On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
Hi guys.
I have an old - set up ~2 yrs ago - IPA domain which "survived"
updates/upgrades till this day in such a way that integrated Samba
serves up under different hostname/domain and serves non-enrolled
clients (Win 10) too.
With new deployment, 4.9.6, just adding things to just DNS - which
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS, Samba does respond, clients connect and
get a password prompt, but Samba says: NT_STATUS_WRONG_PASSWORD
That - NT_STATUS_WRONG_PASSWORD - seems not to be an issue of my env but
rather it is that non-enrolled clients, Linux & Windows, will fail even
if trying a "legitimate" master's Samba.
Is that the default behavior in current version - as I mentioned my
"old" with up-dates/grades IPA allows non-enrolled - and if so can it be
managed into allowing non-enrolled clients?
Log snippet off a master's Samba when non-enrolled Linux connects:
...
[2022/01/17 11:14:09.090933, 2, pid=35744]
ipa_sam.c:3645(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720, 1, pid=35744]
../../source3/auth/check_samsec.c:454(check_sam_security)
Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758, 2, pid=35744]
../../source3/auth/auth.c:348(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [me254] -> [me254]
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/17 11:14:09.099793, 2, pid=35744]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022
11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD]
workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to
[CCN]\[me254]. local host [ipv4:10.0.0.16:445]
{"timestamp": "2022-01-17T11:14:09.099858+0000", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status":
"NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445",
"remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2",
"authDescription": null, "clientDomain": "CCN", "clientAccount":
"me254", "workstation": "DRUNK", "becameAccount": null, "becameDomain":
null, "becameSid": null, "mappedAccount": "me254", "mappedDomain":
"CCN", "netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration":
12172}}