[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.
Markus Jansen
jansen at schmitzmine.eu
Thu Oct 15 11:24:22 UTC 2020
On 14.10.20 at 16:19, Rowland penny via samba wrote:
> On 14/10/2020 15:07, Markus Jansen via samba wrote:
>> On 14.10.20 at 08:31, Nico Kadel-Garcia via samba wrote:
>>> On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On 13/10/2020 15:01, Markus Jansen via samba wrote:
>>>>> Thank you very much for your hints.
>>>>>
>>>>> I got rid of SSSD and managed to get a successful kerberos
>>>>> authentication via wbinfo -K and the UPN.
>>>>>
>>>>> But accessing via SMB (using MAC OS' smbutil or Finder) still
>>>>> fails with
>>>>> "FAILED with error NT_STATUS_NO_SUCH_USER".
>>>>>
>>>>> As I'm using CentOS 8, I used authselect to configure winbind
>>>>> integration to PAM (do I really need this for SMB?) and enabled
>>>>> "with-krb5" and "with-pamaccess" - features to let
>>>>> /etc/pam.d/-files be
>>>>> configured automatically.
>>>>>
>>>>> I'm really confused. What's missing?
>>>>>
>>>> Probably libpam-krb5 that Red-Hat has removed from RHEL8 and hence
>>>> Centos8, I had to compile the Centos7 package and install it before I
>>>> could get Centos8 to work correctly.
>>>>
>>>> BIG NOTE: this is just my opinion.
>>>>
>>>> I really do not think that red-hat wants you to use Samba with
>>>> RHEL8, I
>>>> think they really want you to use sssd with freeipa instead. They have
>>>> removed openldap, smbldap-tools and libpam-krb5 that I am aware of,
>>>> there may be others.
>> Good hint. I switched to Debian Buster - same issue:
>>
>> Interestingly, "id tim-upn" (the userPrincipalName) works and refers to
>> the sAMAccountName.
>>
>> "uid=3000(tim-sam) gid=3000(domain users) groups=3000(domain
>> users),3001(storage-users),1000001(BUILTIN\users).
>>
>> "login tim-upn" works, "ssh tim-upn@localhost", too. Also: "smbclient
>> -L //localhost -W ADTEST -U tim-sam%Qwertz12345" works, but "smbclient
>> -L //localhost -W ADTEST -U tim-upn%Qwertz12345" doesn't.
>>
>> Still confused.
>>
> So am I, '3000' for Domain Users and '1000001' for BUILTIN\users.
> Might help if you post the smb.conf you are using.
>
> Rowland
I took a step back and figured out that authenticating via UPN DOES
work if I use a "legal" one with an "@domain" suffix. Sorry for that
confusion.
But: I want to use login names without the "@domain"-suffix because, as
this looks like an email address, people could get irritated as their
email address may look different.
So I set "winbind use default domain = yes" in the smb.conf, and
"wbinfo -K test-storage01" works for the user with UPN test-storage01@ad.adtest.de.
But smbclient (on Debian) or net use (on Windows) does not work if I
omit the "@ad.adtest.de". Am I right in thinking that the missing '@'
leads to a fallback to DOMAIN\sAMAccountName authentication because
winbind does not know how to navigate through the AD forest?
Interestingly, test-storage01@ad.bnitm.de could be mapped to
BNITM\test-storage01-sam and authenticate.
(smb.log: "check_ntlm_password: authentication for user
[test-storage01@ad.bnitm.de] -> [test-storage01@ad.bnitm.de] ->
[BNITM\test-storage01-sam] succeeded")
Also: "getent passwd test-storage01@ad.bnitm.de" ->
"test-storage01-sam:*:3000:3000:Test Storage
01:/home/BNITM/test-storage01-sam:/bin/false"
But "net use y: \\ip\example /user:test-storage01" leads to the
following smb.log entry:
"Auth: [SMB2,(null)] user [DESKTOP-9CASEDK]\[test-storage01] at [Thu, 15
Oct 2020 13:16:53.462240 CEST] with [NTLMv2] status
[NT_STATUS_NO_SUCH_USER] workstation [DESKTOP-9CASEDK] remote host
[ipv4:134.100.203.37:50737] mapped to
[DESKTOP-9CASEDK]\[test-storage01]. local host [ipv4:134.100.202.143:445]
{"timestamp": "2020-10-15T13:16:53.462447+0200", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress":
"ipv4:134.100.202.143:445", "remoteAddress":
"ipv4:134.100.203.37:50737", "serviceDescription": "SMB2",
"authDescription": null, "clientDomain": "DESKTOP-9CASEDK",
"clientAccount": "test-storage01", "workstation": "DESKTOP-9CASEDK",
"becameAccount": null, "becameDomain": null, "becameSid": null,
"mappedAccount": "test-storage01", "mappedDomain": "DESKTOP-9CASEDK",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration":
5391}}
... while "net use y: \\ip\example /user:test-storage01@ad.adtest.de" works.
I wonder how authentication without a domain suffix could work at all.
My smb.conf:
[global]
workgroup = ADTEST
security = ADS
realm = AD.ADTEST.DE
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind expand groups = 4
winbind refresh tickets = Yes
winbind normalize names = Yes
winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
idmap config * : rangesize = 1000000
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 3
[example]
path = /tmp/
comment = Example Share
Markus
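The JSON audit record quoted above shows the failing attempt arriving with clientDomain equal to the workstation name (DESKTOP-9CASEDK), i.e. the Windows client sent its own hostname as the domain when no suffix was given, and Samba mapped the user to DESKTOP-9CASEDK\test-storage01 before returning NT_STATUS_NO_SUCH_USER. As an added example (not code from this thread or from the Samba project), here is a small parser for Samba's JSON "Authentication" audit lines that flags records with exactly that shape; the sample log lines are constructed, with placeholder addresses.

```python
import json
from collections import Counter

# Constructed sample of Samba JSON "Authentication" audit lines, modelled on the
# record quoted in the thread; hostnames and addresses are placeholders.
SAMPLE_LOG = r'''
Auth: [SMB2,(null)] user [DESKTOP-9CASEDK]\[test-storage01] status [NT_STATUS_NO_SUCH_USER]
{"timestamp": "2020-10-15T13:16:53.462447+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "serviceDescription": "SMB2", "clientDomain": "DESKTOP-9CASEDK", "clientAccount": "test-storage01", "workstation": "DESKTOP-9CASEDK", "mappedAccount": "test-storage01", "mappedDomain": "DESKTOP-9CASEDK", "remoteAddress": "ipv4:192.0.2.20:50737", "passwordType": "NTLMv2"}}
{"timestamp": "2020-10-15T13:17:10.000000+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SMB2", "clientDomain": "", "clientAccount": "test-storage01@ad.adtest.de", "workstation": "DESKTOP-9CASEDK", "mappedAccount": "test-storage01-sam", "mappedDomain": "ADTEST", "remoteAddress": "ipv4:192.0.2.20:50738", "passwordType": "NTLMv2"}}
{"timestamp": "2020-10-15T13:18:00.000000+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "SMB2", "clientDomain": "ADTEST", "clientAccount": "test-storage01-sam", "workstation": "DESKTOP-9CASEDK", "mappedAccount": "test-storage01-sam", "mappedDomain": "ADTEST", "remoteAddress": "ipv4:192.0.2.20:50739", "passwordType": "NTLMv2"}}
'''


def parse_auth_records(text):
    """Return the 'Authentication' objects from JSON audit lines, skipping the
    plain-text 'Auth:' lines and anything that does not parse as JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        auth = entry.get("Authentication")
        if entry.get("type") == "Authentication" and isinstance(auth, dict):
            records.append(auth)
    return records


def classify(rec):
    """Label one record. 'client_local_domain' is the pattern from the thread:
    the account carried no '@' suffix, the client sent its own workstation name
    as the domain, and the lookup failed with NT_STATUS_NO_SUCH_USER."""
    status = rec.get("status")
    if status == "NT_STATUS_OK":
        return "ok"
    if status == "NT_STATUS_NO_SUCH_USER":
        domain = rec.get("clientDomain") or ""
        account = rec.get("clientAccount") or ""
        if domain and domain == rec.get("workstation") and "@" not in account:
            return "client_local_domain"
        return "no_such_user"
    return "failed:" + str(status)


def summarize(text):
    """Count the classification of every record in a log excerpt."""
    return dict(Counter(classify(r) for r in parse_auth_records(text)))
```

Run against a real log by passing the contents of smb.log (with the JSON audit output enabled) to summarize(); a high count of client_local_domain points at clients logging in without any domain or suffix rather than at a password problem.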