[Samba] Regular users can't log in to Samba AD DC from Windows
Alnis Morics
alnis.moritz at gmail.com
Mon Feb 6 08:07:18 UTC 2017
Hi,
I continue setting up my FreeBSD 11.0 machine with Samba 4.4.9 built
from source. (Actually, the OS type and Samba version don't matter so much,
as I have the same problem with Debian Jessie and Samba 4.5.5.)
I followed the Wiki very closely. Some details from provisioning:
...
Realm [RW.LAN]:
Domain [RW]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
...
Server Role: active directory domain controller
Hostname: samba4-pfbsd
NetBIOS Domain: RW
DNS Domain: rw.lan
DOMAIN SID: S-1-5-21-324325147-3161353582-651567851
The generated smb.conf file (I only added a user shell definition and a
file share):
# Global parameters
[global]
netbios name = SAMBA4-PFBSD
realm = RW.LAN
workgroup = RW
dns forwarder = 8.8.8.8
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
template shell = /usr/sbin/nologin
[netlogon]
path = /usr/local/samba/var/locks/sysvol/rw.lan/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[samba-share]
path = /samba-share
read only = no
The generated krb5.conf:
[libdefaults]
default_realm = RW.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
/etc/nsswitch.conf:
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
group: files winbind
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
All suggested tests (LDAP, SRV, A, Kerberos) passed; I also created a
reverse DNS zone and a test user "user1".
Next, I successfully joined a Windows 10 Enterprise machine and logged
in as a domain administrator. I can access the file share, write to it,
set Windows permissions.
But when I open ADUC and click on a user's properties, I only have 5 tabs
there (Environment, Sessions, Remote control, Remote Desktop Service
Profile, COM+), and I can't add any other user. Windows just says
nothing, but in the Samba logs I see something like this:
...
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
ldb_request BASE dn=CN=Users,DC=rw,DC=lan filter=(objectClass=*)
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 16:44:01 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
...
And I can't log in to the domain from the Windows machine with user1.
Windows says "Username or password is incorrect", and in the Samba logs I see:
...
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56084 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user1\@RW.LAN@RW.LAN
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56085 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56086 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@RW.LAN
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
added interface rl0 ip=192.168.0.192 bcast=192.168.0.255 netmask=255.255.255.0
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:15 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:20 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:25 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:30 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:35 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:40 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 5 17:08:45 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
...
Am I missing something basic here?
Thanks,
Alnis
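The KDC excerpt above contains two different things that are easy to conflate when reading a Samba log or writing a detection on it. The first AS-REQ from the Windows client carries only pa-type 128 (PA-PAC-REQUEST), so the KDC answers PREAUTH-REQUIRED; that is the normal first round trip of every Windows logon. The retries carry an encrypted-timestamp (PA-ENC-TIMESTAMP), and "Failed to decrypt PA-DATA ... Decrypt integrity check failed" means the AES key the client derived from the typed password did not match the key the KDC holds for that principal, which the KDC records as a wrong password. (The `user1\@RW.LAN@RW.LAN` form is how Heimdal prints an enterprise-style principal whose name component itself contains an @.) The parser below is an added example for this post, not code from Samba or from the poster: it re-joins the lines the mailing-list archive folded, builds one record per AS-REQ, classifies the outcome, and counts outcomes per (client IP, principal) so that repeated decrypt failures stand out from the benign PREAUTH-REQUIRED round trips. `SAMPLE_LOG` is built from the post's own user1 lines, folded as the archive folded them, plus one constructed attempt for a hypothetical `user2` from a second IP so the summary has more than one key.

```python
"""Classify AS-REQ outcomes in a Samba AD DC (Heimdal KDC) log excerpt.
Added example for this post; not Samba code. SAMPLE_LOG is the post's own
lines for user1 (folded as the archive folded them) plus one constructed
attempt for a hypothetical user2 so the summary has more than one key."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

ASREQ_RE = re.compile(r"AS-REQ (?P<princ>\S+) from ipv4:(?P<ip>[\d.]+):(?P<port>\d+) for (?P<svc>\S+)")
PATYPES_RE = re.compile(r"Client sent patypes: (?P<pa>.+)$")
PREAUTH_REQ_RE = re.compile(r"returning PREAUTH-REQUIRED -- (?P<princ>\S+)")
DECRYPT_FAIL_RE = re.compile(r"Failed to decrypt PA-DATA -- (?P<princ>\S+) \(enctype (?P<enctype>[\w-]+)\)")
BADPWD_RE = re.compile(r"Not updating badPwdCount on (?P<dn>.+?) after wrong password")

# Every record in the excerpt starts with one of these; the archive folded
# long lines at ~72 columns, so anything else is a continuation line.
RECORD_STARTS = ("Kerberos:", "Terminating", "single_terminate", "Not updating",
                 "added interface", "ldb_", "Starting", "gensec_", "GSSAPI", "dreplsrv_")

@dataclass
class AsReq:
    principal: str
    client_ip: str
    client_port: int
    service: str
    patypes: list = field(default_factory=list)
    outcome: str = "unknown"   # preauth-required | decrypt-failed | unknown
    enctype: str = ""
    bad_pwd_dn: str = ""

def unwrap(text: str) -> list:
    """Re-join folded lines so each log record is one string."""
    out = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if out and not line.startswith(RECORD_STARTS):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def parse(text: str) -> list:
    """One AsReq per 'AS-REQ' line; the lines that follow refine its outcome."""
    reqs = []
    for line in unwrap(text):
        if m := ASREQ_RE.search(line):
            reqs.append(AsReq(m["princ"], m["ip"], int(m["port"]), m["svc"]))
        elif not reqs:
            pass                              # noise before the first AS-REQ
        elif m := PATYPES_RE.search(line):
            reqs[-1].patypes = [p.strip() for p in m["pa"].split(",")]
        elif PREAUTH_REQ_RE.search(line):
            # First round trip carried no pre-auth data; KDC asks for it. Benign.
            reqs[-1].outcome = "preauth-required"
        elif m := DECRYPT_FAIL_RE.search(line):
            # Client sent PA-ENC-TIMESTAMP but the KDC's long-term key for this
            # principal (password + enctype + salt) did not decrypt it.
            reqs[-1].outcome, reqs[-1].enctype = "decrypt-failed", m["enctype"]
        elif m := BADPWD_RE.search(line):
            reqs[-1].bad_pwd_dn = m["dn"]
    return reqs

def summarize(reqs: list) -> dict:
    """Outcome counts per (client IP, principal)."""
    stats = defaultdict(lambda: {"preauth-required": 0, "decrypt-failed": 0,
                                 "unknown": 0, "enctypes": set()})
    for r in reqs:
        stats[(r.client_ip, r.principal)][r.outcome] += 1
        if r.enctype:
            stats[(r.client_ip, r.principal)]["enctypes"].add(r.enctype)
    return dict(stats)

def suspicious(stats: dict, threshold: int = 2) -> list:
    """(client, principal) pairs with >= threshold decrypt failures: one
    PREAUTH-REQUIRED per logon is normal, repeated decrypt failures are not."""
    return sorted(k for k, s in stats.items() if s["decrypt-failed"] >= threshold)

SAMPLE_LOG = r"""
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56084 for
krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: 128
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
user1\@RW.LAN@RW.LAN
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56085 for
krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype
aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for
checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after
wrong password
Kerberos: AS-REQ user1\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56086 for
krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@RW.LAN (enctype
aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for
checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Kerberos: AS-REQ user2@RW.LAN from ipv4:192.168.0.150:40001 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: 128
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user2@RW.LAN
"""
```

Run against the sample, `summarize(parse(SAMPLE_LOG))` reports one PREAUTH-REQUIRED and two decrypt failures for user1 from 192.168.0.102 (enctype aes256-cts-hmac-sha1-96) and only the benign first round trip for user2, so `suspicious()` returns just the user1 pair. The same per-(IP, principal) counts, with the key flipped to count distinct principals per IP, are what you would use to spot a password spray against the KDC; the threshold and the set of record prefixes are assumptions to tune against a real log rather than this excerpt.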