Markus Jansen
2020-Oct-14 14:07 UTC
[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.
On 14.10.20 at 08:31, Nico Kadel-Garcia via samba wrote:
> On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 13/10/2020 15:01, Markus Jansen via samba wrote:
>>> Thank you very much for your hints.
>>>
>>> I got rid of SSSD and managed to get a successful kerberos
>>> authentication via wbinfo -K and the UPN.
>>>
>>> But accessing via SMB (using MAC OS' smbutil or Finder) still fails with
>>> "FAILED with error NT_STATUS_NO_SUCH_USER".
>>>
>>> As I'm using CentOS 8, I used authselect to configure winbind
>>> integration to PAM (do I really need this for SMB?) and enabled
>>> "with-krb5" and "with-pamaccess" - features to let /etc/pam.d/-files be
>>> configured automatically.
>>>
>>> I'm really confused. What's missing?
>>>
>> Probably libpam-krb5 that Red-Hat has removed from RHEL8 and hence
>> Centos8, I had to compile the Centos7 package and install it before I
>> could get Centos8 to work correctly.
>>
>> BIG NOTE: this is just my opinion.
>>
>> I really do not think that red-hat wants you to use Samba with RHEL8, I
>> think they really want you to use sssd with freeipa instead. They have
>> removed openldap, smbldap-tools and libpam-krb5 that I am aware of,
>> there may be others.

Good hint. I switched to Debian Buster - same issue:

Interestingly, "id tim-upn" (the userPrincipalName) works and refers to the sAMAccountName:

"uid=3000(tim-sam) gid=3000(domain users) groups=3000(domain users),3001(storage-users),1000001(BUILTIN\users)"

"login tim-upn" works, "ssh tim-upn at localhost", too. Also: "smbclient -L //localhost -W ADTEST -U tim-sam%Qwertz12345" works, but "smbclient -L //localhost -W ADTEST -U tim-upn%Qwertz12345" doesn't.

Still confused.

> This matches my direct observations. Also sssd has many options for
> tuning that get *thrown out* with any security update of the software,
> they are flushed by any run of authconfig which is often built into
> related software updates. sssd is *not your friend* if you want any
> tuning of your LDAP or related behavior, and it insists on pre-caching
> all of your LDAP before completing the setup of sssd. So it starts up,
> times out on the pre-caching, and *fails* with no legible log of what
> the problem was and no good way to tune it except to restrict your
> LDAP access to a wafer thin sliver of the upstream setup, *which
> configuration gets overwritten!!!!* with updates of anything that uses
> authconfig.
>
> This is a condemnation of authconfig's poor management of the
> sophisticated options to sssd, but unless you're running something
> like ansible or chef to replace your /etc/sssd/ files as needed, it's
> an ongoing problem. A backdoor also cannot rely on sssd to be working
> correctly, so you're compelled to use something like SSH keys for an
> ansible service account or direct root SSH access to support this.
>
>> How wedded are you to Centos ? I personally would advise you to switch
>> to Debian or Ubuntu, everything just works.
> Just ditch sssd if you want actual reliable LDAP. It's handy if you
> need no sophistication of a small LDAP setup, but I have real problems
> with it for sophisticated production use. It's not a well integrated
> wrapper for LDAP, Kerberos, and other settings.
>
>> If you must use Centos8, then it is possible to get Linux to connect to
>> a Samba share running on a Centos domain member, not sure about a Mac, I
>> do not have one.
Rowland penny
2020-Oct-14 14:19 UTC
[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.
On 14/10/2020 15:07, Markus Jansen via samba wrote:
> On 14.10.20 at 08:31, Nico Kadel-Garcia via samba wrote:
>> On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba
>> <samba at lists.samba.org> wrote:
>>> On 13/10/2020 15:01, Markus Jansen via samba wrote:
>>>> Thank you very much for your hints.
>>>>
>>>> I got rid of SSSD and managed to get a successful kerberos
>>>> authentication via wbinfo -K and the UPN.
>>>>
>>>> But accessing via SMB (using MAC OS' smbutil or Finder) still fails with
>>>> "FAILED with error NT_STATUS_NO_SUCH_USER".
>>>>
>>>> As I'm using CentOS 8, I used authselect to configure winbind
>>>> integration to PAM (do I really need this for SMB?) and enabled
>>>> "with-krb5" and "with-pamaccess" - features to let /etc/pam.d/-files be
>>>> configured automatically.
>>>>
>>>> I'm really confused. What's missing?
>>>>
>>> Probably libpam-krb5 that Red-Hat has removed from RHEL8 and hence
>>> Centos8, I had to compile the Centos7 package and install it before I
>>> could get Centos8 to work correctly.
>>>
>>> BIG NOTE: this is just my opinion.
>>>
>>> I really do not think that red-hat wants you to use Samba with RHEL8, I
>>> think they really want you to use sssd with freeipa instead. They have
>>> removed openldap, smbldap-tools and libpam-krb5 that I am aware of,
>>> there may be others.
> Good hint. I switched to Debian Buster - same issue:
>
> Interestingly, "id tim-upn" (the userPrincipalName) works and refers to
> the sAMAccountName.
>
> "uid=3000(tim-sam) gid=3000(domain users) groups=3000(domain
> users),3001(storage-users),1000001(BUILTIN\users)"
>
> "login tim-upn" works, "ssh tim-upn at localhost", too. Also: "smbclient
> -L //localhost -W ADTEST -U tim-sam%Qwertz12345" works, but "smbclient
> -L //localhost -W ADTEST -U tim-upn%Qwertz12345" doesn't.
>
> Still confused.
>

So am I, '3000' for Domain Users and '1000001' for BUILTIN\users.

Might help if you post the smb.conf you are using.

Rowland
Markus Jansen
2020-Oct-15 11:24 UTC
[Samba] Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.
On 14.10.20 at 16:19, Rowland penny via samba wrote:
> On 14/10/2020 15:07, Markus Jansen via samba wrote:
>> On 14.10.20 at 08:31, Nico Kadel-Garcia via samba wrote:
>>> On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On 13/10/2020 15:01, Markus Jansen via samba wrote:
>>>>> Thank you very much for your hints.
>>>>>
>>>>> I got rid of SSSD and managed to get a successful kerberos
>>>>> authentication via wbinfo -K and the UPN.
>>>>>
>>>>> But accessing via SMB (using MAC OS' smbutil or Finder) still
>>>>> fails with
>>>>> "FAILED with error NT_STATUS_NO_SUCH_USER".
>>>>>
>>>>> As I'm using CentOS 8, I used authselect to configure winbind
>>>>> integration to PAM (do I really need this for SMB?) and enabled
>>>>> "with-krb5" and "with-pamaccess" - features to let
>>>>> /etc/pam.d/-files be
>>>>> configured automatically.
>>>>>
>>>>> I'm really confused. What's missing?
>>>>>
>>>> Probably libpam-krb5 that Red-Hat has removed from RHEL8 and hence
>>>> Centos8, I had to compile the Centos7 package and install it before I
>>>> could get Centos8 to work correctly.
>>>>
>>>> BIG NOTE: this is just my opinion.
>>>>
>>>> I really do not think that red-hat wants you to use Samba with
>>>> RHEL8, I
>>>> think they really want you to use sssd with freeipa instead. They have
>>>> removed openldap, smbldap-tools and libpam-krb5 that I am aware of,
>>>> there may be others.
>> Good hint. I switched to Debian Buster - same issue:
>>
>> Interestingly, "id tim-upn" (the userPrincipalName) works and refers to
>> the sAMAccountName.
>>
>> "uid=3000(tim-sam) gid=3000(domain users) groups=3000(domain
>> users),3001(storage-users),1000001(BUILTIN\users)"
>>
>> "login tim-upn" works, "ssh tim-upn at localhost", too. Also: "smbclient
>> -L //localhost -W ADTEST -U tim-sam%Qwertz12345" works, but "smbclient
>> -L //localhost -W ADTEST -U tim-upn%Qwertz12345" doesn't.
>>
>> Still confused.
>>
> So am I, '3000' for Domain Users and '1000001' for BUILTIN\users.
> Might help if you post the smb.conf you are using.
>
> Rowland

I made a step backwards and figured out that authenticating via UPN DOES work if I use a "legal" one with an "@domain"-suffix. Sorry for that confusion.

But: I want to use login names without the "@domain"-suffix because, as this looks like an email address, people could get irritated as their email address may look different.

So I set the "winbind use default domain = yes" in the smb.conf and "wbinfo -K test-storage01" works for user UPN test-storage01 at ad.adtest.de. But smbclient (on Debian) or net use (on Windows) does not work if I omit the "@ad.adtest.de".

Am I right when I think that missing the '@' leads to a fallback of DOMAIN\sAMAccountName - authentication because winbind does not know how to navigate through the AD forest?

Interestingly, test-storage01 at ad.bnitm.de could be mapped to BNITM\test-storage01-sam and authenticate. (smb.log: "check_ntlm_password: authentication for user [test-storage01 at ad.bnitm.de] -> [test-storage01 at ad.bnitm.de] -> [BNITM\test-storage01-sam] succeeded")

Also: "getent passwd test-storage01 at ad.bnitm.de" -> "test-storage01-sam:*:3000:3000:Test Storage 01:/home/BNITM/test-storage01-sam:/bin/false"

But "net use y: \\ip\example /user:test-storage01" leads to the following smb.log entry:

"Auth: [SMB2,(null)] user [DESKTOP-9CASEDK]\[test-storage01] at [Thu, 15 Oct 2020 13:16:53.462240 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [DESKTOP-9CASEDK] remote host [ipv4:134.100.203.37:50737] mapped to [DESKTOP-9CASEDK]\[test-storage01]. local host [ipv4:134.100.202.143:445]"

{"timestamp": "2020-10-15T13:16:53.462447+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:134.100.202.143:445", "remoteAddress": "ipv4:134.100.203.37:50737", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DESKTOP-9CASEDK", "clientAccount": "test-storage01", "workstation": "DESKTOP-9CASEDK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "test-storage01", "mappedDomain": "DESKTOP-9CASEDK", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5391}}

... while "net use y: \\ip\example /user:test-storage01 at ad.adtest.de" works.

I wonder how authentication without domain suffix could work at all.

My smb.conf:

[global]
   workgroup = ADTEST
   security = ADS
   realm = AD.ADTEST.DE
   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind expand groups = 4
   winbind refresh tickets = Yes
   winbind normalize names = Yes
   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   idmap config * : backend = autorid
   idmap config * : range = 1000000-1999999
   idmap config * : rangesize = 1000000
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   log level = 3

[example]
   path = /tmp/
   comment = Example Share

Markus
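A small triage helper for Samba's JSON "Authentication" audit records like the one quoted in the message above, added here as an example and not code from the thread or from the Samba project. The records it parses are constructed in the shape of that entry (placeholder hosts and addresses), and the verdict names are an assumption of this example; it separates the "bare user name, client filled in its own computer name as the domain" failure from genuine unknown-account and other failures.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of Samba's JSON "Authentication" audit
# records; the first mirrors the failing NTLMv2 logon quoted above, with
# placeholder hosts and addresses. They are not real log output.
SAMPLE_LOG = '''
{"timestamp": "2020-10-15T13:16:53.462447+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.20:50737", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DESKTOP-EXAMPLE", "clientAccount": "test-storage01", "workstation": "DESKTOP-EXAMPLE", "mappedAccount": "test-storage01", "mappedDomain": "DESKTOP-EXAMPLE", "passwordType": "NTLMv2", "duration": 5391}}
{"timestamp": "2020-10-15T13:17:10.100000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.20:50740", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "test-storage01@ad.adtest.de", "workstation": "DESKTOP-EXAMPLE", "mappedAccount": "test-storage01-sam", "mappedDomain": "ADTEST", "passwordType": "NTLMv2", "duration": 4100}}
{"timestamp": "2020-10-15T13:18:02.000000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.21:50801", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ADTEST", "clientAccount": "tim-sam", "workstation": "DESKTOP-OTHER", "mappedAccount": "tim-sam", "mappedDomain": "ADTEST", "passwordType": "NTLMv2", "duration": 3000}}
{"timestamp": "2020-10-15T13:18:02.100000+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "serviceDescription": "SMB2"}}
'''

def classify(auth):
    """Verdict for one Authentication record."""
    # A bare user name sent over NTLM carries no domain: the Windows client in the
    # thread filled the domain field with its own computer name, so the member
    # server searched a domain it does not know and returned NO_SUCH_USER.
    status = auth["status"]
    if status == "NT_STATUS_OK":
        return "ok"
    if status == "NT_STATUS_NO_SUCH_USER":
        if "@" not in auth["clientAccount"] and auth["clientDomain"] == auth["workstation"]:
            return "no-domain-supplied"  # WORKSTATION\user rather than DOMAIN\user or a UPN
        return "unknown-account"
    return "other-failure"

def triage(log_text):
    """Return (timestamp, client identity, mapped identity, verdict) per record."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") != "Authentication":
            continue  # Authorization records have a different shape; skip them
        a = rec["Authentication"]
        rows.append((rec["timestamp"],
                     f'{a["clientDomain"]}\\{a["clientAccount"]}',
                     f'{a["mappedDomain"]}\\{a["mappedAccount"]}',
                     classify(a)))
    return rows

def summary(log_text):
    """Count verdicts, e.g. to alert when no-domain-supplied failures pile up."""
    return Counter(row[3] for row in triage(log_text))
```

Feed it the JSON audit lines from a member server's log (log level with the auth_json_audit class raised) to see at a glance which NO_SUCH_USER entries are clients omitting the domain rather than accounts that really do not exist.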