Marlon Franco
2020-Feb-24 14:56 UTC
[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
Hi,

I migrated our OLD system to a NEW Debian 10. I can verify that LDAP and Kerberos are working, but I am having an issue with Samba, which is also configured for Kerberos.

NEW - Debian Buster with samba 4.9.5
OLD - Debian Wheezy with Samba 3.6.6

root@sample:~# kinit abcd
Password for abcd@TEST.DE:
root@sample:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: abcd@TEST.DE

Valid starting       Expires              Service principal
02/24/2020 11:00:47  02/24/2020 21:00:47  krbtgt/test.de@TEST.DE
        renew until 03/02/2020 11:00:47

root@sample:~# smbclient -k -L //sample.test.de/ -d 2
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface enp0s3 ip=10.0.2.15 bcast=10.0.2.255 netmask=255.255.255.0
session setup failed: NT_STATUS_ACCESS_DENIED

root@sample:~# smbclient -L localhost -Uabcd
Enter TEST.DE\abcd's password:
session setup failed: NT_STATUS_LOGON_FAILURE

root@sample:~# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/17/2013 07:22:50 cifs/sample@TEST.DE (arcfour-hmac)
   2 07/17/2013 07:22:21 cifs/sample.test.de@TEST.DE (arcfour-hmac)

root@sample:~# kvno cifs/sample@TEST.DE
cifs/sample@TEST.DE: kvno = 2

Here is my smb.conf:

[global]
    workgroup = test.de
    security = user
    realm = TEST.DE
    kerberos method = system keytab
    domain logons = yes
    logon path = \\%N\%U\windowsprofile
    logon drive = H:
    logon home = \\%N\%U
    wins support = no
    logon script = logon.cmd
    add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

    log file = /var/log/samba/log.%m
    max log size = 1000
Rowland penny
2020-Feb-24 15:30 UTC
[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
Why are you using kerberos with an NT4-style PDC? You would need to use 'security = ads' (which would make it a Unix domain member). Try reading this:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I cannot recommend continuing using an NT4-style domain; they depend on SMBv1 and this will be removed.

It may just be easier to set up a new Samba AD domain; this will also allow you to fix some of the problems the old style domains allowed (low IDs for one).

Rowland
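The mismatch raised in the reply above can be checked mechanically. This is an added example, not part of the original posts and not Samba tooling: a small Python check over the [global] parameters posted in the thread, where the function names and finding texts are hypothetical.

```python
import re

# Constructed sample: parameters copied from the [global] section in the thread.
SAMPLE = r"""
[global]
    workgroup = test.de
    security = user
    realm = TEST.DE
    kerberos method = system keytab
    domain logons = yes
"""

def parse_global(text):
    """Parse [global]; names are normalised (case and spaces are ignored)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip().lower()
    return params

def audit(text):
    """Return findings (hypothetical wording) for the mismatch in the thread."""
    p = parse_global(text)
    findings = []
    kerberos = p.get("kerberosmethod", "default")
    # Per the reply: Kerberos use needs 'security = ads'.
    if kerberos != "default" and p.get("security") != "ads":
        findings.append("kerberos method set without security = ads")
    # Per the reply: NT4-style domains depend on SMBv1.
    if p.get("domainlogons") in ("yes", "true", "on", "1"):
        findings.append("NT4-style PDC (domain logons); depends on SMBv1")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```

On a live host, `testparm -s` prints the effective configuration and is the better input for such a check than the raw file.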
Marlon Franco
2020-Feb-24 19:00 UTC
[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
Hi Rowland,

Can we at least make it work on a new server? I need to virtualize this first before I move to a Samba AD domain. This conf came from the Debian Wheezy, which has Samba 3.6.6. I'm trying to replicate the OLD server as exactly as possible because I might break something.

I tried changing to security = ads and kerberos method = secrets and keytab, but it still does not work when I do:

smbclient -k -L //sample.test.de/ -d 2
session setup failed: NT_STATUS_ACCESS_DENIED

Or are you saying it is not possible unless I move to Samba AD?

Thanks!