Andrej Pintar
2013-Apr-05 23:25 UTC
[Samba] Struggling with Samba + AD member config (winbind auth failing) :(
Hello Samba List,

I am struggling with connecting Samba to our AD servers. Thought it would be easy as before, but I was wrong.

DCs: Windows Server 2012 (2x) with AD Domain Forest/Level 2003 NATIVE
+ SBS 2003 (will be removed, migrating from SBS AD to new 2012 servers)
- standard AD schema with Exchange attributes; DID NOT INSTALL UNIX attributes. This is required for SSSD. Thought I would go without it.

Not sure where the hiccup is.
- doubts on Windows Server 2012 security

I was able to connect the existing configuration on a Windows Server 2012 VM - with some test domain in a virtual environment. Thought maybe someone would know a neat trick.

Linux: CentOS 5.9 updated
- Samba 3.0.33 - using
- Samba 3.6.6 (3x package) - tried
- Samba 4.0.0 - tried
Tried Winbind and SSSD.

I have set up PAM, NSSWITCH, KRB5, SMB.

net ads info - ok
net ads status - ok
wbinfo -u - ok
wbinfo -g - ok
wbinfo -t - ok
wbinfo -m - ok
kinit administrator@UNILINEDOO.LOCAL - ok
klist -ke - ok
net ads testjoin - ok
id <user> - ok
getent passwd - ok
getent group - ok

join commands:
net join ads -U Administrator
net join ads -U Administrator createupn="cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL"

Was looking at GPO in WIN2K12:
- encryption
- SMB signing
- Kerberos enc
- netlogon compatibility
- RPC client auth
- regedit: lanmanserver, lanmanworkstation
- SAM enumeration
- pipes
- pipe perms on /var/cache/samba/winbindd_priv/pipe

kinit did not work for:
kinit CBOX40$ - asks pass

klist:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (DES cbc mode with CRC-32)
   3 host/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (DES cbc mode with RSA-MD5)
   3 host/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (ArcFour with HMAC/md5)
   3 host/cbox40@UNILINEDOO.LOCAL (DES cbc mode with CRC-32)
   3 host/cbox40@UNILINEDOO.LOCAL (DES cbc mode with RSA-MD5)
   3 host/cbox40@UNILINEDOO.LOCAL (ArcFour with HMAC/md5)
   3 CBOX40$@UNILINEDOO.LOCAL (DES cbc mode with CRC-32)
   3 CBOX40$@UNILINEDOO.LOCAL (DES cbc mode with RSA-MD5)
   3 CBOX40$@UNILINEDOO.LOCAL (ArcFour with HMAC/md5)
   3 cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (DES cbc mode with CRC-32)
   3 cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (DES cbc mode with RSA-MD5)
   3 cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL (ArcFour with HMAC/md5)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Configs:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

KRB5:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log

[libdefaults]
 default_realm = UNILINEDOO.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 clockskew = 300
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac

[realms]
 TDD.LOCAL = {
  kdc = 192.168.0.237:88
  kdc = 192.168.0.238:88
  master_kdc = 192.168.0.237
  default_domain = UNILINEDOO.LOCAL
 }

[domain_realm]
 .unilinedoo.local = UNILINEDOO.LOCAL
 unilinedoo.local = UNILINEDOO.LOCAL

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 15d
  renew_lifetime = 15d
  forwardable = true
  krb4_convert = false
 }

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
SMB.CONF:
[global]
 log file = /var/log/samba/%m.log
 load printers = no
 # Global winbind settings
 #idmap backend = rid:UNILINEDOO=10000-50000
 idmap backend = ad
 idmap uid = 10000-40000
 idmap gid = 10000-40000
 #idmap domains = UNILINEDOO
 #idmap config UNILINEDOO: default = yes
 #idmap config UNILINEDOO: backend = rid
 #idmap config UNILINEDOO: range = 10000-20000
 #idmap alloc config: range = 10000-20000
 password server = 192.168.0.237
 workgroup = UNILINEDOO
 realm = UNILINEDOO.LOCAL
 winbind enum groups = yes
 winbind enum users = yes
 domain master = no
 winbind separator = +
 winbind trusted domains only = no
 encrypt passwords = yes
 wins support = no
 winbind use default domain = yes
 dns proxy = no
 netbios name = CBOX40
 server string = CBOX ADS
 local master = no
 os level = 20
 create mode = 775
 security = ads
 preferred master = no
 max log size = 50
 #log level: log level = 5 winbind:10 auth:10
 log level = 3
 debug timestamp = yes
 directory mode = 775
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 #nt pipe support = yes
 client schannel = auto
 server schannel = auto
 #nt status support = yes
 client ntlmv2 auth = yes
 client plaintext auth = yes
 #obey pam restrictions = yes
 allow trusted domains = yes
 server signing = auto
 client signing = auto
 client use spnego = yes
 use spnego = yes
 #min protocol = SMB1
 #max protocol = SMB1
 ntlm auth = yes
 #ntlmv2 auth = no
 #ldapsam:trusted = Yes
 #passdb backend = tdbsam
 client lanman auth = no
 #winbind nss info = rfc2307
 winbind refresh tickets = yes
 #winbind offline logon = no
 #winbind normalize names = no
 #winbind cache time = 360
 template shell = /bin/bash
 use kerberos keytab = yes
 #kerberos method = secrets and keytab
 #ldap ssl = Off

[test]
 nt acl support = yes
 writeable = yes
 inherit permissions = no
 path = /srv/uniline/
 force group = domain users
 comment = Uniline Company Share
 valid users = @"UNILINEDOO+domain users"
 create mode = 770
 directory mode = 770
 # public = yes

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
NSSWITCH:
passwd: files winbind
shadow: files
group: files winbind
(tried sss)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
PAM:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_winbind.so use_first_pass #krb5_auth #require_membership_of=S-1-5-21-2974736424-2030979957-651850636-513
auth        requisite     pam_succeed_if.so uid >= 500 quiet
#auth       sufficient    pam_krb5.so try_first_pass
#auth       sufficient    pam_sss.so use_first_pass
#auth       sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
#account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account     sufficient    pam_winbind.so use_first_pass
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
#password   sufficient    pam_sss.so use_authtok
password    sufficient    pam_winbind.so use_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
#session    optional      pam_krb5.so
session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel/
#session    optional      pam_sss.so
session     optional      pam_winbind.so use_first_pass

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Errors:

wbinfo -a user:pass
[root@cbox40 ~]# wbinfo -a ul67%Prus6u
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user ul67%Prus6u with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user ul67 with challenge/response

wb-UNILINEDOO:
[2013/04/06 01:04:00, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2085)
  rpc_pipe_bind: Remote machine ULVDC01.Unilinedoo.local pipe \NETLOGON fnum 0x4000 bind request returned ok.
[2013/04/06 01:04:00, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2085)
  rpc_pipe_bind: Remote machine ULVDC01.Unilinedoo.local pipe \NETLOGON fnum 0x1 bind request returned ok.
[2013/04/06 01:04:00, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1841)
  winbindd_pam_auth: sam_logon returned ACCESS_DENIED. Maybe the trust account password was changed and we didn't know it. Killing connections to domain UNILINEDOO
[2013/04/06 01:04:00, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [UNILINEDOO]\[ul67] returned NT_STATUS_ACCESS_DENIED (PAM: 4)

SmbClient:
[root@cbox40 samba]# smbclient -L localhost -U ul67 -d 3
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface ip=10.0.2.40 bcast=10.0.2.255 nmask=255.255.255.0
added interface ip=192.168.0.173 bcast=192.168.0.255 nmask=255.255.255.0
Client started (version 3.0.33-3.39.el5_8).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Password:
Doing spnego session setup (blob length=121)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/cbox40.unilinedoo.local@UNILINEDOO.LOCAL
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED

- tried to disable SPNEGO and got an NT1 error afterwards :D

It's been 10 days, so I really know where to start once more.

Will try to do some tricks on GPO and play around once more with regedit to make win2012 more similar to the 2003 environment....

TCP log:
- tcpdump
  - did not see anything break inside of it.
  - just some preauth failed, but read that that's normal.

-- 
Andrej Pintar
email: api984@gmail.com, andrej@skrad.com, api984@api984.net
web: http://www.api984.net
contact cell: 00385 98 790 639
home server: http://api984.ath.cx
ICQ: 191748772
Skype: api9841
MSN: fatallord@hotmail.com
IRC: api984, freenode.net
::Software is like sex: it's better when it's free::
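One check a reader can make on configs like the ones posted above, where krb5.conf sets default_realm = UNILINEDOO.LOCAL but its only [realms] block is keyed TDD.LOCAL: an added Python example (not from the original post, from Samba or from MIT Kerberos) that parses a krb5.conf and an smb.conf and reports realm inconsistencies. The helper names parse_krb5 and check_realm_consistency are hypothetical, and the sample inputs are constructed to mirror the post.

```python
import re

def parse_krb5(text):
    """Minimal krb5.conf parser (hypothetical helper): {section: {key: [values]}};
    a 'NAME = {' line opens a nested dict, as [realms] does; repeated keys collect."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None                              # close a nested block
        elif "=" in line and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(val)
    return conf

def check_realm_consistency(krb5_text, smb_text):
    """Return findings where krb5.conf realms and the smb.conf 'realm' disagree."""
    conf = parse_krb5(krb5_text)
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    findings = []
    if default not in realms:
        findings.append(f"default_realm {default} has no [realms] block (defined: {sorted(realms)})")
    for dom, targets in conf.get("domain_realm", {}).items():
        findings += [f"[domain_realm] maps {dom} to undefined realm {r}" for r in targets if r not in realms]
    for name, body in realms.items():
        if not body.get("kdc"):
            findings.append(f"realm {name} lists no kdc")
    m = re.search(r"^\s*realm\s*=\s*(\S+)", smb_text, re.M)   # smb.conf [global] realm
    if not m or m.group(1) != default:
        findings.append(f"smb.conf realm {m and m.group(1)} differs from default_realm {default}")
    return findings

# Constructed sample input mirroring the post: [realms] keyed TDD.LOCAL, default UNILINEDOO.LOCAL.
KRB5_SAMPLE = """[libdefaults]
 default_realm = UNILINEDOO.LOCAL
[realms]
 TDD.LOCAL = {
  kdc = 192.168.0.237:88
 }
[domain_realm]
 .unilinedoo.local = UNILINEDOO.LOCAL
 unilinedoo.local = UNILINEDOO.LOCAL
"""
SMB_SAMPLE = "[global]\n workgroup = UNILINEDOO\n realm = UNILINEDOO.LOCAL\n security = ads\n"
```

Run against the constructed sample it reports three findings (the missing default_realm block and both [domain_realm] mappings); renaming the block to UNILINEDOO.LOCAL clears them.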