[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

Edouard Guigné eguigne at pasteur-cayenne.fr
Tue Jun 18 14:25:02 UTC 2019


Winbind is installed and started:
# yum list samba-winbind samba-winbind-clients pam_krb5
pam_krb5.x86_64                   2.4.8-6.el7    @base
samba-winbind.x86_64              4.8.3-4.el7    @base
samba-winbind-clients.x86_64      4.8.3-4.el7    @base
# systemctl status winbind -l
● winbind.service - Samba Winbind Daemon
    Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; 
vendor preset: disabled)
    Active: active (running) since mar. 2019-06-18 09:50:43 -03; 1h 
29min ago
      Docs: man:winbindd(8)
            man:samba(7)
            man:smb.conf(5)
  Main PID: 5430 (winbindd)
    Status: "winbindd: ready to serve connections..."
    CGroup: /system.slice/winbind.service
            ├─5430 /usr/sbin/winbindd --foreground --no-process-group
            ├─5478 /usr/sbin/winbindd --foreground --no-process-group
            ├─5535 /usr/sbin/winbindd --foreground --no-process-group
            ├─5538 /usr/sbin/winbindd --foreground --no-process-group
            └─5540 /usr/sbin/winbindd --foreground --no-process-group

juin 18 09:50:43 myserver systemd[1]: Starting Samba Winbind Daemon...
juin 18 09:50:43 myserver winbindd[5430]: [2019/06/18 09:50:43.238610,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
juin 18 09:50:43 myserver winbindd[5430]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
juin 18 09:50:43 myserver systemd[1]: Started Samba Winbind Daemon.
juin 18 09:50:43 myserver winbindd[5430]: [2019/06/18 09:50:43.255256,  0] ../lib/util/become_daemon.c:138(daemon_ready)
juin 18 09:50:43 myserver winbindd[5430]:   daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections

I did not change smb.conf:

[global]
    security = ads
    realm = MYDOMAIN.LOCAL
    workgroup = MYDOMAIN
    kerberos method = secrets and keytab
    server signing = mandatory
    client signing = mandatory

    hosts allow = 127. 10.X.X.
    hosts deny = 10.X.X.

    log level = 1 auth_audit:3
    local master = no
    domain master = no
    preferred master = no

    use sendfile = true

    load printers = no
    cups options = raw
    printcap name = /dev/null
    disable spoolss = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    idmap config * : backend = tdb
    idmap config * : range = 15000-99999

    winbind nss info = rfc2307
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : range = 10000-14999
    idmap config MYDOMAIN : unix_nss_info = yes
    idmap config MYDOMAIN : unix_primary_group = yes

    client min protocol = SMB2

    username map = /etc/samba/user.map

[groups]
    comment = mycomment
    path = /var/datashared
    public = no
    writable = yes
    valid users = @"utilisateurs du domaine at MYDOMAIN.LOCAL"
    vfs objects = acl_xattr streams_xattr

[homes]
    comment = Home Directories
    read only = No
    create mask = 0700
    directory mask = 0700
    valid users = @"utilisateurs du domaine at MYDOMAIN.LOCAL"
    path = /home
    hide files = /~*.tmp/profile/desktop.ini/~$*/
    browseable = no
    public = no
    guest ok = no

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = root
    create mask = 0664
    directory mask = 0775



On 18/06/2019 at 11:06, Rowland penny via samba wrote:
> On 18/06/2019 14:35, Edouard Guigné via samba wrote:
>> Hello,
>>
>> On my system, nsswitch is like this:
>> passwd:     files sss
>> shadow:     files sss
>> group:      files sss
>>
>> So I assumed that it works with SSSD; I do not notice any issue with
>> Samba.
>> My share is accessible, permissions and ACLs are working.
>> The only thing I noticed is that maybe NTLMv2 is always used by default
>> with Samba.
>> [2019/06/18 09:51:44.542476,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>>   Auth: [SMB2,(null)] user [MYDOMAIN]\[usertest] at [mar., 18 juin 2019 09:51:44.542436 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [WORKSTATIONTEST] remote host [ipv4:x.x.x.x:53352] became [MYDOMAIN]\[usertest] [S-1-5-21-88155730-3905377117-2757874379-2078]. local host [ipv4:x.x.x.x:445]
>>
>> I changed to:
>>
>> passwd:     files winbind
>> shadow:     files
>> group:      files winbind
>>
>> N.B.: According to
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> "Do not add the winbind entry to the NSS shadow database.
>> This can cause the wbinfo utility fail."
>> Is that still true?
>>
>> But now, I cannot connect to the share at all with winbind instead of 
>> sss in nsswitch.conf
>>
>> In the log, I get:
>> [2019/06/18 09:51:44.511561,  1] ../source3/lib/util.c:1699(name_to_fqdn)
>>   getaddrinfo: temporary failure in name resolution
>>
>> However, I did join my linux station to MYDOMAIN with the "realm join"
>> command
>>
>> and
>>
>> # realm list
>> mydomain.local
>>   type: kerberos
>>   realm-name: MYDOMAIN.LOCAL
>>   domain-name: mydomain.local
>>   configured: kerberos-member
>>   server-software: active-directory
>>   client-software: winbind
>>   required-package: oddjob-mkhomedir
>>   required-package: oddjob
>>   required-package: samba-winbind-clients
>>   required-package: samba-winbind
>>   required-package: samba-common-tools
>>   login-formats: MYDOMAIN\%U
>>   login-policy: allow-any-login
>> mydomain.local
>>   type: kerberos
>>   realm-name: MYDOMAIN.LOCAL
>>   domain-name: mydomain.local
>>   configured: kerberos-member
>>   server-software: active-directory
>>   client-software: sssd
>>   required-package: oddjob
>>   required-package: oddjob-mkhomedir
>>   required-package: sssd
>>   required-package: adcli
>>   required-package: samba-common-tools
>>   login-formats: %U
>>   login-policy: allow-realm-logins
>>
>> I checked /etc/resolv.conf; for me everything is correct: the DNS
>> IPs are the IPs of the domain controllers on which the DNS services are
>> running.
>>
>> I do not want to annoy you anymore with my problem of a mixed
>> SSSD / Winbindd configuration; but I would like to understand why
>> this is working only with SSSD and not with winbindd.
>> Maybe because I first joined my linux station to the domain with SSSD?
>> And then rejoined it to the domain with winbindd?
>>
> When you changed 'sss' to 'winbind', did you also reconfigure smb.conf?
>
> Is winbind installed?
>
> Rowland
>
>
>
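To make auth_audit lines like the one quoted above easier to review (who authenticated with NTLMv2 rather than Kerberos, and from which client), here is an added Python helper; it is not code from the thread or from Samba. The krb5 logon, the failed logon, the IP addresses and the second SID in the sample log are constructed.

```python
import re
from collections import Counter

# Matches the human-readable "Auth:" line written by Samba's auth_log.c at
# "log level = 1 auth_audit:3" (the "[date, level] file:line" header is skipped).
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<auth_desc>[^\]]*)\]"
    r" user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[(?P<when>[^\]]*)\]"
    r" with \[(?P<mech>[^\]]*)\]"
    r" status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\]"
    r" remote host \[(?P<remote>[^\]]*)\]"
)

# Constructed sample: entry 1 mirrors the NTLMv2 line quoted in the thread (with
# made-up IPs); the krb5 logon and the failed logon are invented for contrast.
SAMPLE_LOG = """\
[2019/06/18 09:51:44.542476,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\\[usertest] at [mar., 18 juin 2019 09:51:44.542436 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [WORKSTATIONTEST] remote host [ipv4:10.0.0.21:53352] became [MYDOMAIN]\\[usertest] [S-1-5-21-88155730-3905377117-2757874379-2078]. local host [ipv4:10.0.0.5:445]
[2019/06/18 09:52:10.100000,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,krb5] user [MYDOMAIN]\\[alice] at [mar., 18 juin 2019 09:52:10.099000 -03] with [krb5] status [NT_STATUS_OK] workstation [] remote host [ipv4:10.0.0.22:51000] became [MYDOMAIN]\\[alice] [S-1-5-21-88155730-3905377117-2757874379-1105]. local host [ipv4:10.0.0.5:445]
[2019/06/18 09:53:01.000000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\\[usertest] at [mar., 18 juin 2019 09:53:01.000000 -03] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WORKSTATIONTEST] remote host [ipv4:10.0.0.21:53400] mapped to [MYDOMAIN]\\[usertest]. local host [ipv4:10.0.0.5:445]
"""

def parse_auth_events(log_text):
    """Return one dict per 'Auth:' line; other lines (headers, daemon chatter) are ignored."""
    return [m.groupdict() for m in map(AUTH_RE.search, log_text.splitlines()) if m]

def mechanism_counts(events):
    """Count (user, mechanism, status) triples to see who still authenticates with NTLMv2."""
    return Counter((e["user"], e["mech"], e["status"]) for e in events)

def non_kerberos_logons(events):
    """Successful logons that did not use krb5. A client that reaches the share by IP
    address, or that holds no ticket for the server's SPN, falls back to NTLMv2, so
    this list is the first thing to check when Kerberos was expected."""
    return [(e["user"], e["workstation"], e["remote"])
            for e in events
            if e["status"] == "NT_STATUS_OK" and e["mech"].lower() != "krb5"]

if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for key, n in sorted(mechanism_counts(evs).items()):
        print(n, *key)
    print("non-Kerberos successes:", non_kerberos_logons(evs))
```

Run it against the real log with `parse_auth_events(open("/var/log/samba/log.smbd").read())`; the path is the usual one on RHEL/CentOS and is an assumption here.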