[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.
Markus Jansen
jansen at schmitzmine.eu
Mon Oct 5 15:14:08 UTC 2020
Dear all,
I'm investigating the issue that I can't authenticate against Samba (as an Active Directory member) using the userPrincipalName (UPN). (Using Samba with the sAMAccountName works fine.)
After some research I'm quite sure that winbind is limited to the sAMAccountName and can't use the UPN. So I decided to use SSSD and configured `ldap_user_name = userPrincipalName` in sssd.conf.
Example:
* sAMAccountName: timfin01
* userPrincipalName: tim.finnigan
"getent passwd tim.finnigan" works, i.e. returns "tim.finnigan:*:1238402723:1238400513:Tim Finnigan:/home/tim.finnigan@ad.adtest.de:/bin/bash", so I guess SSSD authentication using the UPN should work.
But Samba refuses to work. I increased the SSSD logging and found that authentication with a UPN, e.g. "smbutil view -A //tim.finnigan@smb-test", doesn't lead to any entry in the logs. The SMB log instead shows the following:
[2020/09/29 16:08:42.196546, 3] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [ADTEST]\[tim.finnigan]@[MJBOOK] with the new password interface
[2020/09/29 16:08:42.196559, 3] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [ADTEST]\[tim.finnigan]@[MJBOOK]
[2020/09/29 16:08:42.196573, 4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2020/09/29 16:08:42.196584, 4] ../../source3/smbd/uid.c:576(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2020/09/29 16:08:42.196594, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2020/09/29 16:08:42.198802, 4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/09/29 16:08:42.198849, 2] ../../source3/auth/auth.c:346(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [tim.finnigan] -> [tim.finnigan] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2020/09/29 16:08:42.198916, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [ADTEST]\[tim.finnigan] at [Tue, 29 Sep 2020 16:08:42.198899 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MJBOOK] remote host [ipv4:10.10.230.10:51669] mapped to [ADTEST]\[tim.finnigan]. local host [ipv4:134.100.203.47:445]
{"timestamp": "2020-09-29T16:08:42.198974+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:134.100.203.47:445", "remoteAddress": "ipv4:10.10.230.10:51669", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ADTEST", "clientAccount": "tim.finnigan", "workstation": "MJBOOK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "tim.finnigan", "mappedDomain": "ADTEST", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 77558}}
[2020/09/29 16:08:42.199043, 4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
When authenticating via "smbutil view -A //timfin01@smb-test", it works when setting "ldap_user_name = sAMAccountName" in sssd.conf for test purposes. Then I can also see in the SSSD logs that SSSD is used for authentication.
I guess Samba has a kind of fallback to NTLM that isn't supported by SSSD, and that Samba first checks that the username exists before using the authentication backend (SSSD). My smb.conf:
[global]
workgroup = ADTEST
security = ads
encrypt passwords = yes
client signing = yes
client use spnego = yes
kerberos method = system keytab
#kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
# password server =
realm = ad.adtest.de
idmap config * : backend = sss
idmap config * : range = 200000-2147483647
unix extensions = no
log level = 4 winbind:5 nmbd:3
[share1]
vfs objects = fileid
fileid:algorithm = fsname
path = /share1
browseable = yes
writeable = yes
guest ok = no
# "public" is a synonym for "guest ok"; when a parameter is set twice the
# last setting wins, so this line re-enables guest access on the share.
public = yes
wide links = yes
Finally, the sssd.conf:
[sssd]
config_file_version = 2
domains = ad.adtest.de
services = nss, pam
[domain/ad.adtest.de]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ad.adtest.de
krb5_realm = ad.adtest.de
realmd_tags = manages-system joined-with-samba
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
# ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
ldap_user_name = userPrincipalName
debug_level = 9
I'm using Samba 4.10.4-11.el7_8 on CentOS 8.
I'm not sure if I understand this right, but if so, is there a way to force Samba to use SSSD? Any hints are very much appreciated.
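The SMB log quoted above contains Samba's JSON "Authentication" audit record (format version 1.2) next to the human-readable "Auth:" line. The following is an added example, not code from the post or from the Samba project: a small parser that pulls the fields a responder cares about out of such records and counts failures per status, account and remote host, so that NT_STATUS_NO_SUCH_USER (name not resolved at all) is kept apart from a wrong-password failure, and the "passwordType" field shows which mechanism (NTLMv2 in the post) each attempt actually used. The sample log is constructed: the failure line is the one from the post, the success line (eventId 4624, SID and "became*" fields) and the non-JSON debug header are made up for the example.

```python
"""Parse Samba JSON authentication audit events and summarise failures.

Added example, not part of the original post. Each audit line is a JSON
object with "type": "Authentication" and an inner "Authentication" dict
(version 1.2 as shown in the post); other log lines are skipped.
"""
import json
from collections import Counter

# Constructed sample: the failure record from the post, a constructed success
# record (eventId 4624, SID and "became*" fields invented), and one ordinary
# debug header line that is not JSON and must be ignored by the parser.
SAMPLE_LOG = """\
[2020/09/29 16:08:42.198916, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
{"timestamp": "2020-09-29T16:08:42.198974+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:134.100.203.47:445", "remoteAddress": "ipv4:10.10.230.10:51669", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ADTEST", "clientAccount": "tim.finnigan", "workstation": "MJBOOK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "tim.finnigan", "mappedDomain": "ADTEST", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 77558}}
{"timestamp": "2020-09-29T16:09:10.000000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:134.100.203.47:445", "remoteAddress": "ipv4:10.10.230.10:51670", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ADTEST", "clientAccount": "timfin01", "workstation": "MJBOOK", "becameAccount": "timfin01", "becameDomain": "ADTEST", "becameSid": "S-1-5-21-1-2-3-1105", "mappedAccount": "timfin01", "mappedDomain": "ADTEST", "passwordType": "NTLMv2", "duration": 81000}}
"""


def parse_auth_events(text):
    """Return the inner "Authentication" dicts (with the record timestamp
    attached) for every JSON audit line; non-JSON lines are skipped."""
    events = []
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "Authentication":
            continue
        ev = dict(rec["Authentication"])
        ev["timestamp"] = rec.get("timestamp")
        events.append(ev)
    return events


def remote_ip(addr):
    """'ipv4:10.10.230.10:51669' -> '10.10.230.10' (family prefix and port
    stripped; the port is always the last colon-separated field)."""
    if not addr:
        return None
    _family, _, rest = addr.partition(":")
    host, _, _port = rest.rpartition(":")
    return host


def summarize_failures(events):
    """Count every non-OK attempt per (status, client domain, account, IP)."""
    counts = Counter()
    for ev in events:
        if ev.get("status") == "NT_STATUS_OK":
            continue
        key = (ev.get("status"), ev.get("clientDomain"),
               ev.get("clientAccount"), remote_ip(ev.get("remoteAddress")))
        counts[key] += 1
    return counts


def unmapped_accounts(events):
    """Accounts Samba could not resolve at all (NT_STATUS_NO_SUCH_USER),
    which is the symptom in the post, as opposed to a rejected password."""
    return sorted({ev["clientAccount"] for ev in events
                   if ev.get("status") == "NT_STATUS_NO_SUCH_USER"})


def password_types(events):
    """How many attempts used each mechanism (e.g. NTLMv2) per the audit record."""
    return Counter(ev.get("passwordType") for ev in events)


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for key, n in summarize_failures(evs).items():
        print(n, *key)
    print("unmapped accounts:", unmapped_accounts(evs))
    print("password types:", dict(password_types(evs)))
```

Run it against a real log with `parse_auth_events(open("/var/log/samba/MJBOOK.log").read())`; a burst of NT_STATUS_NO_SUCH_USER for the same remote host is what a UPN-versus-sAMAccountName mismatch like the one in the post looks like, while the same burst across many accounts from one host is worth treating as enumeration.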