[Samba] Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE

Jacek wampir990 at gmail.com
Thu Oct 29 21:00:52 UTC 2020


My OS: Gentoo Linux

Samba & krb5 version:

app-crypt/heimdal-7.6.0  abi_x86_32 abi_x86_64 berkdb caps ipv6 libressl 
lmdb selinux ssl static-libs
net-fs/samba-4.11.13-r1 abi_x86_64 acl addc addns ads client cups gpg 
json ldap pam profiling-data python python_single_target_python3_7 quota 
selinux syslog system-heimdal winbind


My /etc/samba/smb.conf (testparm)

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
WARNING: 'workgroup' and 'netbios name' must differ.

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
     bind interfaces only = Yes
     client ipc min protocol = SMB3
     client max protocol = SMB3
     client min protocol = SMB3
     client signing = if_required
     dns proxy = No
     interfaces = lo net
     log file = /var/log/samba/samba.log
     max log size = 50
     passdb backend = smbpasswd
     security = USER
     server min protocol = SMB3
     server role = standalone server
     server signing = if_required
     server string = Domek
     smb passwd file = /etc/samba/smbpasswd
     time server = Yes
     tls cafile = /etc/ssl/server/serverCA.crt
     tls certfile = /etc/ssl/server/samba.cer
     tls dh params file = /etc/ssl/server/dh4096.pem
     tls keyfile = /etc/ssl/serwer/samba.key
     workgroup = DOMEK
     idmap config * : backend = tdb
     dos filemode = Yes
     force create mode = 0060
     force directory mode = 0700
     hosts allow = 192.168.1.0/24 127.0.0.0/8 fd2c:9fd7:c7c1:10::1/60
     smb encrypt = required


[homes]
     browseable = No
     comment = Home Directories
     create mask = 0750
     read only = No
     valid users = %S
     veto files = /.*/


# user ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
         Principal: user@DOMAIN.TLD

   Issued                Expires               Principal
Oct 29 21:02:19 2020  Oct 30 21:02:19 2020 krbtgt/DOMAIN.TLD@DOMAIN.TLD

# user ~> hostname
domek


# user ~>  smbclient -L domek -U user%PaSsWoRd
session setup failed: NT_STATUS_LOGON_FAILURE


# user ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
         Principal: user@DOMAIN.TLD

   Issued                Expires               Principal
Oct 29 21:02:19 2020  Oct 30 21:02:19 2020 krbtgt/DOMAIN.TLD@DOMAIN.TLD


# user ~> rm -f /tmp/krb5cc_1001


# user ~> klist
klist: No ticket file: /tmp/krb5cc_1001



# user ~>  smbclient -L domek -U user%PaSsWoRd

     Sharename       Type      Comment
     ---------       ----      -------
     IPC$            IPC       IPC Service (Domek)
     user            Disk      Home Directories
SMB1 disabled -- no workgroup available


# user ~>

I don't know if this is a bug or a new feature, but please choose one of 
the options. ;)

If Samba in standalone mode is working with Kerberos, then it's time to
enable optional Kerberos authorization in optional or required mode
(with the possibility to set these parameters in smb.conf).
In my opinion this requires adding parameters to smb.conf:
the location of krb5.keytab (default /etc/krb5.keytab)
and kerberos auth = (none, optional, or required).

Cheers




