ahaenggli/AzureAD-LDAP-wrapper

SMB Login Issue

natangallo opened this issue · 13 comments

Describe the bug
Every user logs in with no issue using web and AFP. Using SMB, only some users are able to log in.

To Reproduce
Steps to reproduce the behavior:
User name or password fails after SMB login from Windows or Mac.

Here are the Synology Samba logs:

/../source3/auth/auth.c:189: [2022/09/06 20:35:12.973776, auth 3, pid=23413] auth_check_ntlm_password
check_ntlm_password: Checking password for unmapped user [my-domGALLERY][designoffice]@[MACBOOKPRO-6B01] with the new password interface
../../source3/auth/auth.c:192: [2022/09/06 20:35:12.973784, auth 3, pid=23413] auth_check_ntlm_password
check_ntlm_password: mapped user is: [my-domGALLERY][designoffice]@[MACBOOKPRO-6B01]
../../source3/passdb/pdb_ldap.c:646: [2022/09/06 20:35:12.979254, passdb 2, pid=23413] init_sam_from_ldap
init_sam_from_ldap: Entry found for user: designoffice
../../libcli/security/dom_sid.c:213: [2022/09/06 20:35:12.979298, all 3, pid=23413] dom_sid_parse_endp
string_to_sid: SID S-1-5-21-2475342291-1480345137-508597502-5316240366 is not in a valid format
../../source3/passdb/pdb_get_set.c:550: [2022/09/06 20:35:12.979307, passdb 1, pid=23413] pdb_set_user_sid_from_string
pdb_set_user_sid_from_string: S-1-5-21-2475342291-1480345137-508597502-5316240366 isn't a valid SID!
../../source3/passdb/pdb_ldap.c:705: [2022/09/06 20:35:12.979315, passdb 1, pid=23413] init_sam_from_ldap
init_sam_from_ldap: no sambaSID or sambaSID attribute found for this user designoffice
../../source3/passdb/pdb_ldap.c:1804: [2022/09/06 20:35:12.979322, passdb 1, pid=23413] ldapsam_getsampwnam
ldapsam_getsampwnam: init_sam_from_ldap failed for user 'designoffice'!
../../source3/passdb/pdb_interface.c:341: [2022/09/06 20:35:12.979329, syno 3, pid=23413] pdb_getsampwnam
getsampwnam account designoffice fail NT_STATUS_NO_SUCH_USER
../../source3/auth/check_samsec.c:458: [2022/09/06 20:35:12.979350, auth 3, pid=23413] check_sam_security
check_sam_security: Couldn't find user 'designoffice' in passdb.
../../source3/auth/auth.c:361: [2022/09/06 20:35:12.979359, auth 2, pid=23413] auth_check_ntlm_password
check_ntlm_password: Authentication for user [designoffice] -> [designoffice] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
../../auth/auth_log.c:812: [2022/09/06 20:35:12.979380, auth_audit 2, pid=23413] log_authentication_event_human_readable
Auth: [SMB2,(null)] user [my-domGALLERY][designoffice] at [Tue, 06 Sep 2022 20:35:12.979369 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MACBOOKPRO-6B01] remote host [ipv4:10.10.10.1:62780] mapped to [my-domGALLERY][designoffice]. local host [ipv4:10.10.10.27:445]
{"timestamp":"2022-09-06T20:35:12.979407+0200","type":"Authentication","Authentication":{"version":{"major":1,"minor":1},"eventId":4625,"logonType":3,"status":"NT_STATUS_NO_SUCH_USER","localAddress":"ipv4:10.10.10.27:445","remoteAddress":"ipv4:10.10.10.1:62780","serviceDescription":"SMB2","authDescription":null,"clientDomain":"my-domGALLERY","clientAccount":"designoffice","workstation":"MACBOOKPRO-6B01","becameAccount":null,"becameDomain":null,"becameSid":null,"mappedAccount":"designoffice","mappedDomain":"my-domGALLERY","netlogonComputer":null,"netlogonTrustAccount":null,"netlogonNegotiateFlags":"0x00000000","netlogonSecureChannelType":0,"netlogonTrustAccountSid":null,"passwordType":"NTLMv2","duration":27243}}
../../source3/auth/auth_util.c:2482: [2022/09/06 20:35:12.979438, auth 3, pid=23413] do_map_to_guest_server_info
No such user designoffice [my-domGALLERY] - using guest account
../../source3/smbd/smb2_server.c:2796: [2022/09/06 20:35:12.979569, syno 3, pid=23413] smbd_smb2_request_dispatch
SMB2: cmd=SMB2_OP_SESSSETUP [NT_STATUS_OK]
../../auth/gensec/spnego.c:1444: [2022/09/06 20:35:12.979593, auth 3, pid=23413] gensec_spnego_server_negTokenTarg_step
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
../../source3/smbd/smb2_server.c:3228: [2022/09/06 20:35:12.979618, smb2 3, pid=23413] smbd_smb2_request_error_ex
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:148
my-domadmin@my-domGALLERY:/$

This bug (SID XXX is not in a valid format) should be fixed since v1.8.0. Are you using the latest version?

Strange... Maybe I mixed up a variable somewhere... Actually, SIDs for users starting with S-1-5-21-2475342291-1480345137-508597502 (config) should no longer appear since v1.8.0.
Could you try setting the environment variable LDAP_SAMBA_USEAZURESID to true? Maybe that works as a workaround.

The workaround does not work.

That's a bit strange... Do you have any entry in the azure.json file (can be found in the mapped volume) for the sambaSID attribute that doesn't start with S-1-5-21-2475342291-1480345137-508597502?

Without a mapped volume there are sometimes problems with the cache. For example, the whole cache is missing after each update, so all users would have to log in again normally before they could use SMB. In the latest version (v1.8.2) a message should appear if the wrapper is used without a mapped volume. In addition, the version number is now displayed at startup, so you can check whether the latest version is really being used.
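Added example (not code from the wrapper project or from anyone in this thread): a small checker for the two things discussed above, namely why Samba's string_to_sid rejects the SID in the log (its last sub-authority, 5316240366, does not fit in the 32-bit field that each SID sub-authority has, per MS-DTYP and Samba's parser) and how to scan an azure.json-style user-to-sambaSID mapping for entries still carrying the legacy S-1-5-21-2475342291-1480345137-508597502 prefix. The mapping below is constructed; only the designoffice SID is taken from the log.

```python
import re

# Prefix the maintainer says should no longer be emitted since v1.8.0
# (value taken from the thread above).
LEGACY_PREFIX = "S-1-5-21-2475342291-1480345137-508597502"

# Textual SID layout: S-<revision>-<identifier authority>-<sub-authority>...
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
MAX_SUB_AUTHORITIES = 15        # MS-DTYP SubAuthorityCount limit (Samba: SID_MAX_SUB_AUTHORITIES)
UINT32_MAX = 0xFFFFFFFF         # each sub-authority is a 32-bit unsigned integer
AUTHORITY_MAX = 0xFFFFFFFFFFFF  # identifier authority is a 48-bit value


def check_sid(sid: str) -> list:
    """Return the reasons a Samba-style parser would reject `sid`;
    an empty list means the string is well-formed."""
    problems = []
    m = SID_RE.match(sid)
    if not m:
        return ["does not match S-<rev>-<authority>-<sub>... layout"]
    authority = int(m.group(2))
    sub_auths = [int(s) for s in m.group(3).lstrip("-").split("-")]
    if authority > AUTHORITY_MAX:
        problems.append("identifier authority exceeds 48 bits")
    if len(sub_auths) > MAX_SUB_AUTHORITIES:
        problems.append(f"{len(sub_auths)} sub-authorities > {MAX_SUB_AUTHORITIES}")
    for i, v in enumerate(sub_auths):
        if v > UINT32_MAX:
            problems.append(f"sub-authority {i} ({v}) exceeds 32 bits")
    return problems


def flag_legacy(entries: dict) -> list:
    """Return the users whose sambaSID still starts with the legacy prefix."""
    return [u for u, sid in entries.items() if sid.startswith(LEGACY_PREFIX + "-")]


# Constructed sample in the shape of a user -> sambaSID mapping (hypothetical,
# not the real azure.json format). Only the designoffice SID comes from the log.
SAMPLE = {
    "designoffice": "S-1-5-21-2475342291-1480345137-508597502-5316240366",
    "userA": "S-1-5-21-2475342291-1480345137-508597502-1107",
    "userB": "S-1-12-1-1234567890-1234567890-1234567890-1234567890",
}

if __name__ == "__main__":
    for user, sid in SAMPLE.items():
        print(user, check_sid(sid) or "ok")
    print("still on legacy prefix:", flag_legacy(SAMPLE))
```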

I think the answers via email got a bit mixed up. What are the current problems?

  • For "barlafante", are you getting a new error message? What is the error message? Is the error in the docker log or in the samba log?
  • You wanted to add attachments, maybe this only works if you enter a comment via web and not as a reply via email.
  • Error: EACCES: permission; Does this message occur regularly? Have you changed the folder permissions on the NAS? With each container restart, the owner should be set correctly and the error should disappear.