samba - Feb 2020 - NT_STATUS_ACCESS_DENIED when issuing smbclient -k

Hi,

I migrated our OLD system to a NEW Debian 10
I can verify that ldap and kerberos are working but i am having issue with samba
which is also configured for kerberos
?
NEW - Debian Buster with samba 4.9.5
OLD - Debian Wheezy with Samba 3.6.6 

root at sample:~# kinit abcd
Password for abcd at TEST.DE: 
root at sample:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: abcd at TEST.DE

Valid starting Expires Service principal
02/24/2020 11:00:47 02/24/2020 21:00:47 krbtgt/test.de at TEST.DE
?renew until 03/02/2020 11:00:47

root at sample:~# smbclient -k -L //sample.test.de/ -d 2
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface enp0s3 ip=10.0.2.15 bcast=10.0.2.255 netmask=255.255.255.0
session setup failed: NT_STATUS_ACCESS_DENIED

root at sample:~# smbclient -L localhost -Uabcd
Enter TEST.DE\abcd's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

root at sample:~# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------

?2 07/17/2013 07:22:50 cifs/sample at TEST.DE (arcfour-hmac) 
?2 07/17/2013 07:22:21 cifs/sample.test.de at TEST.DE (arcfour-hmac) 

root at sample:~# kvno cifs/sample at TEST.DE
cifs/sample at TEST.DE: kvno = 2


here is my smb.conf

[global]

?? ?workgroup = test.de
?? ?security = user
?? ?realm = TEST.DE
?? ?kerberos method = system keytab
?? ?domain logons = yes
?? ?logon path = \\%N\%U\windowsprofile
?? ?logon drive = H:
?? ?logon home = \\%N\%U
?? ?wins support = no
?? ?logon script = logon.cmd
?? ?add machine script = /usr/sbin/useradd -g machines -c "%u machine
account" -d /var/lib/samba -s /bin/false %u

? ?? ?log file = /var/log/samba/log.%m

?? ?max log size = 1000

On 24/02/2020 14:56, Marlon Franco via samba wrote:
> Hi,
>
> I migrated our OLD system to a NEW Debian 10
> I can verify that ldap and kerberos are working but i am having issue with
samba which is also configured for kerberos
>   
> NEW - Debian Buster with samba 4.9.5
> OLD - Debian Wheezy with Samba 3.6.6
>
> root at sample:~# kinit abcd
> Password for abcd at TEST.DE:
> root at sample:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: abcd at TEST.DE
>
> Valid starting Expires Service principal
> 02/24/2020 11:00:47 02/24/2020 21:00:47 krbtgt/test.de at TEST.DE
>  ?renew until 03/02/2020 11:00:47
>
> root at sample:~# smbclient -k -L //sample.test.de/ -d 2
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> added interface enp0s3 ip=10.0.2.15 bcast=10.0.2.255 netmask=255.255.255.0
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> root at sample:~# smbclient -L localhost -Uabcd
> Enter TEST.DE\abcd's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> root at sample:~# klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- -------------------
------------------------------------------------------
>
>  ?2 07/17/2013 07:22:50 cifs/sample at TEST.DE (arcfour-hmac)
>  ?2 07/17/2013 07:22:21 cifs/sample.test.de at TEST.DE (arcfour-hmac)
>
> root at sample:~# kvno cifs/sample at TEST.DE
> cifs/sample at TEST.DE: kvno = 2
>
>
> here is my smb.conf
>
> [global]
>
>  ?? ?workgroup = test.de
>  ?? ?security = user
>  ?? ?realm = TEST.DE
>  ?? ?kerberos method = system keytab
>  ?? ?domain logons = yes
>  ?? ?logon path = \\%N\%U\windowsprofile
>  ?? ?logon drive = H:
>  ?? ?logon home = \\%N\%U
>  ?? ?wins support = no
>  ?? ?logon script = logon.cmd
>  ?? ?add machine script = /usr/sbin/useradd -g machines -c "%u machine
account" -d /var/lib/samba -s /bin/false %u
>
>  ? ?? ?log file = /var/log/samba/log.%m
>
>  ?? ?max log size = 1000
>
Why are you using kerberos with an NT4-style PDC ?

