[Samba] winbind question. (challenge/response password authentication)
L.P.H. van Belle
belle at bazuin.nl
Wed Feb 1 11:26:17 UTC 2017
Hi,
I'm setting up a new proxy and I'm testing a bit around.
Goal is to get everything working with minimal changes to the system.
Setup: Debian 8 with NFS nfsv3 and v4 (krb) automounts, winbind 4.5.3, squid 3.5.24 (with ssl support)
Which is basically a copy of my other proxy but a new install with more systemd and fewer packages used.
Working:
- ssh logins with AD users. Userdirs nfsv4.
- NFSv3 and NFSv4 (krb5) (with systemd automount for user home dirs)
- Squid with basic auth (over ldap ssl)
- Put needed SPN in the keytab file.
  - bug found: samba-tool spn add HTTP/hostname.domain.tld@REALM proxy2$
    - keytab result is http/ not HTTP/; squid needs HTTP!
Not working:
- Winbind user tests.
- Kerberos auth for squid. Need to fix keytab first.
The setup/config:
The running smb.conf:
[global]
workgroup = NTDOM
security = ads
realm = REALM
netbios name = PROXY2
preferred master = no
domain master = no
host msdfs = no
interfaces = 192.168.0.2 127.0.0.1
bind interfaces only = yes
dns proxy = yes
#Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/p2.pem
tls certfile = /etc/ssl/local/certs/p2.pem
tls cafile = /etc/ssl/certs/company-ca.pem
## map ids outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain; the ranges may not overlap!
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# Use home directory and shell information from AD
winbind nss info = rfc2307
# prompt on ssh logins is user@hostname: instead of NTDOM\user@hostname:
winbind use default domain = yes
winbind trusted domains only = no
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
# enable offline logins
winbind offline logon = yes
# depth of nested group expansion; slows down samba if the group nesting is too deep
winbind expand groups = 4
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershare creation; when set empty, no error log messages.
usershare path =
# Disable printing completely; when set empty, no error log messages.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Output of my keytab file:
klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 host/proxy2@REALM (des-cbc-crc)
   3 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 host/proxy2@REALM (des-cbc-md5)
   3 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 host/proxy2@REALM (aes128-cts-hmac-sha1-96)
   3 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 host/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 host/proxy2@REALM (arcfour-hmac)
   3 proxy2$@REALM (des-cbc-crc)
   3 proxy2$@REALM (des-cbc-md5)
   3 proxy2$@REALM (aes128-cts-hmac-sha1-96)
   3 proxy2$@REALM (aes256-cts-hmac-sha1-96)
   3 proxy2$@REALM (arcfour-hmac)
   3 nfs/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 nfs/proxy2@REALM (des-cbc-crc)
   3 nfs/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 nfs/proxy2@REALM (des-cbc-md5)
   3 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 nfs/proxy2@REALM (aes128-cts-hmac-sha1-96)
   3 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 nfs/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 nfs/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 nfs/proxy2@REALM (arcfour-hmac)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 http/proxy2@REALM (des-cbc-crc)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 http/proxy2@REALM (des-cbc-md5)
   3 http/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 http/proxy2@REALM (aes128-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 http/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 http/proxy2@REALM (arcfour-hmac)
And I'm having a hard time getting this explained (see below).
So maybe someone on the list can explain this more to me.
I also found the same problem/subjects already in the list:
28-12-2016: Re: [Samba] Error with samba update in debian.
3?9-2016: [Samba] challenge/response password authentication seems to be broken
My tests:
1
ntlm_auth --request-nt-key --username=username
Password:
NT_STATUS_OK: Success (0x0)
2
ntlm_auth --request-lm-key --username=username
Password:
NT_STATUS_OK: Success (0x0)
3
ntlm_auth --username=username --ntlmv2
Password:
NT_STATUS_OK: Success (0x0)
4
ntlm_auth --username=username --lanman
Password:
NT_STATUS_OK: Success (0x0)
5
ntlm_auth --username=username --krb5auth=username
Password:
NT_STATUS_OK: Success (0x0)
But...
6
ntlm_auth --diagnostics --username=username
Password:
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
7
wbinfo -a username
Enter username's password:
plaintext password authentication failed
Could not authenticate user username with plaintext password
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user username with challenge/response
8
wbinfo --krb5auth=username
Enter username's password:
plaintext kerberos password authentication for [username] failed (requesting cctype: FILE)
wbcLogonUser(username): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user [username] with Kerberos (ccache: FILE)
9
wbinfo --krb5auth='NTDOM\username'
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
10
wbinfo --krb5auth='username@REALM'
Enter username@REALM's password:
plaintext kerberos password authentication for [username@REALM] failed (requesting cctype: FILE)
wbcLogonUser(username@REALM): error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
error message was: Logon failure
Could not authenticate user [username@REALM] with Kerberos (ccache: FILE)
Now I enabled in smb.conf: winbind use default domain = yes
klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
1
ntlm_auth --request-nt-key --username=username
Password:
NT_STATUS_OK: Success (0x0)
2
ntlm_auth --request-lm-key --username=username
Password:
NT_STATUS_OK: Success (0x0)
3
ntlm_auth --username=username --ntlmv2
Password:
NT_STATUS_OK: Success (0x0)
4
ntlm_auth --username=username --lanman
Password:
NT_STATUS_OK: Success (0x0)
5
ntlm_auth --username=username --krb5auth=username
Password:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
6
ntlm_auth --diagnostics --username=username
Password:
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
7
wbinfo -a username
Enter username's password:
plaintext password authentication succeeded
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user username with challenge/response
8
wbinfo --krb5auth=username
Enter username's password:
plaintext kerberos password authentication for [username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
9
kdestroy -A
root@rtd-proxy2:~# wbinfo --krb5auth='NTDOM\username'
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
10
kdestroy -A
root@rtd-proxy2:~# wbinfo --krb5auth='username@REALM'
Enter username@REALM's password:
plaintext kerberos password authentication for [username@REALM] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
What is missing in my config? Hints, tips?
I know that the devs are working on more consistent results with winbind, I just don't know if it's deployed yet.
Tests overview (smb.conf: winbind use default domain = No / Yes):

Test   No     Yes
1      Ok     Ok
2      Ok     Ok
3      Ok     Ok
4      Ok     Ok
5      Ok     Fail
6      Fail   Fail
7      Fail   ½ ok ½ fail
8      Fail   Ok
9      Ok     Ok
10     Fail   Ok
Strange to me is 5:
ntlm_auth --username=username --krb5auth=username
I can't explain 6:
ntlm_auth --diagnostics --username=username
7:
wbinfo -a username
with winbind use default domain = yes, plaintext password authentication succeeded but challenge/response password authentication failed.
Kerberos-related auth:
8
wbinfo --krb5auth=username
9
wbinfo --krb5auth='NTDOM\username'
10
wbinfo --krb5auth='username@REALM'
So I'm wondering if I'm getting a better result with
winbind use default domain = yes
Greetz,
Louis
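As an added example (not code from Louis's post, nor from Samba or Squid): a POSIX sh audit of a `klist -ke` listing that checks, case-sensitively, whether the keytab holds the HTTP/fqdn@REALM principal Squid's Negotiate helper asks for, which is exactly the http/ vs HTTP/ mismatch noted above (Kerberos principal names are case-sensitive), and that lists every DES or RC4 (arcfour) key, since those enctypes only add downgrade surface to a keytab that already carries AES keys. The embedded listing is constructed to mirror the post's keytab; proxy2.internal.domain.tld and REALM are the post's placeholders, and all function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba/Squid.
# Audits a `klist -ke` listing for (a) the exact, case-sensitive SPN Squid's
# negotiate_kerberos_auth helper looks up and (b) weak DES/RC4 keys.

# Constructed sample in `klist -ke` format, mirroring the post's keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 proxy2$@REALM (arcfour-hmac)
   3 proxy2$@REALM (aes256-cts-hmac-sha1-96)
   3 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)'

# keytab_principals LISTING: unique principals; key lines begin with a numeric KVNO,
# so the "Keytab name:", "KVNO Principal" and "----" lines are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_has_principal LISTING PRINCIPAL: exact, case-sensitive whole-line match.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF -- "$2"
}

# keytab_weak_entries LISTING: principal and enctype of every DES or RC4 key.
keytab_weak_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $3 ~ /^\((des-|arcfour-)/ { print $2, $3 }'
}

# keytab_weak_count LISTING: number of weak entries (0 when the keytab is AES-only).
keytab_weak_count() {
    keytab_weak_entries "$1" | wc -l | tr -d ' '
}

# squid_spn_check LISTING FQDN REALM:
#   0 = HTTP/FQDN@REALM present (what Squid's Negotiate helper needs)
#   1 = only lowercase http/FQDN@REALM present (the mismatch from the post)
#   2 = neither present
squid_spn_check() {
    keytab_has_principal "$1" "HTTP/$2@$3" && return 0
    keytab_has_principal "$1" "http/$2@$3" && return 1
    return 2
}

# report LISTING FQDN REALM: human-readable summary; always returns 0.
report() {
    rc=0
    squid_spn_check "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "OK:   HTTP/$2@$3 present" ;;
        1) echo "FAIL: only http/$2@$3 present; Squid asks for HTTP/ (principal names are case-sensitive)" ;;
        *) echo "FAIL: no HTTP/$2@$3 in keytab" ;;
    esac
    n=$(keytab_weak_count "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n DES/RC4 key(s) in keytab:"
        keytab_weak_entries "$1" | sed 's/^/      /'
    fi
    return 0
}

# Usage: audit the live keytab when klist can read it, else the constructed sample.
# Pass the proxy FQDN and realm as arguments; the defaults are the post's placeholders.
LISTING=$(klist -ke /etc/krb5.keytab 2>/dev/null) || LISTING=$SAMPLE_KLIST
report "$LISTING" "${1:-proxy2.internal.domain.tld}" "${2:-REALM}"
```

On the sample the report flags the lowercase-only http/ principal and three weak keys. Running it against the real keytab (`sh audit.sh proxy2.internal.domain.tld REALM` as root) gives the same two answers for the live file; the weak-key warning is advisory, since removing DES and RC4 keys is only safe once nothing in the domain still negotiates them.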