I have a CENTOS7 box with Samba 4.8.3-4 and SSSD 1.16.2-13, authentication against MS Win domain.

- Recently, Active Directory authentication stopped working within Samba
- Users who try to connect reach the point of being prompted for AD credentials; failures happen afterward.
- All flavors of client OS are affected: Windows, Mac and Linux (via smbclient).
- There have been no configuration changes to the system (especially/notably smb.conf) in 3+ weeks
- AD and SSSD continue to work fine within the operating system itself (SSH to the server works, can query AD for group information via 'getent group GROUP', etc.).

I do see some Kerberos errors in the Samba logs:

[2019/03/20 09:43:48.594230, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password LINUX$@EXAMPLE.COM failed: Preauthentication failed

As far as I can see from forum suggestions, re-joining the Linux box to the domain should fix this issue, but I really don't like such a manual workaround.
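Added example, not part of the original post: a small Python parser for the Samba log format quoted above that counts `kerberos_kinit_password` failures per principal and picks out machine accounts (names ending in `$`) rejected with "Preauthentication failed". The sample log is constructed from the line in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the entry from the post (repeated) plus one unrelated,
# made-up entry. Samba writes a bracketed header line, then the indented message.
SAMPLE_LOG = """\
[2019/03/20 09:43:48.594230, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password LINUX$@EXAMPLE.COM failed: Preauthentication failed
[2019/03/20 09:43:49.000001, 1] ../source3/example/constructed.c:1(constructed_function)
  unrelated constructed message
[2019/03/20 09:48:51.112004, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password LINUX$@EXAMPLE.COM failed: Preauthentication failed
"""

HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)[^\]]*\]\s+\S+?\((?P<func>\w+)\)")
KINIT = re.compile(r"kerberos_kinit_password (?P<principal>\S+) failed: (?P<reason>.+)")

def parse_entries(text):
    """Return (timestamp, level, function, message) per log entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m["ts"], int(m["level"]), m["func"], []])
        elif entries and line.strip():
            entries[-1][3].append(line.strip())  # continuation of the message
    return [(ts, lvl, fn, " ".join(msg)) for ts, lvl, fn, msg in entries]

def kinit_failures(text):
    """Count kinit failures per (principal, reason)."""
    counts = Counter()
    for _ts, _lvl, _fn, msg in parse_entries(text):
        m = KINIT.search(msg)
        if m:
            counts[(m["principal"], m["reason"].strip())] += 1
    return counts

def machine_account_preauth_failures(text):
    """Machine accounts (name ends in '$') whose kinit was rejected with
    'Preauthentication failed': the stored machine credential is suspect."""
    return sorted({p for (p, reason) in kinit_failures(text)
                   if p.split("@")[0].endswith("$")
                   and reason == "Preauthentication failed"})

if __name__ == "__main__":
    for (principal, reason), n in kinit_failures(SAMPLE_LOG).items():
        print(f"{n:3d}  {principal}  {reason}")
    print("check machine password/keytab for:", machine_account_preauth_failures(SAMPLE_LOG))
```

Run against a real log by passing the file's contents to `kinit_failures`; repeated hits for the host's own `$` principal indicate the failure is in the machine account's credential rather than in any user's password.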
Rowland Penny
2019-Mar-20 11:03 UTC
[Samba] AD authentication issue in Samba (kerberos errors)
On Wed, 20 Mar 2019 12:27:09 +0200 "linux.il via samba" <samba at lists.samba.org> wrote:

> I have CENTOS7 box with Samba 4.8.3-4 and SSSD 1.16.2-13,
> authentication against MS Win domain.

We don't actually support using a Samba Unix domain member with SSSD, mainly because SSSD isn't a Samba product.

> - Recently, Active Directory authentication stopped working within
> Samba
> - Users who try to connect to reach the point of being prompted for AD
> credentials; failures happen afterward.
> - All flavors of client OS are affected: Windows, Mac and Linux (via
> smbclient).
> - There have been no configuration changes to the system
> (especially/notably smb.conf) in 3+ weeks

If this has just started happening, something must have changed.

> - AD and SSSD continue to work fine within the operating system
> itself (SSH to the server works, can query AD for group information
> via 'getent group GROUP', etc.).

Is winbind running ?

>
> I do see some Kerberos errors into Samba logs:
>
> [2019/03/20 09:43:48.594230, 0]
> ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> kerberos_kinit_password LINUX$@EXAMPLE.COM failed: Preauthentication
> failed
>
> As far as I see from forum suggestions, linux box re-join to the
> domain should fix this issue, but I'm really don't like such manual
> workaround.

Please post your smb.conf

Rowland
Rowland Penny
2019-Mar-20 11:26 UTC
[Samba] AD authentication issue in Samba (kerberos errors)
On Wed, 20 Mar 2019 13:11:47 +0200 "linux.il" <linux.il at gmail.com> wrote:

> >> - There have been no configuration changes to the system
> >> (especially/notably smb.conf) in 3+ weeks
> >If this has just started happening, something must have changed.
> I guess, Kerberos key automatic renew (krb5.keytab).

That would be my guess as well.

> >Is winbind running ?
> No

Then start it, you need it, from 4.8.0, Samba must have winbind running when 'security' is set to 'ads'.

> >Please post your smb.conf
> This is my 'global' section:
>
> workgroup = EXAMPLE
> security = ads
> encrypt passwords = yes
> realm = EXAMPLE.COM
> passdb backend = tdbsam
>

Is that it ?

If we remove the default settings, it just becomes:

  workgroup = EXAMPLE
  security = ads
  realm = EXAMPLE.COM

You need more and you do not need sssd

I would start by adding 'winbind refresh tickets = yes'
I wouldn't stop there.

Rowland
Rowland,

Thank you, I'll try to implement your suggestions.
But it definitely worked without winbind.

On Wed, Mar 20, 2019 at 1:26 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 20 Mar 2019 13:11:47 +0200
> "linux.il" <linux.il at gmail.com> wrote:
>
> > >> - There have been no configuration changes to the system
> > >> (especially/notably smb.conf) in 3+ weeks
> > >If this has just started happening, something must have changed.
> > I guess, Kerberos key automatic renew (krb5.keytab).
>
> That would be my guess as well.
>
> > >Is winbind running ?
> > No
>
> Then start it, you need it, from 4.8.0, Samba must have winbind running
> when 'security' is set to 'ads'.
>
> > >Please post your smb.conf
> > This is my 'global' section:
> >
> > workgroup = EXAMPLE
> > security = ads
> > encrypt passwords = yes
> > realm = EXAMPLE.COM
> > passdb backend = tdbsam
> >
>
> Is that it ?
>
> If we remove the default settings, it just becomes:
>
> workgroup = EXAMPLE
> security = ads
> realm = EXAMPLE.COM
>
> You need more and you do not need sssd
>
> I would start by adding 'winbind refresh tickets = yes'
> I wouldn't stop there.
>
> Rowland