[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.

Rowland penny rpenny at samba.org
Mon Oct 5 15:45:24 UTC 2020


On 05/10/2020 16:14, Markus Jansen via samba wrote:
> Dear all,
>
> I'm investigating the issue that I can't authenticate against a Samba (as Active-Directory Member) using the userPrincipalName (UPN). (Using Samba and sAMAccountName works fine.)
>
> After some research I'm quite sure that winbind is limited to the sAMAccountName and can't use UPN. So I decided to use SSSD and configured the `ldap_user_name = userPrincipalName` in the sssd.conf
>
> Example:
>
> * sAMAccountName: timfin01
> * userPrincipalName: tim.finnigan
>
> "getent passwd tim.finnigan" works, i.e. returns "tim.finnigan:*:1238402723:1238400513:Tim Finnigan:/home/tim.finnigan@ad.adtest.de:/bin/bash", so I guess SSSD authentication using UPN should function.
>
> But Samba refuses to work. I increased the SSSD-Logging and examined that authentication with UPN like "smbutil view -A //tim.finnigan@smb-test" doesn't lead to any entry in the logs. The SMB-Log instead shows the following:
>
>
> [2020/09/29 16:08:42.196546,  3] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
>    check_ntlm_password:  Checking password for unmapped user [ADTEST]\[tim.finnigan]@[MJBOOK] with the new password interface
> [2020/09/29 16:08:42.196559,  3] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
>    check_ntlm_password:  mapped user is: [ADTEST]\[tim.finnigan]@[MJBOOK]
> [2020/09/29 16:08:42.196573,  4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2020/09/29 16:08:42.196584,  4] ../../source3/smbd/uid.c:576(push_conn_ctx)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2020/09/29 16:08:42.196594,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2020/09/29 16:08:42.198802,  4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2020/09/29 16:08:42.198849,  2] ../../source3/auth/auth.c:346(auth_check_ntlm_password)
>    check_ntlm_password:  Authentication for user [tim.finnigan] -> [tim.finnigan] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
> [2020/09/29 16:08:42.198916,  2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
>    Auth: [SMB2,(null)] user [ADTEST]\[tim.finnigan] at [Tue, 29 Sep 2020 16:08:42.198899 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MJBOOK] remote host [ipv4:10.10.230.10:51669] mapped to [ADTEST]\[tim.finnigan]. local host [ipv4:134.100.203.47:445]
>    {"timestamp": "2020-09-29T16:08:42.198974+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:134.100.203.47:445", "remoteAddress": "ipv4:10.10.230.10:51669", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ADTEST", "clientAccount": "tim.finnigan", "workstation": "MJBOOK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "tim.finnigan", "mappedDomain": "ADTEST", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 77558}}
> [2020/09/29 16:08:42.199043,  4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>
>
> When authenticating via "smbutil view -A //timfin01@smb-test" it works when setting the "ldap_user_name = sAMAccountName" in the sssd.conf for test purposes. Then, I can also see that SSSD is used for authentication in the SSSD logs.
>
> I guess Samba has a kind of fallback to NTLM, that isn't supported by SSSD. And Samba first checks the username existence before using the authentication backend (SSSD). My smb.conf:
>
> [global]
>          workgroup = ADTEST
>          security = ads
>          encrypt passwords = yes
>          client signing = yes
>          client use spnego = yes
>          kerberos method = system keytab
>          #kerberos method = secrets and keytab
>          log file = /var/log/samba/%m.log
>          # password server =
>          realm = ad.adtest.de
>          idmap config * : backend = sss
>          idmap config * : range = 200000-2147483647
>          unix extensions = no
>          log level = 4 winbind:5 nmbd:3
>          log file = /var/log/samba/%m.log
>
> [share1]
>          vfs objects = fileid
>          fileid:algorithm = fsname
>          path = /share1
>          browseable = yes
>          writeable = yes
>          guest ok = no
>          public = yes
>          wide links = yes
>
>
> Finally, the sssd.conf:
>
> [sssd]
> config_file_version = 2
> domains = ad.adtest.de
> services = nss, pam
>
> [domain/ad.adtest.de]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> ad_domain = ad.adtest.de
> krb5_realm = ad.adtest.de
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> # ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u@%d
> ldap_user_name = userPrincipalName
> debug_level = 9
>
> I'm using Samba 4.10.4-11.el7_8 on CentOS 8.
>
> I'm not sure if I understand this right, but if so, is there a way to force Samba to use SSSD? Any hints are very appreciated.
You cannot use sssd with Samba >= 4.8.0; even Red Hat tells you this.

On top of which, you should be able to authenticate using a UPN:

pi@raspberrypi:~ $ wbinfo -K SAMDOM\\rowland@samdom.example.com
Enter SAMDOM\rowland@samdom.example.com's password:
plaintext kerberos password authentication for 
[SAMDOM\rowland@samdom.example.com] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1000

Rowland
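As an added example (not code from the thread), a small Python parser for the JSON "Authentication" events that Samba writes next to the human-readable "Auth:" line in Markus's log. The sample lines are constructed and trimmed to the fields used here; the point is to separate NT_STATUS_NO_SUCH_USER (the name was never resolved to an account, the symptom above) from genuine password failures when triaging such logs.

```python
import json
from collections import Counter

# Constructed sample: two Samba "Authentication" JSON events in the version 1.2
# schema seen in the thread, plus an ordinary debug line. Unused fields omitted.
SAMPLE_LOG = """\
[2020/09/29 16:08:42.198849,  2] ../../source3/auth/auth.c:346(auth_check_ntlm_password)
  {"timestamp": "2020-09-29T16:08:42.198974+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:10.10.230.10:51669", "serviceDescription": "SMB2", "clientDomain": "ADTEST", "clientAccount": "tim.finnigan", "workstation": "MJBOOK", "passwordType": "NTLMv2"}}
  {"timestamp": "2020-09-29T16:09:01.000000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.10.230.10:51670", "serviceDescription": "SMB2", "clientDomain": "ADTEST", "clientAccount": "timfin01", "workstation": "MJBOOK", "passwordType": "NTLMv2"}}
"""

def parse_auth_events(text):
    """Return the JSON Authentication events embedded in Samba log text."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # human-readable debug line, not a JSON event
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # truncated or otherwise non-JSON line
        if rec.get("type") == "Authentication":
            ev = dict(rec["Authentication"])
            ev["timestamp"] = rec.get("timestamp")
            events.append(ev)
    return events

def remote_ip(addr):
    """'ipv4:10.10.230.10:51669' -> '10.10.230.10' (also handles 'ipv6:::1:445')."""
    _, _, rest = addr.partition(":")   # drop the address-family tag
    host, _, _ = rest.rpartition(":")  # drop the port
    return host

def failed_logons(events):
    """Count non-OK events by (domain, account, client IP, NT status).

    NT_STATUS_NO_SUCH_USER means the name was not resolved to an account before
    any password check; NT_STATUS_WRONG_PASSWORD means the account exists.
    """
    counts = Counter()
    for ev in events:
        if ev.get("status") == "NT_STATUS_OK":
            continue
        key = (ev.get("clientDomain"), ev.get("clientAccount"),
               remote_ip(ev.get("remoteAddress") or ""), ev.get("status"))
        counts[key] += 1
    return counts
```

Run it over the real /var/log/samba/*.log files to see whether a burst of NT_STATUS_NO_SUCH_USER comes from a name-resolution problem like the one in this thread or from guessing at non-existent accounts.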
