[Samba] SMBD not authenticating against Active Directory

Kums kumaran.rajaram at gmail.com
Thu Nov 27 00:01:47 GMT 2008


Hi,

I am trying to set up Samba version 3.2.3 on a Red Hat (RHEL5) server to use
Active Directory for authentication. I followed the instructions from the
article at the following website:
http://technet.microsoft.com/en-au/magazine/dd228986.aspx

I set up Winbind + Samba + Kerberos and it seems to work fine. I can see the
users in Active Directory through winbind as well as authenticate users
using NTLM authentication.

The problem is that I am unable to access the Samba share from Windows clients as an AD
user. Analyzing the network traffic on the SMBD port gives:
---
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request,
NTLMSSP_AUTH, User: TESTDOMAIN\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response,
Error:STATUS_LOGON_FAILURE
--

I can, however, access the Samba share as a local user on the Samba server via
smbpasswd:
---
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request,
NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path:
\\192.168.97.5\global
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
---

Winbind gives the following error; not sure if this is significant, since I can
access AD via "wbinfo":
[2008/11/26 15:22:58,  1]
libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find
KDC for requested realm

Please see the attachment for configuration details and the detailed error log. Googling
helped me get this far, but not completely resolve this issue.

Please advise.

Thanks in Advance,
-Kums
-------------- next part --------------
i) Software Version
samba-client-3.2.3
samba-common-3.2.3
samba-3.2.3
samba-doc-3.2.3
samba-winbind-32bit-3.2.3
samba-swat-3.2.3
samba-debuginfo-3.2.3

krb5-workstation-1.5-17
krb5-libs-1.5-17
krb5-devel-1.5-17
krb5-auth-dialog-0.7-1
pam_krb5-2.2.11-1
krb5-devel-1.5-17
krb5-libs-1.5-17
pam_krb5-2.2.11-1

ii) Configure Kerberos
cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTDOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TESTDOMAIN.LOCAL = {
  kdc = 172.16.4.10
  default_domain = TESTDOMAIN.LOCAL
 }

[domain_realm]
 .testdomain = TESTDOMAIN.LOCAL
 testdomain = TESTDOMAIN.LOCAL
 .localdomain = TESTDOMAIN.LOCAL
 localdomain = TESTDOMAIN.LOCAL
 sol.datadirectnet.com = TESTDOMAIN.LOCAL
 testdomain.local = TESTDOMAIN.LOCAL
 .testdomain.local = TESTDOMAIN.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

iii) Authenticate a user against AD via Kerberos
kinit Administrator@TESTDOMAIN.LOCAL
Password for Administrator@TESTDOMAIN.LOCAL:

iv) List Kerberos Tickets
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TESTDOMAIN.LOCAL

Valid starting     Expires            Service principal
11/26/08 14:54:36  11/27/08 00:54:39  krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
        renew until 11/27/08 14:54:36


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


v) Configure WinBind +PAM

/etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0644
session     required      pam_unix.so

vi) Winbind started and can see users in AD
/etc/init.d/winbind status
winbindd (pid 14574 14562 14561 14459 14458) is running...

wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -u list
D1950-01+kums
D1950-01+tristan
TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+krbtgt
TESTDOMAIN+testuser

wbinfo -g
TESTDOMAIN+domain computers
TESTDOMAIN+domain controllers
TESTDOMAIN+schema admins
TESTDOMAIN+enterprise admins
TESTDOMAIN+cert publishers
TESTDOMAIN+domain admins
TESTDOMAIN+domain users

wbinfo -a TESTDOMAIN+testuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

vii) Modify /etc/pam.d/samba
/etc/pam.d/samba
auth     required       pam_stack.so service=system-auth
auth     required       pam_env.so
auth     sufficient     pam_krb5 use_first_pass
auth     include        /lib/security/pam_winbind.so
auth     required       pam_deny.so

session  required       pam_stack.so service=system-auth

account  required       pam_stack.so service=system-auth
account  include        /lib/security/pam_winbind.so

password required       pam_stack.so service=system-auth


viii) Configure smb.conf
[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL
        security = ADS
        password server = 172.16.4.10
        client NTLMv2 auth = Yes
        log file = /var/log/samba/log.%m
        max log size = 50
        smb ports = 445
        use mmap = No
        dns proxy = No
        socket address = 192.168.97.5
        idmap backend = ad
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        nfs4:acedup = merge
        nfs4:chown = yes
        nfs4:mode = special
        force unknown acl user = Yes

[global-share]    
        path = /mnt/global
        read only = No
        inherit permissions = Yes
        inherit acls = Yes

ix) Samba running  
/etc/init.d/smb status
smbd (pid 32010 32006) is running...
nmbd (pid 31998) is running...

lsof -i TCP:445
COMMAND    PID USER   FD   TYPE  DEVICE SIZE NODE NAME
winbindd 31799 root   17u  IPv4 8034872       TCP D1950-01.sol.datadirectnet.com:57534->172.16.4.10:microsoft-ds (ESTABLISHED)
winbindd 31800 root   17u  IPv4 8034855       TCP D1950-01.sol.datadirectnet.com:57532->172.16.4.10:microsoft-ds (ESTABLISHED)
smbd     32006 root   19u  IPv4 8035491       TCP node1:microsoft-ds (LISTEN)


x) Join to AD is successful
 net ads testjoin
Join is OK

xi) Authentication of AD user seems to work fine
ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=testuser
password:
NT_STATUS_OK: Success (0x0)


xii) /etc/init.d/iptables status
Firewall is stopped.

xiii) Analyze Network Traffic on SMBD port

Login as TESTDOMAIN\testuser (in Windows System)

 10.844796 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
 10.844932 192.168.97.2 -> 192.168.97.5 SMB Trans2 Request, GET_DFS_REFERRAL, File: \192.168.97.5\global-share
 10.844993 192.168.97.5 -> 192.168.97.2 SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
 10.849712 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
 10.849800 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
 10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
 10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
11.033663 192.168.97.2 -> 192.168.97.5 TCP capmux > microsoft-ds [ACK] Seq=1616 Ack=1172 Win=15213 Len=0
 20.944057 192.168.97.2 -> 192.168.97.5 SMB Logoff AndX Request
 20.944152 192.168.97.5 -> 192.168.97.2 SMB Logoff AndX Response
 20.944231 192.168.97.2 -> 192.168.97.5 SMB Tree Disconnect Request
 20.944360 192.168.97.5 -> 192.168.97.2 SMB Tree Disconnect Response

Login as D1950-01\kums (in Windows System)

163.625577 192.168.97.2 -> 192.168.97.5 TCP 4746 > microsoft-ds [ACK] Seq=1024 Ack=855 Win=15530 Len=0
166.059399 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
166.059551 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global-share
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response


xiv) Winbind Error
[2008/11/26 15:22:58,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dc$@TESTDOMAIN (Cannot find KDC for requested realm)
[2008/11/26 15:22:58,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
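The winbind error above ("krb5_get_credentials failed for dc$@TESTDOMAIN (Cannot find KDC for requested realm)") comes down to two lookups libkrb5 makes against krb5.conf: which KDC serves a given realm, and which realm a given hostname maps to. The following is an added example, not code from the post or from Samba/MIT krb5: a small krb5.conf reader that reproduces both lookups over the krb5.conf posted above. The lookup rules are a simplified model of MIT krb5 (exact hostname first, then each parent domain written with a leading dot; with dns_lookup_kdc = false a realm with no [realms] block has no KDC; unmapped hosts fall back to the upper-cased parent domain). The hostname "dc.testdomain.local" used in the diagnosis is an assumed name for the DC, since the post only shows its IP.

```python
"""Minimal krb5.conf reader reproducing the two lookups libkrb5 makes during
a Samba/Winbind Kerberos session setup: "which KDC serves realm X?" and
"which realm does host Y belong to?".  Added example; the lookup rules are a
simplified model of MIT krb5 behaviour, not the library's own code."""
import re

# [libdefaults], [realms] and [domain_realm] copied from the krb5.conf in the post.
KRB5_CONF = """
[libdefaults]
 default_realm = TESTDOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 TESTDOMAIN.LOCAL = {
  kdc = 172.16.4.10
  default_domain = TESTDOMAIN.LOCAL
 }

[domain_realm]
 .testdomain = TESTDOMAIN.LOCAL
 testdomain = TESTDOMAIN.LOCAL
 .localdomain = TESTDOMAIN.LOCAL
 localdomain = TESTDOMAIN.LOCAL
 sol.datadirectnet.com = TESTDOMAIN.LOCAL
 testdomain.local = TESTDOMAIN.LOCAL
 .testdomain.local = TESTDOMAIN.LOCAL
"""


def parse_krb5_conf(text):
    """Parse [section] / key = value / key = { ... } into nested dicts.
    Plain values are collected in lists because a key may repeat
    (several 'kdc =' lines in one realm block are legal)."""
    conf = {}
    stack = []                      # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:
            conf[m.group(1)] = {}
            stack = [conf[m.group(1)]]
            continue
        if line == '}':
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':
            child = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def kdcs_for_realm(conf, realm):
    """KDC list for a realm.  With dns_lookup_kdc = false (as in the post)
    only the [realms] section can answer, so an unlisted realm such as
    the bare NetBIOS name 'TESTDOMAIN' gives an empty list, which libkrb5
    reports as 'Cannot find KDC for requested realm'."""
    entry = conf.get('realms', {}).get(realm, {})
    return list(entry.get('kdc', []))


def realm_for_host(conf, host):
    """[domain_realm] lookup: the lower-cased hostname itself first, then
    each parent domain with a leading dot.  An entry without a leading dot
    (e.g. 'sol.datadirectnet.com') matches exactly one host, not its
    subdomains.  Unmapped hosts fall back to the upper-cased parent domain
    (simplified model of MIT's fallback when dns_lookup_realm = false)."""
    mapping = conf.get('domain_realm', {})
    labels = host.lower().rstrip('.').split('.')
    candidates = ['.'.join(labels)]
    candidates += ['.' + '.'.join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand][0]
    if len(labels) > 1:
        return '.'.join(labels[1:]).upper()
    return conf['libdefaults']['default_realm'][0]


def diagnose(conf):
    """Run the lookups behind the log lines in the post; returns {label: result}."""
    out = {}
    for realm in ('TESTDOMAIN.LOCAL', 'TESTDOMAIN'):     # realms seen in the winbind log
        kdcs = kdcs_for_realm(conf, realm)
        out[realm] = 'kdc=' + ','.join(kdcs) if kdcs else 'Cannot find KDC for requested realm'
    # The DC's FQDN is not in the post; 'dc.testdomain.local' is an assumed name.
    # 'D1950-01.sol.datadirectnet.com' is the Samba host from the lsof output.
    for host in ('dc.testdomain.local', 'D1950-01.sol.datadirectnet.com'):
        out[host] = realm_for_host(conf, host)
    return out


if __name__ == '__main__':
    for label, result in diagnose(parse_krb5_conf(KRB5_CONF)).items():
        print('%-32s -> %s' % (label, result))
```

Running it shows that the realm name TESTDOMAIN.LOCAL resolves to 172.16.4.10 while the bare name TESTDOMAIN has no KDC at all, and that the Samba host's own FQDN under sol.datadirectnet.com is not covered by the [domain_realm] entry because that entry lacks a leading dot; both are things worth checking against the real krb5.conf with `kinit` and `net ads info` before going further.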
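The capture summaries in the post pair each NTLMSSP Session Setup AndX request with the server's response, and the only line that matters for the logon verdict is the response to the NTLMSSP_AUTH request; the earlier NTLMSSP_CHALLENGE response carries STATUS_MORE_PROCESSING_REQUIRED, which is a normal handshake step and not a failure. As an added example (not part of the post), here is a small reader for that summary format that reports the outcome per user over the lines shown above, treating the MORE_PROCESSING_REQUIRED stage as in progress rather than as an error.

```python
"""Pair SMB Session Setup AndX requests with their responses in
tshark/Wireshark summary lines and report the logon outcome per user.
Added example, not code from the post; the trace lines are copied from
the capture in the post, with the NTLMSSP handshake stages preserved."""
import re

TRACE = """\
10.849712 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
10.849800 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
166.059399 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
166.059551 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\\\192.168.97.5\\global-share
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+) -> (?P<dst>\S+) '
    r'SMB Session Setup AndX (?P<kind>Request|Response)(?:, (?P<rest>.*))?$')
USER_RE = re.compile(r'NTLMSSP_AUTH, User: (?P<user>\S+)')
ERROR_RE = re.compile(r'Error: (?P<status>\S+)')

IN_PROGRESS = 'STATUS_MORE_PROCESSING_REQUIRED'   # handshake continues, not a verdict


def logon_outcomes(trace_text):
    """Return {user: status} for every NTLMSSP_AUTH attempt in the trace.
    A response with no Error field is STATUS_SUCCESS; responses belonging
    to the NEGOTIATE/CHALLENGE leg are skipped."""
    pending = {}      # (client, server) -> user awaiting the AUTH response
    outcomes = {}
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # not a Session Setup line
        src, dst, kind, rest = m.group('src'), m.group('dst'), m.group('kind'), m.group('rest') or ''
        if kind == 'Request':
            u = USER_RE.search(rest)
            if u:
                pending[(src, dst)] = u.group('user')
            continue
        # Response: the client/server pair is reversed relative to the request.
        key = (dst, src)
        err = ERROR_RE.search(rest)
        status = err.group('status') if err else 'STATUS_SUCCESS'
        if status == IN_PROGRESS or key not in pending:
            continue
        outcomes[pending.pop(key)] = status
    return outcomes


def failed_logons(trace_text):
    """Users whose NTLMSSP_AUTH leg ended in anything but STATUS_SUCCESS."""
    return sorted(u for u, s in logon_outcomes(trace_text).items() if s != 'STATUS_SUCCESS')


if __name__ == '__main__':
    for user, status in logon_outcomes(TRACE).items():
        print('%-24s %s' % (user, status))
```

Feed it the output of `tshark -r capture.pcap -Y smb` (the summary column format above) to get a per-user verdict without reading through the handshake lines by hand.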