eguigne at pasteur-cayenne.fr
2019-Jun-15 00:40 UTC
[Samba] Kerberos and NTLMv2 authentication
Dear Samba Users,

I set a samba share (4.8.1) on a linux (centos 7) as server member; authentication is done against an AD win 2012 R2 server through winbind.

I thought authentication was using kerberos, but I checked the log and found:

Auth: [SMB2,(null)] user [MYDOMAIN]\[mydomainuser] at [mar., 11 juin 2019 10:21:42.000927 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [CANONDCE0BD]

Below, part of my smb.conf:

security = ads
realm = MYDOMAIN
workgroup = MYDOMAIN
kerberos method = secrets and keytab
server signing = mandatory
client signing = mandatory

How can I tell samba to use kerberos instead of NTLMv2? Or is it in winbind configuration?

Best Regards,
EdG

On 15/06/2019 01:40, eguigne--- via samba wrote:
> Dear Samba Users,
>
> I set a samba share (4.8.1) on a linux (centos 7) as server member ;
> authentication is done against a AD win 2012 R2 server through winbind.
>
> I thought authentication was using kerberos, but I checked log and found :
>
> Auth: [SMB2,(null)] user [MYDOMAIN]\[mydomainuser] at [mar., 11 juin 2019
> 10:21:42.000927 -03] with [NTLMv2] status [NT_STATUS_OK] workstation
> [CANONDCE0BD]
>
> Below, part of my smb.cnf :
>
> security = ads
>
> realm = MYDOMAIN
> workgroup = MYDOMAIN

Why is your workgroup and realm the same?

> kerberos method = secrets and keytab
>
> server signing = mandatory
>
> client signing = mandatory
>
> How can I tell samba using kerberos instead of NTLMv2 ? Or is it in
> winbind configuration ?

Do you have libpam-krb5 installed?

Rowland

eguigne at pasteur-cayenne.fr
2019-Jun-15 14:11 UTC
[Samba] Kerberos and NTLMv2 authentication
Hello Rowland,

Sorry for the workgroup and realm name, I put MYDOMAIN to anonymize, should be:

realm = MYDOMAIN.LOCAL
workgroup = MYDOMAIN

About libpam-krb5 installed, I have on my system:

yum list krb5-workstation pam_krb5
krb5-workstation.x86_64    1.15.1-37.el7_6    @updates
pam_krb5.x86_64            2.4.8-6.el7        @base

Is pam_krb5 equivalent to libpam-krb5 on centos 7?

Hi Edouard,

> I set a samba share (4.8.1) on a linux (centos 7) as server member ;
> authentication is done against a AD win 2012 R2 server through winbind.
>
> I thought authentication was using kerberos, but I checked log and found :
>
> Auth: [SMB2,(null)] user [MYDOMAIN]\[mydomainuser] at [mar., 11 juin 2019
> 10:21:42.000927 -03] with [NTLMv2] status [NT_STATUS_OK] workstation
> [CANONDCE0BD]

CANONDCE0BD -> isn't that a copier doing scan2folder?

If that is the case, please know that most copiers cannot do Kerberos auth properly. Actually you can already be happy if they do proper NTLM auth... If the copier is actually configured to do Kerberos (which usually isn't the case), then check the NTP config, check that you are not using an IP address but the FQDN DNS name, and check that the DNS configuration is right.

Cheers,

Denis

--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Hello Denis,

Exactly, this is a Canon MFP. Thank you for your help! :))

Edouard

On 17/06/2019 at 09:37, Denis Cardon via samba wrote:
> Hi Edouard,
>
>> Auth: [SMB2,(null)] user [MYDOMAIN]\[mydomainuser] at [mar., 11 juin
>> 2019
>> 10:21:42.000927 -03] with [NTLMv2] status [NT_STATUS_OK] workstation
>> [CANONDCE0BD]
>
> CANONDCE0BD -> isn't that a copier doing scan2folder?
>
> If it is the case, please know that most of copier cannot do Kerberos
> auth properly. Actually you can already be happy if they to proper
> NTLM auth... If the copier is actually configured to do Kerberos
> (which it isn't the case usually), then check the NTP config, check
> that you are not using IP address but FQDN DNS name, and check that
> DNS configuration is right.
>
> Cheers,
>
> Denis
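
The check that resolved this thread (which workstation is behind the NTLMv2 logons), as an added example that is not part of the original posts: a small parser for the `Auth:` line format quoted above that groups NTLM logons by workstation, user, mechanism and status. The first sample line is the one from the thread; the other lines, the host name `OLDPC01`, the user `otheruser` and the function name `ntlm_clients` are constructed for illustration.

```python
import re
from collections import defaultdict

# Field layout taken from the "Auth:" line quoted in the thread.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<detail>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] "
    r"with \[(?P<mech>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\]"
)

def ntlm_clients(lines):
    """Map workstation -> {(user, mechanism, status): count} for NTLM logons."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = AUTH_RE.search(line)  # search(): real lines may carry extra fields
        if not m or not m["mech"].upper().startswith("NTLM"):
            continue              # unrelated log text or a non-NTLM mechanism
        account = f'{m["domain"]}\\{m["user"]}'
        seen[m["workstation"]][(account, m["mech"], m["status"])] += 1
    return {ws: dict(counts) for ws, counts in seen.items()}

# Constructed sample input: line 1 is from the thread, the rest are made up.
SAMPLE = [
    r"Auth: [SMB2,(null)] user [MYDOMAIN]\[mydomainuser] at [mar., 11 juin 2019 "
    r"10:21:42.000927 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [CANONDCE0BD]",
    r"Auth: [SMB2,(null)] user [MYDOMAIN]\[mydomainuser] at [mar., 11 juin 2019 "
    r"10:25:03.000112 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [CANONDCE0BD]",
    r"Auth: [SMB2,(null)] user [MYDOMAIN]\[otheruser] at [mar., 11 juin 2019 "
    r"10:30:00.000000 -03] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [OLDPC01]",
    "smbd version 4.8.1 started.",
]

if __name__ == "__main__":
    for ws, counts in sorted(ntlm_clients(SAMPLE).items()):
        for (account, mech, status), n in sorted(counts.items()):
            print(f"{ws:<15} {account:<25} {mech:<7} {status:<26} x{n}")
```

A workstation name that appears here and belongs to a printer or scanner points to a client limitation rather than a server misconfiguration, which is what the thread concluded for CANONDCE0BD.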