Markus Spanner-Denzer
2019-May-16 12:26 UTC
[Samba] krb5_auth: NT_STATUS_NO_LOGON_SERVERS for users from trusted AD domains in samba winbind > 4.2
Hi,

in our setup, we have a number of AD domains with an existing one-way trust between the local domain of the system (which I will call LOCALDOM in the following) and the domain containing the user accounts (which I will call TRUSTEDDOM in the following). The domain controllers run Windows Server 2012.

Beginning with samba 4.4 we have an issue with authentication through pam_winbind on the Linux clients when krb5_auth is enabled in pam_winbind.conf (which worked in samba 4.2). Login to the Linux systems always fails with "No logon servers". The situation can also be reproduced with "wbinfo -K".

On samba >= 4.4 (tested on SLES12SP3 and RHEL7):

# wbinfo -K TRUSTEDDOM\\myaccount
Enter TRUSTEDDOM\myaccount's password:
plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] failed (requesting cctype: FILE)
wbcLogonUser(TRUSTEDDOM\myaccount): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user [TRUSTEDDOM\myaccount] with Kerberos (ccache: FILE)

The same worked with samba 4.2 (tested on SLES12SP1, identical configuration in samba.conf and krb5.conf):

# wbinfo -K TRUSTEDDOM\\myaccount
Enter TRUSTEDDOM\myaccount's password:
plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] succeeded (requesting cctype: FILE)

Authenticating users from the local domain works in all releases of samba:

# wbinfo -K LOCALDOM\\mylocalaccount
Enter LOCALDOM\\mylocalaccount's password:
plaintext kerberos password authentication for [LOCALDOM\\mylocalaccount] succeeded (requesting cctype: FILE)

Authenticating users without krb5 (i.e. wbinfo -a) also works in all releases. Therefore, disabling krb5_auth helps as a work-around; the user can then request a Kerberos ticket manually using

kinit myaccount@TRUSTEDDOM

Both LOCALDOM and TRUSTEDDOM are configured in krb5.conf.

It seems like newer releases of samba(-winbind) cannot locate the correct KDC for trusted domains. Do you know of any change in samba-winbind's behavior between 4.2 and 4.4? Is there something which has to be changed in the configuration? Unfortunately, I didn't find any hint in the documentation.

Markus

--
Dipl.-Phys. Markus Spanner-Denzer
Senior IT Systems Engineer (Linux)
Systems & Applications
noris network AG
Thomas-Mann-Straße 16-20
90471 Nürnberg
Deutschland
Tel +49 911 9352 1126
Fax +49 911 9352 100
Email markus.spanner-denzer at noris.de
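The post says both realms are configured in krb5.conf and suspects that the KDC for the trusted realm cannot be located. The following script is an added example (not Samba code, not the poster's configuration) that checks only the krb5.conf side of that question: for each expected realm it reports whether a [realms] block with a kdc line exists, whether dns_lookup_kdc would otherwise allow a DNS SRV lookup, and whether any [domain_realm] mapping points at the realm. The realm and host names in the embedded sample are constructed placeholders; winbind's own DC lookup (smb.conf, DNS) is out of scope for this check.

```python
"""Sanity-check the krb5.conf side of KDC location for a set of realms.

Added example for the thread above; it is not Samba code and not the
poster's configuration. Realm and host names are constructed placeholders.
It only inspects what krb5.conf declares (kdc lines, dns_lookup_kdc,
domain_realm mappings); winbind's own DC lookup is out of scope here.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\[(\S+)\]$")

# Constructed sample: LOCALDOM has explicit KDCs, TRUSTEDDOM is declared but
# has no kdc line, and DNS-based KDC lookup is switched off.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = LOCALDOM.EXAMPLE
    dns_lookup_kdc = false

[realms]
    LOCALDOM.EXAMPLE = {
        kdc = dc1.localdom.example
        kdc = dc2.localdom.example
        admin_server = dc1.localdom.example
    }
    TRUSTEDDOM.EXAMPLE = {
        admin_server = dc1.trusteddom.example
    }

[domain_realm]
    .localdom.example = LOCALDOM.EXAMPLE
    localdom.example = LOCALDOM.EXAMPLE
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse krb5.conf syntax into {section: {key: value}}.

    A 'NAME = { ... }' block becomes a nested dict; a key that repeats
    (several 'kdc =' lines) is collected into a list, in file order.
    """
    conf: Dict[str, dict] = {}
    stack: List[dict] = []   # enclosing dicts while inside { } blocks
    current = None           # dict that receives the next key
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header and not stack:
            current = conf.setdefault(header.group(1).lower(), {})
            continue
        if current is None:
            continue          # text before the first section header
        if line == "}":
            current = stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(current)
            current = current.setdefault(key, {})
            continue
        if key in current:
            previous = current[key]
            current[key] = previous + [value] if isinstance(previous, list) else [previous, value]
        else:
            current[key] = value
    return conf


def check_realms(conf: dict, realms: List[str]) -> Dict[str, List[str]]:
    """Return the findings for each realm; an empty list means nothing to flag."""
    libdefaults = conf.get("libdefaults", {})
    # MIT krb5 defaults dns_lookup_kdc to true when the key is absent.
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "true")).lower() in ("true", "yes", "1")
    mapped = set(conf.get("domain_realm", {}).values())
    findings: Dict[str, List[str]] = {}
    for realm in realms:
        issues = []
        block = conf.get("realms", {}).get(realm)
        if block is None and not dns_kdc:
            issues.append("no [realms] entry and dns_lookup_kdc is off: libkrb5 cannot find a KDC")
        elif block is not None and "kdc" not in block and not dns_kdc:
            issues.append("[realms] entry has no kdc line and dns_lookup_kdc is off")
        if realm not in mapped:
            issues.append("no [domain_realm] mapping points at this realm")
        findings[realm] = issues
    return findings


if __name__ == "__main__":
    report = check_realms(parse_krb5_conf(SAMPLE_KRB5_CONF),
                          ["LOCALDOM.EXAMPLE", "TRUSTEDDOM.EXAMPLE"])
    for realm, issues in report.items():
        print(realm, "OK" if not issues else "; ".join(issues))
```

Run it against the real file by replacing SAMPLE_KRB5_CONF with the contents of /etc/krb5.conf; a clean result for the trusted realm rules out the krb5.conf side and leaves winbind's DC lookup as the remaining suspect.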
Rowland penny
2019-May-16 12:47 UTC
[Samba] krb5_auth: NT_STATUS_NO_LOGON_SERVERS for users from trusted AD domains in samba winbind > 4.2
On 16/05/2019 13:26, Markus Spanner-Denzer via samba wrote:
> Hi,
>
> in our setup, we have a number of AD domains with an existing one-way trust between the local domain of the system (which I will call LOCALDOM in the following) and the domain containing the user accounts (which I will call TRUSTEDDOM in the following). The domain controllers run Windows Server 2012.
>
> Beginning with samba 4.4 we have an issue with authentication through pam_winbind on the Linux clients when krb5_auth is enabled in pam_winbind.conf (which worked in samba 4.2). Login to the Linux systems always fails with "No logon servers". The situation can also be reproduced with "wbinfo -K".
>
> On samba >= 4.4 (tested on SLES12SP3 and RHEL7):
>
> # wbinfo -K TRUSTEDDOM\\myaccount
> Enter TRUSTEDDOM\myaccount's password:
> plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] failed (requesting cctype: FILE)
> wbcLogonUser(TRUSTEDDOM\myaccount): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> error message was: No logon servers
> Could not authenticate user [TRUSTEDDOM\myaccount] with Kerberos (ccache: FILE)
>
> The same worked with samba 4.2 (tested on SLES12SP1, identical configuration in samba.conf and krb5.conf):
>
> # wbinfo -K TRUSTEDDOM\\myaccount
> Enter TRUSTEDDOM\myaccount's password:
> plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] succeeded (requesting cctype: FILE)
>
> Authenticating users from the local domain works in all releases of samba:
>
> # wbinfo -K LOCALDOM\\mylocalaccount
> Enter LOCALDOM\\mylocalaccount's password:
> plaintext kerberos password authentication for [LOCALDOM\\mylocalaccount] succeeded (requesting cctype: FILE)
>
> Authenticating users without krb5 (i.e. wbinfo -a) also works in all releases. Therefore, disabling krb5_auth helps as a work-around; the user can then request a Kerberos ticket manually using kinit myaccount@TRUSTEDDOM
>
> Both LOCALDOM and TRUSTEDDOM are configured in krb5.conf.
>
> It seems like newer releases of samba(-winbind) cannot locate the correct KDC for trusted domains. Do you know of any change in samba-winbind's behavior between 4.2 and 4.4? Is there something which has to be changed in the configuration? Unfortunately, I didn't find any hint in the documentation.
>
There were a few winbind changes in 4.3, but whether they would affect you, I have no idea, because you haven't posted your smb.conf.

Rowland