L.P.H. van Belle
2017-Feb-01 11:26 UTC
[Samba] winbind question. (challenge/response password authentication)
Hai,

I'm setting up a new proxy and I'm testing a bit around.
Goal is: get everything working with minimal changes to the system.

Setup: Debian 8 with NFS nfsv3 and v4 (krb) automounts, winbind 4.5.3, squid 3.5.24 (with ssl support)
Which is basically a copy of my other proxy but a new install with more systemd and less packages used.

Working:
- ssh logins with AD users. Userdirs nfsv4.
- NFSv3 and NFSv4 (krb5) (with systemd with automount for user home dirs)
- Squid with basic auth (over ldap ssl)
- Put needed SPN in the keytab file.
  o bug found: samba-tool spn add HTTP/hostname.domain.tld@REALM proxy2$
    § keytab result is http/ not HTTP/ ; squid needs HTTP !

Not working:
- Winbind user tests.
- Kerberos Auth for squid. Need to fix keytab first.

The setup/config

The running smb.conf

[global]
    workgroup = NTDOM
    security = ads
    realm = REALM

    netbios name = PROXY2
    preferred master = no
    domain master = no
    host msdfs = no

    interfaces = 192.168.0.2 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    # Add and Update TLS Key
    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/p2.pem
    tls certfile = /etc/ssl/local/certs/p2.pem
    tls cafile = /etc/ssl/certs/company-ca.pem

    ## map ids from outside the domain to tdb files.
    idmap config * :backend = tdb
    idmap config * :range = 2000-9999

    ## map ids from the domain; the ranges may not overlap !
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Use home directory and shell information from AD
    winbind nss info = rfc2307

    # no NTDOM\user@hostname: but user@hostname as prompt with ssh logins
    winbind use default domain = yes

    winbind trusted domains only = no
    winbind cache time = 15
    winbind enum users = yes
    winbind enum groups = yes

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups ! slows down your samba if the group depth is too large
    winbind expand groups = 4

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershare creation, when set empty no error log messages.
    usershare path =

    # Disable printing completely, when set empty no error log messages.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

Output of my keytab file.

klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 host/proxy2@REALM (des-cbc-crc)
   3 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 host/proxy2@REALM (des-cbc-md5)
   3 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 host/proxy2@REALM (aes128-cts-hmac-sha1-96)
   3 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 host/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 host/proxy2@REALM (arcfour-hmac)
   3 proxy2$@REALM (des-cbc-crc)
   3 proxy2$@REALM (des-cbc-md5)
   3 proxy2$@REALM (aes128-cts-hmac-sha1-96)
   3 proxy2$@REALM (aes256-cts-hmac-sha1-96)
   3 proxy2$@REALM (arcfour-hmac)
   3 nfs/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 nfs/proxy2@REALM (des-cbc-crc)
   3 nfs/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 nfs/proxy2@REALM (des-cbc-md5)
   3 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 nfs/proxy2@REALM (aes128-cts-hmac-sha1-96)
   3 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 nfs/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 nfs/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 nfs/proxy2@REALM (arcfour-hmac)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 http/proxy2@REALM (des-cbc-crc)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 http/proxy2@REALM (des-cbc-md5)
   3 http/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 http/proxy2@REALM (aes128-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 http/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 http/proxy2@REALM (arcfour-hmac)

And I'm having a hard time getting this explained. (see below.)
So maybe someone on the list can explain this more to me.

And I found also in the list already: same problem/subjects.
28-12-2016 : Re: [Samba] Error with samba update in debian.
3?9-2016 : [Samba] challenge/response password authentication seems to be broken

My tests:

1
ntlm_auth --request-nt-key --username=username
Password:
NT_STATUS_OK: Success (0x0)

2
ntlm_auth --request-lm-key --username=username
Password:
NT_STATUS_OK: Success (0x0)

3
ntlm_auth --username=username --ntlmv2
Password:
NT_STATUS_OK: Success (0x0)

4
ntlm_auth --username=username --lanman
Password:
NT_STATUS_OK: Success (0x0)

5
ntlm_auth --username=username --krb5auth=username
Password:
NT_STATUS_OK: Success (0x0)

But...

6
ntlm_auth --diagnostics --username=username
Password:
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)

7
wbinfo -a username
Enter username's password:
plaintext password authentication failed
Could not authenticate user username with plaintext password
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user username with challenge/response

8
wbinfo --krb5auth=username
Enter username's password:
plaintext kerberos password authentication for [username] failed (requesting cctype: FILE)
wbcLogonUser(username): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user [username] with Kerberos (ccache: FILE)

9
wbinfo --krb5auth='NTDOM\username'
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

10
wbinfo --krb5auth='username@REALM'
Enter username@REALM's password:
plaintext kerberos password authentication for [username@REALM] failed (requesting cctype: FILE)
wbcLogonUser(username@REALM): error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
error message was: Logon failure
Could not authenticate user [username@REALM] with Kerberos (ccache: FILE)

Now I enabled in smb.conf: winbind use default domain = yes

klist
klist: Credentials cache file '/tmp/krb5cc_0' not found

1
ntlm_auth --request-nt-key --username=username
Password:
NT_STATUS_OK: Success (0x0)

2
ntlm_auth --request-lm-key --username=username
Password:
NT_STATUS_OK: Success (0x0)

3
ntlm_auth --username=username --ntlmv2
Password:
NT_STATUS_OK: Success (0x0)

4
ntlm_auth --username=username --lanman
Password:
NT_STATUS_OK: Success (0x0)

5
ntlm_auth --username=username --krb5auth=username
Password:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

6
ntlm_auth --diagnostics --username=username
Password:
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)

7
wbinfo -a username
Enter username's password:
plaintext password authentication succeeded
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user username with challenge/response

8
wbinfo --krb5auth=username
Enter username's password:
plaintext kerberos password authentication for [username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

9
kdestroy -A
root@rtd-proxy2:~# wbinfo --krb5auth='NTDOM\username'
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

10
kdestroy -A
root@rtd-proxy2:~# wbinfo --krb5auth='username@REALM'
Enter username@REALM's password:
plaintext kerberos password authentication for [username@REALM] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

What is missing in my config? Hints, tips?
I know that the devs are working on more consistent results with winbind, I just don't know if it's deployed yet.

Tests overview (smb.conf: winbind use default domain)

Test    No      Yes
1       Ok      Ok
2       Ok      Ok
3       Ok      Ok
4       Ok      Ok
5       Ok      Fail
6       Fail    Fail
7       Fail    ½ ok ½ fail
8       Fail    Ok
9       Ok      Ok
10      Fail    Ok

Strange to me is 5:
ntlm_auth --username=username --krb5auth=username

I can't explain 6.
ntlm_auth --diagnostics --username=username

7
wbinfo -a username
with winbind use default domain = yes, plaintext password authentication succeeded but challenge/response password authentication failed.

kerberos related auth
8  wbinfo --krb5auth=username
9  wbinfo --krb5auth='NTDOM\username'
10 wbinfo --krb5auth='username@REALM'

so I'm wondering if I'm getting a better result with winbind use default domain = yes

Greetz,

Louis
mathias dufresne
2017-Feb-01 16:32 UTC
[Samba] winbind question. (challenge/response password authentication)
Hi Louis,

First, sorry, I haven't fully understood what the question(s) related to all these tests were. I won't try to help on that.

A small question about the lower case service part of the SPN: you wrote that when adding into AD some SPN with HTTP in upper case, then you have "http" in place of "HTTP" in the keytab.

As you:
1 - add the SPN into some DB
2 - use some tool to extract info from that DB to create a keytab
3 - use another tool to read the keytab

I'm wondering what your AD database contains. Is it "HTTP/..." or "http/..."?

I mean, I wonder if this problem comes from 1°) If AD contains lower case when you have added an upper case SPN, the error seems to come from the way the SPN is added into AD. Perhaps you can use ldbedit to change that lower case SPN to an upper case SPN. If the SPN is still upper case after that ldbedit, you can retry to create the keytab.

Perhaps it comes from 2°, so the tool used to create the keytab. You could try to use ktutil, I suppose, to create keytabs.

I don't really believe it comes from 3° :)

Anyway you can "cat /path/to/http.keytab" to check if it contains UPPER or lower case...

Just ideas pushed like that... that does not imply they are good ideas :p

2017-02-01 12:26 GMT+01:00 L.P.H. van Belle via samba <samba@lists.samba.org>:
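As an added example (not code from either mail), here is a small parser over "klist -ke" output that does the case-sensitive principal check Mathias suggests, and also flags the single-DES and RC4 keys that are visible in Louis's listing. The sample listing is constructed from the principals in the mail and is not a real keytab.

```python
import re

# Constructed sample, modelled on the klist -ke listing in Louis's mail
# (same realm and hostnames; a subset of the entries).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 proxy2$@REALM (arcfour-hmac)
   3 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-md5)
"""

# Enctypes deprecated for Kerberos (DES in RFC 6649, 3DES and RC4 in RFC 8429).
# A keytab that still carries them lets a peer negotiate down to a weak key.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# One keytab entry line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -ke output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def find_principal(entries, wanted):
    """Case-sensitive lookup, because Kerberos principals are case-sensitive:
    'http/host@REALM' does not satisfy a client asking for 'HTTP/host@REALM'.
    Returns 'exact', 'case-mismatch' or 'missing'."""
    names = {principal for _, principal, _ in entries}
    if wanted in names:
        return "exact"
    if wanted.lower() in {n.lower() for n in names}:
        return "case-mismatch"
    return "missing"


def weak_entries(entries):
    """Sorted (principal, enctype) pairs whose key uses a weak enctype."""
    return sorted({(p, e) for _, p, e in entries if e in WEAK_ENCTYPES})


if __name__ == "__main__":
    ents = parse_klist(SAMPLE_KLIST)
    # Squid asks for HTTP/ in upper case, as Louis's mail notes.
    print(find_principal(ents, "HTTP/proxy2.internal.domain.tld@REALM"))
    for principal, enctype in weak_entries(ents):
        print("weak key:", principal, enctype)
```

Run it against real output with `klist -ke /etc/krb5.keytab | python3 -` after swapping SAMPLE_KLIST for sys.stdin.read(); a "case-mismatch" result for the HTTP/ principal is the symptom Louis describes.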