Hi all,

this is probably VFAQ, but I never found a working solution. I have a standalone samba server running samba ver. 3. In the network, we have heimdal kerberos used to authenticate users for pop3, imap, web-based applications etc. Now I would like to make samba communicate with the kerberos kdc so there will no longer be users in smbpasswd with separate passwords outside of kerberos.

I already compiled samba with the --with-krb5 configure switch and have the following options in smb.conf:

    client use spnego = yes
    realm = KERBEROS.REALM.NAME
    use kerberos keytab = yes

While it is heimdal's kerberos implementation, I added

    default_keytab_name = FILE:/etc/krb5.keytab

to the [libdefaults] section of /etc/krb5.conf as I saw somewhere. But this is still not working for me:

Debug on the client side:

    $ smbclient -d3 -U komanek //127.0.0.1/homes
    lp_load: refreshing parameters
    Initialising global parameters
    params.c:pm_process() - Processing configuration file "/usr/local/lib/smb.conf"
    Processing section "[global]"
    added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
    added interface ip=a.b.c.d bcast=a.b.c.255 nmask=255.255.255.0
    Client started (version 3.0.14a).
    Connecting to 127.0.0.1 at port 445
    Password:
    Doing spnego session setup (blob length=58)
    got OID=1 3 6 1 4 1 311 2 2 10
    got principal=NONE
    Got challenge flags:
    Got NTLMSSP neg_flags=0x608a0215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60080215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60080215
    SPNEGO login failed: Logon failure
    session setup failed: NT_STATUS_LOGON_FAILURE

Using the -k switch in smbclient disables the password prompt, but in other aspects it has the same behavior, regardless of whether I have a valid kerberos ticket or not.
Debug on the server side:

    [2005/05/26 09:50:15, 4] lib/username.c:map_username(132)
      Scanning username map /usr/local/etc/samba/smbusers
    [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info_map(224)
      make_user_info_map: Mapping user [XXX.NATUR.CUNI.CZ]\[komanek] from workstation [XXX]
    [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(132)
      attempting to make a user_info for komanek (komanek)
    [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(142)
      making strings for komanek's user_info struct
    [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(184)
      making blobs for komanek's user_info struct
    [2005/05/26 09:50:15, 10] auth/auth_util.c:make_user_info(200)
      made an encrypted user_info for komanek (komanek)
    [2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(219)
      check_ntlm_password: Checking password for unmapped user [XXX.NATUR.CUNI.CZ]\[komanek]@[XXX] with the new password interface
    [2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(222)
      check_ntlm_password: mapped user is: [XXX]\[komanek]@[XXX]
    [2005/05/26 09:50:15, 10] auth/auth.c:check_ntlm_password(231)

What should I do to make kerberos authentication in samba work?

Thanks in advance,

David Komanek
The "with Kerberos" option is only to allow samba to authenticate to a Microsoft Active Directory Kerberos server. You basically have two options: keep using smbpasswd files or store the passwords in an LDAP directory. It seems the recommended method by the Samba team is to use LDAP. However, you can use the pam_smbpass module to keep smbpasswd files updated with whatever other password methods you might use. pam_smbpass does not work with LDAP stored passwords to my knowledge.

On Thu, 2005-05-26 at 10:05 +0200, David Komanek wrote:
Thank you very much for the patch. Unfortunately, this still does not work for me.

David

    Client started (version 3.0.14a).
    Connecting to 127.0.0.1 at port 445
    session request ok
    Serverzone is -7200
    Doing spnego session setup (blob length=58)
    got OID=1 3 6 1 4 1 311 2 2 10
    got principal=NONE
    Got challenge flags:
    Got NTLMSSP neg_flags=0x608a0215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_CHAL_TARGET_INFO
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60080215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60080215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    SPNEGO login failed: Logon failure
    session setup failed: NT_STATUS_LOGON_FAILURE
I noticed one more thing. The problem probably starts a few lines before the patch, because the got_kerberos variable is set to 0 (FALSE). So I think the parse_negTokenTarg() function fills OIDs[] with something that is not recognized. So should I forget about authentication against heimdal's KDC this way?

Thanks,

David

---------- My previous message ----------
Date: Tue, 31 May 2005 14:19:52 +0200 (CEST)
From: David Komanek <xdavid@lib-eth.natur.cuni.cz>
To: Andrew Bartlett <abartlet@samba.org>
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba3 and kerberos authentication of users
Dominik J. Fischer
2005-May-31 14:47 UTC
[Samba] samba3 and kerberos authentication of users
I am using this constellation, too, but users cannot log on to my (samba-pdc controlled) domain while there is no problem accessing shares. What is the difference in authentication between logging in to a share and the domain log-on procedure (when I start my windows workstation and have to give my username and password)? Thanks! Dominik