Luke Barone
2018-Aug-14 00:32 UTC
[Samba] How to use kerberos as the default auth in AD config?
Well, you know, a 2010 EOL-date isn't that old... :P

On Mon, Aug 13, 2018 at 7:41 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 13 Aug 2018 19:25:24 +0530
> Shyam Kaushik via samba <samba at lists.samba.org> wrote:
>
> > Hi Folks,
> >
> > We have samba(4.8) deployed with following key parms
> > security = ADS
> > realm = TEST
> > client NTLMv2 auth = No
> > ntlm auth = disabled
> >
> > We have a win2k user configured as a "Protected User"
> > (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts)
> >
> > When this user tries to connect to samba/winbind, we get this error
> > out & client is not able to connect
> >
> > [2018/08/13 13:46:50.019094, 2, pid=7845, class=auth]
> > ../source3/auth/auth.c:336(auth_check_ntlm_password)
> > check_ntlm_password: Authentication for user
> > [protecteduser] -> [protecteduser] FAILED with error
> > NT_STATUS_ACCOUNT_RESTRICTION, authoritative=1
> >
> > we can confirm the following behaviour (password hidden)
> > root at test-01:~# wbinfo -a TEST\protecteduser%XXXX'
> > plaintext password authentication failed
> > Could not authenticate user TEST\protecteduser%XXXX with
> > plaintext password
> > challenge/response password authentication failed
> > wbcAuthenticateUserEx(TEST\protecteduser): error code was
> > NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e)
> > error message was: Account restriction
> > Could not authenticate user TEST\protecteduser with
> > challenge/response
> >
> > Whereas Kerberos auth works ok
> > root at test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX'
> > plaintext kerberos password authentication for
> > [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE)
> > credentials were put in: FILE:/tmp/krb5cc_0
> >
> > when we have a regular user from the same win2k client that is not
> > part of "Protected User", plaintext/NTLM auth works ok
> >
> > root at test-01:~# wbinfo -a 'TEST\normaluser%XXXX'
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
> >
> > & client is able to work with samba share. Question is how do we force
> > samba to do only KRB auth & not attempt at NTLM auth as its showing
> > up in error with auth_check_ntlm_password? Any help appreciated!
> >
> > Thanks.
> >
> > --Shyam
> >
>
> Have you thought of trying PAM to do this ?
>
> see 'man pam_winbind.conf' for more info, particularly
> 'require_membership_of'
>
> You should also really not be using a win2k machine any more, they went
> EOL before XP did.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
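Detection logic for the failure mode in Shyam's quoted log, written here as an added example (not code from the thread or from Samba itself): it parses the two-line level-2 auth.c messages and reports accounts refused on the NTLM path with NT_STATUS_ACCOUNT_RESTRICTION, which is what a Protected Users member whose client fell back to NTLM instead of Kerberos looks like in the log. The sample log text is constructed, and the NT_STATUS_WRONG_PASSWORD line is an assumed ordinary bad-password case added so the filter has something to ignore.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the level-2 auth.c messages quoted in the thread.
# The NT_STATUS_WRONG_PASSWORD entry is assumed, not taken from the thread.
SAMPLE_LOG = """\
[2018/08/13 13:46:50.019094,  2, pid=7845, class=auth] ../source3/auth/auth.c:336(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [protecteduser] -> [protecteduser] FAILED with error NT_STATUS_ACCOUNT_RESTRICTION, authoritative=1
[2018/08/13 13:47:12.500000,  2, pid=7845, class=auth] ../source3/auth/auth.c:336(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [normaluser] -> [normaluser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
"""

# Header line: "[timestamp, level, pid=N, class=X] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\S+ \S+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+),\s*class=(?P<cls>\w+)\]\s*"
    r"(?P<file>\S+)\((?P<func>\w+)\)"
)
# Message line that follows the header for a failed authentication.
FAILURE_RE = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+), authoritative=(?P<auth>\d)"
)

@dataclass
class AuthFailure:
    timestamp: str
    pid: int
    func: str
    user: str
    status: str
    authoritative: bool

def parse_auth_failures(text: str) -> list[AuthFailure]:
    """Pair each class=auth header with the failure message on the next line."""
    lines = text.splitlines()
    failures = []
    for i, line in enumerate(lines[:-1]):
        header = HEADER_RE.match(line)
        if not header or header["cls"] != "auth":
            continue
        body = FAILURE_RE.search(lines[i + 1])
        if body:
            failures.append(AuthFailure(
                header["ts"], int(header["pid"]), header["func"],
                body["user"], body["status"], body["auth"] == "1",
            ))
    return failures

def protected_user_ntlm_attempts(failures: list[AuthFailure]) -> list[str]:
    """Accounts refused on the NTLM path with ACCOUNT_RESTRICTION, deduplicated and sorted."""
    return sorted({f.user for f in failures
                   if f.func == "auth_check_ntlm_password"
                   and f.status == "NT_STATUS_ACCOUNT_RESTRICTION"})
```

Feeding a real log.smbd written at log level 2 through parse_auth_failures gives a quick list of which accounts are being driven to NTLM despite ntlm auth = disabled.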
Rowland Penny
2018-Aug-14 08:25 UTC
[Samba] How to use kerberos as the default auth in AD config?
On Mon, 13 Aug 2018 17:32:05 -0700
Luke Barone via samba <samba at lists.samba.org> wrote:

> Well, you know, a 2010 EOL-date isn't that old... :P
>

It is, if you think of it in dog-years, it's 70 years :-)

Rowland
Rowland Penny
2018-Aug-14 08:52 UTC
[Samba] How to use kerberos as the default auth in AD config?
On Tue, 14 Aug 2018 09:25:29 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 13 Aug 2018 17:32:05 -0700
> Luke Barone via samba <samba at lists.samba.org> wrote:
>
> > Well, you know, a 2010 EOL-date isn't that old... :P
> >
>
> It is, if you think of it in dog-years, it's 70 years :-)
>
> Rowland
>

Now the security updates have been released, I can tell you how to fix the problem, upgrade ;-)

CVE-2018-1139: Vulnerability that allows authentication via NTLMv1 even if disabled.

Rowland