[Samba] Kerberos Authentication problem "Username X is invalid on this system"
Rowland Penny
rowlandpenny at googlemail.com
Thu Jan 15 02:23:35 MST 2015
On 14/01/15 23:33, Shaun Anderson wrote:
> This is a new Samba config that has not yet worked. I have installed sernet-samba 4.1.14.
>
> [root at sltltfsee samba]# rpm -qa | grep sernet
> sernet-samba-libsmbclient0-4.1.14-10.el6.x86_64
> sernet-samba-common-4.1.14-10.el6.x86_64
> sernet-samba-4.1.14-10.el6.x86_64
> sernet-samba-libs-4.1.14-10.el6.x86_64
> sernet-samba-winbind-4.1.14-10.el6.x86_64
> sernet-samba-client-4.1.14-10.el6.x86_64
>
> I have been added to the domain and all of that appears to work fine. I have created shares, however am unable to access them.
>
> Here are the contents of nsswitch.conf:
> [root at sltltfsee samba]# cat /etc/nsswitch.conf | grep -v "#"
>
>
> passwd: compat winbindd files
> shadow: compat files
> group: compat winbind files
> hosts: files dns wins
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: db files
> netmasks: files
> networks: files dns
> protocols: db files
> rpc: files
> services: files
> netgroup: files
> publickey: nisplus
> automount: files
> aliases: files nisplus
>
> krb.conf file:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MYDOMAIN.ORG
> dns_lookup_realm = true
> ;dns_lookup_realm = false
> dns_lookup_kdc = true
> ;dns_lookup_kdc = false
> ticket_lifetime = 600
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> MYDOMAIN.ORG = {
> kdc = SL1TDC3.MYDOMAIN.ORG
> kdc = SL1DC5.MYDOMAIN.ORG
> admin_server = SL1TDC3.MYDOMAIN.ORG
> default_domain = MYDOMAIN.ORG
> }
>
> [domain_realm]
> .mydomain.org = MYDOMAIN.ORG
> mydomain.org = MYDOMAIN.ORG
> MYDOMAIN.org = MYDOMAIN.ORG
> .MYDOMAIN.org = MYDOMAIN.ORG
>
> Smb.conf file:
> [root at sltltfsee samba]# cat /etc/samba/smb.conf
> [global]
>
> workgroup = SL1
> netbios name = SLTLTFSEE
> server string = LTFSEE Server
> realm = SL1.MYDOMAIN.ORG
> security = ads
> encrypt passwords = yes
> idmap config * : range = 16777216-33554431
> idmap config * : backend = tdb
> template shell = /bash/bin
> allow trusted domains = Yes
> client ntlmv2 auth = yes
> force unknown acl user = yes
> auth methods = guest sam winbind
> passdb backend = tdbsam
> groupdb:backend = tdb
> interfaces = eth1 lo
> username map = /etc/samba/smbusers
> guest ok = yes
>
> #LOGGING
> log level =3
> log file = /var/log/samba/smb.ltfsee.log
> max log size = 50
>
> #WINBIND
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind use default domain =true
> winbind offline logon = true
> winbind refresh tickets = Yes
>
>
> #GPFS items
> gpfs:sharemodes = yes
> gpfs:prealloc = yes
> gpfs:dfreequota = yes
> gpfs:hsm = yes
> gpfs:winattr = yes
> gpfs:leases = yes
>
> #General FS items
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = yes
>
> #SHARES
>
> [general]
> path = /gpfs/ltfsee/general
> read only = no
> valid users = @"Domain Users"
>
> Things such as winbind lookups work just fine:
> [root at sltltfsee samba]# wbinfo -a choatej%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> [root at sltltfsee samba]# wbinfo -i SL1\\choatej
> choatej:*:16777216:16777220::/home/SL1/choatej:/bash/bin
>
> [root at sltltfsee samba]# wbinfo -U 16777216
> S-1-5-21-1823944398-2898753305-4095703837-125569
>
> [root at sltltfsee samba]# wbinfo -s S-1-5-21-1823944398-2898753305-4095703837-125569
> SL1\choatej 1
>
> User can authenticate using ntlm_auth:
> [root at sltltfsee samba]# ntlm_auth --username=choatej
> Password:
> NT_STATUS_OK: Success (0x0)
>
> Attempting to access share from a windows client gives "Access is denied" message.
>
> From the smb log "smb.ltfsee.log"
> [2015/01/14 16:26:02.882034, 3] ../source3/smbd/negprot.c:672(reply_negprot)
> Selected protocol SMB 2.???
> [2015/01/14 16:26:02.887418, 3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
> [2015/01/14 16:26:02.990573, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
> Found account name from PAC: choatej [Choate, James]
> [2015/01/14 16:26:02.990632, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> Kerberos ticket principal name is [choatej at SL1.MYDOMAIN.ORG]
> [2015/01/14 16:26:02.991491, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> Username SL1\choatej is invalid on this system
> [2015/01/14 16:26:02.991554, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> [2015/01/14 16:26:02.996300, 3] ../source3/smbd/server_exit.c:221(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
>
> Kerberos ticket was generated using 'net ads kerberos kinit -P'
>
> [root at sltltfsee samba]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hubijarm_u at SL1.STLUKES-INT.ORG
>
> Valid starting Expires Service principal
> 01/14/15 15:52:23 01/14/15 16:02:23 krbtgt/SL1.MYDOMAIN.ORG at SL1.MYDOMAIN.ORG
> renew until 01/21/15 15:52:23
>
>
> I'm by no means a kerberos expert, but if I have a generated ticket then what is being missed? Where is the 'Username X is invalid on this system" message coming from?
>
>
> Regards,
>
> Shaun Anderson
> "Aut viam inveniam aut faciam"
Don't think this is going to work; you have 'default_realm = MYDOMAIN.ORG' in /etc/krb5.conf and 'realm = SL1.MYDOMAIN.ORG' in smb.conf.
You don't have *anything* in smb.conf to pull from the domain; you pull from outside the domain.
Do you realise that 'passwd: compat winbindd files' means 'passwd: files winbindd files'?
Change /etc/nsswitch.conf to this:
passwd: compat winbindd
shadow: compat files
group: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
bootparams: nisplus [NOTFOUND=return] files
netmasks: files
publickey: nisplus
automount: files
aliases: files nisplus
Change /etc/krb5.conf to:
[libdefaults]
default_realm = SL1.MYDOMAIN.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
Change /etc/samba/smb.conf to:
[global]
workgroup = SL1
security = ADS
realm = SL1.MYDOMAIN.ORG
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = LTFSEE Server
#WINBIND
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes
#IDMAP
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SL1 : backend = ad
idmap config SL1 : range = 16777216-33554431
idmap config SL1 : schema_mode = rfc2307
template shell = /bash/bin
interfaces = eth1 lo
username map = /etc/samba/smbusers
guest ok = yes
printcap name = cups
cups options = raw
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
#LOGGING
log level = 3
log file = /var/log/samba/smb.ltfsee.log
max log size = 50
#General FS items
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = yes
#SHARES
[general]
path = /gpfs/ltfsee/general
read only = no
valid users = @"Domain Users"
The above are based on my *working* laptop.
It might be better if you leave the domain before changing the files, delete /etc/krb5.keytab if it exists, then rejoin the domain.
Rowland
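The log line "Username SL1\choatej is invalid on this system" comes from get_user_from_kerberos_info() in source3/auth/user_krb5.c (the file the log itself names), and it is logged when the account name taken from the ticket's PAC cannot be resolved through the system NSS lookup (getpwnam()). wbinfo talks to winbindd directly, so it can succeed while getpwnam() fails; the quick live check is `getent passwd 'SL1\choatej'`, which must print a passwd entry. The script below is an added example, not code from either poster or from the Samba project: it checks the three files discussed in the reply for the things that make that lookup fail, an nsswitch.conf line that does not name the `winbind` NSS module (glibc loads libnss_winbind, so any other spelling is silently skipped), a krb5.conf default_realm that differs from the smb.conf realm, and a template shell that does not exist on the box. The file paths are arguments; the sample files it writes are constructed here and mirror values from the thread, except that the "fixed" variant uses /bin/sh as the template shell, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): consistency checks for nsswitch.conf,
# krb5.conf and smb.conf. Sample files written by write_samples are constructed
# here and only mirror values posted in the thread.

# nss_has_module NSSWITCH DB MODULE: succeeds when the DB line (e.g. "passwd")
# lists MODULE as a whole word. The module winbindd provides is "winbind"
# (libnss_winbind.so.2); a misspelt name is silently ignored by glibc.
nss_has_module() {
    awk -v db="$2" -v mod="$3" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/#.*/, "", line)                  # drop trailing comment
            n = index(line, ":")
            if (n == 0) next
            name = substr(line, 1, n - 1)
            gsub(/[ \t]/, "", name)
            if (name != db) next
            cnt = split(substr(line, n + 1), parts, /[ \t]+/)
            for (i = 1; i <= cnt; i++) if (parts[i] == mod) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# ini_value FILE SECTION KEY: prints KEY's value inside [SECTION] of an
# ini-style file (krb5.conf, smb.conf); # and ; comment lines are skipped and
# whitespace in key names is ignored, so "template shell" matches.
ini_value() {
    awk -v sec="$2" -v key="$3" '
        BEGIN { gsub(/[ \t]/, "", key) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (tolower(s) == tolower(sec)); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) != tolower(key)) next
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# realms_match KRB5CONF SMBCONF: succeeds when [libdefaults] default_realm and
# [global] realm name the same realm (case-insensitive), as the reply asks for.
realms_match() {
    k=$(ini_value "$1" libdefaults default_realm | tr '[:lower:]' '[:upper:]')
    s=$(ini_value "$2" global realm | tr '[:lower:]' '[:upper:]')
    [ -n "$k" ] && [ -n "$s" ] && [ "$k" = "$s" ]
}

# template_shell_ok SMBCONF: succeeds when the shell handed to domain users exists.
template_shell_ok() {
    sh_path=$(ini_value "$1" global "template shell")
    [ -n "$sh_path" ] && [ -x "$sh_path" ]
}

# check_configs NSSWITCH KRB5CONF SMBCONF: reports every finding, returns 0
# only when all checks pass.
check_configs() {
    rc=0
    for db in passwd group; do
        if nss_has_module "$1" "$db" winbind; then
            echo "ok:   nsswitch '$db' consults winbind"
        else
            echo "FAIL: nsswitch '$db' does not list 'winbind'; getpwnam() cannot see domain users"
            rc=1
        fi
    done
    if realms_match "$2" "$3"; then
        echo "ok:   krb5.conf default_realm matches smb.conf realm"
    else
        echo "FAIL: krb5.conf default_realm '$(ini_value "$2" libdefaults default_realm)' differs from smb.conf realm '$(ini_value "$3" global realm)'"
        rc=1
    fi
    if template_shell_ok "$3"; then
        echo "ok:   template shell exists"
    else
        echo "FAIL: template shell '$(ini_value "$3" global "template shell")' is not an executable file"
        rc=1
    fi
    return $rc
}

# write_samples DIR VARIANT (posted | fixed): constructed sample files. "posted"
# mirrors the original mail; "fixed" applies the reply's changes (template shell
# /bin/sh is an assumption so that the check can pass on any host).
write_samples() {
    if [ "$2" = posted ]; then
        nss='passwd: compat winbindd files'; realm='MYDOMAIN.ORG'; shell='/bash/bin'
    else
        nss='passwd: compat winbind'; realm='SL1.MYDOMAIN.ORG'; shell='/bin/sh'
    fi
    printf '%s\ngroup: compat winbind\n' "$nss" > "$1/nsswitch.conf"
    printf '[libdefaults]\n default_realm = %s\n dns_lookup_kdc = true\n' "$realm" > "$1/krb5.conf"
    printf '[global]\n workgroup = SL1\n realm = SL1.MYDOMAIN.ORG\n security = ads\n template shell = %s\n' "$shell" > "$1/smb.conf"
}

# demo: run both variants and show the findings side by side.
demo() {
    dir=$(mktemp -d)
    for variant in posted fixed; do
        write_samples "$dir" "$variant"
        echo "== $variant configuration =="
        check_configs "$dir/nsswitch.conf" "$dir/krb5.conf" "$dir/smb.conf" || true
    done
    rm -rf "$dir"
}
demo
```

Run against a real host with `check_configs /etc/nsswitch.conf /etc/krb5.conf /etc/samba/smb.conf` after sourcing the script; a FAIL on the passwd line is exactly the state in which wbinfo works but `getent passwd` and the Kerberos session setup do not.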