[Samba] Kerberos Authentication problem "Username X is invalid on this system"

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 15 02:32:10 MST 2015


On 15/01/15 09:23, Rowland Penny wrote:
> On 14/01/15 23:33, Shaun Anderson wrote:
>> This is a new Samba config that has not yet worked.  I have installed 
>> sernet-samba 4.1.14.
>>
>> [root at sltltfsee samba]# rpm -qa | grep sernet
>> sernet-samba-libsmbclient0-4.1.14-10.el6.x86_64
>> sernet-samba-common-4.1.14-10.el6.x86_64
>> sernet-samba-4.1.14-10.el6.x86_64
>> sernet-samba-libs-4.1.14-10.el6.x86_64
>> sernet-samba-winbind-4.1.14-10.el6.x86_64
>> sernet-samba-client-4.1.14-10.el6.x86_64
>>
>> I have been added to the domain and all of that appears to work 
>> fine.  I have created shares, however am unable to access them.
>>
>> Here are the contents of nsswitch.conf:
>> [root at sltltfsee samba]# cat /etc/nsswitch.conf | grep -v "#"
>>
>>
>> passwd:     compat winbindd files
>> shadow:     compat files
>> group:      compat winbind files
>> hosts:      files dns wins
>>
>> bootparams: nisplus [NOTFOUND=return] files
>>
>> ethers:     db files
>> netmasks:   files
>> networks:   files dns
>> protocols:  db files
>> rpc:        files
>> services:   files
>> netgroup:   files
>> publickey:  nisplus
>> automount:  files
>> aliases:    files nisplus
>>
>> krb.conf file:
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = MYDOMAIN.ORG
>> dns_lookup_realm = true
>> ;dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ;dns_lookup_kdc = false
>> ticket_lifetime = 600
>> renew_lifetime = 7d
>> forwardable = true
>>
>> [realms]
>> MYDOMAIN.ORG = {
>>    kdc = SL1TDC3.MYDOMAIN.ORG
>>    kdc = SL1DC5.MYDOMAIN.ORG
>>    admin_server = SL1TDC3.MYDOMAIN.ORG
>>    default_domain = MYDOMAIN.ORG
>> }
>>
>> [domain_realm]
>> .mydomain.org = MYDOMAIN.ORG
>> mydomain.org = MYDOMAIN.ORG
>> MYDOMAIN.org = MYDOMAIN.ORG
>> .MYDOMAIN.org = MYDOMAIN.ORG
>>
>> Smb.conf file:
>> [root at sltltfsee samba]# cat /etc/samba/smb.conf
>> [global]
>>
>>     workgroup = SL1
>>     netbios name = SLTLTFSEE
>>     server string = LTFSEE Server
>>     realm = SL1.MYDOMAIN.ORG
>>     security = ads
>>     encrypt passwords = yes
>>     idmap config * : range = 16777216-33554431
>>     idmap config * : backend = tdb
>>     template shell = /bash/bin
>>     allow trusted domains = Yes
>>     client ntlmv2 auth = yes
>>     force unknown acl user = yes
>>     auth methods = guest sam winbind
>>     passdb backend = tdbsam
>>     groupdb:backend = tdb
>>     interfaces = eth1 lo
>>     username map = /etc/samba/smbusers
>>     guest ok = yes
>>
>> #LOGGING
>> log level =3
>> log file = /var/log/samba/smb.ltfsee.log
>> max log size = 50
>>
>> #WINBIND
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind nested groups = Yes
>> winbind use default domain =true
>> winbind offline logon = true
>> winbind refresh tickets = Yes
>>
>>
>> #GPFS items
>>          gpfs:sharemodes = yes
>>          gpfs:prealloc = yes
>>          gpfs:dfreequota = yes
>>          gpfs:hsm = yes
>>          gpfs:winattr = yes
>>          gpfs:leases = yes
>>
>> #General FS items
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     store dos attributes = yes
>>
>> #SHARES
>>
>> [general]
>>     path = /gpfs/ltfsee/general
>>     read only = no
>>     valid users = @"Domain Users"
>>
>> Things such as winbind lookups work just fine:
>> [root at sltltfsee samba]# wbinfo -a choatej%password
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> [root at sltltfsee samba]# wbinfo -i SL1\\choatej
>> choatej:*:16777216:16777220::/home/SL1/choatej:/bash/bin
>>
>> [root at sltltfsee samba]# wbinfo -U 16777216
>> S-1-5-21-1823944398-2898753305-4095703837-125569
>>
>> [root at sltltfsee samba]# wbinfo -s 
>> S-1-5-21-1823944398-2898753305-4095703837-125569
>> SL1\choatej 1
>>
>> User can authenticate using ntlm_auth:
>> [root at sltltfsee samba]# ntlm_auth --username=choatej
>> Password:
>> NT_STATUS_OK: Success (0x0)
>>
>> Attempting to access share from a windows client gives "Access is 
>> denied" message.
>>
>>  From the smb log "smb.ltfsee.log"
>> [2015/01/14 16:26:02.882034,  3] 
>> ../source3/smbd/negprot.c:672(reply_negprot)
>>    Selected protocol SMB 2.???
>> [2015/01/14 16:26:02.887418,  3] 
>> ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
>>    Selected protocol SMB2_10
>> [2015/01/14 16:26:02.990573,  3] 
>> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>>    Found account name from PAC: choatej [Choate, James]
>> [2015/01/14 16:26:02.990632,  3] 
>> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>>    Kerberos ticket principal name is [choatej at SL1.MYDOMAIN.ORG]
>> [2015/01/14 16:26:02.991491,  1] 
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>    Username SL1\choatej is invalid on this system
>> [2015/01/14 16:26:02.991554,  1] 
>> ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
>>    Failed to map kerberos principal to system user 
>> (NT_STATUS_LOGON_FAILURE)
>> [2015/01/14 16:26:02.996300,  3] 
>> ../source3/smbd/server_exit.c:221(exit_server_common)
>>    Server exit (NT_STATUS_CONNECTION_RESET)
>>
>>
>> Kerberos ticket was generated using 'net ads kerberos kinit -P'
>>
>> [root at sltltfsee samba]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: hubijarm_u at SL1.STLUKES-INT.ORG
>>
>> Valid starting     Expires            Service principal
>> 01/14/15 15:52:23  01/14/15 16:02:23 
>> krbtgt/SL1.MYDOMAIN.ORG at SL1.MYDOMAIN.ORG
>>          renew until 01/21/15 15:52:23
>>
>>
>> I'm by no means a kerberos expert, but if I have a generated ticket 
>> then what is being missed?  Where is the 'Username X is invalid on 
>> this system" message coming from?
>>
>>
>> Regards,
>>
>> Shaun Anderson
>> "Aut viam inveniam aut faciam"
>>
>>
>>
>>
>
> Don't think this is going to work, you have 'default_realm = 
> MYDOMAIN.ORG' in /etc/krb5.conf and 'realm = SL1.MYDOMAIN.ORG' in 
> smb.conf.
> You don't have *anything* in smb.conf to pull from the domain, you 
> pull from outside the domain.
> Do you realise that 'passwd:     compat winbindd files' means 
> 'passwd:     files winbindd files' ?
>
> Change /etc/nsswitch.conf to this:
>
> passwd:     compat winbindd
> shadow:     compat files
> group:      compat winbind
>
> hosts:      files dns
> networks:   files
>
> protocols:  db files
> services:   db files
> ethers:     db files
> rpc:        db files
>
> netgroup:   nis
> bootparams: nisplus [NOTFOUND=return] files
> netmasks:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
>
> Change /etc/krb5.conf to:
>
> [libdefaults]
> default_realm = SL1.MYDOMAIN.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> Change /etc/samba/smb.conf to:
>
> [global]
>    workgroup = SL1
>    security = ADS
>    realm = SL1.MYDOMAIN.ORG
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    server string = LTFSEE Server
>    #WINBIND
>    winbind enum users = Yes
>    winbind enum groups = Yes
>    winbind use default domain = Yes
>    winbind expand groups = 4
>    winbind nss info = rfc2307
>    winbind offline logon = Yes
>    winbind refresh tickets = Yes
>    winbind normalize names = Yes
>    #IDMAP
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-9999
>    idmap config SL1 : backend  = ad
>    idmap config SL1 : range = 16777216-33554431
>    idmap config SL1 : schema_mode = rfc2307
>    template shell = /bash/bin
>    interfaces = eth1 lo
>    username map = /etc/samba/smbusers
>    guest ok = yes
>    printcap name = cups
>    cups options = raw
>    domain master = no
>    local master = no
>    preferred master = no
>    os level = 20
>    map to guest = bad user
>
>    #LOGGING
>    log level = 3
>    log file = /var/log/samba/smb.ltfsee.log
>    max log size = 50
>
>    #General FS items
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = yes
>
> #SHARES
>
> [general]
>    path = /gpfs/ltfsee/general
>    read only = no
>    valid users = @"Domain Users"
>
> The above are based on my *working* laptop.
>
> It might be better if you leave the domain before changing the files, 
> delete /etc/krb5.keytab if it exists, then rejoin the domain.
>
> Rowland
>

OOPS, I missed something else:

You have this in /etc/nsswitch.conf: 'passwd: compat winbindd files', it 
should be 'passwd: compat winbind' #NOTE only one 'd' at the end.

Rowland
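The two misconfigurations Rowland identifies in this thread (the stray 'd' in `winbindd` in /etc/nsswitch.conf, and a krb5.conf `default_realm` that does not match the smb.conf `realm`) can be checked mechanically. The script below is an added example, not code from the thread or from Samba; the file contents are constructed to mirror the original poster's settings, and on a real host you would read /etc/nsswitch.conf, /etc/krb5.conf and /etc/samba/smb.conf instead.

```python
# Constructed samples reproducing the poster's settings: the stray 'd' in
# 'winbindd' and a krb5.conf default_realm that is not the smb.conf realm.
NSSWITCH = """\
passwd:     compat winbindd files
group:      compat winbind files
"""
KRB5_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.ORG
"""
SMB_CONF = """\
[global]
    realm = SL1.MYDOMAIN.ORG
"""

def check_nsswitch(text):
    """Flag passwd/group databases that cannot resolve AD users through winbind."""
    findings = []
    for raw in text.splitlines():
        db, sep, sources = raw.split("#", 1)[0].partition(":")
        db = db.strip()
        if not sep or db not in ("passwd", "group"):
            continue
        srcs = sources.split()
        if "winbindd" in srcs:
            findings.append(f"{db}: 'winbindd' is not an NSS module, use 'winbind'")
        elif "winbind" not in srcs:
            findings.append(f"{db}: no winbind source, domain users will not resolve")
    return findings

def ini_value(text, section, key):
    """Line-based lookup; tolerates smb.conf indentation and krb5.conf braces."""
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == section
        elif in_section and "=" in line:
            k, _, v = line.partition("=")
            if k.strip().lower() == key:
                return v.strip()
    return None

def check_realms(krb5_text, smb_text):
    """Per the thread, krb5.conf default_realm must agree with the smb.conf realm."""
    krb5_realm = ini_value(krb5_text, "libdefaults", "default_realm") or ""
    smb_realm = ini_value(smb_text, "global", "realm") or ""
    if krb5_realm.upper() != smb_realm.upper():
        return [f"realm mismatch: krb5.conf default_realm={krb5_realm!r}, smb.conf realm={smb_realm!r}"]
    return []
```

Running both checks on the constructed samples yields one nsswitch finding and one realm mismatch, which is exactly the state the original poster's logs ("Username SL1\choatej is invalid on this system") describe.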


