Authentication broken: CentOS 7.9, Samba 4.10.16-19. RC4 concern?

jbsysadmin
Posts: 3
Joined: 2020/06/05 14:57:16


Post by jbsysadmin » 2022/09/20 15:52:46

Context: CentOS 7.9, updated from 7.6. Samba version upgraded from 4.8.3-4.el7 to 4.10.16-19.el7_9. Security is "ADS", passdb backend "tdbsam". Samba config includes: protocol = SMB3.

Upstream security team disabled encryption type RC4 on their cluster of Active Directory servers. It is no longer possible to access shares against this. Users are endlessly challenged with an authentication window and a failed login with known, working passwords. The shares used to be present at login, without need for a password due to the stored credential. The Windows 10 desktop environment includes a GPO forcing at least SMB2. Samba logs show at least an SMB3 attempt ("Selected protocol SMB3_11"). But they are filled with "[NTLMv2] status [NT_STATUS_NO_SUCH_USER]" after the process has failed to accept a known working password. The Samba node is actually joined to the domain; wbinfo provides correct output about domain groups, usernames, and domain controllers. The command "lsof -i -n | grep winbind" does show a connection with a controller.

Access was broken before the OS and Samba update. It was hoped that the update would improve things; we found out about the RC4 action when escalating later.

Do my Samba/winbind configurations need anything else to account for the disabling of RC4? Are there any end-user actions which must follow? (i.e. changing passwords since the implementation of that drop from Active Directory.) Any leads would be greatly appreciated.

jbsysadmin
Posts: 3
Joined: 2020/06/05 14:57:16

Re: Authentication broken: CentOS 7.9, Samba 4.10.16-19. RC4 concern?

Post by jbsysadmin » 2022/09/22 14:57:04

On this issue:

Further research indicated that the parent network Active Directory team had disabled NTLM. I found that the inherited Samba presence was never registered for DNS at the parent network level, so I got it registered. (The node is Linux, and uses the main identity management/DNS on FreeIPA. No one uses Windows logins to access the server on, say, SSH. The Windows concern is sharing only; this node did so as a domain member.)

There was progress in that the Samba node logs finally showed that my account was found in AD:

winbindd_pam_auth_pac_verify: PAC for user <domain>\<username> SID S-1-*-***-*****-*****-***-**** primed cache

But this still didn't work. Seeing no other option, I removed, then re-added, the computer account:

net ads leave -U <admin_username>
kinit <admin_username>@<domain>
net ads join -U <admin_username> -S <domain_controller> -k createcomputer="<prior_OU>/<prior_OU_subdirectory>"

However, the progress gained by trying CIFS access by name instead of IP was lost. In /var/log/samba/samba.log:

check_ntlm_password: Checking password for unmapped user [<domain>]\[<username>]@[LOCAL_MACHINE_HOSTNAME] with the new password interface
auth_check_ntlm_password: winbind authentication for user [username] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

Any thoughts?

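The symptoms in both posts (RC4 dropped on the DCs, NTLM disabled, winbind reporting NT_STATUS_NO_SUCH_USER on the NTLM path, and a PAC being verified only once the share was opened by name rather than by IP) can be triaged from two files on the member: krb5.conf and samba.log. A Windows client that opens a share by IP address cannot build a service principal name for it and falls back to NTLM; with NTLM refused by the DCs that path fails, while a DNS name that matches a registered SPN lets the client use Kerberos. The script below is an added example and not the poster's configuration or commands: the realm EXAMPLE.COM, host FILESRV, user jdoe, the krb5.conf fragments and the log lines are all constructed for illustration, and the verdict tokens are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: offline triage for a Samba AD member
# after the domain controllers drop RC4 and NTLM. Realm, host, user and log text
# below are constructed for the example.

# Constructed krb5.conf [libdefaults] fragments. The first pins every enctype
# list to RC4, which stops working the moment the DCs refuse RC4.
KRB5_RC4_ONLY='[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = arcfour-hmac
 default_tkt_enctypes = arcfour-hmac
 permitted_enctypes = arcfour-hmac'

KRB5_AES='[libdefaults]
 default_realm = EXAMPLE.COM
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96'

# Constructed log lines modelled on those quoted in the thread.
SAMBA_LOG='check_ntlm_password: Checking password for unmapped user [EXAMPLE]\[jdoe]@[FILESRV] with the new password interface
auth_check_ntlm_password: winbind authentication for user [jdoe] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
winbindd_pam_auth_pac_verify: PAC for user EXAMPLE\jdoe SID S-1-5-21-1-2-3-1104 primed cache'

# krb5_enctype_status CONFIG
#   default  - no enctype lists set; the library defaults (AES included) apply
#   aes-ok   - at least one list allows AES (RC4 may also be listed, that is fine)
#   rc4-only - lists are set and mention only RC4 (arcfour-hmac / rc4-hmac)
#   other    - lists are set but name neither AES nor RC4
krb5_enctype_status() {
    lists=$(printf '%s\n' "$1" |
        grep -Ei '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[[:space:]]*=' || true)
    if [ -z "$lists" ]; then
        echo default
    elif printf '%s\n' "$lists" | grep -Eiq 'aes(128|256)-cts'; then
        echo aes-ok
    elif printf '%s\n' "$lists" | grep -Eiq 'arcfour-hmac|rc4-hmac'; then
        echo rc4-only
    else
        echo other
    fi
}

# ntlm_no_such_user_count LOG: winbind NTLM authentications that failed with
# NT_STATUS_NO_SUCH_USER, i.e. the client fell back to NTLM and AD rejected it.
ntlm_no_such_user_count() {
    printf '%s\n' "$1" | grep -c 'auth_check_ntlm_password:.*NT_STATUS_NO_SUCH_USER' || true
}

# kerberos_pac_count LOG: PAC verifications, i.e. Kerberos authentications that
# reached winbind with a valid service ticket.
kerberos_pac_count() {
    printf '%s\n' "$1" | grep -c 'winbindd_pam_auth_pac_verify: PAC for user' || true
}

# triage KRB5CONF LOG -> one verdict token
#   client-rc4-only : fix krb5.conf first; Kerberos cannot succeed against AES-only DCs
#   ntlm-fallback   : Kerberos works for some connections while others fall back to
#                     NTLM and fail; typical when the share is opened by IP address or
#                     by a name without a matching SPN/DNS record
#   ntlm-only       : no Kerberos seen at all; check DNS, the host SPNs and the keytab
#   clean           : no NTLM failures in the log sample
triage() {
    enc=$(krb5_enctype_status "$1")
    ntlm=$(ntlm_no_such_user_count "$2")
    pac=$(kerberos_pac_count "$2")
    if [ "$enc" = rc4-only ]; then
        echo client-rc4-only
    elif [ "$ntlm" -gt 0 ] && [ "$pac" -gt 0 ]; then
        echo ntlm-fallback
    elif [ "$ntlm" -gt 0 ]; then
        echo ntlm-only
    else
        echo clean
    fi
}

# With the constructed samples above this reports ntlm-fallback.
triage "$KRB5_AES" "$SAMBA_LOG"
```

To run it against a real member, feed it `$(cat /etc/krb5.conf)` and the relevant slice of /var/log/samba/samba.log instead of the constructed strings. After `kinit` as a domain user, `klist -e` shows the enctype the DC actually issued, which is the quickest way to confirm the Kerberos side is AES once RC4 is gone.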