[Samba] problems with authentication

L.P.H. van Belle belle at bazuin.nl
Mon Aug 5 07:24:27 UTC 2019


Hi,

I think this is an old bug (pretty sure about it).
And I suggest not to change anything except smb.conf.

You're trying to use a Kerberos username:
wbinfo -a marcio at EMPRESA.COM.BR 
Enter marcio at EMPRESA.COM.BR's password: 

And you are using:
	winbind use default domain = yes
This is an old bug somewhere in 4.5/4.6, I believe.

Only change these; 'yes' only slows down your server.
   winbind enum users = no
   winbind enum groups = no

And then try this:
wbinfo -a marcio


I'll bet that works. 

If you are setting up a squid proxy (I'm guessing based on your server hostname)
with SSO and squid Kerberos auth on Debian Buster, here is my new setting/setup for it.

Use this; I find this is the easiest way to set up squid + Kerberos SSO auth and winbind.
Minimal to install: winbind squid krb5-user
You need SSO logins (ssh).
Enable in /etc/ssh/sshd_config (minimal):
# GSSAPI options
GSSAPIAuthentication yes
#(optional)
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes


( kerberos auth in squid )
kinit Administrator
# one keytab path, used for the export, the chmod/chown and the -k option in squid.conf
KEYTAB=/etc/squid/krb5-squid-HTTP-$(hostname -s).keytab
export KRB5_KTNAME=FILE:$KEYTAB
net ads keytab ADD HTTP/$(hostname -f)
chmod 640 $KEYTAB
chown root:proxy $KEYTAB

And use this for the squid authentication.

### Negotiate (Kerberos and NTLM) authentication
# -k is the keytab created above; -s is the SPN that was added to it (HTTP/<fqdn>@REALM)
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP-CHANGE_TO_HOSTNAME-S_HERE.keytab \
      -s HTTP/CHANGE_TO_FQDN_HERE@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM-HERE
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on

### Pure NTLM authentication
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM-HERE
# Optional add : --allow-mschapv2 
#auth_param ntlm children 10
#auth_param ntlm keep_alive on

# Basic LDAP authentication
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 -b "dc=your,dc=ldap,dc=domain" \
	-D a_service_account_for_ldap_searches@dnsdomain.tld -W /etc/squid/private/ldap-bind \
	-f sAMAccountName=%s \
	-H ldaps://dc2.dnsdomain.tld -H ldaps://dc1.dnsdomain.tld

auth_param basic children 5 startup=1 idle=1
auth_param basic children 10
auth_param basic realm Internet Proxy Authorisation
auth_param basic credentialsttl 1 hours

authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED



Greetz, 

Louis
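A consistency check for the squid Negotiate setup above, added here as an example (not code from the thread or from Samba/Squid): it reads the `auth_param negotiate program` line from squid.conf and the output of `klist -k`, and reports when the `-k` keytab path, the `-s` SPN and the principal actually stored in the keytab do not agree with the `HTTP/$(hostname -f)` principal that `net ads keytab ADD` creates. The squid.conf and `klist -k` samples are constructed, modelled on the hostname and realm from the thread.

```python
import re
import shlex

def negotiate_program_args(squid_conf):
    """argv of the 'auth_param negotiate program' line, with backslash
    continuations joined; empty list if the directive is absent."""
    joined = re.sub(r"\\\n\s*", " ", squid_conf)
    for line in joined.splitlines():
        if line.strip().startswith("auth_param negotiate program"):
            return shlex.split(line.strip())[3:]
    return []

def kerberos_helper_options(argv):
    """(-k keytab, -s SPN) given to negotiate_kerberos_auth, i.e. the
    options between --kerberos and --ntlm of negotiate_wrapper_auth."""
    if "--kerberos" not in argv:
        return None, None
    sub = argv[argv.index("--kerberos") + 1:]
    if "--ntlm" in sub:
        sub = sub[:sub.index("--ntlm")]
    opts = {sub[i]: sub[i + 1] for i in range(len(sub) - 1) if sub[i] in ("-k", "-s")}
    return opts.get("-k"), opts.get("-s")

def keytab_principals(klist_k_output):
    """Principals in 'klist -k' output (one 'KVNO principal' row per key)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_k_output, re.M)}

def check_negotiate_setup(squid_conf, klist_k_output, short_host, fqdn, realm):
    """List every mismatch between squid.conf, the keytab and the expected names."""
    problems = []
    keytab, spn = kerberos_helper_options(negotiate_program_args(squid_conf))
    want_keytab = f"/etc/squid/krb5-squid-HTTP-{short_host}.keytab"
    want_spn = f"HTTP/{fqdn}@{realm}"
    if keytab != want_keytab:
        problems.append(f"-k is {keytab!r}, expected {want_keytab!r}")
    if spn != want_spn:
        problems.append(f"-s is {spn!r}, expected {want_spn!r}")
    if want_spn not in keytab_principals(klist_k_output):
        problems.append(f"{want_spn} missing from keytab; run: net ads keytab ADD HTTP/{fqdn}")
    return problems

# Constructed samples: the -s value below copies the shape of the template's
# placeholder (HTTP/HTTP-<host>) instead of the real SPN, so it gets flagged.
SAMPLE_KLIST_K = """Keytab name: FILE:/etc/squid/krb5-squid-HTTP-srv-proxy.keytab
KVNO Principal
---- --------------------------------------------
   2 HTTP/srv-proxy.empresa.com.br@EMPRESA.COM.BR
"""
BAD_CONF = """auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP-srv-proxy.keytab \\
      -s HTTP/HTTP-srv-proxy@EMPRESA.COM.BR \\
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=EMPRESA
"""
GOOD_CONF = BAD_CONF.replace("HTTP/HTTP-srv-proxy@", "HTTP/srv-proxy.empresa.com.br@")
```

Run it on the real files with `open("/etc/squid/squid.conf").read()` and the captured output of `klist -k /etc/squid/krb5-squid-HTTP-$(hostname -s).keytab`; an empty list means the three pieces agree.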



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland penny via samba
> Sent: Monday 5 August 2019 9:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] problems with authentication
> 
> On 04/08/2019 23:18, Marcio Demetrio Bacci via samba wrote:
> > Hi,
> >
> > I set up a samba 4 in Debian 9.9 as a Domain member server, but
> > authentication is not working as follows:
> >
> > root at srv-proxy:/etc/samba# wbinfo -a marcio at EMPRESA.COM.BR
> > Enter marcio at EMPRESA.COM.BR's password:
> > plaintext password authentication succeeded
> > Enter marcio at EMPRESA.COM.BR's password:
> > challenge/response password authentication failed
> > wbcAuthenticateUserEx(+marcio at EMPRESA.COM.BR): error code was
> > NT_STATUS_WRONG_PASSWORD (0xc000006a)
> > error message was: Wrong Password
> > Could not authenticate user marcio at EMPRESA.COM.BR with challenge/response
> >
> > My password is correct!
> > #############################################
> > My DC are:
> > Primary: Samba 4 DC (Debian 9.9)
> > Secondary: Windows Server 2008
> >
> > Follows my configurations files:
> >
> > SMB.CONF
> >
> > [global]
> >    netbios name = SRV-PROXY
> >    workgroup = EMPRESA
> >    security = ADS
> >    realm = EMPRESA.COM.BR
> >    encrypt passwords = yes
> >
> >    idmap config *:backend = tdb
> >    idmap config *:range = 3000-7999
> >    idmap config EMPRESA:backend = ad
> >    idmap config EMPRESA:schema_mode = rfc2307
> >    idmap config EMPRESA:range = 100000-999999
> >
> >    winbind nss info = rfc2307
> >    winbind trusted domains only = no
> >    winbind use default domain = yes
> >    winbind enum users = yes
> >    winbind enum groups = yes
> >
> >    vfs objects = acl_xattr
> >    map acl inherit = Yes
> >    store dos attributes = Yes
> >
> > ##############################################
> >
> > NSSWITCH.CONF
> >
> > root at srv-proxy:/etc/samba# cat /etc/nsswitch.conf
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd:         compat winbind
> > group:          compat winbind
> > shadow:         compat winbind
> > gshadow:        files
> >
> > hosts:          files dns
> > networks:       files
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup:       nis
> > ########################################################################
> >
> > root at srv-proxy:/etc# net ads join -Uadministrator
> > Enter marcio's password:
> > Using short domain name -- EMPRESA
> > Joined 'SRV-PROXY' to dns domain 'empresa.com.br'
> >
> > root at srv-proxy:/etc# net ads testjoin
> > Join is OK
> >
> >
> > root at srv-proxy:/etc/samba# kinit marcio
> > Password for marcio at EMPRESA.COM.BR:
> > root at srv-proxy:/etc/samba# klist -l
> > Principal name                 Cache name
> > --------------                 ----------
> > marcio at EMPRESA.COM.BR      FILE:/tmp/krb5cc_0
> >
> > #####################################################################
> >
> > The wbinfo -g and wbinfo -u commands are working properly.
> >
> >
> > Could anybody help me?
> >
> > Regards,
> >
> > Márcio Bacci
> 
> Remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf
> 
> Have you given your users a uidNumber attribute containing a unique 
> number inside the range '100000-999999'?
> 
> Have you also given 'Domain Users' a gidNumber attribute containing a 
> number inside the same range?
> 
> Rowland
> 
> 
> 