samba SSO + KERBEROS

sirovy sirovy at fzu.cz
Fri Aug 22 03:08:07 MDT 2014


Hi,

I have samba 4.1.6-Ubuntu and I would like to have SSO with samba. I 
already have working kerberos auth for ssh and apache. So I can get a 
ticket by kinit username and go to web pages and to servers over ssh. 
And if I don't have a ticket, the services ask me for a password and auth me.
But samba is available only with a ticket, and if I don't have a ticket, samba 
asks me but doesn't auth me. I need a combination of kerberos and 
username+password auth for users who are not able to get a kerberos ticket.

Please look at my config, maybe I am trying something impossible.

I have this smb.conf (testparm output):
Quote:
[global]
workgroup = DOM.TLD
realm = DOM.TLD
netbios name = SAMBA
server string = %h server (Samba, Ubuntu)
server role = standalone server
security = ADS
auth methods = guest, pam, winbind
map to guest = Bad User
password server = kdc.dom.tld
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
dedicated keytab file = /etc/samba/krb5.keytab
kerberos method = dedicated keytab
syslog = 0
log file = /var/log/samba/%m.log
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb

[public]
comment = "Public share for everyone"
path = /home/public
read only = No
create mask = 0755
guest ok = Yes

[homes]
comment = "Private share"
path = /home/samba/%U
read only = No
create mask = 0755

And this is in krb5.conf:
Quote:
[libdefaults]
default_realm = FZU.CZ

[realms]
FZU.CZ = {
kdc = kdc.dom.tld
kdc = kdc-2.dom.tld
admin_server = kdc.dom.tld
}
The firewall is open and samba listens.


In the log, if I try smbclient, I see:
Quote:
marek at linux133 ~ $ smbclient //samba.dom.tld/sirovy -d5 -U sirovy
INFO: Current debug levels:
all: 6
tdb: 6
printdrivers: 6
lanman: 6
smb: 6
rpc_parse: 6
rpc_srv: 6
rpc_cli: 6
passdb: 6
sam: 6
auth: 6
winbind: 6
vfs: 6
idmap: 6
quota: 6
acls: 6
locking: 6
msdfs: 6
dmapi: 6
registry: 6
scavenger: 6
dns: 6
ldb: 6
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 6
tdb: 6
printdrivers: 6
lanman: 6
smb: 6
rpc_parse: 6
rpc_srv: 6
rpc_cli: 6
passdb: 6
sam: 6
auth: 6
winbind: 6
vfs: 6
idmap: 6
quota: 6
acls: 6
locking: 6
msdfs: 6
dmapi: 6
registry: 6
scavenger: 6
dns: 6
ldb: 6
params.cm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = dom.tld
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = ads
doing parameter cups options = raw
doing parameter password server = kdc.dom.tld
doing parameter realm = DOM.TLD
pm_process() returned Yes
added interface virbr0 ip=10.1.1.1 bcast=10.1.1.255 netmask=255.255.255.0
added interface em1 ip=123.123.123.133 bcast=123.123.123.255 netmask=255.255.254.0
Netbios name list:-
my_netbios_names[0]="LINUX133"
Client started (version 4.1.9).
Enter sirovy's password:
Opening cache file at /var/lib/samba/gencache.tdb
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only.
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for DOM.TLD
no entry for samba.dom.tld#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name samba.dom.tld<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba.dom.tld<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name samba.dom.tld<0x20>
namecache_store: storing 1 address for samba.dom.tld#20: 10.26.202.52
Connecting to 10.26.202.52 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
And on server I see:
Quote:
[2014/08/20 14:48:20.625845, 0] 
../source3/auth/auth.c:380(load_auth_module)
load_auth_module: can't find auth method pam!
[2014/08/20 14:48:20.631437, 0] 
../source3/auth/auth.c:380(load_auth_module)
load_auth_module: can't find auth method pam!
[2014/08/20 14:48:20.634042, 3] 
../source3/auth/auth.c:177(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOM.TLD]\[sirovy]@[LINUX133] with the new password interface
[2014/08/20 14:48:20.634130, 3] 
../source3/auth/auth.c:180(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOM.TLD]\[sirovy]@[LINUX133]
[2014/08/20 14:48:20.634273, 2] 
../source3/auth/auth.c:288(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [sirovy] -> [sirovy] FAILED with error NT_STATUS_LOGON_FAILURE

Of course I have a keytab for cifs/samba.dom.tld in 
/etc/samba/krb5.keytab. And if I do kinit sirovy, then I can mount samba 
without problems from linux.

Is anybody able to help me debug this problem or provide me any 
working tutorial? I have followed the tutorial from here: 
http://dbocklandt.be/tutorial/settin...-and-kerberos/

-- 
Marek Sirový
SAVT
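The smbd log above says it cannot load the `pam` entry from `auth methods`, and the password logon then fails with NT_STATUS_LOGON_FAILURE. The following script (an added example, not part of the post or of Samba) correlates a testparm-style smb.conf with smbd log lines to surface exactly that mismatch; the embedded config and log excerpts are copied from the post, and the function names are the example's own.

```python
import re

# Constructed sample: the relevant [global] lines and smbd log lines from the post above.
SMB_CONF = """[global]
security = ADS
auth methods = guest, pam, winbind
map to guest = Bad User
"""
SERVER_LOG = """[2014/08/20 14:48:20.625845, 0] ../source3/auth/auth.c:380(load_auth_module)
load_auth_module: can't find auth method pam!
[2014/08/20 14:48:20.634273, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [sirovy] -> [sirovy] FAILED with error NT_STATUS_LOGON_FAILURE
"""

def parse_global(conf):
    """Return the [global] key/value pairs of a testparm-style smb.conf, keys lower-cased."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def auth_methods(params):
    """The configured 'auth methods' list, in order, lower-cased."""
    return [m.strip().lower() for m in params.get("auth methods", "").split(",") if m.strip()]

def unloadable_methods(log):
    """Auth modules smbd reported it could not load."""
    return set(re.findall(r"load_auth_module: can't find auth method ([^\s!]+)!", log))

def logon_failures(log):
    """(user, NT_STATUS) pairs for failed password checks in the smbd log."""
    return re.findall(r"Authentication for user \[([^\]]+)\] -> \[[^\]]+\] FAILED with error (NT_STATUS_\w+)", log)

def findings(conf, log):
    """Human-readable findings: configured-but-unloadable modules, then failed logons."""
    configured = auth_methods(parse_global(conf))
    out = [f"auth methods lists '{m}' but smbd reports it cannot load that module"
           for m in sorted(unloadable_methods(log)) if m in configured]
    out += [f"password logon for {user} failed with {status}" for user, status in logon_failures(log)]
    return out
```

Run `findings(SMB_CONF, SERVER_LOG)` against your own testparm output and /var/log/samba/*.log to see which configured auth methods smbd actually refuses to load.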


More information about the samba-technical mailing list