# Samba4 customization



## lucas1 (Jan 25, 2021)

Good day.

Installed Samba4 from a package. Created a share in smb4.conf.

Server role: ROLE_STANDALONE.

Added users with `pdbedit -a`.
`pdbedit -L` shows the list of added Samba users.

Error while trying to connect to share from Windows:

```
auth_check_ntlm_password: sam_ignoredomain authentication for user [user@hostname] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
```
What do you advise?


----------



## SirDice (Jan 25, 2021)

Make sure you don't have any old attempts cached on Windows. Look at the output from `net use` in a command prompt. You can use `/DELETE` to remove those.


----------



## msplsh (Jan 25, 2021)

Get the log from samba instead.


----------



## lucas1 (Jan 25, 2021)

There are no old attempts cached.

Now this is in the log:


```
[2021/01/25 17:02:32.292516,  3] ../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
  Got user=[lucas] domain=[freebsdtr] workstation=[OIT_1] len1=24 len2=24
[2021/01/25 17:02:32.292660,  5] ../../source3/auth/auth_util.c:124(make_user_info_map)
  Mapping user [freebsdtr]\[lucas] from workstation [OIT_1]
[2021/01/25 17:02:32.292686,  5] ../../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for lucas (lucas)
[2021/01/25 17:02:32.292710,  5] ../../source3/auth/user_info.c:72(make_user_info)
  making strings for lucas's user_info struct
[2021/01/25 17:02:32.292740,  5] ../../source3/auth/user_info.c:117(make_user_info)
  making blobs for lucas's user_info struct
[2021/01/25 17:02:32.292766,  3] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [freebsdtr]\[lucas]@[OIT_1] with the new password interface
[2021/01/25 17:02:32.292793,  3] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [freebsdtr]\[lucas]@[OIT_1]
[2021/01/25 17:02:32.293703,  5] ../../source3/auth/auth.c:263(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [lucas] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/01/25 17:02:32.293740,  2] ../../source3/auth/auth.c:347(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [lucas] -> [lucas] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/01/25 17:02:32.293799,  5] ../../auth/ntlmssp/ntlmssp_server.c:816(ntlmssp_server_auth_done)
  ntlmssp_server_auth_done: Checking NTLMSSP password for freebsdtr\lucas failed: NT_STATUS_WRONG_PASSWORD
[2021/01/25 17:02:32.293835,  5] ../../auth/gensec/gensec.c:543(gensec_update_done)
  gensec_update_done: ntlmssp[0x80bb18e60]: NT_STATUS_WRONG_PASSWORD
[2021/01/25 17:02:32.293862,  3] ../../auth/gensec/spnego.c:1445(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_PASSWORD
[2021/01/25 17:02:32.293889,  5] ../../auth/gensec/gensec.c:543(gensec_update_done)
  gensec_update_done: spnego[0x80bb18a60]: NT_STATUS_WRONG_PASSWORD
```
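
Added example (not part of the original post): a small parser for the Samba log layout shown above, where a bracketed header line is followed by indented message lines, that pulls out failed logons and counts them per user and NT status. The sample log is constructed from the records quoted in this thread, and the names `parse_records`, `failed_logons` and `summarize` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Record header: "[date time.usec,  level] source_file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):\d+\((?P<func>\w+)\)\s*$")
# Summary line auth_check_ntlm_password writes at log level 2 for a failed logon.
FAILED = re.compile(r"Authentication for user \[(?P<client>[^\]]*)\] -> "
                    r"\[(?P<mapped>[^\]]*)\] FAILED with error (?P<status>NT_STATUS_\w+)")

# Constructed sample, modelled on the records quoted in this thread.
SAMPLE_LOG = """\
[2021/01/25 16:58:10.101000,  2] ../../source3/auth/auth.c:347(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user@hostname] -> [user@hostname] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2021/01/25 17:02:32.292686,  5] ../../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for lucas (lucas)
[2021/01/25 17:02:32.293740,  2] ../../source3/auth/auth.c:347(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [lucas] -> [lucas] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/01/25 17:03:05.510220,  2] ../../source3/auth/auth.c:347(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [lucas] -> [lucas] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
"""

def parse_records(text):
    """Attach the indented message lines to the header line that precedes them."""
    records = []
    for raw in text.splitlines():
        header = HEADER.match(raw)
        if header:
            records.append({**header.groupdict(), "msg": ""})
        elif records and raw[:1].isspace():
            records[-1]["msg"] += raw.strip() + " "
    return records

def failed_logons(text):
    """Return (timestamp, client-supplied user, NT status) for each failed logon."""
    hits = []
    for rec in parse_records(text):
        found = FAILED.search(rec["msg"])
        if found:
            hits.append((rec["ts"], found["client"], found["status"]))
    return hits

def summarize(text):
    """Count failures per user and status, e.g. to spot repeated wrong passwords."""
    counts = defaultdict(Counter)
    for _, user, status in failed_logons(text):
        counts[user][status] += 1
    return {user: dict(c) for user, c in counts.items()}

if __name__ == "__main__":
    for user, statuses in summarize(SAMPLE_LOG).items():
        print(user, statuses)
```

Matching only the level-2 summary line avoids counting the same failure twice when the higher-level `sam_ignoredomain` line is also logged.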


----------



## SirDice (Jan 25, 2021)

lucas1 said:


> login failed: NT_STATUS_WRONG_PASSWORD


Seems fairly obvious why it fails. Make sure you use the password you set with pdbedit(8), not your login password (these can be different).


----------



## lucas1 (Jan 25, 2021)

The fact that the error is obvious - I agree.
And this is not the login password.
The Samba user's password is very simple.


----------



## lucas1 (Jan 25, 2021)

ntlm auth = *yes*


----------



## msplsh (Jan 25, 2021)

`ntlm auth = yes` is a deviation from the default.  Why allow NTLMv1?  Post the smb.conf file if you can.

I have 4.13 running just fine and the only deviations I have are some Mac-specific extensions and it works just fine on W10.
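
Added example (not part of the original post): a check that reads smb.conf text and reports whether `ntlm auth` in `[global]` permits NTLMv1. It assumes the values documented in smb.conf(5), where `yes` is the alias of `ntlmv1-permitted` and the default is `ntlmv2-only`; the sample configurations are constructed and the function names are hypothetical.

```python
# Values of "ntlm auth" that let clients authenticate with NTLMv1.
WEAK = {"yes", "ntlmv1-permitted"}
DEFAULT = "ntlmv2-only"   # used when the parameter is not set at all

# Constructed samples: the setting from this thread, and the explicit default.
WEAK_CONF = """\
[Global]
   server role = standalone server
   NTLM  Auth = \\
      yes
[share]
   path = /srv/share
"""
HARDENED_CONF = """\
[global]
   server role = standalone server
   ; ntlm auth = yes
   ntlm auth = ntlmv2-only
"""

def normalize(name):
    # smb.conf(5): case and whitespace in section and parameter names are irrelevant.
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalized names."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = normalize(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            conf[section][normalize(name)] = value.strip()
    return conf

def audit_ntlm_auth(text):
    """Report the effective "ntlm auth" value and whether NTLMv1 is permitted."""
    value = parse_smb_conf(text).get("global", {}).get("ntlmauth", DEFAULT).lower()
    return {"value": value, "ntlmv1_permitted": value in WEAK}

if __name__ == "__main__":
    print(audit_ntlm_auth(WEAK_CONF), audit_ntlm_auth(HARDENED_CONF))
```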


----------



## lucas1 (Jan 27, 2021)

Good day.

How to force a computer with FreeBSD to perform a broadcast WINS request?  
Which package?

I want to join the FreeBSD computer to the domain. The FreeBSD computer does not resolve its own name
without using /etc/hosts.


----------



## SirDice (Jan 27, 2021)

lucas1 said:


> How to force a computer with FreeBSD to perform a broadcast WINS request?


WINS is a dead protocol. It died along with NT4 and Windows 95/98, don't rely on that awful protocol. Use DNS like every Windows version since 2000 has done.



lucas1 said:


> I want to join the FreeBSD computer to the domain. The FreeBSD computer does not resolve its own name
> without using /etc/hosts.


DNS is the keyword here. Domain controllers are found by querying DNS for certain SRV records.









Verify that SRV Domain Name System (DNS) records have been created - Windows Server (docs.microsoft.com): Describes how to verify Service Location (SRV) locator resource records for a domain controller after you install the Active Directory directory service.


----------



## lucas1 (Jan 28, 2021)

I guess I didn't fully describe the situation.
Here is the error text when joining the domain:

```
No DNS domain configured for freebsdtr. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
```

1. `nslookup mydomain.com` resolves to the IP addresses of the domain controllers from the computer with NetBIOS name freebsdtr.
  There is no record on the DNS server in zone mydomain.com for the computer name freebsdtr.
How to *auto-register* and *dynamically update* a record for freebsdtr on the DNS server?

2. Computer freebsdtr is visible in the network environment on Windows computers.
But `ping freebsdtr` on it gives "cannot resolve freebsdtr: Host name lookup failure".
How to force a computer with FreeBSD to perform a broadcast NetBIOS request?


----------



## lucas1 (Jan 28, 2021)

Added the IP address and FQDN to the /etc/hosts file.
Joined the domain.

How to add Domain Admins to BUILTIN\administrators in Samba?


----------



## lucas1 (Jan 28, 2021)

How to add Domain Admins to BUILTIN\administrators in Samba - it is no longer necessary.


----------



## lucas1 (Mar 3, 2021)

Good day. 

There is this error in the samba4 logs when workstations access a shared resource:

```
[2021/03/03 11:46:46.795529,  3] ../../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username Domain\user_n is invalid on this system
```

Moreover, this error occurs only for domain users whose names contain *the _ (underscore) symbol.*

There is no need to write about the fact that such names should not be used.

Is there some kind of solution for smb4.conf or kerberos.conf?


----------



## lucas1 (Mar 4, 2021)

smb4.conf:

```
winbind normalize names = no
```

or do not use this parameter.

Something like this.


----------