You would need to use 'security = ads' (which would make it a Unix 
domain member)

try reading this: 
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I cannot recommend continuing using an NT4-style domain, they depend on 
SMBv1 and this will be removed.

It may just be easier to set up a new Samba AD domain, this will also 
allow you to fix some of the problems the old style domains allowed (low 
IDs for one).

Rowland

Hi Rowland,
Can we at least make it work in a new server, i need to virtualize this first
before i moved to Samba AD domain, this conf came from the debian wheezy which
has a samba 3.6.6 i'm trying to replicate the OLD server exactly as much as
possible because i might break something.
I tried to changed the security = ads and kerberos method = secrets and keytab
but still could not work
when i do smbclient -k -L //sample.test.de/ -d 2session setup failed:
NT_STATUS_ACCESS_DENIED
or you saying it is not possible unless i moved to samba ad?
Thanks!    On Monday, February 24, 2020, 04:31:01 PM GMT+1, Rowland penny via
samba <samba at lists.samba.org> wrote:
 
 On 24/02/2020 14:56, Marlon Franco via samba wrote:
> Hi,
>
> I migrated our OLD system to a NEW Debian 10
> I can verify that ldap and kerberos are working but i am having issue with
samba which is also configured for kerberos
>? 
> NEW - Debian Buster with samba 4.9.5
> OLD - Debian Wheezy with Samba 3.6.6
>
> root at sample:~# kinit abcd
> Password for abcd at TEST.DE:
> root at sample:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: abcd at TEST.DE
>
> Valid starting Expires Service principal
> 02/24/2020 11:00:47 02/24/2020 21:00:47 krbtgt/test.de at TEST.DE
>? ?renew until 03/02/2020 11:00:47
>
> root at sample:~# smbclient -k -L //sample.test.de/ -d 2
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> added interface enp0s3 ip=10.0.2.15 bcast=10.0.2.255 netmask=255.255.255.0
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> root at sample:~# smbclient -L localhost -Uabcd
> Enter TEST.DE\abcd's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> root at sample:~# klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- -------------------
------------------------------------------------------
>
>? ?2 07/17/2013 07:22:50 cifs/sample at TEST.DE (arcfour-hmac)
>? ?2 07/17/2013 07:22:21 cifs/sample.test.de at TEST.DE (arcfour-hmac)
>
> root at sample:~# kvno cifs/sample at TEST.DE
> cifs/sample at TEST.DE: kvno = 2
>
>
> here is my smb.conf
>
> [global]
>
>? ?? ?workgroup = test.de
>? ?? ?security = user
>? ?? ?realm = TEST.DE
>? ?? ?kerberos method = system keytab
>? ?? ?domain logons = yes
>? ?? ?logon path = \\%N\%U\windowsprofile
>? ?? ?logon drive = H:
>? ?? ?logon home = \\%N\%U
>? ?? ?wins support = no
>? ?? ?logon script = logon.cmd
>? ?? ?add machine script = /usr/sbin/useradd -g machines -c "%u machine
account" -d /var/lib/samba -s /bin/false %u
>
>? ? ?? ?log file = /var/log/samba/log.%m
>
>? ?? ?max log size = 1000
>
Why are you using kerberos with an NT4-style PDC ?

You would need to use 'security = ads' (which would make it a Unix 
domain member)

try reading this: 
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I cannot recommend continuing using an NT4-style domain, they depend on 
SMBv1 and this will be removed.

It may just be easier to set up a new Samba AD domain, this will also 
allow you to fix some of the problems the old style domains allowed (low 
IDs for one).

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:? https://lists.samba.org/mailman/options/samba