[Samba] Winbind not using kerberos
Tom Alessi
tom.alessi at gmail.com
Mon Oct 11 14:18:06 GMT 2004
I am having a problem with Winbind and kerberos:
OS: Solaris8
Samba: 3.0.7
MIT Kerberos: 1.3.5
OpenLDAP: 2.2.17
Windows: Active Directory on Windows Server 2003
I have Samba compiled with openldap, kerberos and PAM support and
everything is working fine as far as access. The problem is that when
I log in to the Solaris system using SSH and I check the security logs
on the Windows domain controller performing the authentication I see
that kerberos is not being used. Instead,
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 is used. This is the event log
related to this logon event:
=======================================
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: <Windows username>
Source Workstation: \\<hostname>
Error Code: 0x0
=======================================
Additionally, the event just prior to this one every time is this:
=======================================
Pre-authentication failed:
User Name: <hostname>$
User ID: <domain>\<hostname>$
Service Name: krbtgt/<kerberos realm>
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: <IP Address>
=======================================
SMB.CONF
=======================================
workgroup = <upper case netbios domain name>
netbios name = <hostname>
winbind separator = +
winbind use default domain = yes
winbind trusted domains only = yes
security = ads
encrypt passwords = yes
realm = <upper case realm name>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
log file = /local/samba/log/log.%m
log level = 10
max log size = 5000
=======================================
PAM.CONF
=======================================
login auth required /usr/lib/security/pam_winbind.so
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
rlogin auth sufficient /usr/lib/security/pam_winbind.so
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
#
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_auth.so.1
#
other auth sufficient /usr/lib/security/pam_winbind.so
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account required pam_unix_account.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account required pam_unix_account.so.1
other account sufficient /usr/lib/security/pam_winbind.so
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth required pam_unix_auth.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account required pam_unix_account.so.1
ppp session required pam_unix_session.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
=======================================
Additional information:
-I have /etc/krb5.conf set up correctly and kinit works just fine.
-If I set up a group policy to deny LM and NTLM and only allow NTLMv2
authentication in Active Directory, then SSH login to this system
completely fails. SMB sharing to this system, however, works ok in
this situation.
-I have the exact same setup on RedHat Fedora and Solaris9 and both
exhibit the exact same behavior.
Thanks in advance for any help.
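As an added example (not code from the original post or from Samba), the following parses constructed text records laid out like the two events quoted above and flags an NTLM logon only when it directly follows a 0x19 pre-authentication failure for that workstation's machine account; the host name, account name, realm and address in the sample are assumptions.

```python
import re

# Constructed sample, modelled on the two event records quoted in the post.
SAMPLE_LOG = """\
=======================================
Pre-authentication failed:
User Name: solbox$
User ID: EXAMPLE\\solbox$
Service Name: krbtgt/EXAMPLE.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.0.2.10
=======================================
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: jdoe
Source Workstation: \\\\solbox
Error Code: 0x0
=======================================
"""

def parse_events(text):
    """Split on '=====' separators; each record becomes a dict of 'Key: Value' fields."""
    events = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def find_ntlm_fallback(events):
    """Flag each NTLM (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0) logon and note whether the
    record just before it is a Kerberos pre-auth failure for the same host's machine
    account. Failure code 0x19 is KDC_ERR_PREAUTH_REQUIRED; alone it is the normal first
    round of an AS exchange, so the pairing with the NTLM logon is the actual signal."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("Logon attempt by") != "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0":
            continue
        host = ev.get("Source Workstation", "").lstrip("\\").lower()
        prev = events[i - 1] if i > 0 else {}
        paired = ("Pre-authentication failed" in prev and prev.get("Failure Code") == "0x19"
                  and prev.get("User Name", "").lower() == host + "$")
        findings.append({"account": ev.get("Logon account"), "host": host,
                         "preceded_by_preauth_failure": paired})
    return findings
```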