Marlon Franco
2020-Feb-24 19:00 UTC
[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
Hi Rowland,

Can we at least make it work in a new server, I need to virtualize this first before I move to Samba AD domain, this conf came from the debian wheezy which has a samba 3.6.6. I'm trying to replicate the OLD server as exactly as possible because I might break something.

I tried to change the security = ads and kerberos method = secrets and keytab but it still could not work

when I do smbclient -k -L //sample.test.de/ -d 2
session setup failed: NT_STATUS_ACCESS_DENIED

or are you saying it is not possible unless I move to samba ad?

Thanks!

On Monday, February 24, 2020, 04:31:01 PM GMT+1, Rowland penny via samba <samba at lists.samba.org> wrote:

On 24/02/2020 14:56, Marlon Franco via samba wrote:
> Hi,
>
> I migrated our OLD system to a NEW Debian 10
> I can verify that ldap and kerberos are working but I am having an issue with samba which is also configured for kerberos
>
> NEW - Debian Buster with samba 4.9.5
> OLD - Debian Wheezy with Samba 3.6.6
>
> root@sample:~# kinit abcd
> Password for abcd@TEST.DE:
> root@sample:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: abcd@TEST.DE
>
> Valid starting       Expires              Service principal
> 02/24/2020 11:00:47  02/24/2020 21:00:47  krbtgt/test.de@TEST.DE
>         renew until 03/02/2020 11:00:47
>
> root@sample:~# smbclient -k -L //sample.test.de/ -d 2
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> added interface enp0s3 ip=10.0.2.15 bcast=10.0.2.255 netmask=255.255.255.0
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> root@sample:~# smbclient -L localhost -Uabcd
> Enter TEST.DE\abcd's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> root@sample:~# klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>
>    2 07/17/2013 07:22:50 cifs/sample@TEST.DE (arcfour-hmac)
>    2 07/17/2013 07:22:21 cifs/sample.test.de@TEST.DE (arcfour-hmac)
>
> root@sample:~# kvno cifs/sample@TEST.DE
> cifs/sample@TEST.DE: kvno = 2
>
>
> here is my smb.conf
>
> [global]
>
>     workgroup = test.de
>     security = user
>     realm = TEST.DE
>     kerberos method = system keytab
>     domain logons = yes
>     logon path = \\%N\%U\windowsprofile
>     logon drive = H:
>     logon home = \\%N\%U
>     wins support = no
>     logon script = logon.cmd
>     add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
>
>     log file = /var/log/samba/log.%m
>
>     max log size = 1000
>

Why are you using kerberos with an NT4-style PDC? You would need to use 'security = ads' (which would make it a Unix domain member)

try reading this:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I cannot recommend continuing using an NT4-style domain, they depend on SMBv1 and this will be removed.

It may just be easier to set up a new Samba AD domain, this will also allow you to fix some of the problems the old style domains allowed (low IDs for one).

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2020-Feb-24 19:36 UTC
[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
On 24/02/2020 19:00, Marlon Franco wrote:
> Hi Rowland,
>
> Can we at least make it work in a new server, i need to virtualize
> this first before i moved to Samba AD domain, this conf came from the
> debian wheezy which has a samba 3.6.6 i'm trying to replicate the OLD
> server exactly as much as possible because i might break something.
>
> I tried to changed the security = ads and kerberos method = secrets
> and keytab but still could not work
>
> when i do smbclient -k -L //sample.test.de/ -d 2
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> or you saying it is not possible unless i moved to samba ad?
>

It wasn't very common to use kerberos with a PDC, so I am unsure if it will work now. However, it could be fallout from the various changes since 3.6.x, such as 'ntlm auth' now defaulting to NTLMv2.

Try setting these options in smb.conf:

ntlm auth = yes
server max protocol = NT1

Rowland
Marlon Franco
2020-Feb-26 08:19 UTC
[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
Hi Rowland,

I tried to set that option but still same result.
I recreated the setup in old debian wheezy 7.11 and it's working.

set the log level = 10
'abcd' is the user account

then I noticed this in /var/log/samba/log.10.0.2.15 = the ip of the samba server, I am issuing the smbclient in the samba server itself.

Unix User found. Rid marked as special and sid (S-1-22-1-12658) saved as extra sid
[2020/02/24 21:13:21.436397,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:484(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-2449491038-845518472-943770720-512) does not match the domain sid(S-1-5-21-3914098627-448258429-2114528033) for abcd(S-1-22-1-12658)
[2020/02/24 21:13:21.436416,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:254(make_session_info_krb5)
  make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2020/02/24 21:13:21.436435,  1, pid=5914, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_INVALID_SID)
[2020/02/24 21:13:21.436477,  3, pid=5914, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]

Thanks!

On Monday, February 24, 2020, 8:37:07 PM GMT+1, Rowland penny via samba <samba at lists.samba.org> wrote:

On 24/02/2020 19:00, Marlon Franco wrote:
> Hi Rowland,
>
> Can we at least make it work in a new server, i need to virtualize
> this first before i moved to Samba AD domain, this conf came from the
> debian wheezy which has a samba 3.6.6 i'm trying to replicate the OLD
> server exactly as much as possible because i might break something.
>
> I tried to changed the security = ads and kerberos method = secrets
> and keytab but still could not work
>
> when i do smbclient -k -L //sample.test.de/ -d 2
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> or you saying it is not possible unless i moved to samba ad?
>

It wasn't very common to use kerberos with a PDC, so I am unsure if it will work now. However, it could be fallout from the various changes since 3.6.x, such as 'ntlm auth' now defaulting to NTLMv2.

Try setting these options in smb.conf:

ntlm auth = yes
server max protocol = NT1

Rowland
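
The log excerpt in the message above shows the client-visible NT_STATUS_ACCESS_DENIED following an NT_STATUS_INVALID_SID raised by a domain SID mismatch. As an added example (not part of the original thread, and not Samba's own code), the script below pulls that chain out of an smbd log per process; the function names and the embedded sample, constructed from the lines quoted in the thread, are assumptions of this example.

```python
import re

# Constructed sample in smbd's log format, modelled on the excerpt quoted in the thread.
SAMPLE_LOG = """\
[2020/02/24 21:13:21.436397,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:484(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-2449491038-845518472-943770720-512) does not match the domain sid(S-1-5-21-3914098627-448258429-2114528033) for abcd(S-1-22-1-12658)
[2020/02/24 21:13:21.436416,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:254(make_session_info_krb5)
  make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2020/02/24 21:13:21.436477,  3, pid=5914, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]
"""

HEADER = re.compile(r"^\[[^,]+,\s*\d+, pid=(?P<pid>\d+),.*?\] (?P<src>\S+)$")
MISMATCH = re.compile(
    r"primary group domain sid\((S-[\d-]+)\) does not match "
    r"the domain sid\((S-[\d-]+)\) for (\S+?)\((S-[\d-]+)\)")
STATUS = re.compile(r"NT_STATUS_[A-Z_]+")

def parse_records(text):
    """Return (pid, source_location, message) for each header + body record."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = [int(m["pid"]), m["src"], ""]
            records.append(current)
        elif current is not None:  # indented body line belongs to the last header
            current[2] = (current[2] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def explain_denials(text):
    """Per smbd pid: the SID mismatch (if any) and the NT_STATUS codes in log order."""
    report = {}
    for pid, _src, msg in parse_records(text):
        entry = report.setdefault(pid, {"mismatch": None, "statuses": []})
        m = MISMATCH.search(msg)
        if m:
            group_sid, domain_sid, user, user_sid = m.groups()
            entry["mismatch"] = {
                "user": user,
                "group_domain": group_sid.rsplit("-", 1)[0],  # SID minus its RID
                "server_domain": domain_sid,
                "unix_user_sid": user_sid.startswith("S-1-22-1-"),  # Samba's Unix User prefix
            }
        for status in STATUS.findall(msg):
            if status not in entry["statuses"]:
                entry["statuses"].append(status)
    return report
```
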