[Samba] Can't authenticate to AD using Samba with SSSD
L.P.H. van Belle
belle at bazuin.nl
Mon Mar 4 09:07:08 UTC 2019
Quick look showed an error in rfc2307, so try fixing the smb.conf
This one.
> > doing parameter idmap config YALE:schema_mode = rfcc2307
rfcc2307 ?? cc ?
rfc2307
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Saturday, 2 March 2019 10:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't authenticate to AD using Samba with SSSD
>
> On Fri, 1 Mar 2019 21:57:42 +0000
> "Paquin, Brian via samba" <samba at lists.samba.org> wrote:
>
> > Would someone please tell me where I can find some good
> > troubleshooting documents to resolve AD authentication issues when
> > using Samba? Is this mailing list the best place?
> >
> >
> > I was able to set up a working WINBIND-Samba setup on CentOS 7.6, but
> > I am required to use SSSD on a different CentOS 7.6 server. Using a
> > test VM, I can get services running, but I can't authenticate from a
> > Mac or smbclient.
> >
> >
> > Partial output of /var/log/samba/log.10.84.2.148 (the Mac client):
> >
> > [2019/03/01 15:53:46.544858,
> > 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
> >
> > Got user=[btp4] domain=[YALE] workstation=[PAQUIN3200] len1=24
> > len2=224
> >
> > [2019/03/01 15:53:46.544907,
> > 3] ../source3/param/loadparm.c:3868(lp_load_ex)
> >
> > lp_load_ex: refreshing parameters
> >
> > [2019/03/01 15:53:46.544956,
> > 3] ../source3/param/loadparm.c:547(init_globals)
> >
> > Initialising global parameters
> >
> > [2019/03/01 15:53:46.545088,
> > 3] ../source3/param/loadparm.c:2782(lp_do_section)
> >
> > Processing section "[global]"
> >
> > doing parameter workgroup = YALE
> >
> > doing parameter realm = YU.YALE.EDU
> >
> > doing parameter security = ads
> >
> > doing parameter idmap config * : range = 1677216-33554431
> >
> > doing parameter idmap config YALE:schema_mode = rfcc2307
> >
> > doing parameter idmap config YALE:range = 100000-199999
> >
> > doing parameter idmap config YALE:backend = rid
> >
> > doing parameter idmap * : backend = tbd
> >
> > doing parameter dedicated keytab file = /etc/krb5.keytab
> >
> > doing parameter log file = /var/log/samba/log.%m
> >
> > doing parameter log level = 4
> >
> > doing parameter guest account = nobody
> >
> > doing parameter guest ok = no
> >
> > doing parameter template shell = /sbin/nologin
> >
> > doing parameter kerberos method = system keytab
> >
> > doing parameter store dos attributes = yes
> >
> > doing parameter vfs objects = acl_xattr
> >
> > [2019/03/01 15:53:46.545450,
> > 2] ../source3/param/loadparm.c:2799(lp_do_section)
> >
> > Processing section "[testshare]"
> >
> > doing parameter comment = testshare
> >
> > doing parameter path = /testshare
> >
> > doing parameter valid users = @pathology_its
> >
> > doing parameter writable = yes
> >
> > doing parameter read only = No
> >
> > [2019/03/01 15:53:46.545573,
> > 4] ../source3/param/loadparm.c:3910(lp_load_ex)
> >
> > pm_process() returned Yes
> >
> > [2019/03/01 15:53:46.545604,
> > 3] ../source3/param/loadparm.c:1617(lp_add_ipc)
> >
> > adding IPC service
> >
> > [2019/03/01 15:53:46.545669,
> > 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
> >
> > check_ntlm_password: Checking password for unmapped user
> > [YALE]\[btp4]@[PAQUIN3200] with the new password interface
> >
> > [2019/03/01 15:53:46.545691,
> > 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
> >
> > check_ntlm_password: mapped user is: [YALE]\[btp4]@[PAQUIN3200]
> >
> > [2019/03/01 15:53:46.545715,
> > 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >
> > push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> >
> > [2019/03/01 15:53:46.545735,
> > 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> >
> > push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> >
> > [2019/03/01 15:53:46.545753,
> > 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >
> > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> >
> > [2019/03/01 15:53:46.545807,
> > 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >
> > pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> >
> > [2019/03/01 15:53:46.545828,
> > 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
> >
> > check_ntlm_password: Authentication for user [btp4] -> [btp4]
> > FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
> >
> > [2019/03/01 15:53:46.545864,
> > 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> >
> > Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019
> > 15:53:46.545851 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE]
> > workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58286] mapped
> > to [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
> >
> > [2019/03/01 15:53:46.545899,
> > 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >
> > pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >
> > [2019/03/01 15:53:46.545937,
> > 3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
> >
> > gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login
> > failed: NT_STATUS_LOGON_FAILURE
> >
> > [2019/03/01 15:53:46.545965,
> > 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >
> > push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> >
> > [2019/03/01 15:53:46.545985,
> > 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> >
> > push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> >
> > [2019/03/01 15:53:46.546002,
> > 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >
> > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> >
> > [2019/03/01 15:53:46.546039,
> > 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >
> > pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >
> > [2019/03/01 15:53:46.546067,
> > 3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
> >
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_LOGON_FAILURE] ||
> > at ../source3/smbd/smb2_sesssetup.c:137
> >
> >
> > My workflow for setting up SSSD and Samba:
> >
> > 1) yum install -y sssd realmd adcli samba-common samba-common-tools
> > krb5-workstation openldap-clients ntpdate ntp nss-pam-ldapd
> > policycoreutils-python samba-client samba nano
> >
> > 2) realm join ... #shortened command; binding to specific OU; works
> > as expected
> >
> > 3) authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
> >
> > 4) nano /etc/samba/smb.conf
> >
> > 5) testparm
> >
> > 6) mkdir /testshare
> >
> > 7) id btp4 at yu.yale.edu #works as expected
> >
> > 8) chown -R root:pathology_its at yu.yale.edu /testshare/
> >
> > 9) chcon -Rt samba_share_t /testshare/
> >
> > 10) kinit btp4
> >
> > 11) net ads join -k
> >
> > 12) kinit -k CENTOSSSSD$ #name of test server
> >
> > 13) /usr/bin/ldapsearch -H ... #shortened command; works as expected
> >
> > 14) systemctl enable smb
> >
> > 15) systemctl enable nmb
> >
> > 16) systemctl start smb
> >
> > 17) systemctl start nmb
> >
> > 18) firewall-cmd --add-service=samba --permanent
> >
> > 19) firewall-cmd --reload
> >
> >
> > I can provide contents of krb5.conf or sssd.conf if needed.
> >
>
> Sorry Brian, but you are asking in the wrong place. Samba does not
> supply sssd, so it cannot support it, try the sssd-users mailing
> list ;-)
>
> Rowland
>
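As an added illustration (not part of this thread or of Samba itself), a small Python checker that pulls the `doing parameter` lines out of an smbd log like the one quoted above and flags the idmap mistakes visible there: the `rfcc2307` schema mode, the `tbd` backend, the `idmap * : backend` spelling of what should be `idmap config * : backend`, and a `schema_mode` set on a domain whose backend is `rid` rather than `ad`. The accepted backend and schema_mode names are the ones listed in the idmap_* man pages; the sample log is constructed from the values quoted in the thread.

```python
import re

# Accepted values as listed in the idmap_* man pages (idmap_ad(8) for schema_mode).
VALID_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap", "nss", "hash", "script", "rfc2307"}
VALID_SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}
PARAM_RE = re.compile(r"doing parameter\s+(.+?)\s*=\s*(.*)$")
IDMAP_RE = re.compile(r"^idmap( config)?\s+(\S+)\s*:\s*(\w+)$")


def parse_params(log):
    """Collect the 'doing parameter X = Y' lines that smbd logs at log level 3+."""
    params = {}
    for line in log.splitlines():
        m = PARAM_RE.search(line)
        if m:
            params[re.sub(r"\s+", " ", m.group(1)).strip()] = m.group(2).strip()
    return params


def check_idmap(params):
    """Return human-readable findings about the idmap settings in `params`."""
    findings, domains = [], {}
    for key, val in params.items():
        m = IDMAP_RE.match(key)
        if not m:
            continue  # not an idmap parameter
        if m.group(1) is None:  # 'idmap X : opt' is not the documented 'idmap config X : opt' form
            findings.append(f"'{key}': should read 'idmap config {m.group(2)} : {m.group(3)}'")
        domains.setdefault(m.group(2), {})[m.group(3)] = val
    for dom, opts in domains.items():
        backend = opts.get("backend")
        if backend is not None and backend not in VALID_BACKENDS:
            findings.append(f"{dom}: unknown idmap backend '{backend}'")
        if "schema_mode" in opts:
            if opts["schema_mode"] not in VALID_SCHEMA_MODES:
                findings.append(f"{dom}: invalid schema_mode '{opts['schema_mode']}'")
            if backend != "ad":  # idmap_rid and idmap_tdb ignore schema_mode
                findings.append(f"{dom}: schema_mode only applies to the ad backend, not '{backend}'")
    return findings


# Constructed sample: the idmap lines from the smbd log quoted in this thread.
SAMPLE_LOG = """\
doing parameter idmap config * : range = 1677216-33554431
doing parameter idmap config YALE:schema_mode = rfcc2307
doing parameter idmap config YALE:range = 100000-199999
doing parameter idmap config YALE:backend = rid
doing parameter idmap * : backend = tbd
"""
```

Running `check_idmap(parse_params(SAMPLE_LOG))` yields four findings; `testparm -s` output can be fed through the same parser after prefixing each `key = value` line with `doing parameter`.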