Shaun Glass - Business Connexion
2013-Jun-19 15:16 UTC
[Samba] "The account is not authorized to login from this station"
Good Day,

I am testing, in a lab environment, samba shares with ad authentication for access. My setup is as follows :

* Windows 2008 RC2
* RHEL 5.9
* Windows 7
* Windows XP SP3

* Samba 3.0.33-3.39.el5_8

All machines, including the RHEL Server, have been added to the Domain running on the Windows 2008 RC2 Server.

As per the subject, when trying to connect, from XP or Win 7, to the shares I get :

"The account is not authorized to login from this station"

My configuration files and any files or parts thereof altered during setup. Note that this is a lab so all information is made up :

/etc/samba/smb.conf -

[global]
        netbios name = RHEL-5-SMB
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = MUD-LAB
        os level = 20
        winbind enum groups = yes
        socket address = 192.168.100.98
        password server = *
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba/log.%m
        encrypt passwords = no
        dns proxy = no
        realm = MUD-LAB.INTERNAL.CO.ZA
        security = ADS
        wins server = 192.168.100.99
        wins proxy = no
        client ntlmv2 auth = yes

[EFT]
        comment = EFT
        path = /MIPEB-Live/EFT
        browseable = yes
        read only = no
        inherit acls = yes
        inherit permissions = yes
        create mask = 700
        directory mask = 700
        valid users = @"MUD-LAB+mip_sys_ad"

[EFT Rejection]
        comment = EFT Rejection
        path = /MIPEB-Live/EFT_Rejection
        browseable = yes
        read only = no
        inherit acls = yes
        inherit permissions = yes
        create mask = 700
        directory mask = 700
        valid users = @"MUD-LAB+mip_sys_ad"

[EFT Treasury]
        comment = EFT Treasury
        path = /MIPEB-Live/EFT_Treasury
        browseable = yes
        read only = no
        inherit acls = yes
        inherit permissions = yes
        create mask = 700
        directory mask = 700
        valid users = @"MUD-LAB+mip_sys_ad"

/etc/krb5.conf -

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MUD-LAB.INTERNAL.CO.ZA
 dns_lookup_realm = false
 dns_lookup_kdc = true
#
# NOTE: hard coded KDC lines below to work around slow IPv6 DNS queries
# see the following command for valid KDCs:
# host -t SRV _kerberos._tcp.MUD-LAB.INTERNAL.CO.ZA
# host -t SRV _kerberos._udp.MUD-LAB.INTERNAL.CO.ZA
#
[realms]
 MUD-LAB.INTERNAL.CO.ZA = {
  kdc = 192.168.100.99
  default_domain = mud-lab.internal.co.za
 }

[domain_realm]

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

/etc/nsswitch -

passwd:     files winbind
shadow:     files winbind
group:      files winbind

/etc/pam.d/samba -

#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
auth       required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
account    include      system-auth
session    include      system-auth
password   include      system-auth

Some of the following are checks done on the RHEL Server to verify it is communicating with the Domain :

[root@rhel-5-smb samba]# wbinfo -u
MUD-LAB+administrator
MUD-LAB+guest
MUD-LAB+krbtgt
MUD-LAB+g801645
MUD-LAB+da000450
MUD-LAB+da000454
MUD-LAB+g9008w9
MUD-LAB+g9008x1
MUD-LAB+e323460
MUD-LAB+da000915
MUD-LAB+da000914
MUD-LAB+g9008w2
MUD-LAB+g9008w1
MUD-LAB+g9008v9
MUD-LAB+g9008v8
MUD-LAB+e933049
MUD-LAB+e933319
MUD-LAB+e933279

[root@rhel-5-smb samba]# wbinfo -g
BUILTIN+administrators
BUILTIN+users
MUD-LAB+domain computers
MUD-LAB+domain controllers
MUD-LAB+schema admins
MUD-LAB+enterprise admins
MUD-LAB+cert publishers
MUD-LAB+domain admins
MUD-LAB+domain users
MUD-LAB+domain guests
MUD-LAB+group policy creator owners
MUD-LAB+ras and ias servers
MUD-LAB+allowed rodc password replication group
MUD-LAB+denied rodc password replication group
MUD-LAB+read-only domain controllers
MUD-LAB+enterprise read-only domain controllers
MUD-LAB+dnsadmins
MUD-LAB+dnsupdateproxy
MUD-LAB+mip_sys_ad
MUD-LAB+mip_acc_man
MUD-LAB+mip_fls
MUD-LAB+mip_depl

[root@rhel-5-smb samba]# wbinfo --group-info="MUD-LAB+mip_sys_ad"
MUD-LAB+mip_sys_ad:*:10004

[root@rhel-5-smb samba]# wbinfo -a MUD-LAB+da000450%Server@2008
plaintext password authentication succeeded
challenge/response password authentication succeeded

The RHEL Server is based on our normal build where SSH authentication is also done against the Domain. As far as I know these files are involved with that :

/etc/pam.d/system-auth -

#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=3 magic_root per_user
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_stack.so service=krb5-secdom
auth        required      pam_deny.so
account     required      pam_tally.so magic_root
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     sufficient    pam_stack.so service=krb5-secdom
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 type=local minlen=7 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3 difignore=15
password    sufficient    pam_unix.so md5 shadow nullok use_authtok remember=24
password    sufficient    pam_stack.so service=krb5-secdom
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/krb5-secdom -

#%PAM-1.0
auth        requisite     pam_succeed_if.so quiet user ingroup secdom
auth        required      pam_krb5.so
account     requisite     pam_succeed_if.so quiet user ingroup secdom
account     require       pam_krb5.so
password    required      pam_krb5.so banner=MUD use_authtok
session     optional      pam_krb5.so

"secdom" is a group on the RHEL Server. Users that use SSH have their Domain IDs added to the local box but authenticate against the Domain. If in the Group "secdom" they are allowed in.

Now all the troubleshooting I have done seems to relate to the Workstations and their Security Policies. I have not been able to find the exact change required to be made.
Hoping someone has had similar issues and could help?

Much appreciated

Regards
Andrew Bartlett
2013-Jun-20 03:45 UTC
[Samba] "The account is not authorized to login from this station"
On Wed, 2013-06-19 at 15:16 +0000, Shaun Glass - Business Connexion wrote:
> Good Day,
>
> I am testing, in a lab environment, samba shares with ad authentication for access. My setup is as follows :
>
> * Windows 2008 RC2
> * RHEL 5.9
> * Windows 7
> * Windows XP SP3
>
> * Samba 3.0.33-3.39.el5_8
>
> All machines, including the RHEL Server having been added to the Domain running on the Windows 2008 RC2 Server.
>
> As per the subject, when trying to connect, from XP or Win 7, to the shares I get :
>
> "The account is not authorized to login from this station"

> encrypt passwords = no

Remove this line.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
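As an added example (not from this thread, and not Samba's own code), a small Python check that reads an smb.conf the way Samba reads parameter names (case and whitespace ignored), flags the line Andrew points at, and produces the corrected file with it dropped. With "encrypt passwords = no" the server asks clients for plaintext passwords, which Windows refuses by default; that refusal is what the "not authorized to login from this station" message reports. The sample config is a constructed abbreviation of the poster's [global] section.

```python
# Lint smb.conf for the setting behind this thread's error.
# Added example; not from the original post or from Samba.
import re

# Constructed sample: the poster's [global] section, abbreviated.
SAMPLE_SMB_CONF = """\
[global]
    netbios name = RHEL-5-SMB
    workgroup = MUD-LAB
    realm = MUD-LAB.INTERNAL.CO.ZA
    security = ADS
    encrypt passwords = no
    client ntlmv2 auth = yes
[EFT]
    path = /MIPEB-Live/EFT
"""

def norm(key):
    """Samba parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Return {section: {norm(key): value}}; '#' and ';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][norm(key)] = value.strip()
    return sections

def check_plaintext_auth(text):
    """Findings for [global]; 'encrypt passwords' defaults to yes in Samba 3."""
    value = parse_smb_conf(text).get("global", {}).get("encryptpasswords", "yes")
    if value.lower() in ("no", "false", "0"):
        return ["encrypt passwords = no: server asks clients for plaintext "
                "passwords, which Windows refuses by default; delete the line"]
    return []

def drop_setting(text, key):
    """Return the config with every line that sets `key` removed."""
    keep = [raw for raw in text.splitlines()
            if not ("=" in raw and norm(raw.partition("=")[0]) == norm(key))]
    return "\n".join(keep) + "\n"
```

Run check_plaintext_auth on the live /etc/samba/smb.conf to confirm the finding, then drop_setting to see the file as it should look before restarting smb.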