CIFS - SAMBA DC says schannel_check_required
My OmniOS CIFS server (version omnios-r151032-c2a701036f), joined to a Samba v4.10.4 DC controller on CentOS 7.8. SMB config: no SMBv1, no NetBIOS, signing and encryption turned on, guest access off.
The CIFS server runs fine with normal Kerberos authentication.
On another CentOS server a web application (php-7.3) runs that does not use Kerberos, but authenticates users via an LDAP connection. Connections to shares on the CIFS OmniOS machine are made with php-smbclient, which authenticates with username and password. This does not work.
The weird thing is, command line smbclient connections from the web app machine work without problems. So I took some time to investigate and made pcaps of working and non-working connections. Attached is a screenshot of the pcap (latest version of Wireshark) of the session that fails.
In the DC logs in debug mode the following errors occur:
Jun 13 12:23:47 mydc.mydomain.tld samba: schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/MY-CIFSSERVER
Jun 13 12:23:47 mydc.mydomain.tld samba: schannel_check_required: [MY-CIFSSERVER] is not using schannel
The server authenticates successfully (see packets 30-33), first line in the DC log.
Then, the username/password verification of the end user starts (packet 34 authenticate2). It shows STATUS_ACCESS_DENIED (packet 37). The DC log shows
schannel_check_required: [MY-CIFSSERVER] is not using schannel.
On this page (search for schannel): [[https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html]], from Samba v4.8 (March 13, 2018) on, it shows the schannel setting is mandatory.
My SMB knowledge is limited, but it seems to me something is wrong with the signature of the authenticate2 request when the CIFS server starts the user authentication session with the DC (packet 21, STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE).
192.168.25.5 - Web app
192.168.25.8 - Centos 7.8 - Samba4 DC
192.168.25.9 - OmniOS server Eth0
192.168.25.10 - OmniOS server Eth1
Full packet trace available on request.
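As an added example (not part of the post above, and not Samba code), a small Python script that scans Samba DC log lines of the two kinds quoted in the post and reports, per machine account, whether the DC stored a schannel session key for it and how many NetLogon calls then arrived without schannel, which is the pattern behind the STATUS_ACCESS_DENIED seen here. The sample log lines, timestamps and the host name FILESRV2 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Samba DC debug log lines, modelled on the two lines quoted
# in the post; the second host (FILESRV2) and all timestamps are made up.
SAMPLE_LOG = """\
Jun 13 12:23:47 mydc.mydomain.tld samba: schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/MY-CIFSSERVER
Jun 13 12:23:47 mydc.mydomain.tld samba: schannel_check_required: [MY-CIFSSERVER] is not using schannel
Jun 13 12:25:01 mydc.mydomain.tld samba: schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/FILESRV2
Jun 13 12:30:12 mydc.mydomain.tld samba: schannel_check_required: [MY-CIFSSERVER] is not using schannel
Jun 13 12:31:00 mydc.mydomain.tld samba: some unrelated message
"""

STORED_RE = re.compile(r"stored schannel info with key SECRETS/SCHANNEL/(?P<host>\S+)")
NOSCHANNEL_RE = re.compile(r"schannel_check_required: \[(?P<host>[^\]]+)\] is not using schannel")
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")

def parse_line(line):
    """Return (timestamp, event, host) for the two schannel events, else None."""
    m_ts = TS_RE.match(line)
    ts = m_ts.group("ts") if m_ts else None
    if (m := STORED_RE.search(line)):
        return ts, "stored", m.group("host")
    if (m := NOSCHANNEL_RE.search(line)):
        return ts, "no_schannel", m.group("host")
    return None

def summarise(log_text):
    """Per machine account: was a schannel key stored, and how many NetLogon calls
    then came in without schannel (each one is rejected by the DC)."""
    stats = defaultdict(lambda: {"key_stored": False, "unsecured_calls": 0, "first_seen": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, host = parsed
        entry = stats[host]
        if event == "stored":
            entry["key_stored"] = True
        else:
            entry["unsecured_calls"] += 1
            entry["first_seen"] = entry["first_seen"] or ts
    return dict(stats)

def hosts_needing_attention(log_text):
    """Machine accounts that set up a secure channel but still sent unsecured
    NetLogon requests: the situation described in the post."""
    return sorted(h for h, s in summarise(log_text).items()
                  if s["key_stored"] and s["unsecured_calls"])
```

Run `hosts_needing_attention(open("/var/log/samba/log.samba").read())` against a real log to list the member servers a DC with the default `server schannel = yes` is rejecting.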