[Samba] problem authenticating with kerberos and smb

Michael Edwards michael.edwards at henderson-group.com
Thu Nov 27 09:07:59 MST 2014


Hi folks

We're having a bit of an issue with a CentOS 6.5 box that is running
Samba 3.6.23-12.  Everything was running fine until Samba was upgraded
from 3.6.9-169 to 3.6.23-12 last month, and we're now having problems
accessing the machine or any shares on it.

The machine is joined to a Windows 2008 R2 Active Directory, and we're
using Kerberos for authenticating users.  The issue only occurs when
we're using Kerberos - when using NTLM there are no problems.  The
machine also runs NFS, which is working fine when using Kerberos.  See
the gist below for the log level = 10 smb log.  There is an example of the
process working while using NTLM, and a few examples of it not working
when using Kerberos.

https://gist.github.com/mikes1988/381d507891b493a4e8ff

We've spent some time looking through the log, trying to pinpoint
exactly where it's breaking, and suspect that it's going wrong around
the lines I've pasted below.  It looks like the domain information is
getting lost along the way, and then when we get to lookup_sid.c we're
getting the mismatched sids, presumably because one sid is for HGVNAS,
and the other is for DOMAIN.  Output of sudo net getlocalsid and sudo
net getlocalsid DOMAIN are below, showing the two sids that are shown in
the log.

edwam at hgvnas:~$ sudo net getlocalsid
SID for domain HGVNAS is: S-1-5-21-127897388-885368389-1514669401
edwam at hgvnas:~$ sudo net getlocalsid DOMAIN
SID for domain DOMAIN is: S-1-5-21-2809677999-1344825738-4163663879

I would appreciate any feedback on where we're going wrong.  I've pasted
our current configuration after the log; is there a configuration
option that we've missed along the way that is now required in the
newer versions?  Please let me know if there are any other logs or
configs that you need to help.

[2014/11/27 12:23:55.365650, 10] libsmb/clikrb5.c:1155(get_key_from_keytab)
  get_key_from_keytab: will look for kvno 2, enctype 23 and name: host/hgvnas.inside.local at INSIDE.LOCAL
[2014/11/27 12:23:55.365721,  3] libads/kerberos_verify.c:267(ads_keytab_verify_ticket)
  libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab succeeded for principal host/hgvnas.inside.local at INSIDE.LOCAL
[2014/11/27 12:23:55.365799, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
  Got KRB5 session key of length 16
[2014/11/27 12:23:55.365833, 10] libsmb/clikrb5.c:396(unwrap_pac)
  authorization data is not a Windows PAC (type: 141)
[2014/11/27 12:23:55.365863,  3] libads/kerberos_verify.c:684(ads_verify_ticket)
  libads/kerberos_verify.c:684: did not retrieve auth data. continuing without PAC
[2014/11/27 12:23:55.365928,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [edwam at INSIDE.LOCAL]
[2014/11/27 12:23:55.365977, 10] auth/user_krb5.c:96(get_user_from_kerberos_info)
  Mapping [INSIDE.LOCAL] to short name using winbindd
[2014/11/27 12:23:55.366275, 10] auth/user_krb5.c:112(get_user_from_kerberos_info)
  Domain is [DOMAIN] (using Winbind)
[2014/11/27 12:23:55.366334,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user DOMAIN\edwam
[2014/11/27 12:23:55.366365,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is domain\edwam
[2014/11/27 12:23:55.366546,  5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is DOMAIN\edwam
[2014/11/27 12:23:55.366704,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is DOMAIN\EDWAM
[2014/11/27 12:23:55.366978,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in domain\edwam
[2014/11/27 12:23:55.367022,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [DOMAIN\edwam]!
[2014/11/27 12:23:55.367057,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user edwam
[2014/11/27 12:23:55.367094,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is edwam
[2014/11/27 12:23:55.367124,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [edwam]!
[2014/11/27 12:23:55.367170,  6] param/loadparm.c:7490(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.shares.conf -> /etc/samba/smb.shares.conf  last mod_time: Tue Oct 22 14:30:34 2013

  file /etc/samba/smb.server.conf -> /etc/samba/smb.server.conf  last mod_time: Thu Nov 27 11:19:31 2014

  file /etc/samba/smb.rhel.conf -> /etc/samba/smb.rhel.conf  last mod_time: Thu Jan  1 01:00:00 1970

  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Wed Nov 26 11:26:10 2014

[2014/11/27 12:23:55.367358,  5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_edwam
[2014/11/27 12:23:55.367399, 10] auth/user_krb5.c:239(make_server_info_krb5)
  didn't find user edwam in passdb, calling make_server_info_pw
[2014/11/27 12:23:55.367432, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: HGVNAS\edwam => domain=[HGVNAS], name=[edwam]
...
[2014/11/27 12:23:55.374945,  1] auth/server_info.c:602(passwd_to_SamInfo3)
  The primary group domain sid(S-1-5-21-2809677999-1344825738-4163663879-513) does not match the domain sid(S-1-5-21-127897388-885368389-1514669401) for edwam(S-1-22-1-10181)
[2014/11/27 12:23:55.375014,  1] auth/user_krb5.c:249(make_server_info_krb5)
  make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2014/11/27 12:23:55.375051,  1] smbd/sesssetup.c:381(reply_spnego_kerberos)
  make_server_info_krb5 failed!
[2014/11/27 12:23:55.375099,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(385) cmd=115 (SMBsesssetupX) NT_STATUS_INVALID_SID


/etc/samba/smb.conf:
[global]
workgroup = DOMAIN
server string = Samba/%v server at %h (CentOS release 6.5 (Final))
log file = /var/log/samba/%M.log
# only if guest logins should be possible (don't see why ATM)
;map to guest = bad user
kerberos method = system keytab
security = ads
realm = inside.local
preferred master = no
# only if guest logins should be possible and using user shares (don't see why)
;usershare allow guests = yes

include = /etc/samba/smb.rhel.conf
include = /etc/samba/smb.server.conf
include = /etc/samba/smb.shares.conf

smb.rhel.conf is unused on this machine

/etc/samba/smb.server.conf:
# disable print sharing; see
# http://serverfault.com/questions/207510/how-do-you-disable-smb-printing-support
load printers = no
printing = bsd
printcap name = /dev/null
# note: in samba >= 4.0 this should be enough
disable spoolss = yes
log level = 10

# make winbind use NSS (and therefore SSSD) to resolve SIDs for domain users to
# UIDs; this is needed to allow adding/modifying ACEs on shared files from
# Windows ACL editor; it also allows the names to be mapped to proper
# DOMAIN\name format instead of being displayed as "Unix User\name"; see
# idmap_nss(8).
# - https://lists.samba.org/archive/samba/2012-June/167961.html
# - https://lists.samba.org/archive/samba/2013-January/171142.html
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 10000-999999

/etc/samba/smb.shares.conf:
[global]
# defaults for all shares
# make samba as POSIX compliant as possible so there's no discrepancies
# between local/SMB/NFS access

# create files/dirs with at most those permissions
# (does not affect permissions being explicitly set, only defaults when file/dir is created)
create mask = 0664
directory mask = 0775

# POSIX conformance - inherit default ACEs of the parent dir
inherit acls = yes

# do not map old DOS modes to UNIX permissions
# in particular no mapping of archive bit to u+x
# and no changes to DOS readonly, use ACLs instead
map archive = no
map readonly = permissions

# shares are writeable by default
writeable = yes

[appdata]
comment = application data
path = /srv/appdata

[backups]
comment = application and system backups
path = /srv/backups

[sysdata]
comment = system application data
path = /srv/sysdata

[scratch]
comment = scratch monkey (temp/test area)
path = /srv/scratch

Not sure if the rest are relevant:
/etc/krb5.conf:
[logging]
default = SYSLOG:DEBUG:AUTH
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
renew_lifetime = 7d

; this is only needed for samba-3.6.9 which doesn't support AES and uses DES
; by default, but since DES is not allowed by default in AD-2008 this makes the
; host principal unusable; starting with RC4 is most compatible as it is
; allowed by AD-2008 and older; these 3 options can be removed for
; samba-3.6.10+ which will then default to AES
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5

/etc/sssd/sssd.conf:
[nss]
debug_level=2
[pam]
[sssd]
config_file_version=2
domains=inside.local
services=nss, pam
[domain/inside.local]
ldap_referrals=false
ldap_search_base=DC=Inside,DC=local
ldap_user_object_class=user
cache_credentials=true
enumerate=true
auth_provider=krb5
chpass_provider=krb5
ldap_user_home_directory=unixHomeDirectory
krb5_realm=INSIDE.LOCAL
krb5_server=_srv_, hgpdc01.inside.local, hgvdc01.inside.local
ldap_force_upper_case_realm=true
ldap_uri=_srv_, ldap://hgpdc01.inside.local/, ldap://hgvdc01.inside.local/
krb5_renew_interval=1800
ldap_sasl_mech=GSSAPI
min_id=10000
ldap_schema=rfc2307bis
ldap_group_object_class=group
ldap_account_expire_policy=ad
ldap_user_principal=userPrincipalName
id_provider=ldap
[#EOF#]

Other info:
OS: CentOS release 6.5
Kernel: 2.6.32-431.29.2.el6.x86_64

Thanks in advance
Michael
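An added triage script (not from the post and not Samba's own code) that walks the log excerpt above and records where the domain information changes hands: the ticket realm is mapped to DOMAIN by winbind, the passdb lookup misses, the user is then resolved as the local passwd user HGVNAS\edwam, and the final SID check compares a DOMAIN group SID against the HGVNAS machine SID. It embeds the relevant log lines and the two `net getlocalsid` values from the post as constructed input, with the archive's " at " written as "@".

```python
import re

# Constructed sample: the relevant lines of the level-10 smbd log quoted in the post,
# with the e-mail line wrapping undone and the archive's " at " written as "@".
SAMPLE_LOG = r"""
[2014/11/27 12:23:55.365928,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [edwam@INSIDE.LOCAL]
[2014/11/27 12:23:55.366275, 10] auth/user_krb5.c:112(get_user_from_kerberos_info)
  Domain is [DOMAIN] (using Winbind)
[2014/11/27 12:23:55.367399, 10] auth/user_krb5.c:239(make_server_info_krb5)
  didn't find user edwam in passdb, calling make_server_info_pw
[2014/11/27 12:23:55.367432, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: HGVNAS\edwam => domain=[HGVNAS], name=[edwam]
[2014/11/27 12:23:55.374945,  1] auth/server_info.c:602(passwd_to_SamInfo3)
  The primary group domain sid(S-1-5-21-2809677999-1344825738-4163663879-513) does not match the domain sid(S-1-5-21-127897388-885368389-1514669401) for edwam(S-1-22-1-10181)
"""
# The two SIDs reported by `net getlocalsid` and `net getlocalsid DOMAIN` in the post.
KNOWN_DOMAIN_SIDS = {"HGVNAS": "S-1-5-21-127897388-885368389-1514669401",
                     "DOMAIN": "S-1-5-21-2809677999-1344825738-4163663879"}
MISMATCH_RE = re.compile(
    r"primary group domain sid\((?P<group>S-[\d-]+)\) does not match the domain "
    r"sid\((?P<domain>S-[\d-]+)\) for (?P<user>[^(]+)\((?P<usersid>S-[\d-]+)\)")

def sid_owner(sid, known):
    """Name the domain a SID belongs to, as given or with its RID stripped.
    S-1-22-1-<uid> is Samba's 'Unix User' authority: a POSIX uid with no domain SID."""
    if sid.startswith("S-1-22-1-"):
        return "Unix User (uid %s, no domain SID)" % sid.rsplit("-", 1)[1]
    for candidate in (sid, sid.rsplit("-", 1)[0]):
        for name, domain_sid in known.items():
            if domain_sid == candidate:
                return name
    return None

def diagnose(log_text, known):
    """Walk the session-setup log and record each point where the domain changes."""
    d = dict(principal=None, winbind_domain=None, passdb_fallback=False, lookup_domain=None,
             group_sid_domain=None, server_sid_domain=None, user_sid=None)
    for line in log_text.splitlines():
        if m := re.search(r"principal name is \[(.+?)\]", line):
            d["principal"] = m.group(1)            # edwam@INSIDE.LOCAL
        elif m := re.search(r"Domain is \[(.+?)\] \(using Winbind\)", line):
            d["winbind_domain"] = m.group(1)       # realm mapped to DOMAIN
        elif "calling make_server_info_pw" in line:
            d["passdb_fallback"] = True            # not in passdb: fall back to passwd
        elif m := re.search(r"lookup_name: .* => domain=\[(.+?)\]", line):
            d["lookup_domain"] = m.group(1)        # now treated as a local HGVNAS user
        elif m := MISMATCH_RE.search(line):
            d["group_sid_domain"] = sid_owner(m.group("group"), known)
            d["server_sid_domain"] = sid_owner(m.group("domain"), known)
            d["user_sid"] = sid_owner(m.group("usersid"), known)
    return d
```

Running `diagnose(SAMPLE_LOG, KNOWN_DOMAIN_SIDS)` shows the group SID (RID 513, Domain Users) belonging to DOMAIN while the "domain sid" it is checked against is the HGVNAS machine SID, and the user carrying a Unix User SID rather than a DOMAIN one.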


