[Samba] SMBD not authenticating against Active Directory
Kums
kumaran.rajaram at gmail.com
Thu Nov 27 00:01:47 GMT 2008
Hi,
I am trying to set up Samba version 3.2.3 on a Red Hat (RHEL5) server to use
Active Directory for authentication. I followed the instructions from the
article on the following website:
http://technet.microsoft.com/en-au/magazine/dd228986.aspx
Setup Winbind + Samba + Kerberos and it seems to work fine. I can see the
users in Active Directory through winbind as well as authenticate users
using NTLM authentication.
The problem is that I am unable to access the Samba share from Windows clients as an AD
user. Analyzing the network traffic on the SMBD port gives:
---
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
--
I can, however, access the Samba share as a local user on the Samba server via
smbpasswd:
---
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
---
Winbind gives the following error; I am not sure whether this is significant, since I can
access AD via "wbinfo":
[2008/11/26 15:22:58, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(626)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find
KDC for requested realm
Please see the attachment for configuration details and a detailed error log. Googling
helped me get this far, but not resolve this issue completely.
Please advise.
Thanks in Advance,
-Kums
-------------- next part --------------
i) Software Version
samba-client-3.2.3
samba-common-3.2.3
samba-3.2.3
samba-doc-3.2.3
samba-winbind-32bit-3.2.3
samba-swat-3.2.3
samba-debuginfo-3.2.3
krb5-workstation-1.5-17
krb5-libs-1.5-17
krb5-devel-1.5-17
krb5-auth-dialog-0.7-1
pam_krb5-2.2.11-1
krb5-devel-1.5-17
krb5-libs-1.5-17
pam_krb5-2.2.11-1
ii) Configure Kerberos
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TESTDOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
TESTDOMAIN.LOCAL = {
kdc = 172.16.4.10
default_domain = TESTDOMAIN.LOCAL
}
[domain_realm]
.testdomain = TESTDOMAIN.LOCAL
testdomain = TESTDOMAIN.LOCAL
.localdomain = TESTDOMAIN.LOCAL
localdomain = TESTDOMAIN.LOCAL
sol.datadirectnet.com = TESTDOMAIN.LOCAL
testdomain.local = TESTDOMAIN.LOCAL
.testdomain.local = TESTDOMAIN.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
iii) Authenticate a user against AD via Kerberos
kinit Administrator@TESTDOMAIN.LOCAL
Password for Administrator@TESTDOMAIN.LOCAL:
iv) List Kerberos Tickets
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TESTDOMAIN.LOCAL
Valid starting Expires Service principal
11/26/08 14:54:36 11/27/08 00:54:39 krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
renew until 11/27/08 14:54:36
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
v) Configure WinBind +PAM
/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_mkhomedir.so skel=/etc/skel umask=0644
session required pam_unix.so
vi) Winbind started and can see users in AD
/etc/init.d/winbind status
winbindd (pid 14574 14562 14561 14459 14458) is running...
wbinfo -t
checking the trust secret via RPC calls succeeded
wbinfo -u list
D1950-01+kums
D1950-01+tristan
TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+krbtgt
TESTDOMAIN+testuser
wbinfo -g
TESTDOMAIN+domain computers
TESTDOMAIN+domain controllers
TESTDOMAIN+schema admins
TESTDOMAIN+enterprise admins
TESTDOMAIN+cert publishers
TESTDOMAIN+domain admins
TESTDOMAIN+domain users
wbinfo -a TESTDOMAIN+testuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
vii) Modify /etc/pam.d/samba
/etc/pam.d/samba
auth required pam_stack.so service=system-auth
auth required pam_env.so
auth sufficient pam_krb5 use_first_pass
auth include /lib/security/pam_winbind.so
auth required pam_deny.so
session required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
account include /lib/security/pam_winbind.so
password required pam_stack.so service=system-auth
viii) Configure smb.conf
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.LOCAL
security = ADS
password server = 172.16.4.10
client NTLMv2 auth = Yes
log file = /var/log/samba/log.%m
max log size = 50
smb ports = 445
use mmap = No
dns proxy = No
socket address = 192.168.97.5
idmap backend = ad
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special
force unknown acl user = Yes
[global-share]
path = /mnt/global
read only = No
inherit permissions = Yes
inherit acls = Yes
ix) Samba running
/etc/init.d/smb status
smbd (pid 32010 32006) is running...
nmbd (pid 31998) is running...
lsof -i TCP:445
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
winbindd 31799 root 17u IPv4 8034872 TCP D1950-01.sol.datadirectnet.com:57534->172.16.4.10:microsoft-ds (ESTABLISHED)
winbindd 31800 root 17u IPv4 8034855 TCP D1950-01.sol.datadirectnet.com:57532->172.16.4.10:microsoft-ds (ESTABLISHED)
smbd 32006 root 19u IPv4 8035491 TCP node1:microsoft-ds (LISTEN)
x) Join to AD is successful
net ads testjoin
Join is OK
xi) Authentication of AD user seems to work fine
ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=testuser
password:
NT_STATUS_OK: Success (0x0)
xii) /etc/init.d/iptables status
Firewall is stopped.
xiii) Analyze Network Traffic on SMBD port
Login as TESTDOMAIN\testuser (in Windows System)
10.844796 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
10.844932 192.168.97.2 -> 192.168.97.5 SMB Trans2 Request, GET_DFS_REFERRAL, File: \192.168.97.5\global-share
10.844993 192.168.97.5 -> 192.168.97.2 SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
10.849712 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
10.849800 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
11.033663 192.168.97.2 -> 192.168.97.5 TCP capmux > microsoft-ds [ACK] Seq=1616 Ack=1172 Win=15213 Len=0
20.944057 192.168.97.2 -> 192.168.97.5 SMB Logoff AndX Request
20.944152 192.168.97.5 -> 192.168.97.2 SMB Logoff AndX Response
20.944231 192.168.97.2 -> 192.168.97.5 SMB Tree Disconnect Request
20.944360 192.168.97.5 -> 192.168.97.2 SMB Tree Disconnect Response
Login as D1950-01\kums (in Windows System)
163.625577 192.168.97.2 -> 192.168.97.5 TCP 4746 > microsoft-ds [ACK] Seq=1024 Ack=855 Win=15530 Len=0
166.059399 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
166.059551 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global-share
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
xiv) Winbind Error
[2008/11/26 15:22:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
ads_krb5_mk_req: krb5_get_credentials failed for dc$@TESTDOMAIN (Cannot find KDC for requested realm)
[2008/11/26 15:22:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
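The winbind error quoted in xiv) names the realm TESTDOMAIN (the realm part of the principal dc$@TESTDOMAIN), while the posted krb5.conf has dns_lookup_kdc = false and defines a KDC only for TESTDOMAIN.LOCAL. The following is an added example, not code from the post, from Samba or from MIT Kerberos: it parses a krb5.conf and lists every realm a client could be asked to contact that has no kdc entry. The sample configuration embedded in it is the poster's (constructed from the attachment), and the realm name passed in is taken from that log line. The check only surfaces the mismatch; the post does not establish that it is the cause of the SMB logon failure, and the host-to-realm fallback to default_realm is a simplification of the library's behaviour.

```python
"""Static check of a krb5.conf for realms that have no configured KDC."""
import re

# Constructed sample input: the [libdefaults], [realms] and [domain_realm]
# sections of the krb5.conf from the post. 172.16.4.10 and the realm names
# are the poster's values; nothing here contacts a host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = TESTDOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 TESTDOMAIN.LOCAL = {
  kdc = 172.16.4.10
  default_domain = TESTDOMAIN.LOCAL
 }
[domain_realm]
 .testdomain = TESTDOMAIN.LOCAL
 testdomain = TESTDOMAIN.LOCAL
 .localdomain = TESTDOMAIN.LOCAL
 localdomain = TESTDOMAIN.LOCAL
 testdomain.local = TESTDOMAIN.LOCAL
 .testdomain.local = TESTDOMAIN.LOCAL
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

def parse_krb5_conf(text):
    """Parse krb5.conf profile syntax into nested dicts.

    Each [section] maps key -> list of values (repeated keys such as several
    kdc lines accumulate); a `NAME = {` line opens a nested dict under NAME.
    Lines starting with # or ; are comments.
    """
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current, stack = sections.setdefault(m.group(1), {}), []
            continue
        if current is None:
            raise ValueError("key outside any [section]: %r" % raw)
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            current = stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        if value == "{":
            stack.append(current)
            current = current.setdefault(key, {})
        else:
            current.setdefault(key, []).append(value)
    if stack:
        raise ValueError("unterminated '{' block")
    return sections

def kdcs_for_realm(conf, realm):
    """kdc entries configured for REALM in [realms], or [] if none."""
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])

def realm_for_host(conf, host):
    """Map a host to a realm via [domain_realm]: exact name first, then each
    parent domain with a leading dot. Falls back to default_realm here
    (simplification of the library's referral handling)."""
    mapping, host = conf.get("domain_realm", {}), host.lower()
    parts = host.split(".")
    candidates = [host] + ["." + ".".join(parts[i:]) for i in range(1, len(parts))]
    for c in candidates:
        if c in mapping:
            return mapping[c][-1]
    return conf.get("libdefaults", {}).get("default_realm", [None])[-1]

def realm_of_principal(principal):
    """Realm component of a principal string such as dc$@TESTDOMAIN."""
    _name, at, realm = principal.rpartition("@")
    if not at or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return realm

def check_realms(conf, requested_realms=()):
    """Findings for realms without a KDC: default_realm, every realm named in
    [domain_realm], plus any extra realm names seen in client logs."""
    libdefaults = conf.get("libdefaults", {})
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[-1].lower() in ("true", "yes", "1")
    wanted = set(libdefaults.get("default_realm", []))
    for realms in conf.get("domain_realm", {}).values():
        wanted.update(realms)
    wanted.update(requested_realms)
    findings = []
    for realm in sorted(wanted):
        if not kdcs_for_realm(conf, realm):
            how = "relies on DNS SRV lookup" if dns_kdc else "dns_lookup_kdc is false"
            findings.append("%s: no kdc in [realms] and %s" % (realm, how))
    return findings

if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    # Realm taken from the winbind log line in the post.
    for finding in check_realms(conf, [realm_of_principal("dc$@TESTDOMAIN")]):
        print("WARN", finding)
```

Run against a real /etc/krb5.conf by reading the file instead of SAMPLE_KRB5_CONF and passing whatever realm the failing krb5_get_credentials line names; an empty result means every realm the client can be pointed at has an explicit KDC or is allowed to use DNS.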
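Both Windows logons in the trace in xiii) are NTLMSSP exchanges: the client connected by IP address, for which it cannot build a Kerberos service principal name, so it falls back to NTLM and the Kerberos configuration is not exercised on this path at all. The following added example (mine, not code from the post or from Samba) pairs each NTLMSSP_AUTH Session Setup request in such a tshark-style summary with the response that follows it on the same client/server pair, which is the quick way to separate the domain user's STATUS_LOGON_FAILURE from the local user's success when reading a longer capture. The trace lines embedded are copied from the post; the parsing logic and the assumption that a response without an "Error:" field is a successful logon are mine.

```python
"""Pair SMB Session Setup AndX requests with their responses in a text trace."""
import re

# Constructed sample: the Session Setup lines from the trace in the post.
SAMPLE_TRACE = """\
10.849712 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
10.849800 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
11.033663 192.168.97.2 -> 192.168.97.5 TCP capmux > microsoft-ds [ACK] Seq=1616 Ack=1172 Win=15213 Len=0
166.059399 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
166.059551 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\\\192.168.97.5\\global-share
"""

# "<time> <src> -> <dst> SMB <info>"; non-SMB lines (TCP ACKs) do not match.
LINE_RE = re.compile(r"^(?P<ts>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+SMB\s+(?P<info>.*)$")

def parse_line(line):
    """Split one summary line into ts/src/dst/info, or None if not SMB."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def session_setup_outcomes(trace):
    """Return [(user, status)] for each NTLMSSP_AUTH Session Setup exchange.

    A pending AUTH request keyed by (client, server) is resolved by the next
    Session Setup AndX Response flowing server -> client. The NTLMSSP_CHALLENGE
    response to the NEGOTIATE step has no pending AUTH and is skipped.
    """
    pending, outcomes = {}, []
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = rec["info"]
        if info.startswith("Session Setup AndX Request") and "NTLMSSP_AUTH" in info:
            m = re.search(r"User:\s*(\S+)", info)
            pending[(rec["src"], rec["dst"])] = m.group(1) if m else "<unknown>"
        elif info.startswith("Session Setup AndX Response"):
            key = (rec["dst"], rec["src"])  # flipped: response is server -> client
            if key not in pending:
                continue
            m = re.search(r"Error:\s*(\S+)", info)
            status = m.group(1) if m else "STATUS_SUCCESS"
            outcomes.append((pending.pop(key), status))
    return outcomes

def failed_logons(trace):
    """Only the exchanges whose response carried an NT status error."""
    return [(u, s) for u, s in session_setup_outcomes(trace) if s != "STATUS_SUCCESS"]

if __name__ == "__main__":
    for user, status in session_setup_outcomes(SAMPLE_TRACE):
        print("%-25s %s" % (user, status))
```

Feed it `tshark -r capture.pcap -Y smb` output; the per-user table makes it obvious whether a failure is tied to the domain-qualified account (which smbd hands to winbind for NTLM validation against the DC) or to a local account (validated against the passdb), before digging into the winbind log.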