Hi List,

I'm attempting to configure an Active Directory joined CentOS 7 host to share directories with Windows clients using Samba. The machine has been joined to the domain via: "adcli join --stdin-password --domain-ou='OU=Servers,DC=domain,DC=com' --login-user={{ private_ad_username }} -S dc1 DOMAIN.COM". Logging in to the host via ssh with AD user credentials works fine. I have SSSD configured to use the Linux attributes specified in the AD user object (uidNumber, gidNumber, unixHomeDirectory, loginShell). The end goal here is to be able to mount the Linux home directories on Windows using those same Active Directory credentials. To be clear, it is the same user account used for ssh login to the Linux host and mounting the Linux share from Windows.

The problem:
When initiating an smb map request from my Windows client, with the command "net use X: \\centos0000\homes", Windows presents the error messages (after prompting for credentials):
System error 86 has occurred. // The specified network password is not correct.

Within /var/log/samba/10.0.0.1.log, the following items seem notable:
[2019/06/10 15:05:10.230921,  2] ../source3/librpc/crypto/gse_krb5.c:196(fill_mem_keytab_from_secrets)
  ../source3/librpc/crypto/gse_krb5.c:196: failed to fetch machine password
[2019/06/10 15:05:10.230941,  1] ../source3/librpc/crypto/gse_krb5.c:594(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:594: Error! Unable to set mem keytab - -1765328254
[2019/06/10 15:05:10.230968,  1] ../auth/gensec/gensec_start.c:697(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2019/06/10 15:05:22.103832, 10, pid=4335, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_NOT_IMPLEMENTED
[2019/06/10 15:09:18.069675,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.10.10.10
[2019/06/10 15:23:26.676743, 10, pid=4750, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:159(make_user_info)
  made a user_info for test_user (test_user)
[2019/06/10 15:23:26.676751,  3, pid=4750, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[test_user]@[WIN0000] with the new password interface
[2019/06/10 15:23:26.676763,  3, pid=4750, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[test_user]@[WIN0000]
[2019/06/10 15:05:22.103840,  5, pid=4335, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [test_user] FAILED with error NT_STATUS_LOGON_FAILURE
[2019/06/10 15:05:22.103848,  2, pid=4335, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [test_user] -> [test_user] FAILED with error NT_STATUS_LOGON_FAILURE
[2019/06/10 15:05:22.103860,  2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE

Some additional notes:
I do not have winbind running. It was my understanding that sssd and winbind do not play well together: is it one or the other in this case?
The AD user objects have the four Linux attributes specified above populated. AD groups have gidNumber populated.
I do not have selinux or firewalld running.
kinit -k CENTOS0000$ returns fine.
Can perform id lookups on Active Directory users.

Regards,
Zach

My current configuration is as follows:

cat /etc/sssd/conf.d/100_ad.conf
[domain/ad_domain]
ad_server = dc1, dc2
ad_domain = DOMAIN.COM
krb5_realm = DOMAIN.COM
dyndns_update = false
id_provider = ad
auth_provider = ad
access_provider = ad
cache_credentials = True
ad_access_filter = (uidNumber=*)
ldap_id_mapping = False
ldap_sudo_search_base = OU=Linux,DC=domain,DC=com
debug_level = 8

[sssd]
domains = ad_domain
services = nss, sudo, pam
config_file_version = 2

[nss]
homedir_substring = /home
vetoed_shells = /usr/local/bin/bash
shell_fallback = /usr/bin/bash

cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = DOMAIN.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
DOMAIN.COM = {
  kdc = dc1.domain.com
  admin_server = dc1.domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

cat /etc/smb.conf
#======================= Global Settings ====================================
[global]
        interfaces = enp3s0f0 127.0.0.1
        bind interfaces only = yes
        security = ads
        realm = DOMAIN.COM
        workgroup = DOMAIN
        password server = *
        local master = no
        domain master = no
        preferred master = no
        wins support = no
        wins proxy = no
        dns proxy = yes
        server string = Samba Server Version %v
        log level = 3 auth:10

        printing = cups
        printcap name = /dev/null
        load printers = no
        cups options = raw

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 100KB per log file, then rotate
        max log size = 100

#============================ Share Definitions =============================
[homes]
        comment = Home Directories
        browseable = yes
        writable = yes
        force create mode = 0640
        force directory mode = 0750
Rowland penny
2019-Jun-11 13:14 UTC
[Samba] Sharing directory via Samba using AD credentials
On 11/06/2019 14:01, Zach Doman via samba wrote:
> [Zach's original message, quoted in full above, snipped]

Until yesterday I would have pointed you at the sssd-users mailing list, that was until I found this:

*Important*

Red Hat only supports running Samba as a server with the winbindd service to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is not supported.

Samba does not support sssd because it cannot, it doesn't produce it. It now seems that red-hat doesn't support using sssd with Samba either, so you are on your own here.

I suppose that I should point out that you MUST run winbind on a Unix domain member, so you might as well use it.

Rowland
Thanks for the reply, Rowland.

I managed to solve the issue without using winbind after doing some additional reading and digging around in my own environment. Due to the many times I have rebuilt my test host, the servicePrincipalName attribute within AD went missing somehow. This caused the Windows smb requests that I expected to be negotiated via Kerberos to always fall back to NTLM (as noted in the log lines I posted previously), which isn't supported by SSSD. Once this host attribute was updated to contain the right values (removing the computer object and re-joining to AD), SSO Kerberos authentication worked as I expected it to.

-Zach

For those who may find this question later on, here is my final smb.conf config file:

#======================= Global Settings ====================================
[global]
        interfaces = {{ ansible_default_ipv4.interface }} 127.0.0.1
        bind interfaces only = yes
        security = ads
        realm = DOMAIN.COM
        workgroup = DOMAIN
        server string = Samba Server Version %v
        kerberos method = system keytab

# --------------------------- Logging Options -----------------------------
# Log File let you specify where to put logs and how to split them up.
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 100KB per log file, then rotate
        max log size = 100
        log level = 2

#============================ Share Definitions =============================
[homes]
        comment = Home Directories
        browseable = yes
        writable = yes
        force create mode = 0640
        force directory mode = 0750

On Jun 11, 2019, 8:14 AM -0500, Rowland penny via samba <samba at lists.samba.org>, wrote:
> On 11/06/2019 14:01, Zach Doman via samba wrote:
> > [Zach's original message, quoted in full above, snipped]
>
> [Rowland's reply, quoted in full above, snipped]
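The two things this thread turns on are visible offline: the Samba log shows the Kerberos acceptor (gse_krb5) failing before the client ever falls back to NTLM, and the NTLM fallback can only ever fail on a host where winbind is not running; and the keytab written by the join tells you whether the machine account's service principals survived a rebuild. The script below, an added example that is neither code from this thread nor from the Samba or SSSD projects, reproduces both checks. The log lines are the ones Zach quoted; the `klist -k` listing, the host name centos0000.domain.com, the KVNO and the required-SPN list are constructed for the example and should be replaced with your own.

```python
"""Offline diagnosis for a Samba AD member whose Windows clients fall back
from Kerberos to NTLM (example code, not from the thread or from Samba).

check 1 - parse_samba_auth_log/diagnose: read Samba log lines written with
          `log level = 3 auth:10` and decide whether Kerberos (gse_krb5) was
          unavailable and whether the NTLM fallback could ever have succeeded.
check 2 - missing_spns: compare the principals in a `klist -k` listing with
          the ones you expect the join to have written, so a lost or
          incomplete servicePrincipalName shows up before the first user does.
"""
import re

# Samba log lines as quoted in the thread (sample input for check 1).
SAMBA_LOG = """\
[2019/06/10 15:05:10.230921,  2] ../source3/librpc/crypto/gse_krb5.c:196(fill_mem_keytab_from_secrets)
  ../source3/librpc/crypto/gse_krb5.c:196: failed to fetch machine password
[2019/06/10 15:05:10.230968,  1] ../auth/gensec/gensec_start.c:697(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2019/06/10 15:05:22.103832, 10, pid=4335, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_NOT_IMPLEMENTED
[2019/06/10 15:05:22.103860,  2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE
"""

# Constructed `klist -k` output for a host joined with adcli; host name,
# realm and KVNO are made up for the example.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/centos0000.domain.com@DOMAIN.COM
   3 host/CENTOS0000@DOMAIN.COM
   3 RestrictedKrbHost/centos0000.domain.com@DOMAIN.COM
   3 CENTOS0000$@DOMAIN.COM
"""

# Message fragments that identify each step of the failure chain.
SIGNALS = {
    "machine_password_missing": "failed to fetch machine password",
    "kerberos_mech_failed": "Failed to start GENSEC server mech gse_krb5",
    "winbind_unavailable": "wbcAuthenticateUserEx failed: WBC_ERR_NOT_IMPLEMENTED",
    "spnego_login_failed": "SPNEGO login failed",
}

VERDICTS = {
    "kerberos-unavailable-ntlm-fallback-impossible":
        "Samba could not build its Kerberos acceptor keytab, so the client "
        "fell back to NTLM, which needs winbind, and winbind is not running. "
        "Fix the machine account, its SPNs and the keytab first; NTLM is a symptom.",
    "kerberos-unavailable":
        "Kerberos acceptor failed; check the keytab and the host's SPNs.",
    "ntlm-attempted-without-winbind":
        "Client negotiated NTLM but no winbind is available to validate it.",
    "login-failed-other":
        "SPNEGO logon failed without a recognised Kerberos or winbind error.",
    "no-known-failure": "No known failure signature found.",
}


def parse_samba_auth_log(text):
    """Return the set of signal names whose fragment appears in the log text."""
    found = set()
    for line in text.splitlines():
        for name, fragment in SIGNALS.items():
            if fragment in line:
                found.add(name)
    return found


def diagnose(signals):
    """Map the signals seen to one verdict key (see VERDICTS)."""
    if "kerberos_mech_failed" in signals and "winbind_unavailable" in signals:
        return "kerberos-unavailable-ntlm-fallback-impossible"
    if "kerberos_mech_failed" in signals:
        return "kerberos-unavailable"
    if "winbind_unavailable" in signals:
        return "ntlm-attempted-without-winbind"
    if "spnego_login_failed" in signals:
        return "login-failed-other"
    return "no-known-failure"


def keytab_principals(klist_text):
    """Extract principal names from `klist -k` output (KVNO, then principal)."""
    principals = set()
    for line in klist_text.splitlines():
        match = re.match(r"^\s*\d+\s+(\S+)$", line)
        if match:
            principals.add(match.group(1))
    return principals


def missing_spns(klist_text, required):
    """Return the required principals that are absent from the keytab, sorted."""
    return sorted(set(required) - keytab_principals(klist_text))


if __name__ == "__main__":
    verdict = diagnose(parse_samba_auth_log(SAMBA_LOG))
    print(f"log verdict: {verdict}\n  {VERDICTS[verdict]}")
    # cifs/<fqdn> is the service name a Windows SMB client asks the KDC for;
    # whether it must also be in the local keytab depends on your join tool
    # and Samba's `kerberos method`, so treat this list as a site setting.
    required = [
        "host/centos0000.domain.com@DOMAIN.COM",
        "cifs/centos0000.domain.com@DOMAIN.COM",
    ]
    for spn in missing_spns(KLIST_OUTPUT, required):
        print(f"keytab is missing: {spn}")
```

To run it against a real host, replace SAMBA_LOG with the contents of the per-client log under /var/log/samba/ and KLIST_OUTPUT with the output of `klist -k` on the member; the verdict ordering matters, because a Kerberos failure must be reported ahead of the NTLM failure it causes, otherwise the operator chases winbind when the real defect is the machine account.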