[Samba] Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE

Rowland penny rpenny at samba.org
Thu Oct 29 21:17:05 UTC 2020


On 29/10/2020 21:00, Jacek via samba wrote:
> My OS Gentoo Linux
>
> Samba & krb5 version:
>
> app-crypt/heimdal-7.6.0  abi_x86_32 abi_x86_64 berkdb caps ipv6 
> libressl lmdb selinux ssl static-libs
> net-fs/samba-4.11.13-r1 abi_x86_64 acl addc addns ads client cups gpg 
> json ldap pam profiling-data python python_single_target_python3_7 
> quota selinux syslog system-heimdal winbind
>
>
> My /etc/samba/smb.conf (testparm)
>
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> WARNING: 'workgroup' and 'netbios name' must differ.
>
> Server role: ROLE_STANDALONE
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>     bind interfaces only = Yes
>     client ipc min protocol = SMB3
>     client max protocol = SMB3
>     client min protocol = SMB3
>     client signing = if_required
>     dns proxy = No
>     interfaces = lo net
>     log file = /var/log/samba/samba.log
>     max log size = 50
>     passdb backend = smbpasswd
>     security = USER
>     server min protocol = SMB3
>     server role = standalone server
>     server signing = if_required
>     server string = Domek
>     smb passwd file = /etc/samba/smbpasswd
>     time server = Yes
>     tls cafile = /etc/ssl/server/serverCA.crt
>     tls certfile = /etc/ssl/server/samba.cer
>     tls dh params file = /etc/ssl/server/dh4096.pem
>     tls keyfile = /etc/ssl/serwer/samba.key
>     workgroup = DOMEK
>     idmap config * : backend = tdb
>     dos filemode = Yes
>     force create mode = 0060
>     force directory mode = 0700
>     hosts allow = 192.168.1.0/24 127.0.0.0/8 fd2c:9fd7:c7c1:10::1/60
>     smb encrypt = required
>
>
> [homes]
>     browseable = No
>     comment = Home Directories
>     create mask = 0750
>     read only = No
>     valid users = %S
>     veto files = /.*/
>
>
> # user ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
>         Principal: user@DOMAIN.TLD
>
>   Issued                Expires               Principal
> Oct 29 21:02:19 2020  Oct 30 21:02:19 2020 krbtgt/DOMAIN.TLD@DOMAIN.TLD
>
> # user ~> hostname
> domek
>
>
> # user ~>  smbclient -L domek -U user%PaSsWoRd
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
> # user ~> klist
> Credentials cache: FILE:/tmp/krb5cc_1001
>         Principal: user@DOMAIN.TLD
>
>   Issued                Expires               Principal
> Oct 29 21:02:19 2020  Oct 30 21:02:19 2020 krbtgt/DOMAIN.TLD@DOMAIN.TLD
>
>
> # user ~> rm -f /tmp/krb5cc_1001
>
>
> # user ~> klist
> klist: No ticket file: /tmp/krb5cc_1001
>
>
>
> # user ~>  smbclient -L domek -U user%PaSsWoRd
>
>     Sharename       Type      Comment
>     ---------       ----      -------
>     IPC$            IPC       IPC Service (Domek)
>     user            Disk      Home Directories
> SMB1 disabled -- no workgroup available
>
>
> # user ~>
>
> I don't know if this is a bug or a new feature, but please choose one 
> of the options. ;)
>
> If Samba in standalone mode works with Kerberos, then it's time to 
> enable optional Kerberos authorization in optional or required mode 
> (with the possibility to set these parameters in smb.conf).
> In my opinion this requires adding parameters to smb.conf:
> the location of krb5.keytab (default /etc/krb5.keytab)
> and kerberos auth = (none, optional, or required).
>
> Cheers
>
>
>
I do not understand why you are doing this. For Kerberos to work 
correctly, you need to be able to find everything easily, and everything 
must be using the same time. So you need Kerberos, a DNS server and an 
NTP server, and if you want more than authentication, you need a 
fileserver. Oh look, I just described Active Directory 😁

Not saying you cannot get this setup to work, but why are you attempting 
to reinvent the wheel?

Rowland
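The testparm dump quoted above already carries one warning (workgroup and netbios name must differ: the host is called domek, so the default netbios name is DOMEK, the same as the workgroup) and several hardening settings worth checking before exposing a standalone server. The script below is an added example, not Samba code and not from either poster: it parses a testparm-style dump into sections and runs a few checks that encode facts about Samba defaults (netbios name defaults to the upper-cased first label of the host name; `server min protocol` below SMB2_02 admits SMB1 dialects; `SMB2`/`SMB3` are aliases for the newest dialect of that generation; the smbpasswd backend stores NT hashes in a flat file). The sample dump is constructed from the one posted, trimmed to the lines the checks look at; the check names and messages are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the testparm dump posted in the thread.
SAMPLE_DUMP = """\
# Global parameters
[global]
    bind interfaces only = Yes
    passdb backend = smbpasswd
    security = USER
    server min protocol = SMB3
    server role = standalone server
    server signing = if_required
    smb passwd file = /etc/samba/smbpasswd
    workgroup = DOMEK
    smb encrypt = required

[homes]
    browseable = No
    read only = No
    valid users = %S
"""

# Samba dialect names in increasing order. 'SMB2' and 'SMB3' select the newest
# dialect of their generation (SMB2_10 and SMB3_11 respectively).
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with section and parameter names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def dialect_rank(name):
    """Position of a dialect name in DIALECTS, resolving aliases; None if unknown."""
    name = ALIASES.get(name.upper(), name.upper())
    return DIALECTS.index(name) if name in DIALECTS else None


def audit(sections, hostname):
    """Return a list of (check, message) findings for the [global] section."""
    g = sections.get("global", {})
    findings = []

    # testparm's warning: the netbios name defaults to the first label of the
    # host name, upper-cased, and must differ from the workgroup.
    netbios = g.get("netbios name", hostname.split(".")[0]).upper()
    workgroup = g.get("workgroup", "WORKGROUP").upper()
    if netbios == workgroup:
        findings.append(("netbios-name", f"workgroup and netbios name are both {netbios}"))

    # SMB1 dialects are only negotiable if the minimum sits below SMB2_02
    # (the Samba default since 4.11).
    rank = dialect_rank(g.get("server min protocol", "SMB2_02"))
    if rank is None:
        findings.append(("min-protocol", "unrecognised 'server min protocol' value"))
    elif rank < dialect_rank("SMB2_02"):
        findings.append(("smb1", "server min protocol admits SMB1 dialects"))

    encrypt = g.get("smb encrypt", "default").lower()
    encryption_required = encrypt in ("required", "mandatory")
    if not encryption_required:
        findings.append(("encrypt", f"smb encrypt = {encrypt}: encryption is not enforced"))

    # Required encryption implies integrity protection; otherwise signing
    # should be mandatory so sessions cannot be tampered with in transit.
    signing = g.get("server signing", "default").lower()
    if not encryption_required and signing not in ("mandatory", "required"):
        findings.append(("signing", f"server signing = {signing}: unsigned sessions accepted"))

    if g.get("passdb backend", "").lower().startswith("smbpasswd"):
        findings.append(("passdb", "smbpasswd backend: NT hashes in a flat file, keep it root-only"))
    return findings


if __name__ == "__main__":
    for check, message in audit(parse_smb_conf(SAMPLE_DUMP), "domek"):
        print(f"{check}: {message}")
```

Run it against the real dump with `testparm -s > dump.txt` and `parse_smb_conf(open("dump.txt").read())`; testparm prints the effective values, so parameters left at their defaults are absent and the `get()` defaults in `audit` stand in for them.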
