Samba appearing to not authenticate valid user

jboyce

Dabbler
Joined
Dec 21, 2016
Messages
16
Greetings -

I have 10 users on a TrueNAS system that is configured as a Samba file server. All users are accessing the server via OpenVPN on our gateway device. I have one user that cannot map the Samba share to his Windows 10 box, and I cannot figure out why.

1. I looked in the /var/log/samba4/auth_audit.log file and see that it gives an "NT_STATUS_NO_SUCH_USER" response, but I can't figure out why it is giving that response.

2. All the users were set up on this server at the same time, and they all have the same permissions and are in the same group.

3. All the users are using Windows 10 (except me).

4. All the users properly authenticate with the VPN and get to the internal network.

5. I verified that the user with the problem is using the correct user name and password. I verified as the root user that I can log in via SSH into that user's account, so I am certain the user name and password are correct.

Below are two lines from the Samba auth_audit.log file. The first line is my authenticated login (jeffb), the second line is the user's login that fails (markl). I am assuming that there is something else in this that gives me a better indication of what the issue is that needs to be fixed.

{"timestamp": "2021-12-20T11:24:04.930654-0800", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.120.10:445", "remoteAddress": "ipv4:10.4.2.3:6759", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "jab-prec3610", "clientAccount": "jeffb", "workstation": "JAB-PREC3610", "becameAccount": "jeffb", "becameDomain": "CONDOR", "becameSid": "S-1-5-21-3334089603-2255436485-1770521543-1006", "mappedAccount": "jeffb", "mappedDomain": "jab-prec3610", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv1", "duration": 52093}}

{"timestamp": "2021-12-20T11:24:58.933051-0800", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.120.10:445", "remoteAddress": "ipv4:10.4.2.10:49849", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MARKL", "clientAccount": "markl", "workstation": "MARKL", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "markl", "mappedDomain": "MARKL", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 23073}}

Can someone give me a clue as to what I am missing here? Thanks.

Jeff
 

jboyce

Ok, a little more investigation on my part and I have confirmed that I have one Unix user that is not listed as a Samba user. It does happen to be the very last user that was created when I set up all my users. Checked this with pdbedit -L shown below. It should list the user markl:1008:Mark LaRiviere, but does not. Is there a special incantation to get Samba to synchronize with the Unix users when they are out of sync?


root@condor[~]# pdbedit -L
mikeb:1004:Mike Bonoff
juliap:1005:Julia Pulsifer
danw:1006:Dan Warren
jeannieh:1007:Jeannie Heltzel
jeffb:1000:Jeff Boyce
georgeg:1001:George Gilmour
robynr:1002:Robyn Rice
jasons:1003:Jason Shappart
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
There is an edge-case bug where the next_rid counter in passdb.tdb can cause issues with our book-keeping in middleware. Try this:
Code:
rm /var/db/system/samba4/secrets/passdb.tdb
midclt call smb.synchronize_passdb -job


And see if the issue goes away.
 

jboyce

That certainly put the missing user into the Samba accounts. I won't be able to confirm that he can map a directory until tomorrow morning, but suspect that this will completely solve my issue. For the record, here are the results of those commands on my system. Thanks.

root@condor[~]# rm /var/db/system/samba4/secrets/passdb.tdb
rm: /var/db/system/samba4/secrets/passdb.tdb: No such file or directory
root@condor[~]#
root@condor[~]# midclt call smb.synchronize_passdb -job
Status: (none)
Total Progress: [########################################] 100.00%
null
root@condor[~]#
root@condor[~]# pdbedit -L
mikeb:1004:Mike Bonoff
juliap:1005:Julia Pulsifer
danw:1006:Dan Warren
jeannieh:1007:Jeannie Heltzel
jeffb:1000:Jeff Boyce
markl:1008:Mark LaRiviere
georgeg:1001:George Gilmour
robynr:1002:Robyn Rice
jasons:1003:Jason Shappart
root@condor[~]#
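
The manual triage in this thread (read the failure status from auth_audit.log, then compare against `pdbedit -L`) can be scripted. The following is an added example, not part of any post above and not TrueNAS or Samba code. The sample records are constructed, trimmed copies of the two log lines in the first post; the function and `SAMPLE_*` names are hypothetical, and the set of Unix users is assumed to come from the system's account database.

```python
import json

# Constructed sample input: the thread's two auth_audit.log records trimmed to
# the fields used here, plus shortened `pdbedit -L` output from before the resync.
SAMPLE_LOG = """\
{"timestamp": "2021-12-20T11:24:04.930654-0800", "type": "Authentication", "Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.4.2.3:6759", "clientAccount": "jeffb", "passwordType": "NTLMv1"}}
{"timestamp": "2021-12-20T11:24:58.933051-0800", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:10.4.2.10:49849", "clientAccount": "markl", "passwordType": "NTLMv2"}}
not json: truncated line
"""
SAMPLE_PDBEDIT = "jeffb:1000:Jeff Boyce\ngeorgeg:1001:George Gilmour\n"
SAMPLE_UNIX_USERS = {"jeffb", "georgeg", "markl"}  # assumed: names from the passwd database

def passdb_accounts(pdbedit_output):
    """Account names from `pdbedit -L` lines of the form name:uid:full name."""
    return {l.split(":", 1)[0].lower() for l in pdbedit_output.splitlines() if ":" in l}

def failed_logons(log_text):
    """Map clientAccount -> list of (timestamp, status, remoteAddress) failures."""
    failures = {}
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or non-JSON lines
        auth = record.get("Authentication") if isinstance(record, dict) else None
        if not auth or auth.get("status") == "NT_STATUS_OK":
            continue
        account = (auth.get("clientAccount") or "").lower()
        failures.setdefault(account, []).append(
            (record.get("timestamp"), auth.get("status"), auth.get("remoteAddress")))
    return failures

def triage(log_text, pdbedit_output, unix_users):
    """Classify each failing account by which account database it is missing from."""
    in_passdb = passdb_accounts(pdbedit_output)
    report = {}
    for account, events in failed_logons(log_text).items():
        if account in in_passdb:
            cause = "in passdb: check password or client settings"
        elif account in unix_users:
            cause = "Unix user missing from passdb: resync needed"
        else:
            cause = "unknown account: possible guessing or typo"
        report[account] = (cause, len(events))
    return report

if __name__ == "__main__":
    for account, (cause, n) in triage(SAMPLE_LOG, SAMPLE_PDBEDIT, SAMPLE_UNIX_USERS).items():
        print(f"{account}: {n} failure(s), {cause}")
```

On a live system the three inputs would be the contents of /var/log/samba4/auth_audit.log, the output of `pdbedit -L`, and the local account names.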
 