user4633410

Reputation: 39

Authentication Failure On Samba Shares After Upgrading To MacOS Sonoma 14.3

Problem:

I have a Samba server, version 4.15.13-Ubuntu. Everything works fine, but I have problems authenticating to shares with Sonoma 14.3 (all previous Mac versions work, Windows clients work).

I can log in as another user whose password has not been changed for a long time.

Yesterday, I was able to log in with a test password which I changed 2 days ago, but if I change the password again, I am unable to log in with the new password. If I change back to the old password, I can log in with the old password. Both tested passwords (the old and the new one) have the same length and no special characters.

And the best one: sometimes it works when I insert my username normally, and sometimes it works when inserting my username with capital letters.

Logfiles / Error messages:

[2024/02/08 12:36:12.185684, 3] ../../libcli/auth/ntlm_check.c:492(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user testuser
[2024/02/08 12:36:12.185714, 3] ../../libcli/auth/ntlm_check.c:637(ntlm_password_check)
  ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user testuser
[2024/02/08 12:36:12.185975, 2] ../../source3/auth/auth.c:345(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2024/02/08 12:36:12.186017, 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [SMB-SERVER][testuser] at [Thu, 08 Feb 2024 12:36:12.186007 CET] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [VPN-MAN-40-99] remote host [ipv4:192.168.40.99:50378] mapped to [SMB-SERVER][testuser]. local host [ipv4:192.168.57.192:445]
  {"timestamp": "2024-02-08T12:36:12.186062+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.57.192:445", "remoteAddress": "ipv4:192.168.40.99:50378", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "SMB-SERVER", "clientAccount": "testuser", "workstation": "VPN-MAN-40-99", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "testuser", "mappedDomain": "SMB-SERVER", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 16017}}
[2024/02/08 12:36:12.186098, 3] ../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_PASSWORD
[2024/02/08 12:36:12.186114, 3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:147

smb.conf
--------
[global]
netbios name = smb-server 
workgroup = MYWORKGROUP 
server string = Samba Server
log file      = /var/log/samba/log.%m
log level    = 3
max log size  = 1000
invalid users = nobody root
printable = no 
security      = USER
server min protocol = SMB2
server max protocol = SMB3
client min protocol = SMB2
ntlm auth = yes 
passdb backend = smbpasswd 
smb encrypt = auto
obey pam restrictions = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
pam password change = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
passwd chat debug = No

Tests:

sudo testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

In advance, thank you for any hint.

Upvotes: 2

Views: 2068
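The JSON authentication records that smbd writes next to its text log, as in the excerpt in the question, can be extracted and grouped to show which spelling of a username fails and which succeeds. This is an added example, not part of the original post: the sample records are constructed (field names and the failing record's values follow the log above, the successful record is made up), and the function names are hypothetical.

```python
import json
from collections import defaultdict


def _sample(account, status):
    """Build one constructed log fragment: text prefix + JSON record + next header."""
    rec = {"timestamp": "2024-02-08T12:36:12.186062+0100", "type": "Authentication",
           "Authentication": {"status": status, "clientAccount": account,
                              "mappedAccount": "testuser",
                              "remoteAddress": "ipv4:192.168.40.99:50378",
                              "workstation": "VPN-MAN-40-99",
                              "passwordType": "NTLMv2"}}
    return ("[2024/02/08 12:36:12.186017, 2] Auth: ... " + json.dumps(rec)
            + " [2024/02/08 12:36:12.186098, 3] ")


# Constructed input: two failures, one success, and a record cut off mid-line.
SAMPLE_LOG = (_sample("testuser", "NT_STATUS_WRONG_PASSWORD")
              + _sample("testuser", "NT_STATUS_WRONG_PASSWORD")
              + _sample("TESTUSER", "NT_STATUS_OK")
              + '{"timestamp": "2024-02-08T12:40')


def auth_events(text):
    """Yield the Authentication object of every JSON auth record found in text."""
    decoder = json.JSONDecoder()
    pos = 0
    while (start := text.find('{"timestamp"', pos)) != -1:
        try:
            obj, pos = decoder.raw_decode(text, start)  # works mid-line too
        except json.JSONDecodeError:
            pos = start + 1  # truncated or rotated record: skip it
            continue
        if obj.get("type") == "Authentication":
            yield obj["Authentication"]


def outcomes_by_spelling(text):
    """Return {mapped account: {spelling as typed: {status: count}}}."""
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for ev in auth_events(text):
        mapped = (ev.get("mappedAccount") or ev.get("clientAccount") or "").lower()
        table[mapped][ev.get("clientAccount")][ev.get("status")] += 1
    return {m: {s: dict(c) for s, c in sp.items()} for m, sp in table.items()}


if __name__ == "__main__":
    print(json.dumps(outcomes_by_spelling(SAMPLE_LOG), indent=2))
```
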

Answers (1)

Birgit Ducarroz

Reputation: 11

You describe that you changed the password again and that the old password worked. And that it worked sometimes with capital letters and sometimes without capital letters.

Based on your information, I did some tests and found the following workaround: Restart your Mac, then try again. If the log-on after the restart does not work with your normal user name, use capital letters.

My Tests:

  • Changing Samba password --> same problem as described.
  • Going back to a snapshot of the Samba server: login with old password works again. So I assumed that the problem comes from the Mac client.
  • Tried to delete caches on Mac, deleted password in the keychain file. Did not help.
  • Since the old password works and since a new password worked after retrying one or two days later, I assume that a restart of the Mac could help.
  • So, I changed the password on the Samba server, then restarted the Mac.
  • I did this test several times, it worked all the time.

It would be interesting to know what Sonoma clears exactly after a restart - since flushing all local caches did not help.

Upvotes: 1
