[Samba] How to use kerberos as the default auth in AD config?
lukebarone at gmail.com
Tue Aug 14 00:32:05 UTC 2018
Well, you know, a 2010 EOL-date isn't that old... :P
On Mon, Aug 13, 2018 at 7:41 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Mon, 13 Aug 2018 19:25:24 +0530
> Shyam Kaushik via samba <samba at lists.samba.org> wrote:
> > Hi Folks,
> > We have samba(4.8) deployed with following key parms
> > security = ADS
> > realm = TEST
> > client NTLMv2 auth = No
> > ntlm auth = disabled
> > We have a win2k user configured as a "Protected User"
> > (
> > -to-configure-protected-accounts)
> > When this user tries to connect to samba/winbind, we get this error
> > out & client is not able to connect
> > [2018/08/13 13:46:50.019094, 2, pid=7845, class=auth]
> > ../source3/auth/auth.c:336(auth_check_ntlm_password)
> > check_ntlm_password: Authentication for user
> > [protecteduser] -> [protecteduser] FAILED with error
> > NT_STATUS_ACCOUNT_RESTRICTION, authoritative=1
> > we can confirm the following behaviour (password hidden)
> > root at test-01:~# wbinfo -a TEST\protecteduser%XXXX'
> > plaintext password authentication failed
> > Could not authenticate user TEST\protecteduser%XXXX with
> > plaintext password
> > challenge/response password authentication failed
> > wbcAuthenticateUserEx(TEST\protecteduser): error code was
> > NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e)
> > error message was: Account restriction
> > Could not authenticate user TEST\protecteduser with
> > challenge/response
> > Whereas Kerberos auth works ok
> > root at test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX'
> > plaintext kerberos password authentication for
> > [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE)
> > credentials were put in: FILE:/tmp/krb5cc_0
> > when we have a regular user from the same win2k client that is not
> > part of "Protected User", plaintext/NTLM auth works ok
> > root at test-01:~# wbinfo -a 'TEST\normaluser%XXXX'
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
> > & client is able to work with samba share. Question is how do we force
> > samba to do only KRB auth & not attempt at NTLM auth as its showing
> > up in error with auth_check_ntlm_password? Any help appreciated!
> > Thanks.
> > --Shyam
> Have you thought of trying PAM to do this ?
> see 'man pam_winbind.conf' for more info, particularly
> You should also really not be using a win2k machine any more, they went
> EOL before XP did.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba