On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
Hi guys.
I have an old - set up ~2 yrs ago - IPA domain which "survived"
updates/upgrades till this day in such a way that integrated Samba
serves up under a different hostname/domain and serves non-enrolled
clients (win 10) too.
With new deployment, 4.9.6, just adding things to just DNS - which
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect and
get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD
That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but
rather it is, that non-enrolled clients, linux & windows will fail even
if trying a "legitimate" master's Samba.
Is that the default behavior in current version - as I mentioned my
"old" with up-dates/grades IPA allows non-enrolled - and if so can it be
managed into allowing non-enrolled clients?
Log snippet off a master's Samba when non-enrolled Linux connects:
...
[2022/01/17 11:14:09.090933, 2, pid=35744] ipa_sam.c:3645(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720, 1, pid=35744] ../../source3/auth/check_samsec.c:454(check_sam_security)
  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758, 2, pid=35744] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [me254] -> [me254] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/17 11:14:09.099793, 2, pid=35744] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022 11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to [CCN]\[me254]. local host [ipv4:10.0.0.16:445]
  {"timestamp": "2022-01-17T11:14:09.099858+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "me254", "mappedDomain": "CCN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 12172}}
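
For triaging failures like the one logged above, here is an added example (not part of the original post, and not FreeIPA or Samba code) that pulls the JSON authentication records out of an smbd log, even when pasted text has wrapped them across lines, and counts failures per account and client. The function names, the `MARKER` heuristic and every sample record except the first are assumptions made for illustration.

```python
import json
from collections import Counter

# Assumption: JSON audit records begin with this key, as the one in the post does.
MARKER = '{"timestamp"'

# Constructed sample. The first JSON record reuses fields from the log in the
# post, wrapped the way mail clients wrap it; the other records are made up.
SAMPLE_LOG = '''\
[2022/01/17 11:14:09.099758,  2, pid=35744] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [me254] -> [me254] FAILED
{"timestamp": "2022-01-17T11:14:09.099858+0000", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4625, "status": "NT_STATUS_WRONG_PASSWORD",
"remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2",
"clientDomain": "CCN", "clientAccount": "me254", "passwordType": "NTLMv2"}}
{"timestamp": "2022-01-17T11:20:00.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.0.7:40000", "clientDomain": "CCN", "clientAccount": "other", "passwordType": "NTLMv2"}}
{"timestamp": "2022-01-17T11:21:00
'''

def iter_auth_events(text):
    """Yield the inner "Authentication" dict of each JSON auth record in text."""
    decoder = json.JSONDecoder()
    pos = text.find(MARKER)
    while pos != -1:
        try:
            # raw_decode accepts newlines between tokens, so wrapped records parse.
            obj, end = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            end = pos + len(MARKER)  # truncated or garbled record: skip it
        else:
            if obj.get("type") == "Authentication":
                yield obj.get("Authentication", {})
        pos = text.find(MARKER, end)

def failed_logons(text):
    """Count failed logons per (account, client IP, password type, status)."""
    counts = Counter()
    for ev in iter_auth_events(text):
        if ev.get("status") == "NT_STATUS_OK":
            continue
        # "ipv4:10.0.0.6:55170" -> "10.0.0.6": drop the scheme, then the port
        host = (ev.get("remoteAddress") or "").partition(":")[2].rpartition(":")[0]
        account = f'{ev.get("clientDomain")}\\{ev.get("clientAccount")}'
        counts[(account, host, ev.get("passwordType"), ev.get("status"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in failed_logons(SAMPLE_LOG).items():
        print(n, *key)
```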