[Samba] Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE

Jacek wampir990 at gmail.com
Fri Oct 30 02:05:50 UTC 2020


> I do not understand why you are doing this, for kerberos to work
> correctly, you need to be able to find everything easily and everything
> must be using the same time. So, you need kerberos, a dns server and an
> ntp server and if you want more than authentication, you need a
> fileserver. OH look, I just described Active Directory 😁
>
> Not saying you cannot get this setup to work, but why are you attempting
> to reinvent the wheel ?
>
> Rowland


He did not reinvent the wheel.
I tested Samba DC out of curiosity, but it had too many bugs to use,
so I quit DC and went back to Standalone.

But since I had Heimdal Kerberos installed with Samba, I turned on the
kdc and kadmin daemons, added a domain, and started kinit.
Then it turned out that although Samba in standalone mode does not
support Kerberos, the very fact of the existence of the credentials
cache with the KDC daemon enabled blocks logging into Samba in the
security = USER mode.
So Samba in standalone mode does not support Kerberos, but Kerberos also works?

Heimdal-kdc log:

  2020-10-30T03:00:16 AS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
krbtgt/DOMAIN.TLD at DOMAIN.TLD
  2020-10-30T03:00:16 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
  2020-10-30T03:00:16 AS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
krbtgt/DOMAIN.TLD at DOMAIN.TLD
  2020-10-30T03:00:16 Client sent patypes: ENC-TS
  2020-10-30T03:00:16 ENC-TS pre-authentication succeeded -- user at DOMAIN.TLD
  2020-10-30T03:00:16 Client supported enctypes: 
aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, 
des3-cbc-md5, arcfour-hmac-md5, using 
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
  2020-10-30T03:00:16 Requested flags: canonicalize, forwardable
  2020-10-30T03:00:16 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
cifs/domek at DOMAIN.TLD [canonicalize]
  2020-10-30T03:00:16 Searching referral for domek
  2020-10-30T03:00:16 Server not found in database: 
cifs/domek at DOMAIN.TLD: Unknown code hdb 3
  2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
  2020-10-30T03:00:16 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
cifs/domek at DOMAIN.TLD
  2020-10-30T03:00:16 Server not found in database: 
cifs/domek at DOMAIN.TLD: no such entry found in hdb
  2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
  2020-10-30T03:00:16 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
cifs/domek at DOMAIN.TLD [canonicalize]
  2020-10-30T03:00:16 Searching referral for domek
  2020-10-30T03:00:16 Server not found in database: 
cifs/domek at DOMAIN.TLD: Unknown code hdb 3
  2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
  2020-10-30T03:00:16 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
cifs/domek at DOMAIN.TLD
  2020-10-30T03:00:16 Server not found in database: 
cifs/domek at DOMAIN.TLD: no such entry found in hdb
  2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
  2020-10-30T03:00:24 AS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
krbtgt/DOMAIN.TLD at DOMAIN.TLD
  2020-10-30T03:00:24 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
  2020-10-30T03:00:24 AS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
krbtgt/DOMAIN.TLD at DOMAIN.TLD
  2020-10-30T03:00:24 Client sent patypes: ENC-TS
  2020-10-30T03:00:24 ENC-TS pre-authentication succeeded -- user at DOMAIN.TLD
  2020-10-30T03:00:24 Client supported enctypes: 
aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, 
des3-cbc-md5, arcfour-hmac-md5, using 
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
  2020-10-30T03:00:24 Requested flags: canonicalize, forwardable
  2020-10-30T03:00:24 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
cifs/domek at DOMAIN.TLD [canonicalize]
  2020-10-30T03:00:24 Searching referral for domek
  2020-10-30T03:00:24 Server not found in database: 
cifs/domek at DOMAIN.TLD: Unknown code hdb 3
  2020-10-30T03:00:24 Failed building TGS-REP to IPv4:192.168.1.10
  2020-10-30T03:00:24 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
cifs/domek at DOMAIN.TLD
  2020-10-30T03:00:24 Server not found in database: 
cifs/domek at DOMAIN.TLD: no such entry found in hdb
  2020-10-30T03:00:24 Failed building TGS-REP to IPv4:192.168.1.10
  2020-10-30T03:00:24 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
cifs/domek at DOMAIN.TLD [canonicalize]
  2020-10-30T03:00:24 Searching referral for domek
  2020-10-30T03:00:24 Server not found in database: 
cifs/domek at DOMAIN.TLD: Unknown code hdb 3
  2020-10-30T03:00:24 Failed building TGS-REP to IPv4:192.168.1.10
  2020-10-30T03:00:24 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for 
cifs/domek at DOMAIN.TLD
  2020-10-30T03:00:24 Server not found in database: 
cifs/domek at DOMAIN.TLD: no such entry found in hdb
  2020-10-30T03:00:24 Failed building TGS-REP to IPv4:192.168.1.10

Cheers
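An added diagnostic, not from this thread and not part of Samba or Heimdal, that scans a Heimdal KDC log for TGS-REQs whose target principal the KDC could not find. That is the pattern in the log above: the client, holding a TGT, asks for a service ticket for cifs/domek, the KDC has no such entry, and the SMB session setup fails with NT_STATUS_LOGON_FAILURE until the ticket cache is removed. The sample log lines are constructed from the ones posted above, with the list archive's "at" written back as "@".

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Heimdal KDC log in the thread, with the
# mailing-list "at" obfuscation written back as "@".
SAMPLE_LOG = """\
2020-10-30T03:00:16 AS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for krbtgt/DOMAIN.TLD@DOMAIN.TLD
2020-10-30T03:00:16 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD [canonicalize]
2020-10-30T03:00:16 Server not found in database: cifs/domek@DOMAIN.TLD: Unknown code hdb 3
2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
2020-10-30T03:00:16 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD
2020-10-30T03:00:16 Server not found in database: cifs/domek@DOMAIN.TLD: no such entry found in hdb
"""
TGS_RE = re.compile(r"^(\S+) TGS-REQ (\S+) from (\S+) for (\S+?)(?: \[.*\])?$")
NOTFOUND_RE = re.compile(r"^(\S+) Server not found in database: (\S+): ")

def missing_service_principals(log_text):
    """Map each service principal the KDC could not find to the TGS-REQs that
    asked for it (Heimdal logs the lookup failure right after its TGS-REQ)."""
    last_req = None
    found = defaultdict(lambda: {"requests": 0, "clients": set(), "users": set()})
    for line in log_text.splitlines():
        m = TGS_RE.match(line)
        if m:
            _, user, client, service = m.groups()
            last_req = (user, client, service)
            continue
        m = NOTFOUND_RE.match(line)
        if m and last_req and m.group(2) == last_req[2]:
            user, client, service = last_req
            rec = found[service]
            rec["requests"] += 1
            rec["clients"].add(client)
            rec["users"].add(user)
    return dict(found)

def diagnose(log_text):
    """One verdict per missing principal; cifs/<host> is the SMB case from the thread."""
    verdicts = []
    for service, rec in missing_service_principals(log_text).items():
        name = service.partition("@")[0]
        who = f"{rec['requests']} TGS-REQ from {sorted(rec['clients'])} for {sorted(rec['users'])}"
        if name.startswith("cifs/"):
            host = name.split("/", 1)[1]
            verdicts.append(f"{service}: {who}; clients holding a TGT try Kerberos against '{host}' "
                            "first, so SMB session setup fails (NT_STATUS_LOGON_FAILURE) until the "
                            "SPN and keytab exist or the client's credentials cache is cleared")
        else:
            verdicts.append(f"{service}: {who}; no such principal in the KDC database")
    return verdicts
```

Run it over a real kdc log (for example `diagnose(open("/var/log/heimdal-kdc.log").read())`, path assumed) to list every service principal clients are asking for that the KDC does not know about.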

W dniu 29.10.2020 o 22:17, Rowland penny via samba pisze:
> On 29/10/2020 21:00, Jacek via samba wrote:
>> My OS Gentoo Linux
>>
>> Samba & krb5 version:
>>
>> app-crypt/heimdal-7.6.0  abi_x86_32 abi_x86_64 berkdb caps ipv6 
>> libressl lmdb selinux ssl static-libs
>> net-fs/samba-4.11.13-r1 abi_x86_64 acl addc addns ads client cups gpg 
>> json ldap pam profiling-data python python_single_target_python3_7 
>> quota selinux syslog system-heimdal winbind
>>
>>
>> My /etc/samba/smb.conf (testparm)
>>
>> Load smb config files from /etc/samba/smb.conf
>> Loaded services file OK.
>> WARNING: 'workgroup' and 'netbios name' must differ.
>>
>> Server role: ROLE_STANDALONE
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>>     bind interfaces only = Yes
>>     client ipc min protocol = SMB3
>>     client max protocol = SMB3
>>     client min protocol = SMB3
>>     client signing = if_required
>>     dns proxy = No
>>     interfaces = lo net
>>     log file = /var/log/samba/samba.log
>>     max log size = 50
>>     passdb backend = smbpasswd
>>     security = USER
>>     server min protocol = SMB3
>>     server role = standalone server
>>     server signing = if_required
>>     server string = Domek
>>     smb passwd file = /etc/samba/smbpasswd
>>     time server = Yes
>>     tls cafile = /etc/ssl/server/serverCA.crt
>>     tls certfile = /etc/ssl/server/samba.cer
>>     tls dh params file = /etc/ssl/server/dh4096.pem
>>     tls keyfile = /etc/ssl/serwer/samba.key
>>     workgroup = DOMEK
>>     idmap config * : backend = tdb
>>     dos filemode = Yes
>>     force create mode = 0060
>>     force directory mode = 0700
>>     hosts allow = 192.168.1.0/24 127.0.0.0/8 fd2c:9fd7:c7c1:10::1/60
>>     smb encrypt = required
>>
>>
>> [homes]
>>     browseable = No
>>     comment = Home Directories
>>     create mask = 0750
>>     read only = No
>>     valid users = %S
>>     veto files = /.*/
>>
>>
>> # user ~> klist
>> Credentials cache: FILE:/tmp/krb5cc_1001
>>         Principal: user at DOMAIN.TLD
>>
>>   Issued                Expires               Principal
>> Oct 29 21:02:19 2020  Oct 30 21:02:19 2020 krbtgt/DOMAIN.TLD at DOMAIN.TLD
>>
>> # user ~> hostname
>> domek
>>
>>
>> # user ~>  smbclient -L domek -U user%PaSsWoRd
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>>
>> # user ~> klist
>> Credentials cache: FILE:/tmp/krb5cc_1001
>>         Principal: user at DOMAIN.TLD
>>
>>   Issued                Expires               Principal
>> Oct 29 21:02:19 2020  Oct 30 21:02:19 2020 krbtgt/DOMAIN.TLD at DOMAIN.TLD
>>
>>
>> # user ~> rm -f /tmp/krb5cc_1001
>>
>>
>> # user ~> klist
>> klist: No ticket file: /tmp/krb5cc_1001
>>
>>
>>
>> # user ~>  smbclient -L domek -U user%PaSsWoRd
>>
>>     Sharename       Type      Comment
>>     ---------       ----      -------
>>     IPC$            IPC       IPC Service (Domek)
>>     user            Disk      Home Directories
>> SMB1 disabled -- no workgroup available
>>
>>
>> # user ~>
>>
>> I don't know if this is a bug or a new feature, but please choose one 
>> of the options. ;)
>>
>> If Samba in Standalone mode is working with kerberos then it's time 
>> to enable optional kerberos authorization in optional or required 
>> mode, (with the possibility to set these parameters in smb.conf)
>> in my opinion this requires adding  parameters to smb.conf:
>> location of krb5.keytab (default /etc/krb5.keytab)
>> and kerberos auth = (none, optional, or required).
>>
>> Cheers
>>
>>
>>
> I do not understand why you are doing this, for kerberos to work 
> correctly, you need to be able to find everything easily and 
> everything must be using the same time. So, you need kerberos, a dns 
> server and an ntp server and if you want more than authentication, you 
> need a fileserver. OH look, I just described Active Directory 😁
>
> Not saying you cannot get this setup to work, but why are you 
> attempting to reinvent the wheel ?
>
> Rowland



