[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.

Rowland Penny rpenny at samba.org
Thu Oct 15 12:04:12 UTC 2020


On 15/10/2020 12:24, Markus Jansen via samba wrote:
>
> But smbclient (on Debian) or net use (on Windows) does not work if I
> omit the "@ad.adtest.de".

It does work:

rowland at raspberrypi:~ $ smbclient //devstation/Demo -k -d5
<SNIP>
Netbios name list:-
my_netbios_names[0]="RASPBERRYPI"
Client started (version 4.12.6-Debian).
sitename_fetch: No stored sitename for realm 'SAMDOM.EXAMPLE.COM'
name devstation#20 found.
Connecting to 192.168.0.49 at port 445
  negotiated dialect[SMB3_11] against server[devstation]
cli_session_setup_spnego_send: Connect to devstation as 
rowland at SAMDOM.EXAMPLE.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
  session setup ok
signed SMB2 message
  tconx ok
Try "help" to get a list of possible commands.
smb: \>

> Am I right when I think that missing the '@'
> leads to a fallback of DOMAIN\sAMAccountName - authentication because
> winbind does not know how to navigate through the AD forest?
> Interestingly, test-storage01 at ad.bnitm.de could be mapped to
> BNITM\test-storage01-sam and authenticate.
> (smb.log: "check_ntlm_password:  authentication for user
> [test-storage01 at ad.bnitm.de] -> [test-storage01 at ad.bnitm.de] ->
> [BNITM\test-storage01-sam] succeeded")
Sort of, it falls back to NTLM.
> Also: "getent passwd test-storage01 at ad.bnitm.de" ->
> "test-storage01-sam:*:3000:3000:Test Storage
> 01:/home/BNITM/test-storage01-sam:/bin/false"
>
> But "net use y: \\ip\example /user:test-storage01" leads to the
> following smb.log entry:
> "Auth: [SMB2,(null)] user [DESKTOP-9CASEDK]\[test-storage01] at [Thu, 15
> Oct 2020 13:16:53.462240 CEST] with [NTLMv2] status
> [NT_STATUS_NO_SUCH_USER] workstation [DESKTOP-9CASEDK] remote host
> [ipv4:134.100.203.37:50737] mapped to
> [DESKTOP-9CASEDK]\[test-storage01]. local host [ipv4:134.100.202.143:445]
>    {"timestamp": "2020-10-15T13:16:53.462447+0200", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress":
> "ipv4:134.100.202.143:445", "remoteAddress":
> "ipv4:134.100.203.37:50737", "serviceDescription": "SMB2",
> "authDescription": null, "clientDomain": "DESKTOP-9CASEDK",
> "clientAccount": "test-storage01", "workstation": "DESKTOP-9CASEDK",
> "becameAccount": null, "becameDomain": null, "becameSid": null,
> "mappedAccount": "test-storage01", "mappedDomain": "DESKTOP-9CASEDK",
> "netlogonComputer": null, "netlogonTrustAccount": null,
> "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
> "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration":
> 5391}}
>
>
> ... while "net use y: \\ip\example /user:test-storage01 at ad.adtest.de" works.
Using the IP turns off Kerberos.
>
> I wonder how authentication without domain suffix could work at all.
> My smb.conf:
>
> [global]
>     workgroup = ADTEST
>     security = ADS
>     realm = AD.ADTEST.DE
>
>     winbind refresh tickets = Yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind expand groups = 4
>     winbind refresh tickets = Yes
>     winbind normalize names = Yes
>     winbind nss info = rfc2307
>     winbind use default domain = yes
>
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     idmap config * : backend = autorid
>     idmap config * : range = 1000000-1999999
>     idmap config * : rangesize = 1000000

And here is your problem: 'autorid' is designed for multiple domains and, 
as such, you cannot use 'winbind use default domain = yes'.

If you just want to use the username (without the domain component), you 
can either use the 'ad' backend (which requires uidNumber & gidNumber 
attributes in AD) or the 'rid' backend.

>
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>     log level = 3
>
> [example]
>    path = /tmp/
>
>    comment = Example Share

I do hope you realise that your 'example' share is read only.

Rowland
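As an added example, not part of Rowland's reply, of Markus' smb.conf or of the Samba project's documentation: the quoted [global] section rewritten the way Rowland suggests, keeping 'winbind use default domain = yes' but moving the ADTEST domain to the 'rid' backend. The original autorid lines are left in as commented-out (';') lines so the weak and corrected settings sit beside each other. The ID ranges, the two 'template' parameters and the 'read only = no' line on the share are my assumptions, not values from the thread.

```ini
[global]
    workgroup = ADTEST
    security = ADS
    realm = AD.ADTEST.DE

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind refresh tickets = yes
    winbind expand groups = 4
    winbind normalize names = yes
    ; 'winbind nss info = rfc2307' only takes effect with the 'ad' backend
    ; (which needs uidNumber/gidNumber in AD); with 'rid' the shell and home
    ; directory come from the template parameters instead (assumed values).
    template shell = /bin/bash
    template homedir = /home/%D/%U

    ; Stays on: with a per-domain 'rid' backend a bare sAMAccountName is
    ; resolved in the ADTEST domain, so a plain 'test-storage01' maps.
    winbind use default domain = yes

    winbind enum users = yes
    winbind enum groups = yes

    ; As posted: autorid as the only backend. autorid is for multi-domain
    ; setups and does not combine with 'winbind use default domain = yes'.
    ; idmap config * : backend = autorid
    ; idmap config * : range = 1000000-1999999
    ; idmap config * : rangesize = 1000000

    ; Corrected: the '*' default domain (BUILTIN and other well-known SIDs)
    ; gets a small tdb range, the ADTEST domain gets the 'rid' backend.
    ; Ranges are assumptions; they must not overlap each other or local
    ; /etc/passwd and /etc/group IDs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ADTEST : backend = rid
    idmap config ADTEST : range = 10000-999999

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    log level = 3

[example]
    path = /tmp/
    comment = Example Share
    ; Samba shares are read-only unless told otherwise (Rowland's last point).
    ; Assumed: this share is meant to be writable.
    read only = no
```

Validate the file with `testparm -s` and restart winbind before testing; then `wbinfo -i test-storage01` and `getent passwd test-storage01` (no realm suffix) should resolve the account, and the smb.log 'Auth:' line should no longer map the user into the client's workstation domain. Switching the backend changes every allocated UID/GID, so files already owned by autorid-allocated IDs need re-owning. Rowland's other point, that connecting by IP turns off Kerberos, is separate from idmap: connect by DNS name (`\\fileserver.ad.adtest.de\example`, an assumed hostname) if a Kerberos session is wanted, and look for 'Starting GENSEC submechanism gse_krb5' in `smbclient -k -d5` output, as in his transcript, rather than an NTLMSSP negotiation.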