[Samba] Kerberos Authentication problem "Username X is invalid on this system"
Rowland Penny
rowlandpenny at googlemail.com
Thu Jan 15 02:32:10 MST 2015
On 15/01/15 09:23, Rowland Penny wrote:
> On 14/01/15 23:33, Shaun Anderson wrote:
>> This is a new Samba config that has not yet worked. I have installed
>> sernet-samba 4.1.14.
>>
>> [root at sltltfsee samba]# rpm -qa | grep sernet
>> sernet-samba-libsmbclient0-4.1.14-10.el6.x86_64
>> sernet-samba-common-4.1.14-10.el6.x86_64
>> sernet-samba-4.1.14-10.el6.x86_64
>> sernet-samba-libs-4.1.14-10.el6.x86_64
>> sernet-samba-winbind-4.1.14-10.el6.x86_64
>> sernet-samba-client-4.1.14-10.el6.x86_64
>>
>> I have been added to the domain and all of that appears to work
>> fine. I have created shares, however I am unable to access them.
>>
>> Here are the contents of nsswitch.conf:
>> [root at sltltfsee samba]# cat /etc/nsswitch.conf | grep -v "#"
>>
>>
>> passwd: compat winbindd files
>> shadow: compat files
>> group: compat winbind files
>> hosts: files dns wins
>>
>> bootparams: nisplus [NOTFOUND=return] files
>>
>> ethers: db files
>> netmasks: files
>> networks: files dns
>> protocols: db files
>> rpc: files
>> services: files
>> netgroup: files
>> publickey: nisplus
>> automount: files
>> aliases: files nisplus
>>
>> krb5.conf file:
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = MYDOMAIN.ORG
>> dns_lookup_realm = true
>> ;dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ;dns_lookup_kdc = false
>> ticket_lifetime = 600
>> renew_lifetime = 7d
>> forwardable = true
>>
>> [realms]
>> MYDOMAIN.ORG = {
>> kdc = SL1TDC3.MYDOMAIN.ORG
>> kdc = SL1DC5.MYDOMAIN.ORG
>> admin_server = SL1TDC3.MYDOMAIN.ORG
>> default_domain = MYDOMAIN.ORG
>> }
>>
>> [domain_realm]
>> .mydomain.org = MYDOMAIN.ORG
>> mydomain.org = MYDOMAIN.ORG
>> MYDOMAIN.org = MYDOMAIN.ORG
>> .MYDOMAIN.org = MYDOMAIN.ORG
>>
>> Smb.conf file:
>> [root at sltltfsee samba]# cat /etc/samba/smb.conf
>> [global]
>>
>> workgroup = SL1
>> netbios name = SLTLTFSEE
>> server string = LTFSEE Server
>> realm = SL1.MYDOMAIN.ORG
>> security = ads
>> encrypt passwords = yes
>> idmap config * : range = 16777216-33554431
>> idmap config * : backend = tdb
>> template shell = /bash/bin
>> allow trusted domains = Yes
>> client ntlmv2 auth = yes
>> force unknown acl user = yes
>> auth methods = guest sam winbind
>> passdb backend = tdbsam
>> groupdb:backend = tdb
>> interfaces = eth1 lo
>> username map = /etc/samba/smbusers
>> guest ok = yes
>>
>> #LOGGING
>> log level =3
>> log file = /var/log/samba/smb.ltfsee.log
>> max log size = 50
>>
>> #WINBIND
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind nested groups = Yes
>> winbind use default domain =true
>> winbind offline logon = true
>> winbind refresh tickets = Yes
>>
>>
>> #GPFS items
>> gpfs:sharemodes = yes
>> gpfs:prealloc = yes
>> gpfs:dfreequota = yes
>> gpfs:hsm = yes
>> gpfs:winattr = yes
>> gpfs:leases = yes
>>
>> #General FS items
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = yes
>>
>> #SHARES
>>
>> [general]
>> path = /gpfs/ltfsee/general
>> read only = no
>> valid users = @"Domain Users"
>>
>> Things such as winbind lookups work just fine:
>> [root at sltltfsee samba]# wbinfo -a choatej%password
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> [root at sltltfsee samba]# wbinfo -i SL1\\choatej
>> choatej:*:16777216:16777220::/home/SL1/choatej:/bash/bin
>>
>> [root at sltltfsee samba]# wbinfo -U 16777216
>> S-1-5-21-1823944398-2898753305-4095703837-125569
>>
>> [root at sltltfsee samba]# wbinfo -s
>> S-1-5-21-1823944398-2898753305-4095703837-125569
>> SL1\choatej 1
>>
>> User can authenticate using ntlm_auth:
>> [root at sltltfsee samba]# ntlm_auth --username=choatej
>> Password:
>> NT_STATUS_OK: Success (0x0)
>>
>> Attempting to access share from a windows client gives "Access is
>> denied" message.
>>
>> From the smb log "smb.ltfsee.log"
>> [2015/01/14 16:26:02.882034, 3]
>> ../source3/smbd/negprot.c:672(reply_negprot)
>> Selected protocol SMB 2.???
>> [2015/01/14 16:26:02.887418, 3]
>> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
>> Selected protocol SMB2_10
>> [2015/01/14 16:26:02.990573, 3]
>> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>> Found account name from PAC: choatej [Choate, James]
>> [2015/01/14 16:26:02.990632, 3]
>> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>> Kerberos ticket principal name is [choatej at SL1.MYDOMAIN.ORG]
>> [2015/01/14 16:26:02.991491, 1]
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>> Username SL1\choatej is invalid on this system
>> [2015/01/14 16:26:02.991554, 1]
>> ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
>> Failed to map kerberos principal to system user
>> (NT_STATUS_LOGON_FAILURE)
>> [2015/01/14 16:26:02.996300, 3]
>> ../source3/smbd/server_exit.c:221(exit_server_common)
>> Server exit (NT_STATUS_CONNECTION_RESET)
>>
>>
>> Kerberos ticket was generated using 'net ads kerberos kinit -P'
>>
>> [root at sltltfsee samba]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: hubijarm_u at SL1.STLUKES-INT.ORG
>>
>> Valid starting Expires Service principal
>> 01/14/15 15:52:23 01/14/15 16:02:23
>> krbtgt/SL1.MYDOMAIN.ORG at SL1.MYDOMAIN.ORG
>> renew until 01/21/15 15:52:23
>>
>>
>> I'm by no means a kerberos expert, but if I have a generated ticket
>> then what is being missed? Where is the 'Username X is invalid on
>> this system' message coming from?
>>
>>
>> Regards,
>>
>> Shaun Anderson
>> "Aut viam inveniam aut faciam"
>>
>>
>>
>>
>> DISCLAIMER: The information in this message (and any attachments hereto) may be confidential and protected from disclosure. If the reader of this message is neither the intended recipient nor an agent responsible for delivering the message to the intended recipient, you are hereby notified that any unauthorized disclosure of this information is strictly prohibited. Any unauthorized disclosure may cause the breaching party to be liable to ConvergeOne Holdings Corp. and/or its subsidiaries and affiliates for damages. If you have received this message in error, please notify the sender by replying to the e-mail message, and delete it from your computer without reading it or saving it in any manner.
>
> I don't think this is going to work: you have 'default_realm =
> MYDOMAIN.ORG' in /etc/krb5.conf and 'realm = SL1.MYDOMAIN.ORG' in
> smb.conf.
> You don't have *anything* in smb.conf to pull from the domain; you
> pull from outside the domain.
> Do you realise that 'passwd: compat winbindd files' means
> 'passwd: files winbindd files'?
>
> Change /etc/nsswitch.conf to this:
>
> passwd: compat winbindd
> shadow: compat files
> group: compat winbind
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> bootparams: nisplus [NOTFOUND=return] files
> netmasks: files
> publickey: nisplus
> automount: files
> aliases: files nisplus
>
> Change /etc/krb5.conf to:
>
> [libdefaults]
> default_realm = SL1.MYDOMAIN.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> Change /etc/samba/smb.conf to:
>
> [global]
> workgroup = SL1
> security = ADS
> realm = SL1.MYDOMAIN.ORG
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = LTFSEE Server
> #WINBIND
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> #IDMAP
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config SL1 : backend = ad
> idmap config SL1 : range = 16777216-33554431
> idmap config SL1 : schema_mode = rfc2307
> template shell = /bash/bin
> interfaces = eth1 lo
> username map = /etc/samba/smbusers
> guest ok = yes
> printcap name = cups
> cups options = raw
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
>
> #LOGGING
> log level = 3
> log file = /var/log/samba/smb.ltfsee.log
> max log size = 50
>
> #General FS items
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = yes
>
> #SHARES
>
> [general]
> path = /gpfs/ltfsee/general
> read only = no
> valid users = @"Domain Users"
>
> The above are based on my *working* laptop.
>
> It might be better if you leave the domain before changing the files,
> delete /etc/krb5.keytab if it exists, then rejoin the domain.
>
> Rowland
>
OOPS, I missed something else:
You have this in /etc/nsswitch.conf: 'passwd: compat winbindd files', it
should be 'passwd: compat winbind' #NOTE only one 'd' at the end.
Rowland
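An added example, not part of this thread and not a Samba tool: a small Python checker that applies the three points Rowland raises (an NSS module name that does not exist as a libnss library, no winbind source for passwd/group, and a default_realm in krb5.conf that does not match the realm in smb.conf) to constructed, shortened copies of the files quoted above. The module list, the finding codes and the sample texts are this example's own assumptions; the one-character 'winbindd' typo is exactly the kind of error that produces "Username X is invalid on this system", because glibc silently skips an NSS module it cannot load, so the Kerberos principal never maps to a local account.

```python
import difflib

# NSS module names that exist as libnss_<name>.so on common Linux installs.
# Anything else (e.g. "winbindd") resolves nothing, because glibc cannot
# load the library and just moves on. This list is an assumption.
KNOWN_NSS_MODULES = {
    "files", "compat", "dns", "db", "winbind", "sss", "ldap", "nis", "nisplus",
    "wins", "mdns", "mdns4_minimal", "myhostname", "resolve", "systemd",
}

# Constructed samples, trimmed to the keys that matter for the checks.
NSSWITCH_BROKEN = "passwd: compat winbindd files\nshadow: compat files\ngroup: compat winbind files\nhosts: files dns wins\n"
KRB5_BROKEN = "[libdefaults]\ndefault_realm = MYDOMAIN.ORG\ndns_lookup_realm = true\n;dns_lookup_realm = false\n"
SMB_BROKEN = "[global]\nworkgroup = SL1\nrealm = SL1.MYDOMAIN.ORG\nsecurity = ads\n"

NSSWITCH_FIXED = "passwd: compat winbind\nshadow: compat files\ngroup: compat winbind\n"
KRB5_FIXED = "[libdefaults]\ndefault_realm = SL1.MYDOMAIN.ORG\ndns_lookup_realm = false\n"
SMB_FIXED = "[global]\nworkgroup = SL1\nsecurity = ADS\nrealm = SL1.MYDOMAIN.ORG\n"


def parse_nsswitch(text):
    """Map each NSS database to its ordered list of module names.

    '[NOTFOUND=return]'-style action blocks and '#' comments are skipped.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        databases[db.strip()] = [t for t in sources.split() if not t.startswith("[")]
    return databases


def ini_value(text, section, key):
    """Return `key` from `[section]` of an smb.conf/krb5.conf style file, or None.

    Keys compare case-insensitively with spaces removed (smb.conf treats
    'winbind enum users' and 'winbindenumusers' alike); lines starting with
    ';' or '#' are comments in both formats.
    """
    want = key.replace(" ", "").lower()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current != section.lower() or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.replace(" ", "").strip().lower() == want:
            return v.strip()
    return None


def check_configs(nsswitch_text, krb5_text, smb_text):
    """Return a list of (code, message) findings; empty means the three files
    agree on the points that caused the logon failure in the thread."""
    findings = []
    nss = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        modules = nss.get(db, [])
        for mod in modules:
            if mod not in KNOWN_NSS_MODULES:
                hint = difflib.get_close_matches(mod, sorted(KNOWN_NSS_MODULES), n=1)
                suggestion = f" (did you mean '{hint[0]}'?)" if hint else ""
                findings.append(("NSS_UNKNOWN_MODULE",
                                 f"nsswitch.conf {db}: unknown module '{mod}'{suggestion}"))
        if not {"winbind", "sss"} & set(modules):
            findings.append(("NSS_NO_DOMAIN_SOURCE",
                             f"nsswitch.conf {db}: no winbind/sss source, domain users will not resolve"))
        if "compat" in modules and "files" in modules:
            findings.append(("NSS_REDUNDANT_FILES",
                             f"nsswitch.conf {db}: 'compat' already reads local files; 'files' is redundant"))

    krb_realm = ini_value(krb5_text, "libdefaults", "default_realm")
    smb_realm = ini_value(smb_text, "global", "realm")
    if krb_realm is None or smb_realm is None:
        findings.append(("REALM_MISSING", "default_realm (krb5.conf) or realm (smb.conf) is not set"))
    elif krb_realm.upper() != smb_realm.upper():
        findings.append(("REALM_MISMATCH",
                         f"krb5.conf default_realm '{krb_realm}' != smb.conf realm '{smb_realm}'"))
    return findings


if __name__ == "__main__":
    for label, files in (("broken", (NSSWITCH_BROKEN, KRB5_BROKEN, SMB_BROKEN)),
                         ("fixed", (NSSWITCH_FIXED, KRB5_FIXED, SMB_FIXED))):
        print(f"== {label} ==")
        for code, msg in check_configs(*files) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

On a real host, replace the constructed strings with the contents of /etc/nsswitch.conf, /etc/krb5.conf and /etc/samba/smb.conf; the realm comparison is case-insensitive because Kerberos realms are conventionally upper-case while smb.conf is case-insensitive. The checker does not confirm that the join itself is healthy, which is why Rowland's advice to leave, remove the keytab and rejoin still stands once the files agree.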