[Samba] Kerberos Authentication problem "Username X is invalid on this system"
Shaun Anderson
sanderson at chooses1.com
Wed Jan 14 16:33:55 MST 2015
This is a new Samba config that has not yet worked. I have installed sernet-samba 4.1.14.
[root at sltltfsee samba]# rpm -qa | grep sernet
sernet-samba-libsmbclient0-4.1.14-10.el6.x86_64
sernet-samba-common-4.1.14-10.el6.x86_64
sernet-samba-4.1.14-10.el6.x86_64
sernet-samba-libs-4.1.14-10.el6.x86_64
sernet-samba-winbind-4.1.14-10.el6.x86_64
sernet-samba-client-4.1.14-10.el6.x86_64
I have been added to the domain and all of that appears to work fine. I have created shares, however am unable to access them.
Here are the contents of nsswitch.conf:
[root at sltltfsee samba]# cat /etc/nsswitch.conf | grep -v "#"
passwd: compat winbindd files
shadow: compat files
group: compat winbind files
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files dns
protocols: db files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
krb.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.ORG
dns_lookup_realm = true
;dns_lookup_realm = false
dns_lookup_kdc = true
;dns_lookup_kdc = false
ticket_lifetime = 600
renew_lifetime = 7d
forwardable = true
[realms]
MYDOMAIN.ORG = {
kdc = SL1TDC3.MYDOMAIN.ORG
kdc = SL1DC5.MYDOMAIN.ORG
admin_server = SL1TDC3.MYDOMAIN.ORG
default_domain = MYDOMAIN.ORG
}
[domain_realm]
.mydomain.org = MYDOMAIN.ORG
mydomain.org = MYDOMAIN.ORG
MYDOMAIN.org = MYDOMAIN.ORG
.MYDOMAIN.org = MYDOMAIN.ORG
Smb.conf file:
[root at sltltfsee samba]# cat /etc/samba/smb.conf
[global]
workgroup = SL1
netbios name = SLTLTFSEE
server string = LTFSEE Server
realm = SL1.MYDOMAIN.ORG
security = ads
encrypt passwords = yes
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
template shell = /bash/bin
allow trusted domains = Yes
client ntlmv2 auth = yes
force unknown acl user = yes
auth methods = guest sam winbind
passdb backend = tdbsam
groupdb:backend = tdb
interfaces = eth1 lo
username map = /etc/samba/smbusers
guest ok = yes
#LOGGING
log level =3
log file = /var/log/samba/smb.ltfsee.log
max log size = 50
#WINBIND
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind use default domain =true
winbind offline logon = true
winbind refresh tickets = Yes
#GPFS items
gpfs:sharemodes = yes
gpfs:prealloc = yes
gpfs:dfreequota = yes
gpfs:hsm = yes
gpfs:winattr = yes
gpfs:leases = yes
#General FS items
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = yes
#SHARES
[general]
path = /gpfs/ltfsee/general
read only = no
valid users = @"Domain Users"
Things such as winbind lookups work just fine:
[root at sltltfsee samba]# wbinfo -a choatej%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root at sltltfsee samba]# wbinfo -i SL1\\choatej
choatej:*:16777216:16777220::/home/SL1/choatej:/bash/bin
[root at sltltfsee samba]# wbinfo -U 16777216
S-1-5-21-1823944398-2898753305-4095703837-125569
[root at sltltfsee samba]# wbinfo -s S-1-5-21-1823944398-2898753305-4095703837-125569
SL1\choatej 1
User can authenticate using ntlm_auth:
[root at sltltfsee samba]# ntlm_auth --username=choatej
Password:
NT_STATUS_OK: Success (0x0)
Attempting to access share from a windows client gives "Access is denied" message.
From the smb log "smb.ltfsee.log"
[2015/01/14 16:26:02.882034, 3] ../source3/smbd/negprot.c:672(reply_negprot)
Selected protocol SMB 2.???
[2015/01/14 16:26:02.887418, 3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2015/01/14 16:26:02.990573, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
Found account name from PAC: choatej [Choate, James]
[2015/01/14 16:26:02.990632, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [choatej at SL1.MYDOMAIN.ORG]
[2015/01/14 16:26:02.991491, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
Username SL1\choatej is invalid on this system
[2015/01/14 16:26:02.991554, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/01/14 16:26:02.996300, 3] ../source3/smbd/server_exit.c:221(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
Kerberos ticket was generated using 'net ads kerberos kinit -P'
[root at sltltfsee samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hubijarm_u at SL1.STLUKES-INT.ORG
Valid starting Expires Service principal
01/14/15 15:52:23 01/14/15 16:02:23 krbtgt/SL1.MYDOMAIN.ORG at SL1.MYDOMAIN.ORG
renew until 01/21/15 15:52:23
I'm by no means a kerberos expert, but if I have a generated ticket then what is being missed? Where is the "Username X is invalid on this system" message coming from?
Regards,
Shaun Anderson
"Aut viam inveniam aut faciam"
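The "is invalid on this system" line in the log above is emitted by get_user_from_kerberos_info (user_krb5.c) when the C library cannot resolve the mapped name: the name taken from the PAC is handed to getpwnam(), which consults the passwd line of nsswitch.conf rather than winbind directly, so wbinfo can succeed while the smbd lookup fails. As an added example that is not part of the original post, the script below lints the passwd/group lines of nsswitch.conf for module names glibc has no library for (a module named winbindd would need libnss_winbindd.so.2) and mirrors the getpwnam() step Samba performs; the list of known modules and the sample input are assumptions constructed from the post.

```python
import pwd

# NSS modules commonly shipped on EL6-era systems. Any other name makes glibc
# try to dlopen libnss_<name>.so.2 and, if it is absent, silently skip that
# source. This set is an assumption, not something stated in the post.
KNOWN_NSS_MODULES = {
    "files", "compat", "dns", "db", "nis", "nisplus", "ldap", "sss",
    "winbind", "wins", "hesiod", "myhostname", "mdns4_minimal", "mdns4",
}

# Constructed sample input: the first four lines of the nsswitch.conf quoted above.
SAMPLE_NSSWITCH = """\
passwd: compat winbindd files
shadow: compat files
group: compat winbind files
hosts: files dns wins
"""


def lint_nsswitch(text, databases=("passwd", "group")):
    """Return (database, module) pairs whose module name is not a known NSS module.

    Only the databases smbd depends on for user/group mapping are checked by
    default; action tokens such as [NOTFOUND=return] are skipped.
    """
    problems = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        db = db.strip()
        if db not in databases:
            continue
        for token in sources.split():
            if token.startswith("["):
                continue
            if token not in KNOWN_NSS_MODULES:
                problems.append((db, token))
    return problems


def nss_user_exists(name):
    """Mirror smbd's check: True only if the C library (via nsswitch) resolves the name."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    print("nsswitch problems:", lint_nsswitch(SAMPLE_NSSWITCH))
    print("SL1\\choatej resolvable here:", nss_user_exists("SL1\\choatej"))
```

Run it on the real /etc/nsswitch.conf and with the exact name printed in the log; an empty problem list together with a True lookup rules out the NSS layer, a non-empty list points at a module that was never loaded.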