[Samba] Kerberos Authentication problem "Username X is invalid on this system"

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 15 02:23:35 MST 2015


On 14/01/15 23:33, Shaun Anderson wrote:
> This is a new Samba config that has not yet worked.  I have installed sernet-samba 4.1.14.
>
> [root@sltltfsee samba]# rpm -qa | grep sernet
> sernet-samba-libsmbclient0-4.1.14-10.el6.x86_64
> sernet-samba-common-4.1.14-10.el6.x86_64
> sernet-samba-4.1.14-10.el6.x86_64
> sernet-samba-libs-4.1.14-10.el6.x86_64
> sernet-samba-winbind-4.1.14-10.el6.x86_64
> sernet-samba-client-4.1.14-10.el6.x86_64
>
> I have been added to the domain and all of that appears to work fine.  I have created shares, however am unable to access them.
>
> Here are the contents of nsswitch.conf:
> [root@sltltfsee samba]# cat /etc/nsswitch.conf | grep -v "#"
>
>
> passwd:     compat winbindd files
> shadow:     compat files
> group:      compat winbind files
> hosts:      files dns wins
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     db files
> netmasks:   files
> networks:   files dns
> protocols:  db files
> rpc:        files
> services:   files
> netgroup:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
>
> krb.conf file:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MYDOMAIN.ORG
> dns_lookup_realm = true
> ;dns_lookup_realm = false
> dns_lookup_kdc = true
> ;dns_lookup_kdc = false
> ticket_lifetime = 600
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> MYDOMAIN.ORG = {
>    kdc = SL1TDC3.MYDOMAIN.ORG
>    kdc = SL1DC5.MYDOMAIN.ORG
>    admin_server = SL1TDC3.MYDOMAIN.ORG
>    default_domain = MYDOMAIN.ORG
> }
>
> [domain_realm]
> .mydomain.org = MYDOMAIN.ORG
> mydomain.org = MYDOMAIN.ORG
> MYDOMAIN.org = MYDOMAIN.ORG
> .MYDOMAIN.org = MYDOMAIN.ORG
>
> Smb.conf file:
> [root@sltltfsee samba]# cat /etc/samba/smb.conf
> [global]
>
>     workgroup = SL1
>     netbios name = SLTLTFSEE
>     server string = LTFSEE Server
>     realm = SL1.MYDOMAIN.ORG
>     security = ads
>     encrypt passwords = yes
>     idmap config * : range = 16777216-33554431
>     idmap config * : backend = tdb
>     template shell = /bash/bin
>     allow trusted domains = Yes
>     client ntlmv2 auth = yes
>     force unknown acl user = yes
>     auth methods = guest sam winbind
>     passdb backend = tdbsam
>     groupdb:backend = tdb
>     interfaces = eth1 lo
>     username map = /etc/samba/smbusers
>     guest ok = yes
>
> #LOGGING
> log level =3
> log file = /var/log/samba/smb.ltfsee.log
> max log size = 50
>
> #WINBIND
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind use default domain =true
> winbind offline logon = true
> winbind refresh tickets = Yes
>
>
> #GPFS items
>          gpfs:sharemodes = yes
>          gpfs:prealloc = yes
>          gpfs:dfreequota = yes
>          gpfs:hsm = yes
>          gpfs:winattr = yes
>          gpfs:leases = yes
>
> #General FS items
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = yes
>
> #SHARES
>
> [general]
>     path = /gpfs/ltfsee/general
>     read only = no
>     valid users = @"Domain Users"
>
> Things such as winbind lookups work just fine:
> [root@sltltfsee samba]# wbinfo -a choatej%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> [root@sltltfsee samba]# wbinfo -i SL1\\choatej
> choatej:*:16777216:16777220::/home/SL1/choatej:/bash/bin
>
> [root@sltltfsee samba]# wbinfo -U 16777216
> S-1-5-21-1823944398-2898753305-4095703837-125569
>
> [root@sltltfsee samba]# wbinfo -s S-1-5-21-1823944398-2898753305-4095703837-125569
> SL1\choatej 1
>
> User can authenticate using ntlm_auth:
> [root@sltltfsee samba]# ntlm_auth --username=choatej
> Password:
> NT_STATUS_OK: Success (0x0)
>
> Attempting to access share from a windows client gives "Access is denied" message.
>
> From the smb log "smb.ltfsee.log":
> [2015/01/14 16:26:02.882034,  3] ../source3/smbd/negprot.c:672(reply_negprot)
>    Selected protocol SMB 2.???
> [2015/01/14 16:26:02.887418,  3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
>    Selected protocol SMB2_10
> [2015/01/14 16:26:02.990573,  3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>    Found account name from PAC: choatej [Choate, James]
> [2015/01/14 16:26:02.990632,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>    Kerberos ticket principal name is [choatej@SL1.MYDOMAIN.ORG]
> [2015/01/14 16:26:02.991491,  1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>    Username SL1\choatej is invalid on this system
> [2015/01/14 16:26:02.991554,  1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
>    Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> [2015/01/14 16:26:02.996300,  3] ../source3/smbd/server_exit.c:221(exit_server_common)
>    Server exit (NT_STATUS_CONNECTION_RESET)
>
>
> Kerberos ticket was generated using 'net ads kerberos kinit -P'
>
> [root@sltltfsee samba]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hubijarm_u@SL1.STLUKES-INT.ORG
>
> Valid starting     Expires            Service principal
> 01/14/15 15:52:23  01/14/15 16:02:23  krbtgt/SL1.MYDOMAIN.ORG@SL1.MYDOMAIN.ORG
>          renew until 01/21/15 15:52:23
>
>
> I'm by no means a Kerberos expert, but if I have a generated ticket then what is being missed?  Where is the 'Username X is invalid on this system' message coming from?
>
>
> Regards,
>
> Shaun Anderson
> "Aut viam inveniam aut faciam"
>

Don't think this is going to work: you have 'default_realm = MYDOMAIN.ORG' in /etc/krb5.conf and 'realm = SL1.MYDOMAIN.ORG' in smb.conf. You don't have *anything* in smb.conf to pull from the domain, you pull from outside the domain.

Do you realise that 'passwd:     compat winbindd files' means 'passwd:     files winbindd files'?

Change /etc/nsswitch.conf to this:

passwd:     compat winbindd
shadow:     compat files
group:      compat winbind

hosts:      files dns
networks:   files

protocols:  db files
services:   db files
ethers:     db files
rpc:        db files

netgroup:   nis
bootparams: nisplus [NOTFOUND=return] files
netmasks:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

Change /etc/krb5.conf to:

[libdefaults]
default_realm = SL1.MYDOMAIN.ORG
dns_lookup_realm = false
dns_lookup_kdc = true

Change /etc/samba/smb.conf to:

[global]
    workgroup = SL1
    security = ADS
    realm = SL1.MYDOMAIN.ORG
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = LTFSEE Server
    #WINBIND
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind normalize names = Yes
    #IDMAP
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config SL1 : backend  = ad
    idmap config SL1 : range = 16777216-33554431
    idmap config SL1 : schema_mode = rfc2307
    template shell = /bash/bin
    interfaces = eth1 lo
    username map = /etc/samba/smbusers
    guest ok = yes
    printcap name = cups
    cups options = raw
    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user

    #LOGGING
    log level = 3
    log file = /var/log/samba/smb.ltfsee.log
    max log size = 50

    #General FS items
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = yes

#SHARES

[general]
    path = /gpfs/ltfsee/general
    read only = no
    valid users = @"Domain Users"

The above are based on my *working* laptop.

It might be better if you leave the domain before changing the files, 
delete /etc/krb5.keytab if it exists, then rejoin the domain.

Rowland
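As an added example (not from the thread and not Samba's own code), a small Python checker that applies the consistency checks Rowland's reply makes, realm agreement between krb5.conf and smb.conf, a per-domain idmap backend, and the nsswitch passwd/group sources, to constructed copies of the configs posted above. It also flags 'winbindd' in nsswitch.conf, a point the thread does not make: the NSS module Samba ships is named 'winbind', so 'winbindd' never resolves users.

```python
import re

# Constructed samples mirroring the thread's posted configs (not the poster's files verbatim).
KRB5_CONF = "[libdefaults]\ndefault_realm = MYDOMAIN.ORG\ndns_lookup_kdc = true\n"
SMB_CONF = """[global]
    workgroup = SL1
    realm = SL1.MYDOMAIN.ORG
    security = ads
    idmap config * : range = 16777216-33554431
    idmap config * : backend = tdb
"""
NSSWITCH = "passwd:     compat winbindd files\ngroup:      compat winbind files\n"

def parse_ini(text):
    """Minimal parser for krb5.conf/smb.conf style '[section]' and 'key = value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections

def check_configs(krb5_text, smb_text, nsswitch_text):
    """Return findings that explain why a valid Kerberos ticket may not map to a local user."""
    findings = []
    krb5 = parse_ini(krb5_text).get("libdefaults", {})
    smb = parse_ini(smb_text).get("global", {})
    default_realm, smb_realm = krb5.get("default_realm", "").upper(), smb.get("realm", "").upper()
    if default_realm != smb_realm:
        findings.append(f"realm mismatch: krb5.conf {default_realm!r} vs smb.conf {smb_realm!r}")
    workgroup = smb.get("workgroup", "").lower()
    if workgroup and not any(k.startswith(f"idmap config {workgroup} :") for k in smb):
        findings.append(f"no 'idmap config {workgroup.upper()} : ...' entries; only the '*' default backend")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch_text, re.M)
        sources = m.group(1).split() if m else []
        if "winbind" not in sources:
            hint = " ('winbindd' is the daemon; the NSS module is 'winbind')" if "winbindd" in sources else ""
            findings.append(f"nsswitch {db} line does not consult winbind{hint}")
        if "compat" in sources and "files" in sources:
            findings.append(f"nsswitch {db} line lists both 'compat' and 'files' (compat already includes files)")
    return findings

if __name__ == "__main__":
    for finding in check_configs(KRB5_CONF, SMB_CONF, NSSWITCH):
        print("-", finding)
```

Running it against the constructed samples reports five findings; the same checks run clean once the realm, idmap and nsswitch lines are aligned as in the reply (with 'winbind' spelled as the module name).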


