[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.

Markus Jansen jansen at schmitzmine.eu
Mon Oct 5 15:14:08 UTC 2020

Dear all,

I'm investigating the issue that I can't authenticate against Samba (as an Active Directory member) using the userPrincipalName (UPN). (Using Samba and the sAMAccountName works fine.)

After some research I'm quite sure that winbind is limited to the sAMAccountName and can't use the UPN. So I decided to use SSSD and configured `ldap_user_name = userPrincipalName` in the sssd.conf.


* sAMAccountName: timfin01
* userPrincipalName: tim.finnigan

"getent passwd tim.finnigan" works, i.e. returns "tim.finnigan:*:1238402723:1238400513:Tim Finnigan:/home/tim.finnigan@ad.adtest.de:/bin/bash", so I guess SSSD authentication using the UPN should function.

But Samba refuses to work. I increased the SSSD logging and found that authentication with the UPN, like "smbutil view -A //tim.finnigan@smb-test", doesn't lead to any entry in the logs. The SMB log instead shows the following:

[2020/09/29 16:08:42.196546,  3] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [ADTEST]\[tim.finnigan]@[MJBOOK] with the new password interface
[2020/09/29 16:08:42.196559,  3] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [ADTEST]\[tim.finnigan]@[MJBOOK]
[2020/09/29 16:08:42.196573,  4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2020/09/29 16:08:42.196584,  4] ../../source3/smbd/uid.c:576(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2020/09/29 16:08:42.196594,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2020/09/29 16:08:42.198802,  4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/09/29 16:08:42.198849,  2] ../../source3/auth/auth.c:346(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [tim.finnigan] -> [tim.finnigan] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2020/09/29 16:08:42.198916,  2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [ADTEST]\[tim.finnigan] at [Tue, 29 Sep 2020 16:08:42.198899 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MJBOOK] remote host [ipv4:] mapped to [ADTEST]\[tim.finnigan]. local host [ipv4:]
  {"timestamp": "2020-09-29T16:08:42.198974+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:", "remoteAddress": "ipv4:", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ADTEST", "clientAccount": "tim.finnigan", "workstation": "MJBOOK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "tim.finnigan", "mappedDomain": "ADTEST", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 77558}}
[2020/09/29 16:08:42.199043,  4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)

When authenticating via "smbutil view -A //timfin01@smb-test" it works if I set "ldap_user_name = sAMAccountName" in the sssd.conf for test purposes. Then I can also see in the SSSD logs that SSSD is used for authentication.

I guess Samba has a kind of fallback to NTLM that isn't supported by SSSD, and Samba first checks that the username exists before using the authentication backend (SSSD). My smb.conf:

[global]
        workgroup = ADTEST
        security = ads
        encrypt passwords = yes
        client signing = yes
        client use spnego = yes
        kerberos method = system keytab
        #kerberos method = secrets and keytab
        log file = /var/log/samba/%m.log
        # password server =
        realm = ad.adtest.de
        idmap config * : backend = sss
        idmap config * : range = 200000-2147483647
        unix extensions = no
        log level = 4 winbind:5 nmbd:3
        log file = /var/log/samba/%m.log

# share name not given in the post; [share1] is a placeholder
[share1]
        vfs objects = fileid
        fileid:algorithm = fsname
        path = /share1
        browseable = yes
        writeable = yes
        guest ok = no
        public = yes
        wide links = yes

Finally, the sssd.conf:

# section headers were not in the post; added from the domain named in "domains"
[sssd]
config_file_version = 2
domains = ad.adtest.de
services = nss, pam

[domain/ad.adtest.de]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ad.adtest.de
krb5_realm = ad.adtest.de
realmd_tags = manages-system joined-with-samba
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
# ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
ldap_user_name = userPrincipalName
debug_level = 9

I'm using Samba 4.10.4-11.el7_8 on CentOS 8.

I'm not sure if I understand this right, but if so, is there a way to force Samba to use SSSD? Any hints are very appreciated.
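The smbd log excerpt above includes a JSON audit record per authentication attempt. The following is an added example, not code from the post or from Samba: a small parser for those records that separates "user not found" failures on UPN-style names (the symptom in this thread, where the name lookup fails before any backend is consulted) from ordinary bad-password failures. The sample log text is constructed in the shape of the excerpt, trimmed to the fields used here, and the success and wrong-password records are invented for illustration.

```python
import json
from collections import Counter

# Constructed sample in the shape of the smbd auth log above (human-readable line plus the
# JSON audit record smbd writes at log level 2+); JSON fields trimmed to those used here.
SAMPLE_LOG = r'''
[2020/09/29 16:08:42.198849,  2] ../../source3/auth/auth.c:346(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [tim.finnigan] -> [tim.finnigan] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
  {"timestamp": "2020-09-29T16:08:42.198974+0200", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "clientDomain": "ADTEST", "clientAccount": "tim.finnigan", "workstation": "MJBOOK", "mappedAccount": "tim.finnigan", "mappedDomain": "ADTEST", "passwordType": "NTLMv2"}}
  {"timestamp": "2020-09-29T16:09:01.000000+0200", "type": "Authentication", "Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", "clientDomain": "ADTEST", "clientAccount": "timfin01", "workstation": "MJBOOK", "mappedAccount": "timfin01", "mappedDomain": "ADTEST", "passwordType": "NTLMv2"}}
  {"timestamp": "2020-09-29T16:09:30.000000+0200", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_WRONG_PASSWORD", "clientDomain": "ADTEST", "clientAccount": "timfin01", "workstation": "MJBOOK", "mappedAccount": "timfin01", "mappedDomain": "ADTEST", "passwordType": "NTLMv2"}}
'''

def parse_auth_records(text):
    """Return the 'Authentication' object of every JSON audit record, with the
    record's outer timestamp merged in."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # human-readable lines are skipped; the JSON carries the same data
        try:
            obj = json.loads(line)
        except ValueError:
            continue  # a truncated or interleaved line is not a complete record
        if obj.get("type") == "Authentication":
            records.append(dict(obj["Authentication"], timestamp=obj.get("timestamp")))
    return records

def looks_like_upn(account):
    """Heuristic (assumption): a dotted or '@'-qualified name is not a plain sAMAccountName."""
    return "@" in account or "." in account

def find_upn_lookup_failures(records):
    """Failed logons (eventId 4625) where the user was not found at all, rather than
    rejected by the backend, and the name is UPN-style: a name-mapping problem."""
    return [r for r in records
            if r.get("eventId") == 4625
            and r.get("status") == "NT_STATUS_NO_SUCH_USER"
            and looks_like_upn(r.get("clientAccount", ""))]

def failure_counts(records):
    """Count failed logons by (status, DOMAIN\\account) to separate unknown-user
    failures from bad-password noise in a busy smbd log."""
    return Counter((r["status"], f'{r["clientDomain"]}\\{r["clientAccount"]}')
                   for r in records if r.get("eventId") == 4625)

if __name__ == "__main__":
    recs = parse_auth_records(SAMPLE_LOG)
    for r in find_upn_lookup_failures(recs):
        print(f'{r["timestamp"]} unknown user {r["clientDomain"]}\\{r["clientAccount"]} '
              f'from {r["workstation"]} ({r["passwordType"]})')
    print(failure_counts(recs))
```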
