[Samba] Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE
Jacek
wampir990 at gmail.com
Thu Oct 29 21:00:52 UTC 2020
My OS: Gentoo Linux
Samba & krb5 version:
app-crypt/heimdal-7.6.0 abi_x86_32 abi_x86_64 berkdb caps ipv6 libressl
lmdb selinux ssl static-libs
net-fs/samba-4.11.13-r1 abi_x86_64 acl addc addns ads client cups gpg
json ldap pam profiling-data python python_single_target_python3_7 quota
selinux syslog system-heimdal winbind
My /etc/samba/smb.conf (testparm)
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
WARNING: 'workgroup' and 'netbios name' must differ.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
	bind interfaces only = Yes
	client ipc min protocol = SMB3
	client max protocol = SMB3
	client min protocol = SMB3
	client signing = if_required
	dns proxy = No
	interfaces = lo net
	log file = /var/log/samba/samba.log
	max log size = 50
	passdb backend = smbpasswd
	security = USER
	server min protocol = SMB3
	server role = standalone server
	server signing = if_required
	server string = Domek
	smb passwd file = /etc/samba/smbpasswd
	time server = Yes
	tls cafile = /etc/ssl/server/serverCA.crt
	tls certfile = /etc/ssl/server/samba.cer
	tls dh params file = /etc/ssl/server/dh4096.pem
	tls keyfile = /etc/ssl/serwer/samba.key
	workgroup = DOMEK
	idmap config * : backend = tdb
	dos filemode = Yes
	force create mode = 0060
	force directory mode = 0700
	hosts allow = 192.168.1.0/24 127.0.0.0/8 fd2c:9fd7:c7c1:10::1/60
	smb encrypt = required

[homes]
	browseable = No
	comment = Home Directories
	create mask = 0750
	read only = No
	valid users = %S
	veto files = /.*/

# user ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@DOMAIN.TLD

  Issued                Expires               Principal
Oct 29 21:02:19 2020  Oct 30 21:02:19 2020  krbtgt/DOMAIN.TLD@DOMAIN.TLD
# user ~> hostname
domek
# user ~> smbclient -L domek -U user%PaSsWoRd
session setup failed: NT_STATUS_LOGON_FAILURE
# user ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@DOMAIN.TLD

  Issued                Expires               Principal
Oct 29 21:02:19 2020  Oct 30 21:02:19 2020  krbtgt/DOMAIN.TLD@DOMAIN.TLD
# user ~> rm -f /tmp/krb5cc_1001
# user ~> klist
klist: No ticket file: /tmp/krb5cc_1001
# user ~> smbclient -L domek -U user%PaSsWoRd

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Domek)
	user            Disk      Home Directories
SMB1 disabled -- no workgroup available
# user ~>

I don't know if this is a bug or a new feature, but please choose one of
the options. ;)

If Samba in standalone mode is working with Kerberos, then it's time to
enable optional Kerberos authorization, in optional or required mode
(with the possibility to set these parameters in smb.conf).
In my opinion this requires adding parameters to smb.conf:
the location of krb5.keytab (default /etc/krb5.keytab)
and kerberos auth = (none, optional, or required).

Cheers