Samba does not use PAM from NTLM credentials
Rob Straughan
console at robertstraughan.co.uk
Mon Mar 30 14:21:46 MDT 2015
Hi,
I have a Samba 4.1.6 install on Ubuntu 14.04.2. Underneath, NSS/PAM
setup uses openLDAP and Kerberos 5; this part is working correctly.
I have attached zipped copies of the config files, and of the logs for
this problem (they were at level 10, so a bit of an eyesore to go
through, but they do contain useful information).
From any Linux client, I can use the following commands successfully
(nb: domain == realm):
kinit username
smbclient -k //smbsv.domain/sharedfiles
Now if you look in the logs, you will see that it actually fails to
match the principal name, from the ticket, of "username@REALM", but then
falls through to PAM with just the username, which works because the
account exists in openLDAP, and the Kerberos password authenticates
through PAM. The net result is a valid login with the relevant
permissions, and ability to do everything as expected.
However, I then have a Windows 7 Home Premium x64 client that fails to
log in, because this behaviour does not happen for the user. I have
included logs for what happens if I leave the username based on the
workstation domain, or if I deliberately include the correct Kerberos
realm in the username.
What's curious is that Samba seems to alter the credentials that come
through, specifically this: "Mapped domain from [REALM] to [SMBSV] for
user [username]"
Why did it do this, when it received the correct REALM value in the
first place? Does this change prevent it from falling through to the
underlying PAM mechanism, which is configured with Kerberos defaulting
to REALM?
I need to figure out if I should: a) change a setting in Samba to alter
how it handles the credentials, or b) change a setting in Windows to
alter how it passes the credentials.
Can anybody help with this?
Regards,
Rob.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fromlinux.zip
Type: application/octet-stream
Size: 19790 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150330/0b36660e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fromwin7.withrealm.zip
Type: application/octet-stream
Size: 7672 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150330/0b36660e/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fromwin7.withworkstation.zip
Type: application/octet-stream
Size: 7642 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150330/0b36660e/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5.zip
Type: application/octet-stream
Size: 273 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150330/0b36660e/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb.zip
Type: application/octet-stream
Size: 515 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150330/0b36660e/attachment-0004.obj>
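Added example, not part of Rob's message or of Samba's own code: a small Python filter that pulls the "Mapped domain from [...] to [...] for user [...]" message quoted above out of Samba log lines and reports the cases where a credential that arrived carrying the Kerberos realm as its domain was re-homed to a different name, which is the event that precedes the failed Windows logon. The sample log lines, the REALM and SMBSV names and the "username" account are constructed placeholders standing in for the attached logs.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Matches the Samba auth log message quoted in the post; only the bracketed
# fields vary between occurrences.
MAP_RE = re.compile(
    r"Mapped domain from \[(?P<src>[^\]]*)\] to \[(?P<dst>[^\]]*)\] "
    r"for user \[(?P<user>[^\]]*)\]"
)


@dataclass(frozen=True)
class DomainMapEvent:
    user: str
    src_domain: str
    dst_domain: str


def parse_domain_mappings(lines: Iterable[str]) -> List[DomainMapEvent]:
    """Extract every domain-mapping event from raw Samba log lines."""
    events = []
    for line in lines:
        m = MAP_RE.search(line)
        if m:
            events.append(DomainMapEvent(m["user"], m["src"], m["dst"]))
    return events


def find_realm_remaps(events: Iterable[DomainMapEvent], realm: str) -> List[DomainMapEvent]:
    """Keep the events where the incoming domain was the Kerberos realm but the
    credential was rewritten to some other domain name (case-insensitive)."""
    return [
        e for e in events
        if e.src_domain.upper() == realm.upper()
        and e.dst_domain.upper() != realm.upper()
    ]


# Constructed sample lines in the shape of a Samba log; timestamps, the
# REALM/SMBSV names and the accounts are placeholders, not the attached logs.
SAMPLE_LOG = [
    "[2015/03/30 14:21:46.000001, 10] (constructed filler line, no mapping)",
    "[2015/03/30 14:21:46.000002,  5] Mapped domain from [REALM] to [SMBSV] for user [username]",
    "[2015/03/30 14:21:46.000003,  5] Mapped domain from [WORKSTATION] to [SMBSV] for user [username]",
    "[2015/03/30 14:21:47.000001,  5] Mapped domain from [SMBSV] to [SMBSV] for user [other]",
]

if __name__ == "__main__":
    for e in find_realm_remaps(parse_domain_mappings(SAMPLE_LOG), "REALM"):
        print(f"{e.user}: realm {e.src_domain} rewritten to {e.dst_domain}")
```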