samba - Feb 2020 - NT_STATUS_ACCESS_DENIED when issuing smbclient -k

Hi Rowland,
Can we at least make it work in a new server, i need to virtualize this first
before i moved to Samba AD domain, this conf came from the debian wheezy which
has a samba 3.6.6 i'm trying to replicate the OLD server exactly as much as
possible because i might break something.
I tried to changed the security = ads and kerberos method = secrets and keytab
but still could not work
when i do smbclient -k -L //sample.test.de/ -d 2session setup failed:
NT_STATUS_ACCESS_DENIED
or you saying it is not possible unless i moved to samba ad?
Thanks!    On Monday, February 24, 2020, 04:31:01 PM GMT+1, Rowland penny via
samba <samba at lists.samba.org> wrote:
 
 On 24/02/2020 14:56, Marlon Franco via samba wrote:
> Hi,
>
> I migrated our OLD system to a NEW Debian 10
> I can verify that ldap and kerberos are working but i am having issue with
samba which is also configured for kerberos
>? 
> NEW - Debian Buster with samba 4.9.5
> OLD - Debian Wheezy with Samba 3.6.6
>
> root at sample:~# kinit abcd
> Password for abcd at TEST.DE:
> root at sample:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: abcd at TEST.DE
>
> Valid starting Expires Service principal
> 02/24/2020 11:00:47 02/24/2020 21:00:47 krbtgt/test.de at TEST.DE
>? ?renew until 03/02/2020 11:00:47
>
> root at sample:~# smbclient -k -L //sample.test.de/ -d 2
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> added interface enp0s3 ip=10.0.2.15 bcast=10.0.2.255 netmask=255.255.255.0
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> root at sample:~# smbclient -L localhost -Uabcd
> Enter TEST.DE\abcd's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> root at sample:~# klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- -------------------
------------------------------------------------------
>
>? ?2 07/17/2013 07:22:50 cifs/sample at TEST.DE (arcfour-hmac)
>? ?2 07/17/2013 07:22:21 cifs/sample.test.de at TEST.DE (arcfour-hmac)
>
> root at sample:~# kvno cifs/sample at TEST.DE
> cifs/sample at TEST.DE: kvno = 2
>
>
> here is my smb.conf
>
> [global]
>
>? ?? ?workgroup = test.de
>? ?? ?security = user
>? ?? ?realm = TEST.DE
>? ?? ?kerberos method = system keytab
>? ?? ?domain logons = yes
>? ?? ?logon path = \\%N\%U\windowsprofile
>? ?? ?logon drive = H:
>? ?? ?logon home = \\%N\%U
>? ?? ?wins support = no
>? ?? ?logon script = logon.cmd
>? ?? ?add machine script = /usr/sbin/useradd -g machines -c "%u machine
account" -d /var/lib/samba -s /bin/false %u
>
>? ? ?? ?log file = /var/log/samba/log.%m
>
>? ?? ?max log size = 1000
>
Why are you using kerberos with an NT4-style PDC ?

You would need to use 'security = ads' (which would make it a Unix 
domain member)

try reading this: 
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I cannot recommend continuing using an NT4-style domain, they depend on 
SMBv1 and this will be removed.

It may just be easier to set up a new Samba AD domain, this will also 
allow you to fix some of the problems the old style domains allowed (low 
IDs for one).

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:? https://lists.samba.org/mailman/options/samba

On 24/02/2020 19:00, Marlon Franco wrote:
> Hi Rowland,
>
> Can we at least make it work in a new server, i need to virtualize 
> this first before i moved to Samba AD domain, this conf came from the 
> debian wheezy which has a samba 3.6.6 i'm trying to replicate the OLD 
> server exactly as much as possible because i might break something.
>
> I tried to changed the security = ads and kerberos method = secrets 
> and keytab but still could not work
>
> when i do smbclient -k -L //sample.test.de/ -d 2
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> or you saying it is not possible unless i moved to samba ad?
>
It wasn't very common to use kerberos with a PDC, so I am unsure if it 
will work now. However, it could be fallout from the various changes 
since 3.6.x, such 'ntlm auth' now defaulting to NTLMv2.

Try setting these options in smb.conf:

ntlm auth = yes

server max protocol = NT1

Rowland

Hi Rowland,
I tried to set that option but still same result.
I recreated the setup in old debian wheezy 7.11 and it's working.
set the log level = 10
'abcd' is the user account

then i noticed this in /var/log/samba/log.10.0.2.15 = the ip of the samba
server, i am issuing the smbclient in the samba server itself.

Unix User found. Rid marked as special and sid (S-1-22-1-12658) saved as extra
sid
[2020/02/24 21:13:21.436397,? 1, pid=5914, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/server_info.c:484(SamInfo3_handl
e_sids)
? The primary group domain sid(S-1-5-21-2449491038-845518472-943770720-512) does
not match the domain sid(S-1-5-21-3914098627-448258
429-2114528033) for abcd(S-1-22-1-12658)
[2020/02/24 21:13:21.436416,? 1, pid=5914, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_krb5.c:254(make_session_inf
o_krb5)
? make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2020/02/24 21:13:21.436435,? 1, pid=5914, effective(0, 0), real(0, 0)]
../source3/auth/auth_generic.c:174(auth3_generate_session_in
fo_pac)
? Failed to map kerberos pac to server info (NT_STATUS_INVALID_SID)
[2020/02/24 21:13:21.436477,? 3, pid=5914, effective(0, 0), real(0, 0),
class=smb2] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED]


Thanks!

    On Monday, February 24, 2020, 8:37:07 PM GMT+1, Rowland penny via samba
<samba at lists.samba.org> wrote:
 
 On 24/02/2020 19:00, Marlon Franco wrote:
> Hi Rowland,
>
> Can we at least make it work in a new server, i need to virtualize 
> this first before i moved to Samba AD domain, this conf came from the 
> debian wheezy which has a samba 3.6.6 i'm trying to replicate the OLD 
> server exactly as much as possible because i might break something.
>
> I tried to changed the security = ads and kerberos method = secrets 
> and keytab but still could not work
>
> when i do smbclient -k -L //sample.test.de/ -d 2
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> or you saying it is not possible unless i moved to samba ad?
>
It wasn't very common to use kerberos with a PDC, so I am unsure if it 
will work now. However, it could be fallout from the various changes 
since 3.6.x, such 'ntlm auth' now defaulting to NTLMv2.

Try setting these options in smb.conf:

ntlm auth = yes

server max protocol = NT1

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:? https://lists.samba.org/mailman/options/samba