Shyam Kaushik
2018-Aug-13 13:55 UTC
[Samba] How to use kerberos as the default auth in AD config?
Hi Folks,

We have samba(4.8) deployed with following key parms

security = ADS
realm = TEST
client NTLMv2 auth = No
ntlm auth = disabled

We have a win2k user configured as a "Protected User"
(https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts)

When this user tries to connect to samba/winbind, we get this error out & client is not able to connect

[2018/08/13 13:46:50.019094, 2, pid=7845, class=auth] ../source3/auth/auth.c:336(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [protecteduser] -> [protecteduser] FAILED with error NT_STATUS_ACCOUNT_RESTRICTION, authoritative=1

We can confirm the following behaviour (password hidden)

root@test-01:~# wbinfo -a TEST\protecteduser%XXXX'
plaintext password authentication failed
Could not authenticate user TEST\protecteduser%XXXX with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(TEST\protecteduser): error code was NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e)
error message was: Account restriction
Could not authenticate user TEST\protecteduser with challenge/response

Whereas Kerberos auth works ok

root@test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX'
plaintext kerberos password authentication for [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

When we have a regular user from the same win2k client that is not part of "Protected User", plaintext/NTLM auth works ok

root@test-01:~# wbinfo -a 'TEST\normaluser%XXXX'
plaintext password authentication succeeded
challenge/response password authentication succeeded

& client is able to work with samba share.

Question is how do we force samba to do only KRB auth & not attempt at NTLM auth, as it's showing up in error with auth_check_ntlm_password? Any help appreciated!

Thanks.

--Shyam
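An added example, not code from the thread or from the Samba project: a small Python parser for the class=auth log record quoted above that flags authentications handled by the NTLM code path (auth_check_ntlm_password) for accounts that should only ever use Kerberos, such as members of Protected Users. The sample records are constructed from the failure line in the post; the format of the success line for normaluser is assumed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Samba debug header, e.g.
# [2018/08/13 13:46:50.019094, 2, pid=7845, class=auth] ../source3/auth/auth.c:336(auth_check_ntlm_password)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+), "
    r"pid=(?P<pid>\d+), class=(?P<cls>\w+)\] \S+\((?P<func>\w+)\)"
)
# Message following the header (same line when the log was flattened, next line otherwise).
MSG_RE = re.compile(
    r"[Aa]uthentication for user \[(?P<user>[^\]]*)\](?: -> \[[^\]]*\])* "
    r"(?P<result>succeeded|FAILED)(?: with error (?P<status>NT_STATUS_\w+))?"
)

@dataclass
class AuthEvent:
    ts: str
    pid: int
    func: str              # auth function that handled the request
    user: str
    result: str            # "succeeded" or "FAILED"
    status: Optional[str]  # NT_STATUS_* on failure, None on success

def parse_auth_log(lines: Iterable[str]) -> List[AuthEvent]:
    """Pair each debug header with its message, whether on the same or the next line."""
    events: List[AuthEvent] = []
    header = None
    for raw in lines:
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            header, line = h, line[h.end():]
        m = MSG_RE.search(line)
        if header and m:
            events.append(AuthEvent(header["ts"], int(header["pid"]), header["func"],
                                    m["user"], m["result"], m["status"]))
            header = None
    return events

def ntlm_attempts_on_protected(events: List[AuthEvent], protected_users) -> List[AuthEvent]:
    """Events where the NTLM path handled an account expected to use Kerberos only."""
    protected = {u.lower() for u in protected_users}
    return [e for e in events
            if e.func == "auth_check_ntlm_password" and e.user.lower() in protected]

# Constructed sample: the failure record from the post plus an assumed success record.
SAMPLE_LOG = """\
[2018/08/13 13:46:50.019094, 2, pid=7845, class=auth] ../source3/auth/auth.c:336(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [protecteduser] -> [protecteduser] FAILED with error NT_STATUS_ACCOUNT_RESTRICTION, authoritative=1
[2018/08/13 13:47:02.000000, 2, pid=7845, class=auth] ../source3/auth/auth.c:336(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [normaluser] -> [normaluser] -> [normaluser] succeeded
"""
```

Feed `ntlm_attempts_on_protected(parse_auth_log(open("log.smbd")), protected)` with the group's members to get a list of every NTLM-path request against a Protected User, including the NT_STATUS_ACCOUNT_RESTRICTION failures seen above.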
Rowland Penny
2018-Aug-13 14:40 UTC
[Samba] How to use kerberos as the default auth in AD config?
On Mon, 13 Aug 2018 19:25:24 +0530
Shyam Kaushik via samba <samba at lists.samba.org> wrote:

> Hi Folks,
>
> We have samba(4.8) deployed with following key parms
> security = ADS
> realm = TEST
> client NTLMv2 auth = No
> ntlm auth = disabled
>
> We have a win2k user configured as a "Protected User"
> (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts)
>
> When this user tries to connect to samba/winbind, we get this error
> out & client is not able to connect
>
> [2018/08/13 13:46:50.019094, 2, pid=7845, class=auth]
> ../source3/auth/auth.c:336(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user
> [protecteduser] -> [protecteduser] FAILED with error
> NT_STATUS_ACCOUNT_RESTRICTION, authoritative=1
>
> we can confirm the following behaviour (password hidden)
> root@test-01:~# wbinfo -a TEST\protecteduser%XXXX'
> plaintext password authentication failed
> Could not authenticate user TEST\protecteduser%XXXX with
> plaintext password
> challenge/response password authentication failed
> wbcAuthenticateUserEx(TEST\protecteduser): error code was
> NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e)
> error message was: Account restriction
> Could not authenticate user TEST\protecteduser with
> challenge/response
>
> Whereas Kerberos auth works ok
> root@test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX'
> plaintext kerberos password authentication for
> [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> when we have a regular user from the same win2k client that is not
> part of "Protected User", plaintext/NTLM auth works ok
>
> root@test-01:~# wbinfo -a 'TEST\normaluser%XXXX'
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> & client is able to work with samba share. Question is how do we force
> samba to do only KRB auth & not attempt at NTLM auth as it's showing
> up in error with auth_check_ntlm_password? Any help appreciated!
>
> Thanks.
>
> --Shyam

Have you thought of trying PAM to do this?

See 'man pam_winbind.conf' for more info, particularly 'require_membership_of'.

You should also really not be using a win2k machine any more, they went EOL before XP did.

Rowland
Luke Barone
2018-Aug-14 00:32 UTC
[Samba] How to use kerberos as the default auth in AD config?
Well, you know, a 2010 EOL-date isn't that old... :P

On Mon, Aug 13, 2018 at 7:41 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> Have you thought of trying PAM to do this ?
>
> see 'man pam_winbind.conf' for more info, particularly
> 'require_membership_of'
>
> You should also really not be using a win2k machine any more, they went
> EOL before XP did.
>
> Rowland
Shyam Kaushik
2018-Aug-14 13:48 UTC
[Samba] How to use kerberos as the default auth in AD config?
Thanks Rowland for your pointers!

I'm sorry to just mention it as win2k. This is actually a Windows 2016 server on which we want to get AD/"Protected Users" working. I will try pam_winbind & get back if this solves the issue.

--Shyam

On Tue, 14 Aug 2018 09:25:29 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 13 Aug 2018 17:32:05 -0700
> Luke Barone via samba <samba at lists.samba.org> wrote:
>
> > Well, you know, a 2010 EOL-date isn't that old... :P
>
> It is, if you think of it in dog-years, it's 70 years :-)
>
> Rowland
>
> Now the security updates have been released, I can tell you how to fix
> the problem, upgrade ;-)
>
> CVE-2018-1139:
> Vulnerability that allows authentication via NTLMv1 even if
> disabled.
>
> Rowland
Rowland Penny
2018-Aug-14 14:03 UTC
[Samba] How to use kerberos as the default auth in AD config?
On Tue, 14 Aug 2018 19:18:42 +0530
Shyam Kaushik <shyam at zadarastorage.com> wrote:

> Thanks Rowland for your pointers!
>
> I'm sorry to just mention it as win2k. This is actually a Windows 2016
> server on which we want to get AD/"Protected Users" working. I will
> try pam_winbind & get back if this solves the issue.

Please don't refer to Windows 2016 as win2k, we have enough problems with people calling their first AD DC 'PDC' LOL

> Now the security updates have been released, I can tell you how to fix
> the problem, upgrade ;-)
>
> CVE-2018-1139:
> Vulnerability that allows authentication via NTLMv1 even if
> disabled.

I couldn't tell you about the above before, I wasn't allowed to ;-)

You seem to have run straight into it.

Rowland
Shyam Kaushik
2018-Aug-17 12:24 UTC
[Samba] How to use kerberos as the default auth in AD config?
Hi Rowland,

I tried both pam winbind & also samba with fix for CVE-2018-1139. But still cannot get windows 2016 "protected users" to work with samba.

Note that "wbinfo --krb5auth" manages to authenticate. This, I see, uses WINBIND_PAM_AUTH & not WINBIND_PAM_AUTH_CRAP. I don't see how to switch to WINBIND_PAM_AUTH instead of AUTH_CRAP. Any further insights?

Thanks!

--Shyam
Rowland Penny
2018-Aug-17 12:32 UTC
[Samba] How to use kerberos as the default auth in AD config?
On Fri, 17 Aug 2018 17:54:49 +0530
Shyam Kaushik <shyam at zadarastorage.com> wrote:

> Hi Rowland,
>
> I tried both pam winbind & also samba with fix for CVE-2018-1139. But
> still cannot get windows 2016 "protected users" to work with samba.
>
> Note that "wbinfo --krb5auth" manages to authenticate. This I see it
> uses WINBIND_PAM_AUTH & not WINBIND_PAM_AUTH_CRAP. I dont see how to
> switch to WINBIND_PAM_AUTH instead of AUTH_CRAP. Any further
> insights? Thanks!

Do you have libpam-krb5 installed?

Rowland