32 C2 4C 81 91 FE 42 .2.L...B
[2020/10/26 22:59:01.276692, 4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2020/10/26 22:59:01.276704, 4] ../../source3/smbd/uid.c:576(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2020/10/26 22:59:01.276714, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2020/10/26 22:59:01.276781, 5] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/10/26 22:59:01.276794, 5] ../../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/10/26 22:59:01.276842, 5] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
  smbldap_search_ext: base => [dc=autotest098,dc=local], filter => [(&(uid=Administrator)(objectclass=sambaSamAccount))], scope => [2]
[2020/10/26 22:59:01.277423, 2] ../../source3/passdb/pdb_ldap.c:530(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: Administrator
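
Added example, not part of the bug report or of Samba: a small triage script that pairs each check_ntlm_password attempt in an smbd log with the LDAP uid that was searched and the lookup result, and flags the failing pattern shown above (empty domain with a principal-style user name). It assumes smbd logs at debug level 5 as in the quoted output; the function name triage and the sample text are constructed for illustration.

```python
import re

# Constructed sample: message lines in the shape of the smbd log quoted above.
SAMPLE_LOG = r"""
  check_ntlm_password: Checking password for unmapped user []\[Administrator@AUTOTEST098.LOCAL]@[SLAVE098] with the new password interface
  smbldap_search_ext: base => [dc=autotest098,dc=local], filter => [(&(uid=Administrator@AUTOTEST098.LOCAL)(objectclass=sambaSamAccount))], scope => [2]
  ldapsam_getsampwnam: Unable to locate user [Administrator@AUTOTEST098.LOCAL] count=0
  check_ntlm_password: Checking password for unmapped user [AUTOTEST098]\[Administrator]@[SLAVE098] with the new password interface
  smbldap_search_ext: base => [dc=autotest098,dc=local], filter => [(&(uid=Administrator)(objectclass=sambaSamAccount))], scope => [2]
  init_sam_from_ldap: Entry found for user: Administrator
"""

ATTEMPT = re.compile(
    r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
FILTER = re.compile(
    r"filter => \[\(&\(uid=([^)]*)\)\(objectclass=sambaSamAccount\)\)\]")
NOT_FOUND = re.compile(r"ldapsam_getsampwnam: Unable to locate user \[([^\]]*)\]")
FOUND = re.compile(r"init_sam_from_ldap: Entry found for user: (\S+)")


def triage(log_text):
    """Return one record per NTLM attempt with the LDAP uid searched and outcome."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            # A new attempt starts; later filter/result lines belong to it.
            cur = {"domain": m.group(1), "user": m.group(2),
                   "workstation": m.group(3), "ldap_uid": None,
                   "outcome": "unknown"}
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if (m := FILTER.search(line)):
            cur["ldap_uid"] = m.group(1)
        elif NOT_FOUND.search(line):
            cur["outcome"] = "not_found"
        elif FOUND.search(line):
            cur["outcome"] = "found"
    for a in attempts:
        # Pattern from the report: no domain, user sent as name@REALM.
        a["upn_with_empty_domain"] = a["domain"] == "" and "@" in a["user"]
    return attempts


if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        print(record)
```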