Paquin, Brian
2019-Mar-01 21:57 UTC
[Samba] Can't authenticate to AD using Samba with SSSD
Would someone please tell me where I can find some good troubleshooting documents to resolve AD authentication issues when using Samba? Is this mailing list the best place?

I was able to set up a working WINBIND-Samba setup on CentOS 7.6, but I am required to use SSSD on a different CentOS 7.6 server. Using a test VM, I can get services running, but I can't authenticate from a Mac or smbclient.

Partial output of /var/log/samba/log.10.84.2.148 (the Mac client):

[2019/03/01 15:53:46.544858, 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[btp4] domain=[YALE] workstation=[PAQUIN3200] len1=24 len2=224
[2019/03/01 15:53:46.544907, 3] ../source3/param/loadparm.c:3868(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/03/01 15:53:46.544956, 3] ../source3/param/loadparm.c:547(init_globals)
  Initialising global parameters
[2019/03/01 15:53:46.545088, 3] ../source3/param/loadparm.c:2782(lp_do_section)
  Processing section "[global]"
  doing parameter workgroup = YALE
  doing parameter realm = YU.YALE.EDU
  doing parameter security = ads
  doing parameter idmap config * : range = 1677216-33554431
  doing parameter idmap config YALE:schema_mode = rfcc2307
  doing parameter idmap config YALE:range = 100000-199999
  doing parameter idmap config YALE:backend = rid
  doing parameter idmap * : backend = tbd
  doing parameter dedicated keytab file = /etc/krb5.keytab
  doing parameter log file = /var/log/samba/log.%m
  doing parameter log level = 4
  doing parameter guest account = nobody
  doing parameter guest ok = no
  doing parameter template shell = /sbin/nologin
  doing parameter kerberos method = system keytab
  doing parameter store dos attributes = yes
  doing parameter vfs objects = acl_xattr
[2019/03/01 15:53:46.545450, 2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[testshare]"
  doing parameter comment = testshare
  doing parameter path = /testshare
  doing parameter valid users = @pathology_its
  doing parameter writable = yes
  doing parameter read only = No
[2019/03/01 15:53:46.545573, 4] ../source3/param/loadparm.c:3910(lp_load_ex)
  pm_process() returned Yes
[2019/03/01 15:53:46.545604, 3] ../source3/param/loadparm.c:1617(lp_add_ipc)
  adding IPC service
[2019/03/01 15:53:46.545669, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [YALE]\[btp4]@[PAQUIN3200] with the new password interface
[2019/03/01 15:53:46.545691, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [YALE]\[btp4]@[PAQUIN3200]
[2019/03/01 15:53:46.545715, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2019/03/01 15:53:46.545735, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2019/03/01 15:53:46.545753, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/03/01 15:53:46.545807, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/03/01 15:53:46.545828, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [btp4] -> [btp4] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2019/03/01 15:53:46.545864, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019 15:53:46.545851 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58286] mapped to [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
[2019/03/01 15:53:46.545899, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/03/01 15:53:46.545937, 3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_LOGON_FAILURE
[2019/03/01 15:53:46.545965, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2019/03/01 15:53:46.545985, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/03/01 15:53:46.546002, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/03/01 15:53:46.546039, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/03/01 15:53:46.546067, 3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137

My workflow for setting up SSSD and Samba:

1) yum install -y sssd realmd adcli samba-common samba-common-tools krb5-workstation openldap-clients ntpdate ntp nss-pam-ldapd policycoreutils-python samba-client samba nano
2) realm join ... #shortened command; binding to specific OU; works as expected
3) authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
4) nano /etc/samba/smb.conf
5) testparm
6) mkdir /testshare
7) id btp4@yu.yale.edu #works as expected
8) chown -R root:pathology_its@yu.yale.edu /testshare/
9) chcon -Rt samba_share_t /testshare/
10) kinit btp4
11) net ads join -k
12) kinit -k CENTOSSSSD$ #name of test server
13) /usr/bin/ldapsearch -H ... #shortened command; works as expected
14) systemctl enable smb
15) systemctl enable nmb
16) systemctl start smb
17) systemctl start nmb
18) firewall-cmd --add-service=samba --permanent
19) firewall-cmd --reload

I can provide contents of krb5.conf or sssd.conf if needed.

Sorry for the lengthy email.

Thank you,
Brian
Rowland Penny
2019-Mar-02 09:10 UTC
[Samba] Can't authenticate to AD using Samba with SSSD
On Fri, 1 Mar 2019 21:57:42 +0000 "Paquin, Brian via samba" <samba at lists.samba.org> wrote:

> Would someone please tell me where I can find some good
> troubleshooting documents to resolve AD authentication issues when
> using Samba? Is this mailing list the best place?

Sorry Brian, but you are asking in the wrong place. Samba does not supply sssd, so it cannot support it, try the sssd-users mailing list ;-)

Rowland
L.P.H. van Belle
2019-Mar-04 09:07 UTC
[Samba] Can't authenticate to AD using Samba with SSSD
Quick look showed an error in rfc2307, so try fixing the smb.conf

This one.

> > doing parameter idmap config YALE:schema_mode = rfcc2307

rfcc2307 ?? cc ?
rfc2307

Greetz,

Louis
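
Added example (not part of the original thread, and not Samba project code): a small linter that reads the "doing parameter" lines smbd writes at log level 3 and above and flags idmap settings whose name or value is not recognised, such as the schema_mode value pointed out above. The function names are hypothetical, and the lists of accepted values are an assumption recalled from the idmap_*(8) man pages; check them against the Samba version in use.

```python
import difflib
import re

# Constructed sample: idmap-related "doing parameter" lines copied from the log in this thread.
SAMPLE_LOG = """\
  doing parameter security = ads
  doing parameter idmap config * : range = 1677216-33554431
  doing parameter idmap config YALE:schema_mode = rfcc2307
  doing parameter idmap config YALE:range = 100000-199999
  doing parameter idmap config YALE:backend = rid
  doing parameter idmap * : backend = tbd
"""

# Assumption: allowlists recalled from the idmap_*(8) man pages; adjust to your Samba version.
BACKENDS = {"ad", "autorid", "hash", "ldap", "nss", "rfc2307", "rid", "script", "tdb", "tdb2"}
SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}  # assumption: read by the "ad" backend only
CHECKS = {"backend": BACKENDS, "schema_mode": SCHEMA_MODES}

PARAM_RE = re.compile(r"doing parameter\s+(.+?)\s*=\s*(.*)$")
IDMAP_RE = re.compile(r"^idmap(\s+config)?\s+(\S+?)\s*:\s*(\w+)$")


def parse_params(log_text):
    """Return (name, value) for each 'doing parameter' line smbd logged."""
    matches = (PARAM_RE.search(line) for line in log_text.splitlines())
    return [(m.group(1).strip(), m.group(2).strip()) for m in matches if m]


def lint_idmap(params):
    """Return human-readable findings for malformed or unknown idmap settings."""
    findings, settings, backend_of = [], [], {}
    for name, value in params:
        m = IDMAP_RE.match(name)
        if not m:
            continue  # not a per-domain idmap option
        has_config, domain, option = m.groups()
        if not has_config:
            findings.append(f"{name!r}: expected 'idmap config {domain} : {option}'")
        settings.append((domain, option, value))
        if option == "backend":
            backend_of[domain] = value
    for domain, option, value in settings:
        allowed = CHECKS.get(option)
        if allowed and value not in allowed:
            hint = difflib.get_close_matches(value, sorted(allowed), n=1)
            suffix = f" (did you mean {hint[0]!r}?)" if hint else ""
            findings.append(f"{domain}:{option} = {value!r} is not a known value{suffix}")
        if option == "schema_mode" and backend_of.get(domain) != "ad":
            findings.append(f"{domain}:schema_mode has no effect with backend "
                            f"{backend_of.get(domain)!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_idmap(parse_params(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, it reports the misspelled schema_mode, the schema_mode set on a domain whose backend is rid, and the default-domain backend line that lacks the "config" keyword and carries an unknown backend name.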
Rowland Penny
2019-Mar-04 09:14 UTC
[Samba] Can't authenticate to AD using Samba with SSSD
On Mon, 4 Mar 2019 10:07:08 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Quick look showed an error in rfc2307, so try fixing the smb.conf
>
> This one.
> > > doing parameter idmap config YALE:schema_mode = rfcc2307
> rfcc2307 ?? cc ?
> rfc2307

Louis, there is an even bigger problem than that, but we don't support sssd, so he needs to ask on the sssd-mailing list.

If the OP was to read the release notes for 4.8.0, he will find that he needs to install something, at which point, he might just think 'If I have to install that, why bother with sssd ?'

Rowland