[Samba] winbind question. (challenge/response password authentication)

mathias dufresne infractory at gmail.com
Wed Feb 1 16:32:08 UTC 2017


Hi Louis,

First, sorry, I haven't fully understood what the question(s) related to
all these tests were. I won't try to help on that.

A small question about lower case service part of SPN: you wrote that when
adding into AD some SPN with HTTP in upper case then you have "http" in
place of "HTTP" in the keytab.
As you:
1 - add SPN into some DB
2 - use some tool to extract info from that DB to create a keytab
3 - use another tool to read the keytab

I'm wondering what your AD database contains. Is it "HTTP/..." or
"http/..."? I mean, I wonder if this problem comes from 1°).

If AD contains lower case when you have added an upper case SPN, the error
seems to come from the way the SPN is added into AD. Perhaps you can use
ldbedit to change that lower case SPN to an upper case SPN.

If SPN is still upper case after that ldbedit, you can retry to create the
keytab.

Perhaps it comes from 2°, so the tool used to create the keytab. You could
try to use ktutil I suppose to create keytabs.

I don't really believe it comes from 3° : )
Anyway you can "cat /path/to/http.keytab" to check if it contains UPPER or
lower case...

Just ideas pushed like that... that does not imply they are good ideas :p


2017-02-01 12:26 GMT+01:00 L.P.H. van Belle via samba <samba at lists.samba.org>:

> Hai,
>
> I'm setting up a new proxy and I'm testing a bit around.
> Goal is, get everything working with minimal changes to the system.
>
> Setup: Debian 8 with NFS nfsv3 and v4 (krb) automounts, winbind 4.5.3,
> squid 3.5.24 (with ssl support)
> Which is basically a copy of my other proxy but a new install with more
> systemd and less packages used.
>
> Working:
> - ssh logins with AD users. Userdirs nfsv4.
> - NFSv3 and NFSv4 (krb5) (with systemd with automount for user home dirs)
> - Squid with basic auth. (over ldap ssl)
> - Put needed SPN in the keytab file.
>   - bug found: samba-tool spn add HTTP/hostname.domain.tld@REALM proxy2$
>     - keytab result is http/ not HTTP/; squid needs HTTP!
>
> Not working:
> - Winbind user tests.
> - Kerberos Auth for squid. Need to fix keytab first.
>
> The setup/config
>
> The running smb.conf
>
> [global]
>     workgroup = NTDOM
>     security = ads
>     realm = REALM
>
>     netbios name = PROXY2
>     preferred master = no
>     domain master = no
>     host msdfs = no
>
>     interfaces = 192.168.0.2 127.0.0.1
>     bind interfaces only = yes
>     dns proxy = yes
>
>     #Add and Update TLS Key
>     tls enabled = yes
>     tls keyfile = /etc/ssl/local/private/p2.pem
>     tls certfile = /etc/ssl/local/certs/p2.pem
>     tls cafile = /etc/ssl/certs/company-ca.pem
>
>     ## map id's outside the domain to tdb files.
>     idmap config * :backend = tdb
>     idmap config * :range = 2000-9999
>
>     ## map ids from the domain; the ranges may not overlap !
>     idmap config NTDOM : backend = ad
>     idmap config NTDOM : schema_mode = rfc2307
>     idmap config NTDOM : range = 10000-3999999
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
>     # renew the kerberos ticket
>     winbind refresh tickets = yes
>
>     # Use home directory and shell information from AD
>     winbind nss info = rfc2307
>
>     # no NTDOM\user@hostname: but user@hostname as prompt with ssh logins
>     winbind use default domain = yes
>
>     winbind trusted domains only = no
>     winbind cache time = 15
>     winbind enum users  = yes
>     winbind enum groups = yes
>
>     # enable offline logins
>     winbind offline logon = yes
>
>     # check depth of nested groups, ! slows down your samba if the
>     # group depth is too large
>     winbind expand groups = 4
>
>     # user Administrator workaround, without it you are unable to set
>     # privileges
>     username map = /etc/samba/samba_usermapping
>
>     # disable usershares creating, when set empty no error log messages.
>     usershare path =
>
>     # Disable printing completely, when set empty no error log messages.
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
> Output of my keytab file.
>
> klist -ke /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
>    3 host/proxy2@REALM (des-cbc-crc)
>    3 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)
>    3 host/proxy2@REALM (des-cbc-md5)
>    3 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
>    3 host/proxy2@REALM (aes128-cts-hmac-sha1-96)
>    3 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
>    3 host/proxy2@REALM (aes256-cts-hmac-sha1-96)
>    3 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)
>    3 host/proxy2@REALM (arcfour-hmac)
>    3 proxy2$@REALM (des-cbc-crc)
>    3 proxy2$@REALM (des-cbc-md5)
>    3 proxy2$@REALM (aes128-cts-hmac-sha1-96)
>    3 proxy2$@REALM (aes256-cts-hmac-sha1-96)
>    3 proxy2$@REALM (arcfour-hmac)
>    3 nfs/proxy2.internal.domain.tld@REALM (des-cbc-crc)
>    3 nfs/proxy2@REALM (des-cbc-crc)
>    3 nfs/proxy2.internal.domain.tld@REALM (des-cbc-md5)
>    3 nfs/proxy2@REALM (des-cbc-md5)
>    3 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
>    3 nfs/proxy2@REALM (aes128-cts-hmac-sha1-96)
>    3 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
>    3 nfs/proxy2@REALM (aes256-cts-hmac-sha1-96)
>    3 nfs/proxy2.internal.domain.tld@REALM (arcfour-hmac)
>    3 nfs/proxy2@REALM (arcfour-hmac)
>    3 http/proxy2.internal.domain.tld@REALM (des-cbc-crc)
>    3 http/proxy2@REALM (des-cbc-crc)
>    3 http/proxy2.internal.domain.tld@REALM (des-cbc-md5)
>    3 http/proxy2@REALM (des-cbc-md5)
>    3 http/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
>    3 http/proxy2@REALM (aes128-cts-hmac-sha1-96)
>    3 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
>    3 http/proxy2@REALM (aes256-cts-hmac-sha1-96)
>    3 http/proxy2.internal.domain.tld@REALM (arcfour-hmac)
>    3 http/proxy2@REALM (arcfour-hmac)
>
> And I'm having a hard time getting this explained. (see below.)
> So maybe someone on the list can explain this more to me.
>
> And I also found in the list already: same problem/subjects.
> 28-12-2016 : Re: [Samba] Error with samba update in debian.
> 3?9-2016 : [Samba] challenge/response password authentication seems to be
> broken
>
> My tests:
>
> 1
> ntlm_auth --request-nt-key --username=username
> Password:
> NT_STATUS_OK: Success (0x0)
>
> 2
> ntlm_auth --request-lm-key --username=username
> Password:
> NT_STATUS_OK: Success (0x0)
>
> 3
> ntlm_auth --username=username --ntlmv2
> Password:
> NT_STATUS_OK: Success (0x0)
>
> 4
> ntlm_auth --username=username --lanman
> Password:
> NT_STATUS_OK: Success (0x0)
>
> 5
> ntlm_auth --username=username --krb5auth=username
> Password:
> NT_STATUS_OK: Success (0x0)
>
> But...
>
> 6
> ntlm_auth --diagnostics --username=username
> Password:
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
>
> 7
> wbinfo -a username
> Enter username's password:
> plaintext password authentication failed
> Could not authenticate user username with plaintext password
> Enter username's password:
> challenge/response password authentication failed
> wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error message was: Wrong Password
> Could not authenticate user username with challenge/response
>
> 8
> wbinfo --krb5auth=username
> Enter username's password:
> plaintext kerberos password authentication for [username] failed (requesting cctype: FILE)
> wbcLogonUser(username): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error message was: No such user
> Could not authenticate user [username] with Kerberos (ccache: FILE)
>
> 9
> wbinfo --krb5auth='NTDOM\username'
> Enter NTDOM\username's password:
> plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> 10
> wbinfo --krb5auth='username@REALM'
> Enter username@REALM's password:
> plaintext kerberos password authentication for [username@REALM] failed (requesting cctype: FILE)
> wbcLogonUser(username@REALM): error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
> error message was: Logon failure
> Could not authenticate user [username@REALM] with Kerberos (ccache: FILE)
>
> Now I enabled in smb.conf: winbind use default domain = yes
>
> klist
> klist: Credentials cache file '/tmp/krb5cc_0' not found
>
> 1
> ntlm_auth --request-nt-key --username=username
> Password:
> NT_STATUS_OK: Success (0x0)
>
> 2
> ntlm_auth --request-lm-key --username=username
> Password:
> NT_STATUS_OK: Success (0x0)
>
> 3
> ntlm_auth --username=username --ntlmv2
> Password:
> NT_STATUS_OK: Success (0x0)
>
> 4
> ntlm_auth --username=username --lanman
> Password:
> NT_STATUS_OK: Success (0x0)
>
> 5
> ntlm_auth --username=username --krb5auth=username
> Password:
> NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
>
> 6
> ntlm_auth --diagnostics --username=username
> Password:
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
> Wrong Password (0xc000006a)
>
> 7
> wbinfo -a username
> Enter username's password:
> plaintext password authentication succeeded
> Enter username's password:
> challenge/response password authentication failed
> wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error message was: Wrong Password
> Could not authenticate user username with challenge/response
>
> 8
> wbinfo --krb5auth=username
> Enter username's password:
> plaintext kerberos password authentication for [username] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> 9
> kdestroy -A
> root@rtd-proxy2:~# wbinfo --krb5auth='NTDOM\username'
> Enter NTDOM\username's password:
> plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> 10
> kdestroy -A
> root@rtd-proxy2:~# wbinfo --krb5auth='username@REALM'
> Enter username@REALM's password:
> plaintext kerberos password authentication for [username@REALM] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> What is missing in my config? Hints, tips?
> I know that the devs are working on more consistent results with winbind,
> I just don't know if it's deployed yet.
>
> Tests overview, smb.conf winbind use default domain:
>
>        No     Yes
> 1      Ok     Ok
> 2      Ok     Ok
> 3      Ok     Ok
> 4      Ok     Ok
> 5      Ok     Fail
> 6      Fail   Fail
> 7      Fail   ½ ok ½ fail
> 8      Fail   Ok
> 9      Ok     Ok
> 10     Fail   Ok
>
> Strange to me is 5:
> ntlm_auth --username=username --krb5auth=username
>
> I can't explain 6.
> ntlm_auth --diagnostics --username=username
>
> 7
> wbinfo -a username
> with winbind default domain = yes,
> plaintext password authentication succeeded but challenge/response
> password authentication failed.
>
> kerberos related auth
> 8
> wbinfo --krb5auth=username
> 9
> wbinfo --krb5auth='NTDOM\username'
> 10
> wbinfo --krb5auth='username@REALM'
>
> So I'm wondering if I'm getting a better result with
> winbind use default domain = yes
>
> Greetz,
>
> Louis
>
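A check in the spirit of the keytab inspection Mathias suggests, added here as an example and not code from either poster: it parses a `klist -ke` listing for the case of each SPN service name and, going a step beyond the thread's question, lists the principals still keyed with single DES or RC4, as the listing above shows. The sample listing embedded in `SAMPLE_KLIST` is constructed, modelled on the thread's output.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a `klist -ke` listing for
# SPN service names whose case differs from what the consumer expects (squid
# wants HTTP/, the thread's keytab holds http/) and for principals still keyed
# with deprecated enctypes (single DES, RC4). SAMPLE_KLIST is a constructed
# sample so this runs offline; live check: SAMPLE_KLIST=$(klist -ke /etc/krb5.keytab)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 http/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 nfs/proxy2@REALM (arcfour-hmac)
   3 proxy2$@REALM (aes128-cts-hmac-sha1-96)'

# Distinct service parts (text before the first '/') of every SPN. Only rows
# whose first field is a numeric KVNO are entries; machine principals such as
# proxy2$@REALM have no '/' and are skipped.
spn_services() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && $2 ~ /\// { split($2, p, "/"); print p[1] }' |
        sort -u
}

# Is service $2 in listing $1 with exactly that case ("exact"), only in
# another case ("wrong-case"), or absent ("missing")? Keytab lookups compare
# principal names case-sensitively, so "wrong-case" means the service cannot find its key.
check_service_case() {
    services=$(spn_services "$1")
    if printf '%s\n' "$services" | grep -qx -- "$2"; then
        echo exact
    elif printf '%s\n' "$services" | grep -qix -- "$2"; then
        echo wrong-case
    else
        echo missing
    fi
}

# Principals that still carry a single-DES or RC4 key; these keys should be
# dropped from the keytab once every client can use AES.
weak_enctype_principals() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && $3 ~ /^\((des-cbc-crc|des-cbc-md5|arcfour-hmac)\)$/ { print $2 }' |
        sort -u
}

# Stand-alone run against the constructed sample.
printf 'HTTP service in keytab: %s\n' "$(check_service_case "$SAMPLE_KLIST" HTTP)"
printf 'Principals with weak enctypes:\n'
weak_enctype_principals "$SAMPLE_KLIST"
```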