[Samba] Struggling with Samba + AD member config (winbind auth failing) :(
Andrej Pintar
api984 at gmail.com
Fri Apr 5 17:25:47 MDT 2013
Hello Samba List,
I am struggling with connecting Samba to our AD servers. Thought it would be as
easy as before, but I was wrong.
DCs:
- Windows Server 2012 (2x) with AD Domain Forest/Level 2003 NATIVE.
- SBS 2003 (will be removed, migrating from SBS AD to the new 2012 servers)
- standard AD schema with Exchange attributes
I did NOT install the UNIX attributes (these are required for SSSD); thought I
would go without them.
Not sure where the hiccup is.
- doubts about Windows Server 2012 security
I was able to connect with the existing configuration to a Windows Server 2012
VM with a test domain in a virtual environment.
Thought maybe someone would know a neat trick.
Linux:
CentOS 5.9 updated
Samba 3.0.33 - using
Samba 3.6.6 (3x package) - tried
Samba 4.0.0 - tried
Tried Winbind and SSSD.
I have set up PAM, NSSWITCH, KRB5, SMB.
net ads info - ok
net ads status - ok
wbinfo -u - ok
wbinfo -g - ok
wbinfo -t - ok
wbinfo -m - ok
kinit administrator@UNILINEDOO.LOCAL - ok
klist -ke - ok
net ads testjoin - ok
id <user> - ok
getent passwd - ok
getent group - ok
join commands:
net join ads -U Administrator
net join ads -U Administrator createupn="cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL"
Was looking at GPO in WIN2K12:
- encryption
- SMB signing
- Kerberos encryption
- Netlogon compatibility
- RPC client auth
- regedit: lanmanserver, lanmanworkstation
- SAM enumeration
- pipes
- pipe perms on /var/cache/samba/winbindd_priv/pipe
kinit did not work for:
kinit CBOX40$
- asks for a password
klist -ke:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (DES cbc mode with CRC-32)
   3 host/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (DES cbc mode with RSA-MD5)
   3 host/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (ArcFour with HMAC/md5)
   3 host/cbox40@UNILINEDOO.LOCAL (DES cbc mode with CRC-32)
   3 host/cbox40@UNILINEDOO.LOCAL (DES cbc mode with RSA-MD5)
   3 host/cbox40@UNILINEDOO.LOCAL (ArcFour with HMAC/md5)
   3 CBOX40$@UNILINEDOO.LOCAL (DES cbc mode with CRC-32)
   3 CBOX40$@UNILINEDOO.LOCAL (DES cbc mode with RSA-MD5)
   3 CBOX40$@UNILINEDOO.LOCAL (ArcFour with HMAC/md5)
   3 cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (DES cbc mode with CRC-32)
   3 cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (DES cbc mode with RSA-MD5)
   3 cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (ArcFour with HMAC/md5)

Configs:
KRB5 (/etc/krb5.conf):
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
    default_realm = UNILINEDOO.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
    clockskew = 300
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac
[realms]
    TDD.LOCAL = {
        kdc = 192.168.0.237:88
        kdc = 192.168.0.238:88
        master_kdc = 192.168.0.237
        default_domain = UNILINEDOO.LOCAL
    }
[domain_realm]
    .unilinedoo.local = UNILINEDOO.LOCAL
    unilinedoo.local = UNILINEDOO.LOCAL
[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 15d
        renew_lifetime = 15d
        forwardable = true
        krb4_convert = false
    }

SMB.CONF:
[global]
    log file = /var/log/samba/%m.log
    load printers = no
    # Global winbind settings
    #idmap backend = rid:UNILINEDOO=10000-50000
    idmap backend = ad
    idmap uid = 10000-40000
    idmap gid = 10000-40000
    #idmap domains = UNILINEDOO
    #idmap config UNILINEDOO: default = yes
    #idmap config UNILINEDOO: backend = rid
    #idmap config UNILINEDOO: range = 10000-20000
    #idmap alloc config: range = 10000-20000
    password server = 192.168.0.237
    workgroup = UNILINEDOO
    realm = UNILINEDOO.LOCAL
    winbind enum groups = yes
    winbind enum users = yes
    domain master = no
    winbind separator = +
    winbind trusted domains only = no
    encrypt passwords = yes
    wins support = no
    winbind use default domain = yes
    dns proxy = no
    netbios name = CBOX40
    server string = CBOX ADS
    local master = no
    os level = 20
    create mode = 775
    security = ads
    preferred master = no
    max log size = 50
    #log level: log level = 5 winbind:10 auth:10
    log level = 3
    debug timestamp = yes
    directory mode = 775
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    #nt pipe support = yes
    client schannel = auto
    server schannel = auto
    #nt status support = yes
    client ntlmv2 auth = yes
    client plaintext auth = yes
    #obey pam restrictions = yes
    allow trusted domains = yes
    server signing = auto
    client signing = auto
    client use spnego = yes
    use spnego = yes
    #min protocol = SMB1
    #max protocol = SMB1
    ntlm auth = yes
    #ntlmv2 auth = no
    #ldapsam:trusted = Yes
    #passdb backend = tdbsam
    client lanman auth = no
    #winbind nss info = rfc2307
    winbind refresh tickets = yes
    #winbind offline logon = no
    #winbind normalize names = no
    #winbind cache time = 360
    template shell = /bin/bash
    use kerberos keytab = yes
    #kerberos method = secrets and keytab
    #ldap ssl = Off

[test]
    nt acl support = yes
    writeable = yes
    inherit permissions = no
    path = /srv/uniline/
    force group = domain users
    comment = Uniline Company Share
    valid users = @"UNILINEDOO+domain users"
    create mode = 770
    directory mode = 770
    # public = yes
NSSWITCH (/etc/nsswitch.conf):
passwd: files winbind
shadow: files
group: files winbind
(tried sss)

PAM:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_winbind.so use_first_pass
#krb5_auth
#require_membership_of=S-1-5-21-2974736424-2030979957-651850636-513
auth requisite pam_succeed_if.so uid >= 500 quiet
#auth sufficient pam_krb5.so try_first_pass
#auth sufficient pam_sss.so use_first_pass
#auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_krb5.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
#session optional pam_sss.so
session optional pam_winbind.so use_first_pass

Errors:
wbinfo -a user%pass:
[root@cbox40 ~]# wbinfo -a ul67%Prus6u
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user ul67%Prus6u with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user ul67 with challenge/response

wb-UNILINEDOO log:
[2013/04/06 01:04:00, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2085)
  rpc_pipe_bind: Remote machine ULVDC01.Unilinedoo.local pipe \NETLOGON fnum 0x4000 bind request returned ok.
[2013/04/06 01:04:00, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2085)
  rpc_pipe_bind: Remote machine ULVDC01.Unilinedoo.local pipe \NETLOGON fnum 0x1 bind request returned ok.
[2013/04/06 01:04:00, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1841)
  winbindd_pam_auth: sam_logon returned ACCESS_DENIED. Maybe the trust account password was changed and we didn't know it. Killing connections to domain UNILINEDOO
[2013/04/06 01:04:00, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [UNILINEDOO]\[ul67] returned NT_STATUS_ACCESS_DENIED (PAM: 4)
smbclient:
[root@cbox40 samba]# smbclient -L localhost -U ul67 -d 3
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface ip=10.0.2.40 bcast=10.0.2.255 nmask=255.255.255.0
added interface ip=192.168.0.173 bcast=192.168.0.255 nmask=255.255.255.0
Client started (version 3.0.33-3.39.el5_8).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Password:
Doing spnego session setup (blob length=121)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
- tried to disable SPNEGO and got an NT1 error afterwards :D
It's been 10 days, so I really know where to start once more.
Will try some tricks in GPO and play around once more with regedit to make
the Win2012 environment more similar to 2003...
TCP log:
- tcpdump
- did not see anything break inside of it.
- just some "preauth failed", but I read that that's normal.
--
Andrej Pintar
email : api984 at gmail.com
andrej at skrad.com
api984 at api984.net
web: http://www.api984.net
contact cell: 00385 98 790 639
home server: http://api984.ath.cx
ICQ: 191748772
Skype: api9841
MSN: fatallord at hotmail.com
IRC: api984, freenode.net
::Software is like sex: it's better when it's free::
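As an added example (not code from the original post), here is a small realm-consistency checker for the configs shown above: the krb5.conf [realms] block is keyed TDD.LOCAL while default_realm, the smb.conf realm and the keytab principals all use UNILINEDOO.LOCAL, so the explicit kdc lines never apply to the realm actually in use. The config excerpts are constructed from the post; parse_conf and check_realms are hypothetical helper names.

```python
# Constructed excerpts of the krb5.conf and smb.conf from the post.
KRB5_CONF = """
[libdefaults]
default_realm = UNILINEDOO.LOCAL
[realms]
TDD.LOCAL = {
kdc = 192.168.0.237:88
default_domain = UNILINEDOO.LOCAL
}
"""
SMB_CONF = """
[global]
workgroup = UNILINEDOO
realm = UNILINEDOO.LOCAL
"""


def parse_conf(text):
    """Parse krb5.conf/smb.conf style text into {section: {key: value}}.
    A 'NAME = {' ... '}' block (as used under [realms]) becomes a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None    # new section resets any open block
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = line[:-1].split("=", 1)[0].strip()
            conf[section][block] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf


def check_realms(krb5_text, smb_text):
    """Return a list of findings; an empty list means the realm settings agree."""
    findings = []
    krb5 = parse_conf(krb5_text)
    default = krb5.get("libdefaults", {}).get("default_realm", "")
    realms = krb5.get("realms", {})
    if default not in realms:   # the kdc/master_kdc lines only apply to a matching block
        findings.append(f"default_realm {default} has no [realms] block (found: {', '.join(realms) or 'none'})")
    smb_realm = parse_conf(smb_text).get("global", {}).get("realm", "")
    if smb_realm.upper() != default.upper():   # Samba and libkrb5 must agree on the realm
        findings.append(f"smb.conf realm {smb_realm} != krb5 default_realm {default}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_realms(KRB5_CONF, SMB_CONF)) or "realm settings consistent")
```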