[Samba] krb5_auth: NT_STATUS_NO_LOGON_SERVERS for users from trusted AD domains in samba winbind > 4.2

Markus Spanner-Denzer markus.spanner-denzer at noris.de
Thu May 16 12:26:35 UTC 2019


Hi,


in our setup, we have a number of AD domains with an existing one-way trust between the local domain of the system (which I will call LOCALDOM in the following) and the domain containing the user accounts (which I will call TRUSTEDDOM in the following). The domain controllers run Windows Server 2012.


Beginning with samba 4.4 we have an issue with authentication through pam_winbind on the Linux clients when krb5_auth is enabled in pam_winbind.conf (which worked in samba 4.2). Login to the Linux systems always fails with "No logon servers". The situation can also be reproduced with "wbinfo -K".


On samba >= 4.4 (tested on SLES12SP3 and RHEL7):

# wbinfo -K TRUSTEDDOM\\myaccount
Enter TRUSTEDDOM\myaccount's password:
plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] failed (requesting cctype: FILE)
wbcLogonUser(TRUSTEDDOM\myaccount): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user [TRUSTEDDOM\myaccount] with Kerberos (ccache: FILE)


The same worked with samba 4.2 (tested on SLES12SP1, identical configuration in samba.conf and krb5.conf):

# wbinfo -K TRUSTEDDOM\\myaccount
Enter TRUSTEDDOM\myaccount's password:
plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] succeeded (requesting cctype: FILE)


Authenticating users from the local domain works in all releases of samba:

# wbinfo -K LOCALDOM\\mylocalaccount
Enter LOCALDOM\\mylocalaccount's password:
plaintext kerberos password authentication for [LOCALDOM\\mylocalaccount] succeeded (requesting cctype: FILE)


Authenticating users without krb5 (i.e. wbinfo -a) also works in all releases. Therefore, disabling krb5_auth helps as a work-around; the user can then request a Kerberos ticket manually using kinit myaccount@TRUSTEDDOM.

Both LOCALDOM and TRUSTEDDOM are configured in krb5.conf.


It seems like newer releases of samba(-winbind) cannot locate the correct KDC for trusted domains. Do you know of any change in samba-winbind's behavior between 4.2 and 4.4? Is there something which has to be changed in the configuration? Unfortunately, I didn't find any hint in the documentation.


Markus

--
Dipl.-Phys. Markus Spanner-Denzer
Senior IT Systems Engineer (Linux)
Systems & Applications

noris network AG
Thomas-Mann-Straße 16-20
90471 Nürnberg
Germany

Tel +49 911 9352 1126
Fax +49 911 9352 100
Email markus.spanner-denzer at noris.de

noris network AG - More performance than standard
Executive Board: Ingo Kraupa (Chairman), Joachim Astel, Jürgen Städing
Chairman of the Supervisory Board: Stefan Schnabel - AG Nürnberg HRB 17689
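As an added example that is not part of the original post or of Samba itself: a small checker for the krb5.conf realm definitions that winbind and libkrb5 rely on to locate a KDC for each realm, which is one of the first things to verify when a trusted realm reports "No logon servers". The sample config, realm names and host names are constructed.

```python
# Added example (not from the original post): a small krb5.conf checker that flags
# realms without a locatable KDC definition. Config and realm names are constructed.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    dns_lookup_kdc = false
[realms]
    LOCALDOM.EXAMPLE = {
        kdc = dc1.localdom.example
    }
    TRUSTEDDOM.EXAMPLE = {
        admin_server = dc1.trusteddom.example
    }
[domain_realm]
    .localdom.example = LOCALDOM.EXAMPLE
"""

def parse_krb5_conf(text):
    """Parse sections, 'NAME = { ... }' blocks and key = value lines (lists)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):          # new section header, e.g. [realms]
            section, block = conf.setdefault(line.strip("[]"), {}), None
            continue
        if line == "}":                   # end of a realm block
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                  # start of a realm block
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def check_realms(text):
    """Return {realm: [findings]} for every realm defined under [realms]."""
    conf = parse_krb5_conf(text)
    dns_kdc = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower() == "true"
    mapped = {v[0] for v in conf.get("domain_realm", {}).values()}
    report = {}
    for realm, settings in conf.get("realms", {}).items():
        findings = []
        if "kdc" not in settings and not dns_kdc:
            findings.append("no kdc entry and dns_lookup_kdc is off")
        if realm not in mapped:
            findings.append("no [domain_realm] mapping")
        report[realm] = findings
    return report
```

A clean report for the trusted realm does not prove winbind's own DC lookup works, so follow it with `wbinfo --ping-dc --domain=TRUSTEDDOM` on the affected client.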