Hi,

I set up Samba 4 on Debian 9.9 as a domain member server, but authentication is not working, as follows:

root@srv-proxy:/etc/samba# wbinfo -a marcio@EMPRESA.COM.BR
Enter marcio@EMPRESA.COM.BR's password:
plaintext password authentication succeeded
Enter marcio@EMPRESA.COM.BR's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(+marcio@EMPRESA.COM.BR): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user marcio@EMPRESA.COM.BR with challenge/response

My password is correct!

#############################################
My DCs are:
Primary: Samba 4 DC (Debian 9.9)
Secondary: Windows Server 2008

My configuration files follow:

SMB.CONF

[global]
netbios name = SRV-PROXY
workgroup = EMPRESA
security = ADS
realm = EMPRESA.COM.BR
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 100000-999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

##############################################

NSSWITCH.CONF

root@srv-proxy:/etc/samba# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
########################################################################

root@srv-proxy:/etc# net ads join -Uadministrator
Enter marcio's password:
Using short domain name -- EMPRESA
Joined 'SRV-PROXY' to dns domain 'empresa.com.br'

root@srv-proxy:/etc# net ads testjoin
Join is OK

root@srv-proxy:/etc/samba# kinit marcio
Password for marcio@EMPRESA.COM.BR:
root@srv-proxy:/etc/samba# klist -l
Principal name                 Cache name
--------------                 ----------
marcio@EMPRESA.COM.BR          FILE:/tmp/krb5cc_0

#####################################################################

The wbinfo -g and wbinfo -u commands are working properly.

Could anybody help me?

Regards,

Márcio Bacci
On 04/08/2019 23:18, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I set up Samba 4 on Debian 9.9 as a domain member server, but
> authentication is not working as follows:
>
> root@srv-proxy:/etc/samba# wbinfo -a marcio@EMPRESA.COM.BR
> Enter marcio@EMPRESA.COM.BR's password:
> plaintext password authentication succeeded
> Enter marcio@EMPRESA.COM.BR's password:
> challenge/response password authentication failed
> wbcAuthenticateUserEx(+marcio@EMPRESA.COM.BR): error code was
> NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error message was: Wrong Password
> Could not authenticate user marcio@EMPRESA.COM.BR with challenge/response
>
> My password is correct!
[...]
> idmap config *:backend = tdb
> idmap config *:range = 3000-7999
> idmap config EMPRESA:backend = ad
> idmap config EMPRESA:schema_mode = rfc2307
> idmap config EMPRESA:range = 100000-999999
[...]
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat winbind
[...]

Remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf

Have you given your users a uidNumber attribute containing a unique number inside the range '100000-999999'?

Have you also given 'Domain Users' a gidNumber attribute containing a number inside the same range?

Rowland
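Rowland's two questions (a uidNumber for every user and a gidNumber for 'Domain Users', both inside the EMPRESA idmap range) can be turned into a mechanical check. The script below is an added example written for this thread; it is not from the thread's participants and not part of Samba. It parses the `idmap config ...:range` lines from an smb.conf fragment, refuses an overlapping default `*` range, and checks a set of records against the domain range. The record format ("kind number name"), the sample records and the names in them are assumptions; on a real member server the numbers would be the uidNumber/gidNumber attributes read from AD.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own tooling): check an
# "idmap config DOMAIN:backend = ad" setup the way Rowland's questions imply.
# With the ad backend winbind does not invent IDs: every user needs a
# uidNumber and 'Domain Users' needs a gidNumber, both inside
# "idmap config DOMAIN:range", and the default '*' range must not overlap it.
# All inputs below are constructed sample data so the script runs offline.

# Constructed smb.conf fragment mirroring the ranges used in the thread.
SMB_CONF_SAMPLE='[global]
   workgroup = EMPRESA
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config EMPRESA:backend = ad
   idmap config EMPRESA:range = 100000-999999
'

# Constructed records "kind number name" standing in for the uidNumber /
# gidNumber attributes read from AD ("-" means the attribute is missing).
# Hypothetical names; on a real server they would come from an LDAP query.
AD_SAMPLE='user 100001 marcio
user 100002 alice
user - bob
group 100000 Domain Users
group 7000 proxy admins
'

# A clean set for comparison (constructed).
AD_CLEAN='user 100001 marcio
group 100000 Domain Users
'

# idmap_range CONF DOMAIN -> prints "LOW HIGH" for "idmap config DOMAIN:range".
# Exact key comparison, so DOMAIN='*' needs no regex escaping.
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" -F'=' '{
        key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == "idmap config " dom ":range") {
            v = $2; gsub(/[ \t]/, "", v); split(v, r, "-")
            print r[1], r[2]; exit
        }
    }'
}

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2 -> true (0) when the ranges overlap.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_idmap CONF DOMAIN RECORDS -> prints one line per problem found and
# returns 0 only when the configuration and the records are clean.
check_idmap() {
    conf=$1; dom=$2; records=$3; problems=0
    rng=$(idmap_range "$conf" "$dom")
    if [ -z "$rng" ]; then
        echo "no 'idmap config $dom:range' in smb.conf"
        return 1
    fi
    dlow=${rng% *}; dhigh=${rng#* }

    def=$(idmap_range "$conf" '*')
    if [ -n "$def" ] && ranges_overlap ${def% *} ${def#* } "$dlow" "$dhigh"; then
        echo "default '*' range $def overlaps $dom range $rng"
        problems=$((problems + 1))
    fi

    # Heredoc rather than a pipe so the counter survives the loop in POSIX sh.
    while read -r kind num name; do
        [ -z "$kind" ] && continue
        if [ "$num" = "-" ]; then
            echo "$kind '$name' has no uidNumber/gidNumber; winbind cannot map it"
            problems=$((problems + 1))
        elif [ "$num" -lt "$dlow" ] || [ "$num" -gt "$dhigh" ]; then
            echo "$kind '$name' has id $num outside $dom range $dlow-$dhigh"
            problems=$((problems + 1))
        fi
    done <<EOF
$records
EOF
    [ "$problems" -eq 0 ]
}

# Usage: reports the two problems in the sample (bob without a uidNumber,
# 'proxy admins' with a gidNumber outside the EMPRESA range).
check_idmap "$SMB_CONF_SAMPLE" EMPRESA "$AD_SAMPLE" || echo "idmap check: problems found"
```

The check deliberately treats a missing attribute and an out-of-range attribute as separate findings, because they are fixed differently: the first needs the attribute added in AD, the second needs either the attribute or the `idmap config EMPRESA:range` line changed so they agree.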
Hai,

I think this is an old bug... (pretty sure about it)
And I suggest not to change anything except smb.conf.

You're trying to use the Kerberos username:
wbinfo -a marcio@EMPRESA.COM.BR
Enter marcio@EMPRESA.COM.BR's password:

And you are using:
winbind use default domain = yes

This is an old bug somewhere in 4.5/4.6, I believe.

Only change these; "yes" only slows down your server.
winbind enum users = no
winbind enum groups = no

And then try this:
wbinfo -a marcio

I'll bet that works.

If you're setting up a squid proxy (I'm guessing, based on your server hostname) with SSO and squid Kerberos auth on Debian Buster, here is my new setting/setup for it. Use this; I find it the easiest way to set up squid + Kerberos SSO auth and winbind.

Minimal to install: winbind squid krb5-user

You need SSO logins (ssh). Enable in /etc/ssh/sshd_config (minimal):
# GSSAPI options
GSSAPIAuthentication yes
#(optional)
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes

(Kerberos auth in squid)
kinit Administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)
chmod 640 krb5-squid-HTTP-$(hostname -s).keytab
chown root:proxy krb5-squid-HTTP-$(hostname -s).keytab

And use this for the squid authentication.

### Negotiate (Kerberos and NTLM) authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
  --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP-CHANGE_To_HOSTNAME-S_HERE.keytab \
  -s HTTP/HTTP-CHANGE_TO_HOSTNAME-S_HERE@REALM \
  --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM-HERE
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on

### Pure NTLM authentication
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM-HERE
# Optional add : --allow-mschapv2
#auth_param ntlm children 10
#auth_param ntlm keep_alive on

# Basic LDAP authentication
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 -b "dc=your,dc=ldap,dc=domain" \
  -D a_service_account_for_ldap_searches@dnsdomain.tld -W /etc/squid/private/ldap-bind \
  -f sAMAccountName=%s \
  -H ldaps://dc2.dnsdomain.tld -H ldaps://dc1.dnsdomain.tld
auth_param basic children 5 startup=1 idle=1
auth_param basic children 10
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 1 hours
authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED

Greetz,

Louis
On 05/08/2019 08:24, L.P.H. van Belle via samba wrote:
> Hai,
>
> I think this is an old bug... (pretty sure about it)
> And I suggest not to change anything except smb.conf.
>
> You're trying to use the Kerberos username:
> wbinfo -a marcio@EMPRESA.COM.BR
> Enter marcio@EMPRESA.COM.BR's password:
>
> And you are using:
> winbind use default domain = yes
> This is an old bug somewhere in 4.5/4.6, I believe.
>
> Only change these; "yes" only slows down your server.
> winbind enum users = no
> winbind enum groups = no
>
> And then try this:
> wbinfo -a marcio
>
> I'll bet that works.
>

How much are you prepared to bet ;-)

This has never worked for me, but everything else seems to work, so I ignore it:

rowland@devstation:~$ wbinfo -a rowland
Enter rowland's password:
plaintext password authentication succeeded
Enter rowland's password:
challenge/response password authentication failed
Could not authenticate user rowland with challenge/response
rowland@devstation:~$ wbinfo -a rowland
Enter rowland's password:
plaintext password authentication succeeded
Enter rowland's password:
challenge/response password authentication failed
Could not authenticate user rowland with challenge/response
rowland@devstation:~$ wbinfo -a SAMDOM\\rowland
Enter SAMDOM\rowland's password:
plaintext password authentication succeeded
Enter SAMDOM\rowland's password:
challenge/response password authentication failed
Could not authenticate user SAMDOM\rowland with challenge/response
rowland@devstation:~$ kinit rowland
Password for rowland@SAMDOM.EXAMPLE.COM:
rowland@devstation:~$ wbinfo -a rowland
Enter rowland's password:
plaintext password authentication succeeded
Enter rowland's password:
challenge/response password authentication failed
Could not authenticate user rowland with challenge/response
rowland@devstation:~$ wbinfo -a rowland@SAMDOM.EXAMPLE.COM
Enter rowland@SAMDOM.EXAMPLE.COM's password:
plaintext password authentication succeeded
Enter rowland@SAMDOM.EXAMPLE.COM's password:
challenge/response password authentication failed
Could not authenticate user rowland@SAMDOM.EXAMPLE.COM with challenge/response

I am still going with the old favourite 'there are no uidNumber or gidNumbers in AD'; this is usually the problem. For some reason people think these magically appear in AD ;-)

Rowland
> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Rowland penny via samba
> Sent: Monday, 5 August 2019 9:59
> To: samba@lists.samba.org
> Subject: Re: [Samba] problems with authentication
>
> On 05/08/2019 08:24, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > I think this is an old bug... (pretty sure about it)
> > And I suggest not to change anything except smb.conf.
> >
> > You're trying to use the Kerberos username:
> > wbinfo -a marcio@EMPRESA.COM.BR
> > Enter marcio@EMPRESA.COM.BR's password:
> >
> > And you are using:
> > winbind use default domain = yes
> > This is an old bug somewhere in 4.5/4.6, I believe.
> >
> > Only change these; "yes" only slows down your server.
> > winbind enum users = no
> > winbind enum groups = no
> >
> > And then try this:
> > wbinfo -a marcio
> >
> > I'll bet that works.
> >
> How much are you prepared to bet ;-)

ALL IN.. ;-)

root@rtd-gw2:~# wbinfo -a username
Enter username's password:
plaintext password authentication succeeded
Enter username's password:
challenge/response password authentication succeeded
root@rtd-gw2:~# wbinfo -a BAZRTD\\username
Enter BAZRTD\username's password:
plaintext password authentication succeeded
Enter BAZRTD\username's password:
challenge/response password authentication succeeded
root@rtd-gw2:~# wbinfo -a username@rotterdam.bazuin.nl
Enter username@rotterdam.bazuin.nl's password:
plaintext password authentication succeeded
Enter username@rotterdam.bazuin.nl's password:
challenge/response password authentication succeeded

Server Debian Buster, samba 4.10.6 (my new proxy) ;-)

Greetz,

Louis

> This has never worked for me, but everything else seems to work, so I
> ignore it:
[...]
> I am still going with the old favourite 'there are no uidNumber or
> gidNumbers in AD', this is usually the problem. For some reason people
> think these magically appear in AD ;-)
>
> Rowland
Hi,

I have updated Samba 4.5.16 to version 4.10.6 and it is now working.

> Remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf

OK.

> Have you given your users a uidNumber attribute containing a unique
> number inside the range '100000-999999'?

Is this done through the Unix attributes in RSAT, and for each user?

> Have you also given 'Domain Users' a gidNumber attribute containing a
> number inside the same range?

Is this done for each custom group and for the "Domain Users" default group too?

Will these changes affect user permissions on the Windows Server 2008 file server too?

Regards,

Márcio Bacci

On Mon, 5 Aug 2019 at 04:00, Rowland penny via samba <samba@lists.samba.org> wrote:
> On 04/08/2019 23:18, Marcio Demetrio Bacci via samba wrote:
[...]