[Samba] Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE
Rowland penny
rpenny at samba.org
Thu Oct 29 21:17:05 UTC 2020
On 29/10/2020 21:00, Jacek via samba wrote:
> My OS Gentoo Linux
>
> Samba & krb5 version:
>
> app-crypt/heimdal-7.6.0 abi_x86_32 abi_x86_64 berkdb caps ipv6
> libressl lmdb selinux ssl static-libs
> net-fs/samba-4.11.13-r1 abi_x86_64 acl addc addns ads client cups gpg
> json ldap pam profiling-data python python_single_target_python3_7
> quota selinux syslog system-heimdal winbind
>
>
> My /etc/samba/smb.conf (testparm)
>
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> WARNING: 'workgroup' and 'netbios name' must differ.
>
> Server role: ROLE_STANDALONE
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> bind interfaces only = Yes
> client ipc min protocol = SMB3
> client max protocol = SMB3
> client min protocol = SMB3
> client signing = if_required
> dns proxy = No
> interfaces = lo net
> log file = /var/log/samba/samba.log
> max log size = 50
> passdb backend = smbpasswd
> security = USER
> server min protocol = SMB3
> server role = standalone server
> server signing = if_required
> server string = Domek
> smb passwd file = /etc/samba/smbpasswd
> time server = Yes
> tls cafile = /etc/ssl/server/serverCA.crt
> tls certfile = /etc/ssl/server/samba.cer
> tls dh params file = /etc/ssl/server/dh4096.pem
> tls keyfile = /etc/ssl/serwer/samba.key
> workgroup = DOMEK
> idmap config * : backend = tdb
> dos filemode = Yes
> force create mode = 0060
> force directory mode = 0700
> hosts allow = 192.168.1.0/24 127.0.0.0/8 fd2c:9fd7:c7c1:10::1/60
> smb encrypt = required
>
>
> [homes]
> browseable = No
> comment = Home Directories
> create mask = 0750
> read only = No
> valid users = %S
> veto files = /.*/
>
>
> # user ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: user at DOMAIN.TLD
>
> Issued Expires Principal
> Oct 29 21:02:19 2020 Oct 30 21:02:19 2020 krbtgt/DOMAIN.TLD at DOMAIN.TLD
>
> # user ~> hostname
> domek
>
>
> # user ~> smbclient -L domek -U user%PaSsWoRd
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
> # user ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: user at DOMAIN.TLD
>
> Issued Expires Principal
> Oct 29 21:02:19 2020 Oct 30 21:02:19 2020 krbtgt/DOMAIN.TLD at DOMAIN.TLD
>
>
> # user ~> rm -f /tmp/krb5cc_1001
>
>
> # user ~> klist
> klist: No ticket file: /tmp/krb5cc_1001
>
>
>
> # user ~> smbclient -L domek -U user%PaSsWoRd
>
> Sharename Type Comment
> --------- ---- -------
> IPC$ IPC IPC Service (Domek)
> user Disk Home Directories
> SMB1 disabled -- no workgroup available
>
>
> # user ~>
>
> I don't know if this is a bug or a new feature, but please choose one
> of the options. ;)
>
> If Samba in standalone mode is working with Kerberos, then it's time to
> enable optional Kerberos authorization in optional or required mode
> (with the possibility to set these parameters in smb.conf).
> In my opinion this requires adding parameters to smb.conf:
> the location of krb5.keytab (default /etc/krb5.keytab)
> and kerberos auth = (none, optional, or required).
>
> Cheers
>
>
>
I do not understand why you are doing this. For Kerberos to work
correctly, you need to be able to find everything easily, and everything
must be using the same time. So, you need Kerberos, a DNS server and an
NTP server, and if you want more than authentication, you need a
fileserver. Oh look, I just described Active Directory 😁
Not saying you cannot get this setup to work, but why are you attempting
to reinvent the wheel?
Rowland