[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.

Markus Jansen jansen at schmitzmine.eu
Thu Oct 15 11:24:22 UTC 2020

Am 14.10.20 um 16:19 schrieb Rowland penny via samba:
> On 14/10/2020 15:07, Markus Jansen via samba wrote:
>> Am 14.10.20 um 08:31 schrieb Nico Kadel-Garcia via samba:
>>> On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On 13/10/2020 15:01, Markus Jansen via samba wrote:
>>>>> Thank you very much for your hints.
>>>>> I got rid of SSSD and managed to get a successful Kerberos
>>>>> authentication via wbinfo -K and the UPN.
>>>>> But accessing via SMB (using macOS' smbutil or Finder) still
>>>>> fails with
>>>>> "FAILED with error NT_STATUS_NO_SUCH_USER".
>>>>> As I'm using CentOS 8, I used authselect to configure winbind
>>>>> integration into PAM (do I really need this for SMB?) and enabled
>>>>> the "with-krb5" and "with-pamaccess" features to let the
>>>>> /etc/pam.d/ files be configured automatically.
>>>>> I'm really confused. What's missing?
>>>> Probably libpam-krb5, which Red Hat has removed from RHEL8 and hence
>>>> CentOS8; I had to compile the CentOS7 package and install it before I
>>>> could get CentOS8 to work correctly.
>>>> BIG NOTE: this is just my opinion.
>>>> I really do not think that Red Hat wants you to use Samba with RHEL8;
>>>> I think they really want you to use sssd with FreeIPA instead. They have
>>>> removed openldap, smbldap-tools and libpam-krb5 that I am aware of;
>>>> there may be others.
>> Good hint. I switched to Debian Buster; same issue.
>> Interestingly, "id tim-upn" (the userPrincipalName) works and refers to
>> the sAMAccountName:
>> "uid=3000(tim-sam) gid=3000(domain users) groups=3000(domain
>> users),3001(storage-users),1000001(BUILTIN\users)".
>> "login tim-upn" works, and so does "ssh tim-upn@localhost". Also, "smbclient
>> -L //localhost -W ADTEST -U tim-sam%Qwertz12345" works, but "smbclient
>> -L //localhost -W ADTEST -U tim-upn%Qwertz12345" doesn't.
>> Still confused.
> So am I, '3000' for Domain Users and '1000001' for BUILTIN\users.
> Might help if you post the smb.conf you are using.
> Rowland
I took a step back and figured out that authenticating via UPN DOES
work if I use a "legal" one with an "@domain" suffix. Sorry for that.

But I want to use login names without the "@domain" suffix because, as
this looks like an email address, people could get irritated, since their
email address may look different.
So I set "winbind use default domain = yes" in the smb.conf, and
"wbinfo -K test-storage01" works for the user with UPN test-storage01@ad.adtest.de.

But smbclient (on Debian) or net use (on Windows) does not work if I
omit the "@ad.adtest.de". Am I right in thinking that omitting the '@'
leads to a fallback to DOMAIN\sAMAccountName authentication because
winbind does not know how to navigate the AD forest?
Interestingly, test-storage01@ad.bnitm.de could be mapped to
BNITM\test-storage01-sam and authenticate.
(smb.log: "check_ntlm_password:  authentication for user
[test-storage01@ad.bnitm.de] -> [test-storage01@ad.bnitm.de] ->
[BNITM\test-storage01-sam] succeeded")

Also: "getent passwd test-storage01@ad.bnitm.de" ->
"test-storage01-sam:*:3000:3000:Test Storage

But "net use y: \\ip\example /user:test-storage01" leads to the
following smb.log entry:
"Auth: [SMB2,(null)] user [DESKTOP-9CASEDK]\[test-storage01] at [Thu, 15
Oct 2020 13:16:53.462240 CEST] with [NTLMv2] status
[NT_STATUS_NO_SUCH_USER] workstation [DESKTOP-9CASEDK] remote host
[ipv4:] mapped to
[DESKTOP-9CASEDK]\[test-storage01]. local host [ipv4:]
  {"timestamp": "2020-10-15T13:16:53.462447+0200", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress":
"ipv4:", "remoteAddress":
"ipv4:", "serviceDescription": "SMB2",
"authDescription": null, "clientDomain": "DESKTOP-9CASEDK",
"clientAccount": "test-storage01", "workstation": "DESKTOP-9CASEDK",
"becameAccount": null, "becameDomain": null, "becameSid": null,
"mappedAccount": "test-storage01", "mappedDomain": "DESKTOP-9CASEDK",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration":

... while "net use y: \\ip\example /user:test-storage01@ad.adtest.de" works.

I wonder how authentication without a domain suffix could work at all.
My smb.conf:

[global]
   workgroup = ADTEST
   security = ADS
   realm = AD.ADTEST.DE

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind expand groups = 4
   winbind normalize names = Yes
   winbind nss info = rfc2307
   winbind use default domain = yes

   winbind enum users = yes
   winbind enum groups = yes

   idmap config * : backend = autorid
   idmap config * : range = 1000000-1999999
   idmap config * : rangesize = 1000000

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   log level = 3

# share name taken from the "\\ip\example" path used in the net use commands above
[example]
   path = /tmp/
   comment = Example Share
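As an added example (not code from this thread or from Samba), the following script triages Samba's JSON authentication audit records of the kind quoted above: it parses the per-line JSON, keeps only the "Authentication" type, and groups each logon by the name the client sent, the DOMAIN\account Samba mapped it to, and the resulting status, flagging the pattern seen in the failing record above, where the mapped domain equals the client's own workstation name. The log lines in the script are constructed for the example: the first mirrors the failing "net use /user:test-storage01" record, the other two are invented, and the addresses, durations and the ADTEST\test-storage01-sam mapping are assumptions, not data from the thread.

```python
"""Triage Samba "Authentication" JSON audit records (added example)."""
import json
from collections import Counter

# Constructed sample of Samba's JSON auth audit stream, one record per line.
# Record 1 mirrors the failed "net use ... /user:test-storage01" entry from
# the thread; record 2 (a UPN logon that succeeds) and record 3 (a record
# of another type, which must be skipped) are invented. Addresses,
# durations and the ADTEST/test-storage01-sam mapping are assumptions.
SAMPLE_LOG = '''
{"timestamp": "2020-10-15T13:16:53.462447+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.20:51234", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DESKTOP-9CASEDK", "clientAccount": "test-storage01", "workstation": "DESKTOP-9CASEDK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "test-storage01", "mappedDomain": "DESKTOP-9CASEDK", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 1532}}
{"timestamp": "2020-10-15T13:17:10.100000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.20:51240", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "test-storage01@ad.adtest.de", "workstation": "DESKTOP-9CASEDK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "test-storage01-sam", "mappedDomain": "ADTEST", "passwordType": "NTLMv2", "duration": 2210}}
{"timestamp": "2020-10-15T13:17:10.200000+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "serviceDescription": "SMB2", "domain": "ADTEST", "account": "test-storage01-sam"}}
'''


def parse_auth_records(text):
    """Return the Authentication records from a JSON-per-line audit log.

    Empty lines, lines that are not JSON, and records of another type
    (e.g. Authorization) are skipped, so a mixed log can be fed in as-is.
    The record's top-level timestamp is copied into the returned dict.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("type") != "Authentication":
            continue
        auth = dict(entry.get("Authentication", {}))
        auth["timestamp"] = entry.get("timestamp")
        records.append(auth)
    return records


def classify(rec):
    """Label one Authentication record for triage.

    Heuristic, not a Samba rule: a NT_STATUS_NO_SUCH_USER failure whose
    mappedDomain equals the client's own workstation name has the shape of
    the failing record in the thread, where the client supplied a bare user
    name (no DOMAIN\\ prefix and no @realm suffix).
    """
    status = rec.get("status")
    if status == "NT_STATUS_OK":
        return "ok"
    mapped_domain = rec.get("mappedDomain")
    if (status == "NT_STATUS_NO_SUCH_USER"
            and mapped_domain
            and mapped_domain == rec.get("workstation")):
        return "no-such-user:bare-name-mapped-to-workstation"
    return "failed:" + str(status)


def summarize(records):
    """Count (clientAccount, mappedDomain\\mappedAccount, label) triples."""
    counts = Counter()
    for rec in records:
        mapped = "%s\\%s" % (rec.get("mappedDomain") or "",
                             rec.get("mappedAccount") or "")
        counts[(rec.get("clientAccount"), mapped, classify(rec))] += 1
    return counts


if __name__ == "__main__":
    table = summarize(parse_auth_records(SAMPLE_LOG))
    for (client, mapped, label), n in sorted(table.items()):
        print("%3d  %-30s -> %-34s %s" % (n, client, mapped, label))
```

Pointing `parse_auth_records` at a real log (one JSON object per line, as Samba's JSON audit logging writes when routed to its own file) gives a quick count of which supplied names are being mapped where; the bare-name label is the row to look at first when users report NT_STATUS_NO_SUCH_USER after dropping the "@realm" suffix.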


