#StackBounty: #active-directory #kerberos #samba4 #ubuntu-18.04 Samba4 AD DC setup and working, but won't connect with Windows 7 or…

Bounty: 100

I’ve gotten a Samba 4 AD DC setup running on Ubuntu 18.04 LTS. I used this tutorial to make it work:

https://www.tecmint.com/install-samba4-active-directory-ubuntu/

The problem is I can’t get my Windows 7 or 10 clients to connect to the domain.

Here is my krb5.conf file:

[logging]
default = FILE:/var/log/krb-def.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/lrb-adm.log

[libdefaults]
default_realm = MVPOSERVER.LAN

[realms]
MVPOSERVER.LAN = {
   default_domain = mvposerver.lan
   kdc = adc1.mvposerver.lan:88
}

My hosts file:

127.0.0.1   localhost
192.168.9.50    mvposerver
192.168.9.50    mvposerver.lan adc1 _kerberos._udp _ldap._tcp _ldap._tcp.dc._msdcs
192.168.9.50    adc1.mvposerver.lan
192.168.9.50    _kerberos._udp.mvposerver.lan
192.168.9.50    _ldap._tcp.mvposerver.lan
192.168.9.50    _ldap._tcp.dc._msdcs.mvposerver.lan

My netplan IP config is:

network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp1s0:
      dhcp4: no
      dhcp6: no
      addresses: [192.168.9.50/24]
      gateway4:  192.168.9.250
      nameservers:
              search: [mvposerver.lan]
              addresses: [127.0.0.1, 192.168.9.250]

Samba config:

[screenshot]

Host returns the IP:

# host -t A mvposerver.lan
mvposerver.lan has address 192.168.9.50

Hostname of the server is adc1. klist returns the created Admin, so it’s connecting:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MVPOSERVER.LAN

Valid starting       Expires              Service principal
06/18/2019 15:34:17  06/19/2019 01:34:17  krbtgt/MVPOSERVER.LAN@MVPOSERVER.LAN
    renew until 06/19/2019 15:34:14

And samba-tool works for user listing:

# samba-tool user list
Administrator
krbtgt
Guest

Yet a connecting Windows 7 Pro client gets no ping reply on the hostname, nor will it connect to the controller. If I ping the hostname mvposerver.lan, which does return the IP on the server itself, the client won't resolve it:

[screenshots]

If I ping the Samba NETBIOS name it does return an IP:

[screenshot]

Also, I know Kerberos is working, because in Windows 7 if I make my domain mvposerver instead of mvposerver.lan it does ask me to connect using credentials, but then errors out after:

[screenshots]

I also can’t ping google.com or any other domain name from the Windows client once its DNS points at the DC. I can ping google.com from the DC server in a terminal just fine, and I can also ping 8.8.8.8 from the client; it just won’t resolve domain names.

EDIT

I installed Bind9 and set up DNS records; now the server won’t ping its own hostname, nor does the client. But the client does have internet now.

DNS Setup:

[screenshot]

EDIT2

I have updated my DNS records and got DNS working; now the client has internet and detects the hostnames correctly:

[screenshots]

So now the client finds the DC by hostname just fine, and it even finds the hostname and IP, but it can’t find the DC software running, even though Samba says it’s there.


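An added diagnostic for the setup above (not the poster's code and not Samba's): it reads the hosts file shown in the question and flags the `_kerberos`/`_ldap` entries, because a Windows client locates a DC through DNS SRV lookups that hosts(5) cannot answer, and it then prints the SRV records the DC's DNS zone needs instead. The record list is assumed from the set Samba's AD provisioning normally creates; check it against your own zone.

```python
"""Audit an /etc/hosts file that tries to stand in for AD DNS.

Added example for the question above (not the poster's code, not Samba's).
Windows locates a domain controller with DNS SRV queries such as
_ldap._tcp.dc._msdcs.<domain>; /etc/hosts only answers name-to-address
lookups, so SRV-style names placed there are silently useless to a client.
"""
from collections import namedtuple

# (service, protocol, sub-zone, port): SRV owner names a DC locator queries.
# Sub-zone "" means directly under the domain.  Assumed list (see lead-in).
REQUIRED_SRV = [
    ("_ldap", "_tcp", "", 389),
    ("_ldap", "_tcp", "dc._msdcs", 389),
    ("_ldap", "_tcp", "pdc._msdcs", 389),
    ("_kerberos", "_tcp", "", 88),
    ("_kerberos", "_udp", "", 88),
    ("_kerberos", "_tcp", "dc._msdcs", 88),
    ("_kpasswd", "_tcp", "", 464),
    ("_kpasswd", "_udp", "", 464),
    ("_gc", "_tcp", "", 3268),
]

HostsEntry = namedtuple("HostsEntry", "lineno ip names")


def parse_hosts(text):
    """Parse hosts-file text into (lineno, ip, [names]) entries, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append(HostsEntry(lineno, ip, names))
    return entries


def is_srv_style(name):
    """True if any DNS label starts with '_' (an SRV-style owner name)."""
    return any(label.startswith("_") for label in name.split("."))


def bogus_srv_names(entries):
    """Hosts names that look like SRV owners; hosts(5) cannot serve SRV records."""
    return [(e.lineno, n) for e in entries for n in e.names if is_srv_style(n)]


def dc_fqdns(entries, domain):
    """Fully qualified, non-SRV names under the domain: the DC's real A records."""
    suffix = "." + domain
    return sorted({n for e in entries for n in e.names
                   if n.endswith(suffix) and not is_srv_style(n)})


def required_srv_records(domain, dc_fqdn, ttl=600):
    """Zone-file SRV lines pointing every required service at the DC."""
    lines = []
    for svc, proto, sub, port in REQUIRED_SRV:
        owner = ".".join(p for p in (svc, proto, sub, domain) if p)
        lines.append(f"{owner}. {ttl} IN SRV 0 100 {port} {dc_fqdn}.")
    return lines


# Sample input: the hosts file from the question (copied from the post).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.168.9.50    mvposerver
192.168.9.50    mvposerver.lan adc1 _kerberos._udp _ldap._tcp _ldap._tcp.dc._msdcs
192.168.9.50    adc1.mvposerver.lan
192.168.9.50    _kerberos._udp.mvposerver.lan
192.168.9.50    _ldap._tcp.mvposerver.lan
192.168.9.50    _ldap._tcp.dc._msdcs.mvposerver.lan
"""

if __name__ == "__main__":
    domain = "mvposerver.lan"
    entries = parse_hosts(SAMPLE_HOSTS)
    for lineno, name in bogus_srv_names(entries):
        print(f"hosts line {lineno}: '{name}' looks like an SRV owner; "
              "a client never asks /etc/hosts for it")
    dc = dc_fqdns(entries, domain)[0]          # 'adc1.mvposerver.lan'
    print(f"\nRecords the DNS zone for {domain} needs:")
    for rec in required_srv_records(domain, dc):
        print("  " + rec)
```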
#StackBounty: #windows #google-chrome #windows-registry #active-directory #group-policy enable Google Chrome policies otherwise only av…

Bounty: 50

There are a number of settings for Google Chrome which are applied as “policies”. Under the hood, these are registry entries, typically located at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. These policies are nominally designed to be enabled by Group Policy in an Active Directory environment (using ADM or ADMX files). Many of them work whether the computer is joined to a domain or not; presumably Chrome is just reading the registry value.

However, some policies only work when the computer is joined to Active Directory or on “Windows 10 Pro or Enterprise instances that enrolled for device management” (see link). Since the policy configuration values are ultimately just registry entries, Chrome must be going out of its way to check whether the computer is in Active Directory.

What I want to know is: is there a way to deceive Chrome about the computer’s Active Directory membership, or some way to otherwise convince Chrome to honor these policies regardless?



#StackBounty: #active-directory #amazon-web-services #aws-directory-service Is it possible to choose which objects get synchronized in …

Bounty: 50

In Azure AD Connect Sync, it is possible to configure filtering. This is described as:

By using filtering, you can control which objects appear in Azure Active Directory (Azure AD) from your on-premises directory. The default configuration takes all objects in all domains in the configured forests.

I need this similar functionality in AWS Managed AD synchronized to an on-premises directory. Is it possible? If so, how?



#StackBounty: #mount #samba #cifs #active-directory #sssd Linux clients can't login on samba share while windows and mac can (activ…

Bounty: 50

Setup

server

  • CentOS 7.6
  • Samba 4.8
  • Winbind
  • SSSD
  • Kerberos

This machine is attached to the company Active Directory as a member server, not a domain controller (I followed the Red Hat documentation to join the machine to the domain and configure smb).

I also added this:

net ads keytab add cifs

net ads testjoin and status give me positive results

  • Windows clients can connect using DOMAIN\username and password credentials
  • Mac OSX clients can connect using username@full.domain.name and password credentials (other options, like DOMAIN\username, are not accepted)
  • Linux clients can’t connect using mount.cifs; I tried these options:
    • username=username,domain=DOMAIN
    • username=username,domain=FULL.DOMAIN.TLD (caps or not)
    • username=DOMAIN\username
    • username=FULL.DOMAIN.TLD\username
    • username=username@DOMAIN
    • …etc.

The clients used for these tests are

  • Windows 10
  • CentOS 7
  • Debian 9
  • Ubuntu 18
  • OSX Mojave

Some clients are part of the Active Directory and some are not. The result is the same either way: only Windows and OSX can mount the share.

I also played with sec= and vers= using more or less all the possibilities, and with file_mode and dir_mode set to 777 or 644/755, without success either. I also tried a credentials file and a line in fstab.

I always receive: mount error(13): Permission denied

The funky point is, I can mount the share using a local account set on the server with smbpasswd… but obviously this is not what I want.

The other funky point: I can connect to the server from Thunar under XFCE using smb://user@… and this also works with smbclient.

Here are my conf files

smb.conf

[global]
 workgroup = DOMAIN
 security = ads
 client signing = yes
 client use spnego = yes
 realm = DOMAIN.DOM.CH
 server role = MEMBER SERVER
 passdb backend = tdbsam
 kerberos method = secrets and keytab
 idmap config * : range = 10000-99999999
 idmap config * : backend = tdb
 wins server = xx.xx.xx.xx
 winbind use default domain = yes

 load printers = no
 disable spoolss = yes
 show add printer wizard = No

 local master = No
 dns proxy = No
 logging = file
 log file = /var/log/samba/smb-%I.log
 log level = 4
 max log size = 10000
 follow symlinks = yes

 min protocol = SMB2
 client min protocol = SMB2

 debug hires timestamp = No
 acl group control = yes
 delete readonly = yes
 acl allow execute always = yes
 dos filemode = Yes
 inherit permissions = Yes
 store dos attributes = Yes

 vfs objects = acl_xattr

[MyShare]
 inherit acls = Yes
 path = /srv/samba/partage
 read only = no
 admin users = @"DOMAIN\GROUP-AdminsU" "DOMAIN\user"
 vfs objects = acl_xattr

krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/


includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log


[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}


default_realm = DOMAIN.DOM.CH
[realms]
 DOMAIN.DOM.CH = {
  kdc = domain.dom.ch
  admin_server = domain.dom.ch
 }


[domain_realm]
 domain.dom.ch = DOMAIN.DOM.CH
 .domain.dom.ch = DOMAIN.DOM.CH

sssd.conf

[sssd]
domains = domain.dom.ch
config_file_version = 2
services = nss, pam
default_domain_suffix = DOMAIN.DOM.CH

[domain/domain.dom.ch]
ad_domain = domain.dom.ch
krb5_realm = DOMAIN.DOM.CH
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

I had a look in the Samba logs at level 10, and here are the possibly exploitable errors. To make things a bit clearer, I split the logs by module.

auth:

 Got user=[user] domain=[DOMAIN] workstation=[] len1=0 len2=166
 Mapping user [DOMAIN]\[user] from workstation []
 ...
 check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[user]@[] with the new password interface
 check_ntlm_password:  mapped user is: [DOMAIN]\[user]@[]
 check_ntlm_password: auth_context challenge created by random
 challenge is:
 Check auth for: [user]
 auth_check_ntlm_password: guest had nothing to say
 Check auth for: [user]
 check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
 auth_check_ntlm_password: sam had nothing to say
 Check auth for: [user]
 check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
 auth_check_ntlm_password: winbind authentication for user [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
 check_ntlm_password:  Authentication for user [user] -> [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
 ntlmssp_server_auth_send: Checking NTLMSSP password for DOMAIN\user failed: NT_STATUS_LOGON_FAILURE
 gensec_update_done: ntlmssp[0x55ad6e4aba70]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ab680/../auth/ntlmssp/ntlmssp.c:181]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_ntlmssp_update_state (0x55ad6e4ab810)] timer[(nil)] finish[../auth/ntlmssp/ntlmssp.c:239]
 gensec_update_done: spnego[0x55ad6e4aaf00]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ac860/../auth/gensec/spnego.c:1601]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_spnego_update_state (0x55ad6e4ac9f0)] timer[(nil)] finish[../auth/gensec/spnego.c:2065]

The curious point here is this “workstation=[]”. With Windows and Mac clients I always have a workstation name in the brackets, but nothing when it’s a Linux client.

auth_audit:

 Auth: [SMB2,(null)] user [DOMAIN]\[user] at [Wed, 17 Apr 2019 07:54:56.191467 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:xxx.xxx.xxx.xxx:57124] mapped to [DOMAIN]\[user]. local host [ipv4:xxx.xxx.xxx.xxx:445]

smb2:

 Selected protocol SMB3_11
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:156] at ../source3/smbd/smb2_negprot.c:662
 smbd_smb2_request idx[1] of 5 vectors
 smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 1
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_MORE_PROCESSING_REQUIRED] body[8] dyn[yes:194] at ../source3/smbd/smb2_sesssetup.c:174
 smbd_smb2_request idx[1] of 5 vectors
 smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 2
 smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3219
 smbd_server_connection_terminate_ex: conn[ipv4:xxx.xxx.xxx.xxx:57054] reason[NT_STATUS_END_OF_FILE] at ../source3/smbd/smb2_server.c:3986

From my Linux client I can SSH into the server using my Active Directory credentials.

I really don’t know what else to do.

Update 1

When connecting to this share, my login request is received by the Domain Controller and the password is accepted. So the issue is not on that side. I also tried adding uid=(id from my account,0,root) to the mount options, but without success.

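An added log-triage script for the auth output quoted in this question (not the poster's code and not Samba's): it parses the auth_audit records, groups attempts by auth method and NT status, and maps the tell-tale auth-module messages to a likely cause. The Kerberos success line in the sample is constructed for contrast, the IPs are documentation addresses, and the cause texts are the example author's reading of the messages.

```python
"""Triage smbd auth logs from a Samba domain member that rejects NTLM logons.

Added example for the question above (not the poster's code, not Samba's).
"""
import re
from collections import Counter

# One auth_audit record per session setup, in the format quoted in the post.
AUDIT_RE = re.compile(
    r"Auth: \[(?P<transport>[^,\]]+),(?P<auth_type>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<method>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)

# Tell-tale auth-module messages and what they usually mean
# (interpretations are the example author's, not Samba's).
CAUSES = {
    "WBC_ERR_WINBIND_NOT_AVAILABLE": (
        "smbd could not talk to winbindd. On a domain member, NTLM logons for "
        "domain accounts are handed to winbindd, so password-based mounts "
        "(mount.cifs) fail while Kerberos/keytab logons from joined Windows "
        "clients still work. Make sure the winbind service is running."
    ),
    "is not one of my local names": (
        "the account's domain is not this server, so the local passdb "
        "(tdbsam) cannot answer; only a local smbpasswd account would succeed "
        "on that path."
    ),
}


def parse_audit(lines):
    """Return one dict per auth_audit line; other lines are ignored."""
    return [m.groupdict() for m in map(AUDIT_RE.search, lines) if m]


def summarize(records):
    """Count attempts by (method, status), e.g. ('NTLMv2', 'NT_STATUS_LOGON_FAILURE')."""
    return Counter((r["method"], r["status"]) for r in records)


def diagnose(lines):
    """(marker, likely cause) pairs, in log order, for each tell-tale message found."""
    found = []
    for line in lines:
        for marker, cause in CAUSES.items():
            if marker in line and (marker, cause) not in found:
                found.append((marker, cause))
    return found


def empty_workstation_failures(records):
    """Failed attempts carrying no workstation name, as in the poster's log."""
    return [r for r in records
            if r["workstation"] == "" and r["status"] != "NT_STATUS_OK"]


# Constructed sample: the failing Linux attempt from the question (IPs replaced
# with documentation addresses) plus a constructed Kerberos success from a
# joined Windows client for contrast.
SAMPLE_LOG = """\
check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
Auth: [SMB2,(null)] user [DOMAIN]\\[user] at [Wed, 17 Apr 2019 07:54:56.191467 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:192.0.2.10:57124] mapped to [DOMAIN]\\[user]. local host [ipv4:192.0.2.1:445]
Auth: [SMB2,Kerberos] user [DOMAIN]\\[user] at [Wed, 17 Apr 2019 07:55:10.000000 CEST] with [Kerberos] status [NT_STATUS_OK] workstation [WIN10-PC] remote host [ipv4:192.0.2.20:51000] mapped to [DOMAIN]\\[user]. local host [ipv4:192.0.2.1:445]
""".splitlines()

if __name__ == "__main__":
    records = parse_audit(SAMPLE_LOG)
    for (method, status), n in summarize(records).items():
        print(f"{n} attempt(s) via {method}: {status}")
    for rec in empty_workstation_failures(records):
        print(f"failed attempt with empty workstation from {rec['remote']}")
    for marker, cause in diagnose(SAMPLE_LOG):
        print(f"\n'{marker}': {cause}")
```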

Get this bounty!!!

#StackBounty: #mount #samba #cifs #active-directory #sssd Linux clients can't login on samba share while windows and mac can (activ…

Bounty: 50

Setup

server

  • Centos 7.6
  • Samba 4.8
  • Winbind
  • SSSD
  • Kerberos

This machine is attached to the company active directory as member server but not domain controller (I followed the RadHat documentation to join the machine in domain and configure smb)

added that too

net ads keytab add cifs

net ads testjoin and status give me positive results

  • Windows clients can connect using DOMAINusername and password credentials
  • Mac OSX clients can connect using username@full.domain.name and password credentials (other options are not accepted like DOMAINusername)
  • Linux client can’t connect using mount.cifs, I tried with those options
    • username=username,domain=DOMAIN
    • username=username,domain=FULL.DOMAIN.TLD (caps or not)
    • username=DOMAINusername
    • username=FULL.DOMAIN.TLDusername
    • username=username@DOMAIN
    • …etc

Clients used for this tests are

  • Windows 10
  • Centos 7
  • Debian 9
  • Ubuntu 18
  • OSX Mojave

Some clients are part of the ActiveDirectory and some not. Result is the same anyway, only windows and OSX can mount the share.

I also played with sec= and vers= using more-less all the possibilities, files_mode and dir_mode set to 777 or 644/755 without success neither. Also tried a credentials file and a line in fstab.

I always receive a: mount error(13): Permission denied

The funky point is, I can mount the share using a local account set on the server with smbpasswd… but this is not what I want obviously

Then other funky point, I can connect the server from Thunar under XFCE using smb://user@… this works also with smbclient

Here are my conf files

smb.conf

[global]
 workgroup = DOMAIN
 security = ads
 client signing = yes
 client use spnego = yes
 realm = DOMAIN.DOM.CH
 server role = MEMBER SERVER
 passdb backend = tdbsam
 kerberos method = secrets and keytab
 idmap config * : range = 10000-99999999
 idmap config * : backend = tdb
 wins server = xx.xx.xx.xx
 winbind use default domain = yes

 load printers = no
 disable spoolss = yes
 show add printer wizard = No

 local master = No
 dns proxy = No
 logging = file
 log file = /var/log/samba/smb-%I.log
 log level = 4
 max log size = 10000
 follow symlinks = yes

 min protocol = SMB2
 client min protocol = SMB2

 debug hires timestamp = No
 acl group control = yes
 delete readonly = yes
 acl allow execute always = yes
 dos filemode = Yes
 inherit permissions = Yes
 store dos attributes = Yes

 vfs objects = acl_xattr

[MyShare]
 inherit acls = Yes
 path = /srv/samba/partage
 read only = no
 admin users = @"DOMAINGROUP-AdminsU" "DOMAINuser"
 vfs objects = acl_xattr

krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/


includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log


[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}


default_realm = DOMAIN.DOM.CH
[realms]
 DOMAIN.DOM.CH = {
  kdc = domain.dom.ch
  admin_server = domain.dom.ch
 }


[domain_realm]
 domain.dom.ch = DOMAIN.DOM.CH
 .domain.dom.ch = DOMAIN.DOM.CH

sssd.conf

[sssd]
domains = domain.dom.ch
config_file_version = 2
services = nss, pam
default_domain_suffix = DOMAIN.DOM.CH

[domain/domain.dom.ch]
ad_domain = domain.dom.ch
krb5_realm = DOMAIN.DOM.CH
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

I had a look in samba logs level 10 and here is the possible exploitable errors. To make things a bit more clear, I did split the logs by module.

auth:

 Got user=[user] domain=[DOMAIN] workstation=[] len1=0 len2=166
 Mapping user [DOMAIN][user] from workstation []
 ...
 check_ntlm_password:  Checking password for unmapped user [DOMAIN][user]@[] with the new password interface
 check_ntlm_password:  mapped user is: [DOMAIN][user]@[]
 check_ntlm_password: auth_context challenge created by random
 challenge is:
 Check auth for: [user]
 auth_check_ntlm_password: guest had nothing to say
 Check auth for: [user]
 check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
 auth_check_ntlm_password: sam had nothing to say
 Check auth for: [user]
 check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
 auth_check_ntlm_password: winbind authentication for user [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
 check_ntlm_password:  Authentication for user [user] -> [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
 ntlmssp_server_auth_send: Checking NTLMSSP password for DOMAINuser failed: NT_STATUS_LOGON_FAILURE
 gensec_update_done: ntlmssp[0x55ad6e4aba70]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ab680/../auth/ntlmssp/ntlmssp.c:181]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_ntlmssp_update_state (0x55ad6e4ab810)] timer[(nil)] finish[../auth/ntlmssp/ntlmssp.c:239]
 gensec_update_done: spnego[0x55ad6e4aaf00]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ac860/../auth/gensec/spnego.c:1601]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_spnego_update_state (0x55ad6e4ac9f0)] timer[(nil)] finish[../auth/gensec/spnego.c:2065]

The curious point here is this “workstation=[]”. With windows and mac clients, I always have a workstation name in brackets but nothing when it’s a linux client.

auth_audit:

 Auth: [SMB2,(null)] user [DOMAIN][user] at [Wed, 17 Apr 2019 07:54:56.191467 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:xxx.xxx.xxx.xxx:57124] mapped to [DOMAIN][user]. local host [ipv4:xxx.xxx.xxx.xxx:445]

smb2:

 Selected protocol SMB3_11
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:156] at ../source3/smbd/smb2_negprot.c:662
 smbd_smb2_request idx[1] of 5 vectors
 smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 1
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_MORE_PROCESSING_REQUIRED] body[8] dyn[yes:194] at ../source3/smbd/smb2_sesssetup.c:174
 smbd_smb2_request idx[1] of 5 vectors
 smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 2
 smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3219
 smbd_server_connection_terminate_ex: conn[ipv4:xxx.xxx.xxx.xxx:57054] reason[NT_STATUS_END_OF_FILE] at ../source3/smbd/smb2_server.c:3986

From my linux client I can SSH the server using my ActiveDirectory credentials.

I really don’t know what else to do.

Update 1

When connecting this share, my login request is received by the Domain Controller and password accepted. So, the issue is not on this side. I also tried to add uid=(id from my account,0,root) in the mount options but without success


Get this bounty!!!

#StackBounty: #mount #samba #cifs #active-directory #sssd Linux clients can't login on samba share while windows and mac can (activ…

Bounty: 50

Setup

server

  • Centos 7.6
  • Samba 4.8
  • Winbind
  • SSSD
  • Kerberos

This machine is attached to the company active directory as member server but not domain controller (I followed the RadHat documentation to join the machine in domain and configure smb)

added that too

net ads keytab add cifs

net ads testjoin and status give me positive results

  • Windows clients can connect using DOMAINusername and password credentials
  • Mac OSX clients can connect using username@full.domain.name and password credentials (other options are not accepted like DOMAINusername)
  • Linux client can’t connect using mount.cifs, I tried with those options
    • username=username,domain=DOMAIN
    • username=username,domain=FULL.DOMAIN.TLD (caps or not)
    • username=DOMAINusername
    • username=FULL.DOMAIN.TLDusername
    • username=username@DOMAIN
    • …etc

Clients used for this tests are

  • Windows 10
  • Centos 7
  • Debian 9
  • Ubuntu 18
  • OSX Mojave

Some clients are part of the ActiveDirectory and some not. Result is the same anyway, only windows and OSX can mount the share.

I also played with sec= and vers= using more-less all the possibilities, files_mode and dir_mode set to 777 or 644/755 without success neither. Also tried a credentials file and a line in fstab.

I always receive a: mount error(13): Permission denied

The funky point is, I can mount the share using a local account set on the server with smbpasswd… but this is not what I want obviously

Then other funky point, I can connect the server from Thunar under XFCE using smb://user@… this works also with smbclient

Here are my conf files

smb.conf

[global]
 workgroup = DOMAIN
 security = ads
 client signing = yes
 client use spnego = yes
 realm = DOMAIN.DOM.CH
 server role = MEMBER SERVER
 passdb backend = tdbsam
 kerberos method = secrets and keytab
 idmap config * : range = 10000-99999999
 idmap config * : backend = tdb
 wins server = xx.xx.xx.xx
 winbind use default domain = yes

 load printers = no
 disable spoolss = yes
 show add printer wizard = No

 local master = No
 dns proxy = No
 logging = file
 log file = /var/log/samba/smb-%I.log
 log level = 4
 max log size = 10000
 follow symlinks = yes

 min protocol = SMB2
 client min protocol = SMB2

 debug hires timestamp = No
 acl group control = yes
 delete readonly = yes
 acl allow execute always = yes
 dos filemode = Yes
 inherit permissions = Yes
 store dos attributes = Yes

 vfs objects = acl_xattr

[MyShare]
 inherit acls = Yes
 path = /srv/samba/partage
 read only = no
 admin users = @"DOMAINGROUP-AdminsU" "DOMAINuser"
 vfs objects = acl_xattr

krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/


includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log


[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}


default_realm = DOMAIN.DOM.CH
[realms]
 DOMAIN.DOM.CH = {
  kdc = domain.dom.ch
  admin_server = domain.dom.ch
 }


[domain_realm]
 domain.dom.ch = DOMAIN.DOM.CH
 .domain.dom.ch = DOMAIN.DOM.CH

sssd.conf

[sssd]
domains = domain.dom.ch
config_file_version = 2
services = nss, pam
default_domain_suffix = DOMAIN.DOM.CH

[domain/domain.dom.ch]
ad_domain = domain.dom.ch
krb5_realm = DOMAIN.DOM.CH
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

I had a look in samba logs level 10 and here is the possible exploitable errors. To make things a bit more clear, I did split the logs by module.

auth:

 Got user=[user] domain=[DOMAIN] workstation=[] len1=0 len2=166
 Mapping user [DOMAIN]\[user] from workstation []
 ...
 check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[user]@[] with the new password interface
 check_ntlm_password:  mapped user is: [DOMAIN]\[user]@[]
 check_ntlm_password: auth_context challenge created by random
 challenge is:
 Check auth for: [user]
 auth_check_ntlm_password: guest had nothing to say
 Check auth for: [user]
 check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
 auth_check_ntlm_password: sam had nothing to say
 Check auth for: [user]
 check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
 auth_check_ntlm_password: winbind authentication for user [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
 check_ntlm_password:  Authentication for user [user] -> [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
 ntlmssp_server_auth_send: Checking NTLMSSP password for DOMAIN\user failed: NT_STATUS_LOGON_FAILURE
 gensec_update_done: ntlmssp[0x55ad6e4aba70]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ab680/../auth/ntlmssp/ntlmssp.c:181]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_ntlmssp_update_state (0x55ad6e4ab810)] timer[(nil)] finish[../auth/ntlmssp/ntlmssp.c:239]
 gensec_update_done: spnego[0x55ad6e4aaf00]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ac860/../auth/gensec/spnego.c:1601]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_spnego_update_state (0x55ad6e4ac9f0)] timer[(nil)] finish[../auth/gensec/spnego.c:2065]

The curious point here is this “workstation=[]”. With Windows and Mac clients I always have a workstation name in the brackets, but nothing when it is a Linux client.

auth_audit:

 Auth: [SMB2,(null)] user [DOMAIN]\[user] at [Wed, 17 Apr 2019 07:54:56.191467 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:xxx.xxx.xxx.xxx:57124] mapped to [DOMAIN]\[user]. local host [ipv4:xxx.xxx.xxx.xxx:445]

smb2:

 Selected protocol SMB3_11
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:156] at ../source3/smbd/smb2_negprot.c:662
 smbd_smb2_request idx[1] of 5 vectors
 smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 1
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_MORE_PROCESSING_REQUIRED] body[8] dyn[yes:194] at ../source3/smbd/smb2_sesssetup.c:174
 smbd_smb2_request idx[1] of 5 vectors
 smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 2
 smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3219
 smbd_server_connection_terminate_ex: conn[ipv4:xxx.xxx.xxx.xxx:57054] reason[NT_STATUS_END_OF_FILE] at ../source3/smbd/smb2_server.c:3986

From my Linux client I can SSH into the server using my Active Directory credentials.

I really don’t know what else to do.

Update 1

When connecting to this share, my login request is received by the Domain Controller and the password is accepted. So the issue is not on that side. I also tried adding uid=(id from my account, 0, root) to the mount options, but without success.
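The log excerpts above carry the actual evidence: the auth_audit line records an NTLMv2 attempt with an empty workstation field, and the auth module shows smbd handing that NTLM exchange to winbindd and getting WBC_ERR_WINBIND_NOT_AVAILABLE back. The following script is an added example for this thread, not the poster's code and not part of Samba: it parses auth/auth_audit lines of the layout quoted above, tabulates outcomes by (mechanism, NT status) and names the failure pattern the lines describe. The sample log is constructed from the quoted lines (backslash in DOMAIN\user restored, xxx addresses replaced with RFC 5737 documentation IPs); the final krb5/NT_STATUS_OK line is an assumed entry, not from the post, added so a Kerberos success shows up beside the NTLM failure. Function names (summarize, diagnose) and verdict strings are my own.

```python
"""Classify smbd authentication failures from Samba auth/auth_audit log lines.

Added example for this thread; not the poster's code and not part of Samba.
"""
import re
from collections import Counter

# Constructed sample built from the lines quoted in the post.  The last
# line is NOT from the post: an assumed NT_STATUS_OK record for a Kerberos
# (krb5) session, included for contrast.
SAMPLE_LOG = r"""
Got user=[user] domain=[DOMAIN] workstation=[] len1=0 len2=166
check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
auth_check_ntlm_password: winbind authentication for user [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
Auth: [SMB2,(null)] user [DOMAIN]\[user] at [Wed, 17 Apr 2019 07:54:56.191467 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:192.0.2.10:57124] mapped to [DOMAIN]\[user]. local host [ipv4:192.0.2.1:445]
Auth: [SMB2,(null)] user [DOMAIN]\[user] at [Wed, 17 Apr 2019 07:55:10.000000 CEST] with [krb5] status [NT_STATUS_OK] workstation [] remote host [ipv4:192.0.2.10:57130] mapped to [DOMAIN]\[user]. local host [ipv4:192.0.2.1:445]
"""

# One auth_audit record: transport, account, mechanism, NT status, workstation, peer.
AUDIT_RE = re.compile(
    r"Auth: \[(?P<transport>[^,\]]*),[^\]]*\] user \[(?P<domain>[^\]]*)\]\\?\[(?P<user>[^\]]*)\]"
    r" at \[[^\]]*\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)
# libwbclient error logged when smbd passes an NTLM exchange to winbindd and it fails.
WINBIND_RE = re.compile(
    r"check_winbind_security: wbcAuthenticateUserEx failed: (?P<err>WBC_ERR_\w+)"
)


def summarize(log_text):
    """Tabulate auth_audit outcomes by (mechanism, status) and collect winbind errors."""
    outcomes = Counter()
    attempts = []
    winbind_errors = []
    empty_workstation = 0
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            rec = m.groupdict()
            attempts.append(rec)
            outcomes[(rec["mech"], rec["status"])] += 1
            if rec["workstation"] == "":
                empty_workstation += 1
            continue
        w = WINBIND_RE.search(line)
        if w:
            winbind_errors.append(w.group("err"))
    return {
        "attempts": attempts,
        "outcomes": outcomes,
        "winbind_errors": winbind_errors,
        "empty_workstation": empty_workstation,
    }


def diagnose(log_text):
    """Name the failure pattern using only what the lines themselves say."""
    s = summarize(log_text)
    ntlm_failed = any(
        mech.startswith("NTLM") and status != "NT_STATUS_OK"
        for (mech, status) in s["outcomes"]
    )
    if ntlm_failed and "WBC_ERR_WINBIND_NOT_AVAILABLE" in s["winbind_errors"]:
        # A 'security = ads' member server cannot verify an NTLM response on
        # its own; smbd asks winbindd, and libwbclient reported it unreachable.
        return "ntlm-needs-winbindd"
    if ntlm_failed:
        return "ntlm-rejected"
    return "no-ntlm-failure"


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (mech, status), n in sorted(result["outcomes"].items()):
        print(f"{n:3d}  {mech:8s} {status}")
    print("winbind errors:", result["winbind_errors"])
    print("auth_audit records with empty workstation:", result["empty_workstation"])
    print("verdict:", diagnose(SAMPLE_LOG))
```

The verdict for the quoted lines is "ntlm-needs-winbindd", which points at a concrete check on the member server rather than at the client: `systemctl status winbind`, then `wbinfo -p` (ping winbindd) and `wbinfo -t` (machine-account trust check). A caveat worth keeping in mind while testing clients: mount.cifs without `sec=krb5` authenticates with NTLMSSP, which on an `ads` member server is verified through winbindd, whereas `sec=krb5` needs a ticket (kinit) plus the cifs.upcall key helper from cifs-utils and never touches the NTLM path at all.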


