Steve Dainard
2017-May-28 04:45 UTC
[Samba] Samba 4.4, sssd, adcli; windows hosts cannot authenticate
I'm running samba 4.4.4 on el7. I'm attempting to provide a share auth by Kerberos or for non-kerberos hosts auth by password on Linux or Windows (7) clients. We have uid/gid/group memberships in AD and typically configure Linux hosts with a kerberos/sssd/ldap configuration which uses attributes from AD, but are not joined to domain. I need to be able to automate the domain join with salt stack, so I'm stuck using adcli to join the machine as it has a plain-text password option, I then push sssd.conf, /etc/krb5.conf, and /etc/samba/smb.conf to the samba host. Thus far I've been able to browse shares from Linux, which authenticates with Kerberos OK. File/directory perms are respected, new files are created with proper uid, etc. No complaints on this side. When I attempt to connect from a domain joined Windows client I get prompted for credentials, and domain credentials do not work. It seems like the id of the user isn't passed through or looked up correctly after Kerberos auth, and the user is labelled as a guest user. Guest users are mapped to bad user in samba config. Here's a bit of logging when the Windows client tries to access a share: https://pastebin.com/pbEqj9ZR Configs; smb.conf: https://pastebin.com/XfeVTCDE sssd.conf: https://pastebin.com/Z57rRwBw krb5.conf: https://pastebin.com/JigdxgJ6 Some other interesting tidbits: DNS is served by el6/bind, not by AD, but the AD srv records exist and work properly for auto discovery and binding. The samba server does not have a PTR record, although this seems to be a requirement for KDC's not members. The domain is ad.localdomain.com, but hosts (including the samba server) have fqdn assigned by dhcp as <hostname>.dhcp.localdomain.com. Any help is appreciated, usually its the Linux client that ends up being a pain, this is the first time for me a Windows client is having issues authing. Thanks, Steve
Rowland Penny
2017-May-28 08:38 UTC
[Samba] Samba 4.4, sssd, adcli; windows hosts cannot authenticate
On Sat, 27 May 2017 21:45:29 -0700 Steve Dainard via samba <samba at lists.samba.org> wrote:> I'm running samba 4.4.4 on el7. I'm attempting to provide a share > auth by Kerberos or for non-kerberos hosts auth by password on Linux > or Windows (7) > clients. > > We have uid/gid/group memberships in AD and typically configure > Linux hosts with a kerberos/sssd/ldap configuration which uses > attributes from AD, but are not joined to domain.You have 'security = ADS' in smb.conf and from 'man smb.conf' SECURITY = ADS In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility.> > I need to be able to automate the domain join with salt stack, so I'm > stuck using adcli to join the machine as it has a plain-text password > option, I then push sssd.conf, /etc/krb5.conf, and /etc/samba/smb.conf > to the samba host.Never heard of 'salt' until now and I don't really understand what it brings to the party ? From what you have posted the default realm is 'AD.LOCALDOMAIN.COM' but your clients are in the dns domain 'dhcp.localdomain.com', I am no kerberos expert, but this wouldn't work with a Samba AD DC. It sounds like you could replace the salt machine with a Samba AD DC and then you wouldn't have all the problems you are having, but I understand that you want to use salt. The only problem I can see, you have set up smb.conf to connect to an AD DC.> When I attempt to connect from a domain joined Windows client I get > prompted for credentials, and domain credentials do not work. It seems > like the id of the user isn't passed through or looked up correctly > after Kerberos auth, and the user is labelled as a guest user. Guest > users are mapped to bad user in samba config. Here's a bit of logging > when the Windows client tries to access a > share: https://pastebin.com/pbEqj9ZRActually unknown users (i.e. Bad User) are mapped to the Unix user 'nobody', they probably wouldn't be if you were using an AD DC with the windows clients joined to the domain. The other problem you have here is, sssd has nothing to do with Samba, it is not Samba package, you may get better help from the sssd-users mailing list, mainly because, if you are using sssd, it is this that is doing your authentication. Rowland
Steve Dainard
2017-May-28 22:27 UTC
[Samba] Samba 4.4, sssd, adcli; windows hosts cannot authenticate
On Sun, May 28, 2017 at 1:38 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:> On Sat, 27 May 2017 21:45:29 -0700 > Steve Dainard via samba <samba at lists.samba.org> wrote: > >> I'm running samba 4.4.4 on el7. I'm attempting to provide a share >> auth by Kerberos or for non-kerberos hosts auth by password on Linux >> or Windows (7) >> clients. >> >> We have uid/gid/group memberships in AD and typically configure >> Linux hosts with a kerberos/sssd/ldap configuration which uses >> attributes from AD, but are not joined to domain. > > You have 'security = ADS' in smb.conf and from 'man smb.conf' > > SECURITY = ADS > > In this mode, Samba will act as a domain member in an ADS realm. To > operate in this mode, the machine running Samba will need to have > Kerberos installed and configured and Samba will need to be joined > to the ADS realm using the net utility. >Right, the host is joined to the domain, via adcli, rather than net.> >> >> I need to be able to automate the domain join with salt stack, so I'm >> stuck using adcli to join the machine as it has a plain-text password >> option, I then push sssd.conf, /etc/krb5.conf, and /etc/samba/smb.conf >> to the samba host. > > Never heard of 'salt' until now and I don't really understand what it > brings to the party ?In context, makes sure people understand I've used adcli, rather than using the net command and must continue to do so, so that I can automate joining samba servers to the domain.