[Samba] Regular users can't log in to Samba AD DC from Windows

Alnis Morics alnis.moritz at gmail.com
Mon Feb 6 08:07:18 UTC 2017


Hi,

I continue setting up my FreeBSD 11.0 machine with Samba 4.4.9 built 
from sources. (Actually, OS type and Samba version don't matter so much, 
as I have the same problem with Debian Jessie and Samba 4.5.5)

I followed the Wiki very closely. Some details from provisioning:
...
Realm [RW.LAN]:
  Domain [RW]:
  Server Role (dc, member, standalone) [dc]:
  DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
  DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
...
Server Role:           active directory domain controller
Hostname:              samba4-pfbsd
NetBIOS Domain:        RW
DNS Domain:            rw.lan
DOMAIN SID:            S-1-5-21-324325147-3161353582-651567851

The generated smb.conf file (I only added a user shell definition and a 
file share):

# Global parameters
[global]
     netbios name = SAMBA4-PFBSD
     realm = RW.LAN
     workgroup = RW
     dns forwarder = 8.8.8.8
     server role = active directory domain controller
     idmap_ldb:use rfc2307 = yes
     template shell = /usr/sbin/nologin

[netlogon]
     path = /usr/local/samba/var/locks/sysvol/rw.lan/scripts
     read only = No

[sysvol]
     path = /usr/local/samba/var/locks/sysvol
     read only = No

[samba-share]
     path = /samba-share
     read only = no

The generated krb5.conf:
[libdefaults]
     default_realm = RW.LAN
     dns_lookup_realm = false
     dns_lookup_kdc = true

/etc/nsswitch.conf:

# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
group: files winbind
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

All suggested tests (LDAP, SRV, A, Kerberos) passed; I also created a 
reverse DNS zone and a test user "user1".

Next, I successfully joined a Windows 10 Enterprise machine and logged 
in as a domain administrator. I can access the file share, write to it, 
set Windows permissions.

But when I open ADUC and click a user's properties, I only have 5 tabs 
there (Environment, Sessions, Remote control, Remote Desktop Services 
Profile, COM+), and I can't add any other user. Windows just says 
nothing, but in the Samba logs I see something like this:
...
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
ldb_request BASE dn=CN=Users,DC=rw,DC=lan filter=(objectClass=*)
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 16:44:01 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
...

And I can't log in from the Windows machine to the domain with user1. 
Windows says "Username or password is incorrect", and in the Samba logs I see:
...
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56084 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user1\@RW.LAN@RW.LAN
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56085 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56086 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
added interface rl0 ip=192.168.0.192 bcast=192.168.0.255 netmask=255.255.255.0
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:15 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:20 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:25 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:30 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:35 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:40 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:45 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
...

Am I missing something basic here?

Thanks,
Alnis
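The Kerberos lines in the post show the two normal rounds of an AS exchange: the first AS-REQ carries only pa-type 128 (PA-PAC-REQUEST), so the KDC answers PREAUTH-REQUIRED; the Windows client then retries with PA-ENC-TIMESTAMP, a timestamp encrypted under the key it derived from the typed password. "Failed to decrypt PA-DATA ... Decrypt integrity check failed" is the KDC reporting that the aes256 key it holds for user1 did not verify that timestamp, which is what both a mistyped password and a stored-key mismatch look like from the DC side. The Python below is an added example, not code from the original post or from Samba: it reconstructs those rounds from KDC log lines and labels each one. The sample log is constructed from the post's own lines with the wrapped lines joined, the archive's " at " restored to "@", and the third round trimmed; the record layout, the outcome labels and the per-principal failure counter are this example's own conventions.

```python
"""Reconstruct Kerberos AS-REQ pre-authentication rounds from Samba AD DC
(Heimdal KDC) log lines and state what each round's verdict means.

Added example; not part of the original post or of Samba.
"""
import re
from collections import Counter

# Constructed sample: the AS exchange quoted in the post, wrapped lines joined,
# " at " restored to "@", third round trimmed to its verdict lines.
SAMPLE_LOG = r"""
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56084 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user1\@RW.LAN@RW.LAN
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56085 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56086 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
"""

# One AS-REQ per TCP connection; the source port is what ties the lines together.
AS_REQ = re.compile(r"^Kerberos: AS-REQ (\S+) from ipv4:(\S+) for (\S+)$")
PATYPES = re.compile(r"^Kerberos: Client sent patypes: (.+)$")
PREAUTH_REQUIRED = re.compile(r"returning PREAUTH-REQUIRED")
# The first "Failed to decrypt" line names the enctype; the second repeats without it.
DECRYPT_FAILED = re.compile(r"^Kerberos: Failed to decrypt PA-DATA -- \S+(?: \(enctype ([\w-]+)\))?")
BAD_PWD = re.compile(r"^Not updating badPwdCount on (.+) after wrong password$")

# Heimdal prints pa-types it has no name for numerically; 128 is PA-PAC-REQUEST (MS-KILE).
PA_NAMES = {"128": "PA-PAC-REQUEST"}


def parse_as_exchanges(log_text):
    """Group KDC log lines into one record per AS-REQ round."""
    exchanges, current = [], None
    for line in log_text.splitlines():
        if (m := AS_REQ.match(line)):
            client, src, service = m.groups()
            ip, _, port = src.rpartition(":")
            current = {"client": client, "src_ip": ip, "src_port": int(port),
                       "service": service, "patypes": [], "outcome": None,
                       "enctype": None, "bad_pwd_dn": None}
            exchanges.append(current)
        elif current is None:
            continue  # lines before the first AS-REQ belong to no round
        elif (m := PATYPES.match(line)):
            current["patypes"] = [t.strip() for t in m.group(1).split(",")]
        elif PREAUTH_REQUIRED.search(line):
            current["outcome"] = "PREAUTH-REQUIRED"
        elif (m := DECRYPT_FAILED.match(line)):
            current["outcome"] = "PA-DATA-DECRYPT-FAILED"
            if m.group(1):
                current["enctype"] = m.group(1)
        elif (m := BAD_PWD.match(line)):
            current["bad_pwd_dn"] = m.group(1)
    return exchanges


def explain(exchange):
    """Say what one round means from the KDC's point of view."""
    names = [PA_NAMES.get(t, t) for t in exchange["patypes"]]
    sent_timestamp = "encrypted-timestamp" in exchange["patypes"]
    outcome = exchange["outcome"]
    if outcome == "PREAUTH-REQUIRED" and not sent_timestamp:
        return f"expected: first round sent only {names}, KDC asked for pre-auth"
    if outcome == "PA-DATA-DECRYPT-FAILED" and sent_timestamp:
        return (f"key mismatch: PA-ENC-TIMESTAMP did not verify under the KDC's "
                f"{exchange['enctype']} key for {exchange['client']}")
    if outcome is None:
        return "incomplete: no KDC verdict logged for this round"
    return f"unclassified: patypes={names} outcome={outcome}"


def decrypt_failures(exchanges):
    """Count pre-auth decrypt failures per (client principal, source IP)."""
    return Counter((ex["client"], ex["src_ip"]) for ex in exchanges
                   if ex["outcome"] == "PA-DATA-DECRYPT-FAILED")


if __name__ == "__main__":
    rounds = parse_as_exchanges(SAMPLE_LOG)
    for ex in rounds:
        print(f"{ex['src_ip']}:{ex['src_port']} {ex['client']} -> {explain(ex)}")
    for (client, ip), n in decrypt_failures(rounds).items():
        print(f"{n} failed pre-auth decrypt(s) for {client} from {ip}")
```

Feeding the DC's full Samba log through parse_as_exchanges() gives the same picture for every client: a run of rounds that all end in the key-mismatch verdict tells you the failure is in the key check itself. By the time the KDC is decrypting a pre-auth timestamp, the client has already located the KDC through DNS and built a well-formed AS-REQ, so name resolution and the join are not where this particular failure sits.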



