[Samba] krb5_auth: NT_STATUS_NO_LOGON_SERVERS for users from trusted AD domains in samba winbind > 4.2
Rowland penny
rpenny at samba.org
Thu May 16 12:47:47 UTC 2019
On 16/05/2019 13:26, Markus Spanner-Denzer via samba wrote:
> Hi,
>
>
> in our setup, we have a number of AD domains with an exisiting one-way trust between the local domain of the system (which I will call LOCALDOM in the following) and the domain containing the user accounts (which I will call TRUSTEDDOM in the following). The domain controllers run Windows Server 2012.
>
>
> Beginning with samba 4.4 we have an issue with authentication through pam_winbind on the Linux clients when krb5_auth is enabled in pam_winbind.conf (which worked in samba 4.2). Login to the Linux systems always fails with "No logon servers". The situation can also be reproduced with "wbinfo -K".
>
>
> On samba >= 4.4 (tested on SLES12SP3 and RHEL7):
>
> # wbinfo -K TRUSTEDDOM\\myaccount
> Enter TRUSTEDDOM\myaccount's password:
> plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] failed (requesting cctype: FILE)
> wbcLogonUser(TRUSTEDDOM\myaccount): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> error message was: No logon servers
> Could not authenticate user [TRUSTEDDOM\myaccount] with Kerberos (ccache: FILE)
>
>
> The same worked with samba 4.2 (tested on SLES12SP1, identical configuration in samba.conf and krb5.conf):
>
> # wbinfo -K TRUSTEDDOM\\myaccount
> Enter TRUSTEDDOM\myaccount's password:
> plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] succeeded (requesting cctype: FILE)
>
>
> Authenticating users from the local domain works in all releases of samba:
>
> # wbinfo -K LOCALDOM\\mylocalaccount
> Enter LOCALDOM\\mylocalaccount's password:
> plaintext kerberos password authentication for [LOCALDOM\\mylocalaccount] succeeded (requesting cctype: FILE)
>
>
> Authenticating users without krb5 (i.e. wbinfo -a) also works in all releases. Therefore, disabling krb5_auth helps as a work-around, the user can then request a Kerberos ticket manually using kinit myaccount at TRUSTEDDOM
>
> Both LOCALDOM and TRUSTEDDOM are configured in krb5.conf.
>
>
> It seems like newer releases of samba(-winbind) cannot locate the correct KDC for trusted domains. Do you know of any change in samba-winbind's behavior between 4.2 and 4.4? Is there something which has to be changed in the configuration? Unfortunately, I didn't find any hint in the documentation.
>
>
There were a few winbind changes in 4.3, but whether they would affect
you, I have no idea, because you haven't posted your smb.conf.
Rowland
More information about the samba
mailing list