> > From what you have posted the default realm is > 'AD.LOCALDOMAIN.COM' but your clients are in the dns domain > 'dhcp.localdomain.com', I am no kerberos expert, but this wouldn't work > with a Samba AD DC.Right, the server is configured as a member server, not a domain controller. Also this doesn't seem to be a 'kerberos' issue, as my Linux clients who auth via kerberos are able to properly authenticate on a protected share without password prompts, and I see a cifs kerberos ticket on my Linux client. The Linux clients also have fqdn's in the same domain as the samba server, not the ad domain. So it appears it might be Windows implementation that has an issue with clients having a different domain name than the servers. That doesn't explain user/password authentication not working on the Windows client, I'm definitely missing something on this side, I'm thinking NTLM may not work with encrypted passwords although I thought this didn't apply to newer versions of samba. This seems related https://social.technet.microsoft.com/Forums/en-US/8249ad4c-69aa-41ba-8863-8ecd7a7a4d27/samba-share-password-refused?forum=win10itpronetworking I'll give it a run when I'm back in the office.> > It sounds like you could replace the salt machine with a Samba AD DC > and then you wouldn't have all the problems you are having, but I > understand that you want to use salt. The only problem I can see, you > have set up smb.conf to connect to an AD DC.Salt is only for configuration management, it doesn't matter too much in this context. As mentioned, I'm joining the samba server as a member of the domain, not using it as a domain controller, and using it as a DC is not an option.> > >> When I attempt to connect from a domain joined Windows client I get >> prompted for credentials, and domain credentials do not work. It seems >> like the id of the user isn't passed through or looked up correctly >> after Kerberos auth, and the user is labelled as a guest user. Guest >> users are mapped to bad user in samba config. Here's a bit of logging >> when the Windows client tries to access a >> share: https://pastebin.com/pbEqj9ZR > > Actually unknown users (i.e. Bad User) are mapped to the Unix user > 'nobody', they probably wouldn't be if you were using an AD DC with > the windows clients joined to the domain.Whichever user a bad user is being mapped to, I believe this is at the root of the problem with the Windows client. I think Kerberos is working for the initial auth/handshake, but somehow user id doesn't carry through to match actual permissions on the share. But that this does work for a Linux client machine/user is what is confounding.> > The other problem you have here is, sssd has nothing to do with Samba, > it is not Samba package, you may get better help from the sssd-users > mailing list, mainly because, if you are using sssd, it is this that > is doing your authentication.Yes, I've sent this mail to both lists.> > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Sumit Bose
2017-May-29 08:07 UTC
[Samba] [SSSD-users] Samba 4.4, sssd, adcli; windows hosts cannot authenticate
On Sat, May 27, 2017 at 09:45:29PM -0700, Steve Dainard wrote:> I'm running samba 4.4.4 on el7. I'm attempting to provide a share > auth by Kerberos or for non-kerberos hosts auth by password on Linux > or Windows (7) > clients.SSSD cannot handle NTLM ('auth by password') so you have to run winbind to make this possible. Adding the needed configuration manually is not that easy so I would recommend re-considering Samba's net utility to join. What is the specific feature you need from adcli? If it is 'preset-computer' I think you can just use the one-time password with net as well. If you want to SSSD running to lookup users and groups you can use SSSD's idmap plugin to make sure winbind uses the same UIDs and GIDs, see man idmap_sss for details. HTH bye, Sumit> > We have uid/gid/group memberships in AD and typically configure > Linux hosts with a kerberos/sssd/ldap configuration which uses > attributes from AD, but are not joined to domain. > > I need to be able to automate the domain join with salt stack, so I'm > stuck using adcli to join the machine as it has a plain-text password > option, I then push sssd.conf, /etc/krb5.conf, and /etc/samba/smb.conf > to the samba host. > > Thus far I've been able to browse shares from Linux, which > authenticates with Kerberos OK. File/directory perms are respected, > new files are created with proper uid, etc. No complaints on this > side. > > When I attempt to connect from a domain joined Windows client I get > prompted for credentials, and domain credentials do not work. It seems > like the id of the user isn't passed through or looked up correctly > after Kerberos auth, and the user is labelled as a guest user. Guest > users are mapped to bad user in samba config. Here's a bit of logging > when the Windows client tries to access a > share: https://pastebin.com/pbEqj9ZR > > Configs; > smb.conf: https://pastebin.com/XfeVTCDE > sssd.conf: https://pastebin.com/Z57rRwBw > krb5.conf: https://pastebin.com/JigdxgJ6 > > Some other interesting tidbits: > DNS is served by el6/bind, not by AD, but the AD srv records exist and > work properly for auto discovery and binding. > The samba server does not have a PTR record, although this seems to be > a requirement for KDC's not members. > The domain is ad.localdomain.com, but hosts (including the samba > server) have fqdn assigned by dhcp as <hostname>.dhcp.localdomain.com. > > Any help is appreciated, usually its the Linux client that ends up > being a pain, this is the first time for me a Windows client is having > issues authing. > > Thanks, > Steve > _______________________________________________ > sssd-users mailing list -- sssd-users at lists.fedorahosted.org > To unsubscribe send an email to sssd-users-leave at lists.fedorahosted.org
Reasonably Related Threads
- Samba 4.4, sssd, adcli; windows hosts cannot authenticate
- Samba 4.4, sssd, adcli; windows hosts cannot authenticate
- smbd interoperability with sssd on Kerberos no winbind
- Geo-replication: queue delete commands and process after a specified time
- Using SSSD + AD with Samba seems to require Winbind be running