SOLVED Authentication on Samba share with local user with Active Directory enabled

templar

Cadet
Joined
Feb 24, 2024
Messages
3
I have TrueNAS with local and Active Directory users. I want to use it as extra storage for Proxmox backups, so for Proxmox I created a local user "pve" and an extra Samba share only for this user. Proxmox connects to this share if Active Directory on TrueNAS is disabled. But if I enable it, Proxmox shows this error:
Code:
connection check for storage 'nas-smb' failed - session setup failed: NT_STATUS_LOGON_FAILURE (500)

In TrueNAS Logs I found those lines:

Code:
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.333463,  3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Feb 29 22:16:47 nas-serv smbd[327736]:   Got NTLMSSP neg_flags=0xe2088235
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.333877,  3] ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
Feb 29 22:16:47 nas-serv smbd[327736]:   Got user=[pve] domain=[] workstation=[pve3] len1=0 len2=174
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.333937,  3] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
Feb 29 22:16:47 nas-serv smbd[327736]:   check_ntlm_password:  Checking password for unmapped user []\[pve]@[pve3] with the new password interface
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.333963,  3] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
Feb 29 22:16:47 nas-serv smbd[327736]:   check_ntlm_password:  mapped user is: []\[pve]@[pve3]
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334100,  3] ../../source3/passdb/lookup_sid.c:1710(get_primary_group_sid)
Feb 29 22:16:47 nas-serv smbd[327736]:   Primary group S-1-5-21-2868696844-2172991825-3234253970-1006 for user pve is a Local Group and not a domain group
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334131,  3] ../../source3/passdb/lookup_sid.c:1720(get_primary_group_sid)
Feb 29 22:16:47 nas-serv smbd[327736]:   Forcing Primary Group to 'Domain Users' for pve
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334364,  3] ../../source3/passdb/lookup_sid.c:1710(get_primary_group_sid)
Feb 29 22:16:47 nas-serv smbd[327736]:   Primary group S-1-5-21-2868696844-2172991825-3234253970-1006 for user pve is a Local Group and not a domain group
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334398,  3] ../../source3/passdb/lookup_sid.c:1720(get_primary_group_sid)
Feb 29 22:16:47 nas-serv smbd[327736]:   Forcing Primary Group to 'Domain Users' for pve
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334619,  3] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
Feb 29 22:16:47 nas-serv smbd[327736]:   auth_check_ntlm_password: sam authentication for user [pve] succeeded
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334681,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Feb 29 22:16:47 nas-serv smbd[327736]:   Auth: [SMB2,(null)] user []\[pve] at [Thu, 29 Feb 2024 22:16:47.334670 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [pve3] remote host [ipv4:192.168.8.17:40526] became [NAS]\[pve] [S-1-5-21-2868696844-2172991825-3234253970-20072]. local host [ipv4:192.168.8.42:445]
Feb 29 22:16:47 nas-serv smbd[327736]:   {"timestamp": "2024-02-29T22:16:47.334722+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.8.42:445", "remoteAddress": "ipv4:192.168.8.17:40526", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "pve", "workstation": "pve3", "becameAccount": "pve", "becameDomain": "NAS", "becameSid": "S-1-5-21-2868696844-2172991825-3234253970-20072", "mappedAccount": "pve", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 1338}}
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334769,  2] ../../source3/auth/auth.c:324(auth_check_ntlm_password)
Feb 29 22:16:47 nas-serv smbd[327736]:   check_ntlm_password:  authentication for user [pve] -> [pve] -> [pve] succeeded
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334793,  3] ../../source3/param/loadparm.c:4000(lp_load_ex)
Feb 29 22:16:47 nas-serv smbd[327736]:   lp_load_ex: refreshing parameters
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334844,  3] ../../source3/param/loadparm.c:560(init_globals)
Feb 29 22:16:47 nas-serv smbd[327736]:   Initialising global parameters
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.334925,  3] ../../source3/param/loadparm.c:2902(lp_do_section)
Feb 29 22:16:47 nas-serv smbd[327736]:   Processing section "[global]"
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.335342,  3] ../../source3/param/loadparm.c:2902(lp_do_section)
Feb 29 22:16:47 nas-serv smbd[327736]:   Processing section "[GLOBAL]"
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.335559,  1] ../../lib/param/loadparm.c:1909(lpcfg_do_global_parameter)
Feb 29 22:16:47 nas-serv smbd[327736]:   lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.335627,  3] ../../source3/param/loadparm.c:1686(lp_add_ipc)
Feb 29 22:16:47 nas-serv smbd[327736]:   adding IPC service
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.335691,  3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
Feb 29 22:16:47 nas-serv smbd[327736]:   NTLMSSP Sign/Seal - Initialising with flags:
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.335733,  3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Feb 29 22:16:47 nas-serv smbd[327736]:   Got NTLMSSP neg_flags=0xe2088235
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.335791,  3] ../../source3/lib/util_names.c:84(is_allowed_domain)
Feb 29 22:16:47 nas-serv smbd[327736]:   is_allowed_domain: Not trusted domain 'NAS'
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.335816,  3] ../../source3/auth/auth_util.c:489(create_local_token)
Feb 29 22:16:47 nas-serv smbd[327736]:   create_local_token: Authentication failed for user [pve] from firewalled domain [NAS]
Feb 29 22:16:47 nas-serv smbd[327736]: [2024/02/29 22:16:47.335845,  3] ../../source3/smbd/smb2_server.c:3962(smbd_smb2_request_error_ex)
Feb 29 22:16:47 nas-serv smbd[327736]:   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_AUTHENTICATION_FIREWALL_FAILED] || at ../../source3/smbd/smb2_sesssetup.c:147


"NAS" was the first hostname I gave it on installation, but then I renamed it to "nas-serv".

My configuration, if that matters:
Proxmox cluster with 4 members,
Member 1 with Samba as Active Directory server in LXC container
Member 2 with TrueNAS in VM

TrueNAS-SCALE-23.10.2
Samba: 4.19.3
Proxmox: 8.1.4
 

templar

Cadet
Joined
Feb 24, 2024
Messages
3
Code:
admin@nas-serv[~]$ wbinfo --trusted-domains --verbose
Domain Name     DNS Domain                                                       Trust Type  Transitive  In   Out
BUILTIN                                                                          Local
NAS-SERV                                                                         Local
MY-DOMAIN        MY-DOMAIN.COM                                                     Workstation Yes         No   Yes  


It looks like I still have to change "nas" to "nas-serv" somewhere. But where?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This is your netbios name. See SMB form. NOTE: changing this will require you to leave and re-join active directory. It's probably easier to just connect with \\NAS-SERV\<username>
 

templar

Cadet
Joined
Feb 24, 2024
Messages
3
This is your netbios name. See SMB form. NOTE: changing this will require you to leave and re-join active directory. It's probably easier to just connect with \\NAS-SERV\<username>
The right value was already there. But I tried to rejoin the domain anyway, and it didn't help. It helps if I explicitly tell Proxmox to use "NAS-SERV" as the domain, but I would like to omit it.

What did you mean by connecting to "\\NAS-SERV\<username>"?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The right value was already there. But I tried to rejoin the domain anyway, and it didn't help. It helps if I explicitly tell Proxmox to use "NAS-SERV" as the domain, but I would like to omit it.

What did you mean by connecting to "\\NAS-SERV\<username>"?
Okay. Looks like we are saying the same thing. Generally speaking, NAS-SERV is required for local users. Otherwise, the username underdetermines who should be authenticated.
 
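The failure visible in templar's log excerpt and the explanation in the last reply, as an added worked example (this is not code from the thread, from TrueNAS or from Samba): a small Python parser for the JSON "Authentication" audit records that smbd writes at log level 3 (format version 1.2, the shape of the record in the log above), run over the record templar posted plus two constructed ones. The point it makes visible is that the audit record for the bare "pve" logon reports NT_STATUS_OK, because the SAM password check succeeded; the rejection only happens afterwards in create_local_token, which has no JSON record, so anything alerting on `status` alone never sees it. What does identify the case is an empty `clientDomain` together with a `becameDomain` ("NAS", the stale NetBIOS name) that differs from the name the NAS should be answering to ("NAS-SERV" here, an assumption taken from the `wbinfo --trusted-domains` output). A client that sends NAS-SERV\pve explicitly, which is what templar found works, lands in the "local" bucket instead.

```python
import json
import re
from dataclasses import dataclass

# Assumption: the NetBIOS name local users should resolve into, i.e. the name
# `wbinfo --trusted-domains` lists with trust type "Local".
EXPECTED_NETBIOS = "NAS-SERV"

# smbd prefixes the JSON record with a syslog header; locate the object start.
_JSON_START = re.compile(r'\{"timestamp"')


@dataclass
class AuthEvent:
    timestamp: str
    status: str
    client_domain: str    # domain part the client sent ("" for a bare "pve")
    client_account: str
    became_domain: str    # domain smbd resolved the account into
    became_account: str
    remote: str
    password_type: str


def parse_auth_line(line: str):
    """Return an AuthEvent for a Samba JSON "Authentication" audit record,
    or None for any other smbd log line (debug text, non-auth JSON)."""
    m = _JSON_START.search(line)
    if m is None:
        return None
    try:
        rec = json.loads(line[m.start():])
    except json.JSONDecodeError:
        return None
    if rec.get("type") != "Authentication":
        return None
    a = rec["Authentication"]
    return AuthEvent(
        timestamp=rec.get("timestamp", ""),
        status=a.get("status") or "",
        client_domain=a.get("clientDomain") or "",
        client_account=a.get("clientAccount") or "",
        became_domain=a.get("becameDomain") or "",
        became_account=a.get("becameAccount") or "",
        remote=a.get("remoteAddress") or "",
        password_type=a.get("passwordType") or "",
    )


def classify(ev: AuthEvent, expected_netbios: str = EXPECTED_NETBIOS) -> str:
    """Label an event by how the account was addressed and where it landed.

    'stale-local-domain': no domain sent and smbd mapped the user into a
      domain other than the expected NetBIOS name. In the thread this is the
      NT_STATUS_OK record that is followed by "Not trusted domain 'NAS'" and
      NT_STATUS_AUTHENTICATION_FIREWALL_FAILED.
    'local-no-domain': no domain sent, mapped into the expected NetBIOS name.
    'local': the client explicitly sent NETBIOS\\user.
    'domain': the client sent some other (AD) domain.
    """
    want = expected_netbios.upper()
    if ev.client_domain == "":
        return "local-no-domain" if ev.became_domain.upper() == want else "stale-local-domain"
    if ev.client_domain.upper() == want:
        return "local"
    return "domain"


def scan(lines, expected_netbios: str = EXPECTED_NETBIOS):
    """Return [(AuthEvent, label)] for every audit record found in `lines`."""
    out = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is not None:
            out.append((ev, classify(ev, expected_netbios)))
    return out


# Sample input. The first record is the one posted in the thread; the second
# and third are constructed to show the other outcomes; the last line is a
# plain debug line that the parser must skip.
SAMPLE_LINES = [
    'Feb 29 22:16:47 nas-serv smbd[327736]:   {"timestamp": "2024-02-29T22:16:47.334722+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.8.42:445", "remoteAddress": "ipv4:192.168.8.17:40526", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "pve", "workstation": "pve3", "becameAccount": "pve", "becameDomain": "NAS", "becameSid": "S-1-5-21-2868696844-2172991825-3234253970-20072", "mappedAccount": "pve", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 1338}}',
    # constructed: same client, but sent as NAS-SERV\pve
    'Feb 29 22:30:01 nas-serv smbd[327801]:   {"timestamp": "2024-02-29T22:30:01.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.8.42:445", "remoteAddress": "ipv4:192.168.8.17:40600", "serviceDescription": "SMB2", "clientDomain": "NAS-SERV", "clientAccount": "pve", "workstation": "pve3", "becameAccount": "pve", "becameDomain": "NAS-SERV", "mappedAccount": "pve", "mappedDomain": "NAS-SERV", "passwordType": "NTLMv2", "duration": 900}}',
    # constructed: an AD account from the joined domain
    'Feb 29 22:31:15 nas-serv smbd[327810]:   {"timestamp": "2024-02-29T22:31:15.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.8.42:445", "remoteAddress": "ipv4:192.168.8.23:51022", "serviceDescription": "SMB2", "clientDomain": "MY-DOMAIN", "clientAccount": "backup-svc", "workstation": "WS01", "becameAccount": "backup-svc", "becameDomain": "MY-DOMAIN", "mappedAccount": "backup-svc", "mappedDomain": "MY-DOMAIN", "passwordType": "NTLMv2", "duration": 2100}}',
    "Feb 29 22:16:47 nas-serv smbd[327736]:   is_allowed_domain: Not trusted domain 'NAS'",
]

if __name__ == "__main__":
    for ev, label in scan(SAMPLE_LINES):
        print(f"{ev.timestamp} {ev.client_domain or '<none>'}\\{ev.client_account} "
              f"-> {ev.became_domain}\\{ev.became_account} {ev.status} [{label}]")
```

Set `EXPECTED_NETBIOS` to whatever `wbinfo --trusted-domains` reports as Local on your own box; the label only tells you that a domainless logon resolved somewhere other than that name, not why (the stale "NAS" in templar's case is still something the server configuration has to explain).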