Jacek
2020-Oct-29 21:00 UTC
[Samba] Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE
My OS Gentoo Linux

Samba & krb5 version:

app-crypt/heimdal-7.6.0  abi_x86_32 abi_x86_64 berkdb caps ipv6 libressl lmdb selinux ssl static-libs
net-fs/samba-4.11.13-r1  abi_x86_64 acl addc addns ads client cups gpg json ldap pam profiling-data python python_single_target_python3_7 quota selinux syslog system-heimdal winbind

My /etc/samba/smb.conf (testparm)

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
WARNING: 'workgroup' and 'netbios name' must differ.

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
    bind interfaces only = Yes
    client ipc min protocol = SMB3
    client max protocol = SMB3
    client min protocol = SMB3
    client signing = if_required
    dns proxy = No
    interfaces = lo net
    log file = /var/log/samba/samba.log
    max log size = 50
    passdb backend = smbpasswd
    security = USER
    server min protocol = SMB3
    server role = standalone server
    server signing = if_required
    server string = Domek
    smb passwd file = /etc/samba/smbpasswd
    time server = Yes
    tls cafile = /etc/ssl/server/serverCA.crt
    tls certfile = /etc/ssl/server/samba.cer
    tls dh params file = /etc/ssl/server/dh4096.pem
    tls keyfile = /etc/ssl/serwer/samba.key
    workgroup = DOMEK
    idmap config * : backend = tdb
    dos filemode = Yes
    force create mode = 0060
    force directory mode = 0700
    hosts allow = 192.168.1.0/24 127.0.0.0/8 fd2c:9fd7:c7c1:10::1/60
    smb encrypt = required

[homes]
    browseable = No
    comment = Home Directories
    create mask = 0750
    read only = No
    valid users = %S
    veto files = /.*/

# user ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@DOMAIN.TLD

  Issued                Expires               Principal
Oct 29 21:02:19 2020  Oct 30 21:02:19 2020  krbtgt/DOMAIN.TLD@DOMAIN.TLD

# user ~> hostname
domek

# user ~> smbclient -L domek -U user%PaSsWoRd
session setup failed: NT_STATUS_LOGON_FAILURE

# user ~> klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@DOMAIN.TLD

  Issued                Expires               Principal
Oct 29 21:02:19 2020  Oct 30 21:02:19 2020  krbtgt/DOMAIN.TLD@DOMAIN.TLD

# user ~> rm -f /tmp/krb5cc_1001

# user ~> klist
klist: No ticket file: /tmp/krb5cc_1001

# user ~> smbclient -L domek -U user%PaSsWoRd

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Domek)
    user            Disk      Home Directories
SMB1 disabled -- no workgroup available
# user ~>

I don't know if this is a bug or a new feature, but please choose one of the options. ;)

If Samba in Standalone mode is working with Kerberos, then it's time to enable optional Kerberos authorization in optional or required mode (with the possibility to set these parameters in smb.conf). In my opinion this requires adding parameters to smb.conf: the location of krb5.keytab (default /etc/krb5.keytab) and kerberos auth = (none, optional, or required).

Cheers
Rowland penny
2020-Oct-29 21:17 UTC
[Samba] Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE
On 29/10/2020 21:00, Jacek via samba wrote:
> [...]

I do not understand why you are doing this. For Kerberos to work correctly, you need to be able to find everything easily, and everything must be using the same time. So you need Kerberos, a DNS server and an NTP server, and if you want more than authentication, you need a fileserver. Oh look, I just described Active Directory?

Not saying you cannot get this setup to work, but why are you attempting to reinvent the wheel?

Rowland
Jacek
2020-Oct-30 02:05 UTC
[Samba] Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE
> I do not understand why you are doing this, for kerberos to work correctly, you need to be able to find everything easily and everything must be using the same time. So, you need kerberos, a dns server and an ntp server and if you want more than authentication, you need a fileserver. OH look, I just described Active Directory ?
>
> Not saying you cannot get this setup to work, but why are you attempting to reinvent the wheel ?
>
> Rowland

He did not reinvent the wheel.
I tested Samba DC out of curiosity, but it had too many bugs to use, so I quit DC and went back to Standalone.
But since I had Heimdal Kerberos installed with Samba, I turned on the kdc and kadmin daemons, added a domain, and started kinit.
Then it turned out that although Samba in standalone mode does not support Kerberos, the very fact of the existence of the credentials cache with the KDC daemon enabled blocks logging into Samba in the security = user mode.
So Samba in standalone mode does not support Kerberos, but Kerberos also works?
Heimdal-kdc log:

2020-10-30T03:00:16 AS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for krbtgt/DOMAIN.TLD@DOMAIN.TLD
2020-10-30T03:00:16 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2020-10-30T03:00:16 AS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for krbtgt/DOMAIN.TLD@DOMAIN.TLD
2020-10-30T03:00:16 Client sent patypes: ENC-TS
2020-10-30T03:00:16 ENC-TS pre-authentication succeeded -- user@DOMAIN.TLD
2020-10-30T03:00:16 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2020-10-30T03:00:16 Requested flags: canonicalize, forwardable
2020-10-30T03:00:16 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD [canonicalize]
2020-10-30T03:00:16 Searching referral for domek
2020-10-30T03:00:16 Server not found in database: cifs/domek@DOMAIN.TLD: Unknown code hdb 3
2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
2020-10-30T03:00:16 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD
2020-10-30T03:00:16 Server not found in database: cifs/domek@DOMAIN.TLD: no such entry found in hdb
2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
2020-10-30T03:00:16 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD [canonicalize]
2020-10-30T03:00:16 Searching referral for domek
2020-10-30T03:00:16 Server not found in database: cifs/domek@DOMAIN.TLD: Unknown code hdb 3
2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
2020-10-30T03:00:16 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD
2020-10-30T03:00:16 Server not found in database: cifs/domek@DOMAIN.TLD: no such entry found in hdb
2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
2020-10-30T03:00:24 AS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for krbtgt/DOMAIN.TLD@DOMAIN.TLD
2020-10-30T03:00:24 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2020-10-30T03:00:24 AS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for krbtgt/DOMAIN.TLD@DOMAIN.TLD
2020-10-30T03:00:24 Client sent patypes: ENC-TS
2020-10-30T03:00:24 ENC-TS pre-authentication succeeded -- user@DOMAIN.TLD
2020-10-30T03:00:24 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2020-10-30T03:00:24 Requested flags: canonicalize, forwardable
2020-10-30T03:00:24 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD [canonicalize]
2020-10-30T03:00:24 Searching referral for domek
2020-10-30T03:00:24 Server not found in database: cifs/domek@DOMAIN.TLD: Unknown code hdb 3
2020-10-30T03:00:24 Failed building TGS-REP to IPv4:192.168.1.10
2020-10-30T03:00:24 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD
2020-10-30T03:00:24 Server not found in database: cifs/domek@DOMAIN.TLD: no such entry found in hdb
2020-10-30T03:00:24 Failed building TGS-REP to IPv4:192.168.1.10
2020-10-30T03:00:24 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD [canonicalize]
2020-10-30T03:00:24 Searching referral for domek
2020-10-30T03:00:24 Server not found in database: cifs/domek@DOMAIN.TLD: Unknown code hdb 3
2020-10-30T03:00:24 Failed building TGS-REP to IPv4:192.168.1.10
2020-10-30T03:00:24 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD
2020-10-30T03:00:24 Server not found in database: cifs/domek@DOMAIN.TLD: no such entry found in hdb
2020-10-30T03:00:24 Failed building TGS-REP to IPv4:192.168.1.10

Cheers

On 29.10.2020 at 22:17, Rowland penny via samba wrote:
> [...]
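A small triage script for the KDC log pattern in this thread, added here as an example and not code from the thread or from Samba/Heimdal: it parses Heimdal kdc log lines (sample lines constructed from the format shown above) and reports service principals for which every TGS-REQ ended in "Server not found in database", the situation where a client with a cached TGT cannot get a cifs/ service ticket even though pre-authentication succeeded. It accepts both the `user@REALM` and the `user at REALM` rendering, since list archives rewrite the `@`.

```python
"""Triage a Heimdal kdc log for the pattern in this thread: AS-REQ
pre-authentication succeeds, but every TGS-REQ for the SMB service
principal fails because the KDC has no entry for it."""
import re
from collections import Counter

# Constructed sample in the Heimdal kdc log format shown in the thread
# (list archives render "user@REALM" as "user at REALM"; both are parsed).
SAMPLE_LOG = """\
2020-10-30T03:00:16 AS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for krbtgt/DOMAIN.TLD@DOMAIN.TLD
2020-10-30T03:00:16 ENC-TS pre-authentication succeeded -- user@DOMAIN.TLD
2020-10-30T03:00:16 TGS-REQ user@DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek@DOMAIN.TLD [canonicalize]
2020-10-30T03:00:16 Server not found in database: cifs/domek@DOMAIN.TLD: Unknown code hdb 3
2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
2020-10-30T03:00:16 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for cifs/domek at DOMAIN.TLD
2020-10-30T03:00:16 Server not found in database: cifs/domek at DOMAIN.TLD: no such entry found in hdb
2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.168.1.10
"""

# principal@REALM or "principal at REALM"; the realm stops at whitespace or ':'
PRINC = r"(\S+?)(?:@| at )([^\s:]+)"
RE_PREAUTH_OK = re.compile(r"pre-authentication succeeded -- " + PRINC)
RE_TGS_REQ = re.compile(r"TGS-REQ " + PRINC + r" from (\S+) for " + PRINC)
RE_NOT_FOUND = re.compile(r"Server not found in database: " + PRINC)


def triage(log_text):
    """Return (clients that pre-authenticated, TGS-REQ count per service
    principal, 'not found' count per service principal)."""
    preauth_ok, tgs_requests, not_found = set(), Counter(), Counter()
    for line in log_text.splitlines():
        if m := RE_PREAUTH_OK.search(line):
            preauth_ok.add(f"{m.group(1)}@{m.group(2)}")
        elif m := RE_TGS_REQ.search(line):
            tgs_requests[f"{m.group(4)}@{m.group(5)}"] += 1
        elif m := RE_NOT_FOUND.search(line):
            not_found[f"{m.group(1)}@{m.group(2)}"] += 1
    return preauth_ok, tgs_requests, not_found


def missing_service_principals(log_text):
    """Service principals for which every TGS-REQ ended in 'not found':
    the client holds a valid TGT, yet no service ticket can be issued,
    so a Kerberos/SPNEGO SMB session setup cannot succeed."""
    _, tgs_requests, not_found = triage(log_text)
    return sorted(p for p in tgs_requests if not_found[p] >= tgs_requests[p])
```

Run it against a real kdc log by passing the file contents to `missing_service_principals()`; an entry such as `cifs/domek@DOMAIN.TLD` in the result means the KDC has no service principal for that SMB server.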