[Samba] How to use kerberos as the default auth in AD config?
Shyam Kaushik
shyam at zadarastorage.com
Mon Aug 13 13:55:24 UTC 2018
Hi Folks,
We have samba(4.8) deployed with following key parms
security = ADS
realm = TEST
client NTLMv2 auth = No
ntlm auth = disabled
We have a win2k user configured as a "Protected User"
(https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how
-to-configure-protected-accounts)
When this user tries to connect to samba/winbind, we get this error out &
client is not able to connect
[2018/08/13 13:46:50.019094, 2, pid=7845, class=auth]
../source3/auth/auth.c:336(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [protecteduser] ->
[protecteduser] FAILED with error NT_STATUS_ACCOUNT_RESTRICTION,
authoritative=1
we can confirm the following behaviour (password hidden)
root at test-01:~# wbinfo -a TEST\protecteduser%XXXX'
plaintext password authentication failed
Could not authenticate user TEST\protecteduser%XXXX with plaintext
password
challenge/response password authentication failed
wbcAuthenticateUserEx(TEST\protecteduser): error code was
NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e)
error message was: Account restriction
Could not authenticate user TEST\protecteduser with
challenge/response
Whereas Kerberos auth works ok
root at test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX'
plaintext kerberos password authentication for
[TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
when we have a regular user from the same win2k client that is not part of
"Protected User", plaintext/NTLM auth works ok
root at test-01:~# wbinfo -a 'TEST\normaluser%XXXX'
plaintext password authentication succeeded
challenge/response password authentication succeeded
& client is able to work with samba share. Question is how do we force
samba to do only KRB auth & not attempt at NTLM auth as its showing up in
error with auth_check_ntlm_password? Any help appreciated!
Thanks.
--Shyam
More information about the samba
mailing list