Rowland Penny
2023-Jun-24 09:16 UTC
[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN
On 23/06/2023 19:08, Mike Robbert wrote:
> Sorry about that I typed and sent a full message, but it looks like the entire body got swallowed up in transit. Here is the full text again. Let's hope this one works.
>
> I have a server running CentOS 7.9 with the system provided Samba packages (4.10.16-24.el7_9). It is joined to an Active Directory domain and acting as a member server. The Active Directory domain has a user object with, among others, the following attributes defined:
> sAMAccountName = m12345678
> gecos = Zach Detest
> gidNumer = 12345678
> uid = zach_detest
> uidNumer = 12345678
> unixHomeDirectory = /home/m12345678
> userPrincipalName = zach_destest at domain.tld
>
> The smb.conf on the server looks like this:
>
> [global]
> additional dns hostnames = dct-hanas-2.domain.tld

Unless Red Hat backported this, 'additional dns hostnames' didn't appear until Samba 4.11.0 at the earliest (I say that because I cannot find just when it was added, but it isn't in 'man smb.conf' for 4.10.x, but it is in 'man smb.conf' for 4.11.x).

> debug class = Yes
> debug pid = Yes
> debug uid = Yes
> disable spoolss = Yes
> kerberos method = secrets and keytab
> load printers = No
> local master = No
> log file = /var/log/samba/log.%I
> max log size = 0
> netbios name = SERVER-DEV
> nt pipe support = No
> printcap name = /dev/null
> realm = ADDOM.DOMAIN.TLD
> security = ADS
> server min protocol = SMB2
> server string = Fileserver %m
> template homedir = /home/%U@%D
> template shell = /bin/bash
> unix extensions = No
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = ADDOM
> fruit:nfs_aces = no
> idmap config * : range = 1-999
> idmap config addom : unix_primary_group = yes
> idmap config addom : unix_nss_info = yes
> idamp config addom : schema_mode = rfc2307
> idmap config addom : backend = ad
> idmap config addom : range = 1000-999999999
> idmap config * : backend = tdb

Do you mind if I ask why you are using such strange (to me) ranges? They would seem to preclude having any local users and groups.

> acl group control = Yes
> create mask = 0664
> directory mask = 0775
> dos filemode = Yes
> force create mode = 0664
> force directory mode = 0775
> include = /etc/samba/samba-shares.share
> map acl inherit = Yes
> nt acl support = No
> printing = bsd
> read only = No
> vfs objects = catia fruit streams_xattr
>
>
> [test-open]
> path = /tmp/test-open
>
> Both wbinfo and getent work to resolve this user's information using either samaccountname or UPN
>

They are the attributes that work with user searches, however 'uid' (being a multi-value ldap attribute) doesn't. This isn't just a Samba or Unix thing, Windows works in the same way. It looks to me (and I could be totally wrong) that sssd must have code that can use the 'uid' value and then set that as the owner of a file. If it is doing this, then how does it get around 'uid' being a multi-valued attribute?

It is strange you have raised this, Stefan Kania raised virtually the same subject about a week ago and during this week, a bug report was listed:
https://bugzilla.samba.org/show_bug.cgi?id=15399

I replied to Stefan here:
https://lists.samba.org/archive/samba/2023-June/245561.html

Rowland
Mike Robbert
2023-Jun-26 16:02 UTC
[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN
On 6/24/23, 03:17, "samba" <samba-bounces at lists.samba.org> wrote:

> On 23/06/2023 19:08, Mike Robbert wrote:
>> Sorry about that I typed and sent a full message, but it looks like the entire body got swallowed up in transit. Here is the full text again. Let's hope this one works.
>>
>> I have a server running CentOS 7.9 with the system provided Samba packages (4.10.16-24.el7_9). It is joined to an Active Directory domain and acting as a member server. The Active Directory domain has a user object with, among others, the following attributes defined:
>> sAMAccountName = m12345678
>> gecos = Zach Detest
>> gidNumer = 12345678
>> uid = zach_detest
>> uidNumer = 12345678
>> unixHomeDirectory = /home/m12345678
>> userPrincipalName = zach_destest at domain.tld
>>
>> The smb.conf on the server looks like this:
>>
>> [global]
>> additional dns hostnames = dct-hanas-2.domain.tld
>
> Unless Red Hat backported this, 'additional dns hostnames' didn't appear until Samba 4.11.0 at the earliest (I say that because I cannot find just when it was added, but it isn't in 'man smb.conf' for 4.10.x, but it is in 'man smb.conf' for 4.11.x).

RedHat must have backported this because it is in the man page and this line was not inserted manually by me, it was inserted when I joined the machine to the domain using 'net ads join'.

>> idmap config * : range = 1-999
>> idmap config addom : unix_primary_group = yes
>> idmap config addom : unix_nss_info = yes
>> idamp config addom : schema_mode = rfc2307
>> idmap config addom : backend = ad
>> idmap config addom : range = 1000-999999999
>> idmap config * : backend = tdb
>
> Do you mind if I ask why you are using such strange (to me) ranges? They would seem to preclude having any local users and groups.

We don't have any local users other than the OS system users, which all fall under 1000. All other users are in AD.

> They are the attributes that work with user searches, however 'uid' (being a multi-value ldap attribute) doesn't. This isn't just a Samba or Unix thing, Windows works in the same way. It looks to me (and I could be totally wrong) that sssd must have code that can use the 'uid' value and then set that as the owner of a file. If it is doing this, then how does it get around 'uid' being a multi-valued attribute?
>
> It is strange you have raised this, Stefan Kania raised virtually the same subject about a week ago and during this week, a bug report was listed:
> https://bugzilla.samba.org/show_bug.cgi?id=15399
>
> I replied to Stefan here:
> https://lists.samba.org/archive/samba/2023-June/245561.html
>
> Rowland

I did see Stefan's post and the replies, but it did not address the issue that I am asking about. I don't care about SSH access of users on this server and while it may be a useful part of the solution, I am not asking about how users' file ownership is displayed from the console/CLI. This server is only used as a file server and I would like for users to be able to map SMB/CIFS shares by entering their UPN as the username.

The log that I sent was from a connection where I tried that with my test user zach_detest at domain.tld. It looks like the server received that from the client here:

[2023/06/23 10:05:50.006889, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth) Got user=[zach_detest] domain=[domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254

Then when it checks the password against the AD domain it mangles the input by moving the UPN suffix to the AD domain field:

[2023/06/23 10:05:50.008789, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:189(auth_check_ntlm_password) check_ntlm_password: Checking password for unmapped user [domain.tld]\[zach_detest]@[ITS-MACBOOK09] with the new password interface

Which fails:

[2023/06/23 10:05:50.011820, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password) check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

It tries again using the correct AD domain name, but doesn't include the UPN suffix that was sent to it.

[2023/06/23 10:05:50.080011, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth) Got user=[zach_detest] domain=[ADDOM] workstation=[ITS-MACBOOK09] len1=24 len2=254

Fails again:

[2023/06/23 10:05:50.083899, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password) check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

It tries one last time with another mangling of the input:

[2023/06/23 10:05:50.171506, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth) Got user=[zach_detest] domain=[domain.tld@\server-dev.domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254

But still isn't sending the full UPN so it fails again:

[2023/06/23 10:05:50.175367, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password) check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

Is there anything we can do in order to get Samba/winbind to try sending the full UPN that the user entered to the domain controller?

Thanks,
Mike
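An added example, not part of the thread or of Samba: a small Python log triage script that pairs each NTLMSSP "Got user" line with the following auth result for the same smbd pid and flags the pattern Mike describes, a DNS-style UPN suffix in the domain field followed by NT_STATUS_NO_SUCH_USER. It accepts both Samba's usual two-line entry layout and the one-line layout of the excerpt above; the sample log is constructed from the quoted lines.

```python
import re
from dataclasses import dataclass
# Constructed sample built from the lines quoted above; the first attempt uses
# Samba's usual two-line layout (header, then indented message), the second
# has the message on the header line as in the pasted excerpt.
SAMPLE_LOG = """\
[2023/06/23 10:05:50.006889, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[zach_detest] domain=[domain.tld] workstation=[ITS-MACBOOK09] len1=24 len2=254
[2023/06/23 10:05:50.011820, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/06/23 10:05:50.080011, 3, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth) Got user=[zach_detest] domain=[ADDOM] workstation=[ITS-MACBOOK09] len1=24 len2=254
[2023/06/23 10:05:50.083899, 2, pid=22679, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:334(auth_check_ntlm_password) check_ntlm_password: Authentication for user [zach_detest] -> [zach_detest] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+, \d+, pid=(\d+)[^\]]*\]\s*\S*\s*")  # group 1: smbd pid
GOT_USER = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")
RESULT = re.compile(r"Authentication for user \[[^\]]*\] -> \[[^\]]*\] "
                    r"(?:FAILED with error (NT_STATUS_\w+)|(succeeded))")

@dataclass
class Attempt:
    pid: str
    user: str
    domain: str
    workstation: str
    status: str = ""   # NT_STATUS_* from the matching auth.c line, or "succeeded"

def parse_attempts(text: str) -> list:
    """Pair each NTLMSSP 'Got user' line with the next auth result for the same pid."""
    attempts, pending, pid = [], {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:   # new entry: note the pid, keep whatever message follows on the same line
            pid, line = m.group(1), line[m.end():]
        if pid is None:
            continue
        g = GOT_USER.search(line)
        if g:
            attempts.append(Attempt(pid, *g.groups()))
            pending[pid] = attempts[-1]
        elif (r := RESULT.search(line)) and pid in pending:
            pending.pop(pid).status = r.group(1) or r.group(2)
    return attempts

def upn_split_attempts(text: str) -> list:
    """Attempts whose domain field holds a DNS-style suffix (has a dot) rather than the
    NetBIOS domain, i.e. the client's user@suffix was split, and the user lookup failed."""
    return [a for a in parse_attempts(text)
            if "." in a.domain and a.status == "NT_STATUS_NO_SUCH_USER"]
```

Run over a real log.%I file, the flagged entries show which clients are typing a UPN and getting the split-and-fail sequence, separating that case from ordinary bad-password failures.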