[Samba] problem authenticating with kerberos and smb

Rowland Penny rowlandpenny at googlemail.com
Thu Nov 27 09:45:36 MST 2014


On 27/11/14 16:07, Michael Edwards wrote:
> Hi folks
>
> We're having a bit of an issue with a CentOS 6.5 box that is running
> Samba 3.6.23-12.  Everything was running fine until Samba was upgraded
> from 3.6.9-169 to 3.6.23-12 last month, and we're now having problems
> accessing the machine or any shares on it.
>
> The machine is joined to a Windows 2008 R2 Active Directory, and we're
> using Kerberos for authenticating users.  The issue only occurs when
> we're using Kerberos - when using NTLM there are no problems.  The
> machine also runs NFS, which is working fine when using Kerberos.  See
> below gist for log level = 10 smb log.  There is an example of the
> process working while using NTLM, and a few examples of it not working
> when using Kerberos.
>
> https://gist.github.com/mikes1988/381d507891b493a4e8ff
>
> We've spent some time looking through the log, trying to pinpoint
> exactly where it's breaking, and suspect that it's going wrong around
> the lines I've pasted below.  It looks like the domain information is
> getting lost along the way, and then when we get to lookup_sid.c we're
> getting the mismatched sids, presumably because one sid is for HGVNAS,
> and the other is for DOMAIN.  Output of sudo net getlocalsid and sudo
> net getlocalsid DOMAIN are below, showing the two sids that are shown in
> the log.
>
> edwam at hgvnas:~$ sudo net getlocalsid
> SID for domain HGVNAS is: S-1-5-21-127897388-885368389-1514669401
> edwam at hgvnas:~$ sudo net getlocalsid DOMAIN
> SID for domain DOMAIN is: S-1-5-21-2809677999-1344825738-4163663879
>
> I would appreciate any feedback on where we're going wrong, I've pasted
> our current configuration after the log - is there a configuration
> option that we've missed along the way, that is now required in the
> newer versions?  Please let me know if there are any other logs or
> configs that you need to help.
>
> [2014/11/27 12:23:55.365650, 10] libsmb/clikrb5.c:1155(get_key_from_keytab)
>    get_key_from_keytab: will look for kvno 2, enctype 23 and name:
> host/hgvnas.inside.local at INSIDE.LOCAL
> [2014/11/27 12:23:55.365721,  3]
> libads/kerberos_verify.c:267(ads_keytab_verify_ticket)
>    libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab
> succeeded for principal host/hgvnas.inside.local at INSIDE.LOCAL
> [2014/11/27 12:23:55.365799, 10]
> libsmb/clikrb5.c:955(get_krb5_smb_session_key)
>    Got KRB5 session key of length 16
> [2014/11/27 12:23:55.365833, 10] libsmb/clikrb5.c:396(unwrap_pac)
>    authorization data is not a Windows PAC (type: 141)
> [2014/11/27 12:23:55.365863,  3]
> libads/kerberos_verify.c:684(ads_verify_ticket)
>    libads/kerberos_verify.c:684: did not retrieve auth data. continuing
> without PAC
> [2014/11/27 12:23:55.365928,  3]
> auth/user_krb5.c:50(get_user_from_kerberos_info)
>    Kerberos ticket principal name is [edwam at INSIDE.LOCAL]
> [2014/11/27 12:23:55.365977, 10]
> auth/user_krb5.c:96(get_user_from_kerberos_info)
>    Mapping [INSIDE.LOCAL] to short name using winbindd
> [2014/11/27 12:23:55.366275, 10]
> auth/user_krb5.c:112(get_user_from_kerberos_info)
>    Domain is [DOMAIN] (using Winbind)
> [2014/11/27 12:23:55.366334,  5] lib/username.c:171(Get_Pwnam_alloc)
>    Finding user DOMAIN\edwam
> [2014/11/27 12:23:55.366365,  5] lib/username.c:116(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as lowercase is domain\edwam
> [2014/11/27 12:23:55.366546,  5] lib/username.c:124(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as given is DOMAIN\edwam
> [2014/11/27 12:23:55.366704,  5] lib/username.c:134(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as uppercase is DOMAIN\EDWAM
> [2014/11/27 12:23:55.366978,  5] lib/username.c:143(Get_Pwnam_internals)
>    Checking combinations of 0 uppercase letters in domain\edwam
> [2014/11/27 12:23:55.367022,  5] lib/username.c:149(Get_Pwnam_internals)
>    Get_Pwnam_internals didn't find user [DOMAIN\edwam]!
> [2014/11/27 12:23:55.367057,  5] lib/username.c:171(Get_Pwnam_alloc)
>    Finding user edwam
> [2014/11/27 12:23:55.367094,  5] lib/username.c:116(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as lowercase is edwam
> [2014/11/27 12:23:55.367124,  5] lib/username.c:149(Get_Pwnam_internals)
>    Get_Pwnam_internals did find user [edwam]!
> [2014/11/27 12:23:55.367170,  6] param/loadparm.c:7490(lp_file_list_changed)
>    lp_file_list_changed()
>    file /etc/samba/smb.shares.conf -> /etc/samba/smb.shares.conf  last mod_time: Tue Oct 22 14:30:34 2013
>    file /etc/samba/smb.server.conf -> /etc/samba/smb.server.conf  last mod_time: Thu Nov 27 11:19:31 2014
>    file /etc/samba/smb.rhel.conf -> /etc/samba/smb.rhel.conf  last mod_time: Thu Jan  1 01:00:00 1970
>    file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Wed Nov 26 11:26:10 2014
> [2014/11/27 12:23:55.367358,  5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
>    pdb_getsampwnam (TDB): error fetching database.
>     Key: USER_edwam
> [2014/11/27 12:23:55.367399, 10] auth/user_krb5.c:239(make_server_info_krb5)
>    didn't find user edwam in passdb, calling make_server_info_pw
> [2014/11/27 12:23:55.367432, 10] passdb/lookup_sid.c:76(lookup_name)
>    lookup_name: HGVNAS\edwam => domain=[HGVNAS], name=[edwam]
> ...
> [2014/11/27 12:23:55.374945,  1] auth/server_info.c:602(passwd_to_SamInfo3)
>    The primary group domain
> sid(S-1-5-21-2809677999-1344825738-4163663879-513) does not match the
> domain sid(S-1-5-21-127897388-885368389-1514669401) for
> edwam(S-1-22-1-10181)
> [2014/11/27 12:23:55.375014,  1] auth/user_krb5.c:249(make_server_info_krb5)
>    make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
> [2014/11/27 12:23:55.375051,  1] smbd/sesssetup.c:381(reply_spnego_kerberos)
>    make_server_info_krb5 failed!
> [2014/11/27 12:23:55.375099,  3] smbd/error.c:81(error_packet_set)
>    error packet at smbd/sesssetup.c(385) cmd=115 (SMBsesssetupX)
> NT_STATUS_INVALID_SID
>
>
> /etc/samba/smb.conf:
> [global]
> workgroup = DOMAIN
> server string = Samba/%v server at %h (CentOS release 6.5 (Final))
> log file = /var/log/samba/%M.log
> # only if guest logins should be possible (don't see why ATM)
> ;map to guest = bad user
> kerberos method = system keytab
> security = ads
> realm = inside.local
> preferred master = no
> # only if guest logins should be possible and using user shares (don't see why)
> ;usershare allow guests = yes
>
> include = /etc/samba/smb.rhel.conf
> include = /etc/samba/smb.server.conf
> include = /etc/samba/smb.shares.conf
>
> smb.rhel.conf is unused on this machine
>
> /etc/samba/smb.server.conf:
> # disable print sharing; see http://serverfault.com/questions/207510/how-do-you-disable-smb-printing-support
> load printers = no
> printing = bsd
> printcap name = /dev/null
> # note: in samba >= 4.0 this should be enough
> disable spoolss = yes
> log level = 10
>
> # make winbind use NSS (and therefore SSSD) to resolve SIDs for domain users to
> # UIDs; this is needed to allow adding/modifying ACEs on shared files from
> # Windows ACL editor; it also allows the names to be mapped to proper
> # DOMAIN\name format instead of being displayed as "Unix User\name"; see
> # idmap_nss(8).
> # - https://lists.samba.org/archive/samba/2012-June/167961.html
> # - https://lists.samba.org/archive/samba/2013-January/171142.html
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config DOMAIN : backend = nss
> idmap config DOMAIN : range = 10000-999999
>
> /etc/samba/samba.shares.conf:
> [global]
> # defaults for all shares
> # make samba as POSIX compliant as possible so there's no discrepancies
> # between local/SMB/NFS access
>
> # create files/dirs with at most those permissions
> # (does not affect permissions being explicitly set, only defaults when file/dir is created)
> create mask = 0664
> directory mask = 0775
>
> # POSIX conformance - inherit default ACEs of the parent dir
> inherit acls = yes
>
> # do not map old DOS modes to UNIX permissions
> # in particular no mapping of archive bit to u+x
> # and no changes to DOS readonly, use ACLs instead
> map archive = no
> map readonly = permissions
>
> # shares are writeable by default
> writeable = yes
>
> [appdata]
> comment = application data
> path = /srv/appdata
>
> [backups]
> comment = application and system backups
> path = /srv/backups
>
> [sysdata]
> comment = system application data
> path = /srv/sysdata
>
> [scratch]
> comment = scratch monkey (temp/test area)
> path = /srv/scratch
>
> Not sure if the rest are relevant:
> /etc/krb5.conf:
> [logging]
> default = SYSLOG:DEBUG:AUTH
> default = FILE:/var/log/krb5.log
>
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> forwardable = true
> renew_lifetime = 7d
>
> ; this is only needed for samba-3.6.9 which doesn't support AES and uses DES
> ; by default, but since DES is not allowed by default in AD-2008 this makes the
> ; host principal unusable; starting with RC4 is most compatible as it is
> ; allowed by AD-2008 and older; these 3 options can be removed for
> ; samba-3.6.10+ which will then default to AES
> default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
>
> /etc/sssd/sssd.conf:
> [nss]
> debug_level=2
> [pam]
> [sssd]
> config_file_version=2
> domains=inside.local
> services=nss, pam
> [domain/inside.local
> ldap_referrals=false
> ldap_search_base=DC=Inside,DC=local
> ldap_user_object_class=user
> cache_credentials=true
> enumerate=true
> auth_provider=krb5
> chpass_provider=krb5
> ldap_user_home_directory=unixHomeDirectory
> krb5_realm=INSIDE.LOCAL
> krb5_server=_srv_, hgpdc01.inside.local, hgvdc01.inside.local
> ldap_force_upper_case_realm=true
> ldap_uri=_srv_, ldap://hgpdc01.inside.local/, ldap://hgvdc01.inside.local/
> krb5_renew_interval=1800
> ldap_sasl_mech=GSSAPI
> min_id=10000
> ldap_schema=rfc2307bis
> ldap_group_object_class=group
> ldap_account_expire_policy=ad
> ldap_user_principal=userPrincipalName
> id_provider=ldap
> [#EOF#]
>
> Other info:
> OS: CentOS release 6.5
> Kernel: 2.6.32-431.29.2.el6.x86_64
>
> Thanks in advance
> Michael
>
OK, alter samba.shares.conf by removing the [global] tag and move 
**ALL** the settings to the shares where they belong.

There is also this:     '# make winbind use NSS (and therefore SSSD) to 
resolve SIDs for domain users'

There is **NO** connection between winbind and sssd, you need to use 
either one or the other in /etc/nsswitch.conf

You have 'realm = inside.local' in smb.conf and 'default_realm = 
DOMAIN.LOCAL' in /etc/krb5.conf, now this may just be a sanitizing 
error, but if not you need to sort this.

That's enough to be going on with

Rowland
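
The three checks in the reply above (realm agreement between smb.conf and krb5.conf, a single name-service backend on the nsswitch.conf passwd line, and no stray [global] section in an included share file), as an added shell script that is not part of the original thread; the file paths and sample file contents are constructed from the values quoted in it, and the check names are hypothetical.

```shell
#!/bin/sh
# Added example (not a Samba tool): scripted versions of the three checks in the
# reply, run against sample files constructed from the thread's quoted config.
# Real paths would be /etc/samba/smb.conf, /etc/krb5.conf, /etc/nsswitch.conf.

# Value of key $2 in ini-style file $1 (first match), uppercased, whitespace removed.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | tr 'a-z' 'A-Z' | tr -d '[:space:]'
}
# 0 when 'realm' in smb.conf equals 'default_realm' in krb5.conf
# (compared case-insensitively, since sanitised posts often change case).
realms_match() {
    smb=$(ini_value "$1" realm); krb=$(ini_value "$2" default_realm)
    [ -n "$smb" ] && [ "$smb" = "$krb" ]
}
# 0 when the passwd line of nsswitch.conf names at most one of winbind/sss.
nss_single_backend() {
    line=$(grep '^passwd:' "$1" || true); n=0
    for b in winbind sss; do
        case " $line " in *" $b "*) n=$((n + 1)) ;; esac
    done
    [ "$n" -le 1 ]
}
# 0 when an included share file carries no [global] section of its own.
no_global_in_include() {
    ! grep -qi '^[[:space:]]*\[global\]' "$1"
}
# Runs all three checks on a config directory; return value = number of findings.
run_checks() {
    p=0
    realms_match "$1/smb.conf" "$1/krb5.conf" \
        || { echo "realm in smb.conf differs from default_realm in krb5.conf"; p=$((p + 1)); }
    nss_single_backend "$1/nsswitch.conf" \
        || { echo "nsswitch.conf passwd line lists both winbind and sss"; p=$((p + 1)); }
    no_global_in_include "$1/smb.shares.conf" \
        || { echo "smb.shares.conf has a [global] section; move its settings into the shares"; p=$((p + 1)); }
    return $p
}
# Constructed sample files reproducing the configuration quoted in the thread.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '[global]\nworkgroup = DOMAIN\nsecurity = ads\nrealm = inside.local\n' >"$tmp/smb.conf"
printf '[libdefaults]\ndefault_realm = DOMAIN.LOCAL\n' >"$tmp/krb5.conf"
printf 'passwd:     files sss winbind\n' >"$tmp/nsswitch.conf"
printf '[global]\ncreate mask = 0664\n[appdata]\npath = /srv/appdata\n' >"$tmp/smb.shares.conf"
run_checks "$tmp" || echo "$? problem(s) found"
```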
