[Samba] auth problem

L.P.H. van Belle belle at bazuin.nl
Mon Oct 15 11:59:47 UTC 2018


Your config/setup.
If you use the server only for squid and only for auth and proxying.
( so no file sharing )

apt-get install squid winbind libnss-winbind libpam-winbind   # optional: samba
systemctl stop samba-ad-dc samba nmbd smbd
systemctl disable samba-ad-dc samba nmbd smbd
systemctl mask samba-ad-dc samba nmbd smbd

# add the proxy user to winbindd_priv, or your auth won't work.
adduser  proxy winbindd_priv

( remove the smbd if you need filesharing ) 
systemctl enable winbind
systemctl start winbind

Read https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>     winbind uid = 10000-20000
>     winbind gid = 10000-20000
And see that the above is wrong.

Correct the winbind uid/gid settings. 
    ## map ids outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain; the range may not overlap!
    idmap config MY: backend = rid
    idmap config MY: range = 10000-3999999


>     winbind enum users  = yes
>     winbind enum groups = yes
Set these to no when you are done testing; it only slows down your server.

Then for your client connection.

apt-get install smbclient cifs-utils

Add this to libdefault in krb5.conf
; for Windows 2008 with AES, needed by CIFS also. ( don't forget the cifs/spn )
        default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

And test again with 

smbclient -mSMB2 //server.domain.tld/share

That should do the trick.
If you google a bit more for squid and the samba list, you will see more of the things I posted.
You can use that also.


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex
> Gutiérrez Martínez via samba
> Sent: Monday 15 October 2018 13:23
> To: samba at lists.samba.org
> Subject: [Samba] auth problem
> 
> I'm using Ubuntu 18.04 and try to connect a local *samba client* to my
> Windows AD. I use the packages squid samba winbind libnss-winbind. Both
> machines are already using an *ntp* server for sync.
> 
> 
> this is my samba config
> 
> 
> [global]
>     netbios name = sqntlm
>     workgroup = MY
>     security = ADS
>     realm = MY.CU
>     encrypt passwords = yes
>     min protocol = SMB2
>     max protocol = SMB3_11
>     client min protocol = SMB2
>     client max protocol = SMB3_11
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>     winbind uid = 10000-20000
>     winbind gid = 10000-20000
> 
> 
> I integrate the client to the AD without problems, I can mount folders
> and I can also share folders without problems, but when I try the
> command *wbinfo -a MY\\user1%'123*/'*  it shows:
> 
> *plaintext password authentication succeeded**
> **challenge/response password authentication failed**
> **Could not authenticate user MY\user1 with challenge/response*
> 
> 
> Can someone be so nice to explain why this is happening.
> 
> -- 
> Kind regards
> 
> Lic. Alex Gutiérrez Martínez
> 
> Tel. +53 7 2710327
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
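Added example (not part of the original mail and not Samba's own tooling): a small Python check of an smb.conf [global] section for the three points the reply raises, namely the "winbind uid/gid" lines it calls wrong, enumeration left on, and idmap ranges that overlap. The sample config is constructed from the settings quoted in this thread, and all function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed sample: the poster's settings with the reply's idmap lines added.
SAMPLE = """\
[global]
    winbind enum users  = yes
    winbind uid = 10000-20000
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config MY: backend = rid
    idmap config MY: range = 10000-3999999
"""

def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def idmap_ranges(params):
    """Return {domain: (low, high)} from 'idmap config DOMAIN : range' lines."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if m and r:
            ranges[m.group(1).upper()] = (int(r.group(1)), int(r.group(2)))
    return ranges

def check(text):
    """Return a list of findings for the points raised in the reply."""
    params = parse_global(text)
    findings = [f"old-style setting present: {k}" for k in ("winbinduid", "winbindgid") if k in params]
    findings += [f"enumeration still enabled: {k}" for k in ("winbindenumusers", "winbindenumgroups")
                 if params.get(k, "").lower() in ("yes", "true", "1")]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(sorted(idmap_ranges(params).items()), 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(f"idmap ranges overlap: {d1} and {d2}")
    return findings
```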



