
[Samba] winbind question. (challenge/response password authentication)

Hai,

I'm setting up a new proxy and I'm testing a bit around.
Goal is, get everything working with minimal changes to the system.

Setup: Debian 8 with NFS nfsv3 and v4 (krb) automounts, winbind 4.5.3, squid 3.5.24 (with ssl support)
Which is basically a copy of my other proxy but a new install with more systemd and fewer packages used.

Working:
- ssh logins with AD users. Userdirs nfsv4.
- NFSv3 and NFSv4 (krb5) (with systemd with automount for user home dirs)
- Squid with basic auth (over ldap ssl)
- Put needed SPN in the keytab file.
  - bug found: samba-tool spn add HTTP/hostname.domain.tld@REALM proxy2$
    - keytab result is http/ not HTTP/ ; squid needs HTTP!

Not working:
- Winbind user tests.
- Kerberos Auth for squid. Need to fix keytab first.

The setup/config

The running smb.conf:

[global]
    workgroup = NTDOM
    security = ads
    realm = REALM

    netbios name = PROXY2
    preferred master = no
    domain master = no
    host msdfs = no

    interfaces = 192.168.0.2 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    # Add and update TLS key
    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/p2.pem
    tls certfile = /etc/ssl/local/certs/p2.pem
    tls cafile = /etc/ssl/certs/company-ca.pem

    ## map ids outside the domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999

    ## map ids from the domain; the ranges may not overlap!
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Use home directory and shell information from AD
    winbind nss info = rfc2307

    # no NTDOM\user@hostname: but user@hostname as prompt with ssh logins
    winbind use default domain = yes

    winbind trusted domains only = no
    winbind cache time = 15
    winbind enum users  = yes
    winbind enum groups = yes

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups; slows down your samba if the group depth is too big
    winbind expand groups = 4

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershares creating, when set empty no error log messages.
    usershare path =

    # Disable printing completely, when set empty no error log messages.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

Output of my keytab file.

klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 host/proxy2@REALM (des-cbc-crc)
   3 host/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 host/proxy2@REALM (des-cbc-md5)
   3 host/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 host/proxy2@REALM (aes128-cts-hmac-sha1-96)
   3 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 host/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 host/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 host/proxy2@REALM (arcfour-hmac)
   3 proxy2$@REALM (des-cbc-crc)
   3 proxy2$@REALM (des-cbc-md5)
   3 proxy2$@REALM (aes128-cts-hmac-sha1-96)
   3 proxy2$@REALM (aes256-cts-hmac-sha1-96)
   3 proxy2$@REALM (arcfour-hmac)
   3 nfs/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 nfs/proxy2@REALM (des-cbc-crc)
   3 nfs/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 nfs/proxy2@REALM (des-cbc-md5)
   3 nfs/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 nfs/proxy2@REALM (aes128-cts-hmac-sha1-96)
   3 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 nfs/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 nfs/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 nfs/proxy2@REALM (arcfour-hmac)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 http/proxy2@REALM (des-cbc-crc)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 http/proxy2@REALM (des-cbc-md5)
   3 http/proxy2.internal.domain.tld@REALM (aes128-cts-hmac-sha1-96)
   3 http/proxy2@REALM (aes128-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 http/proxy2@REALM (aes256-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 http/proxy2@REALM (arcfour-hmac)

And I'm having a hard time getting this explained (see below).
So maybe someone on the list can explain this more to me.

And I also found in the list already: same problem/subjects.
28-12-2016 : Re: [Samba] Error with samba update in debian.
3?9-2016 : [Samba] challenge/response password authentication seems to be broken

My tests:

1
ntlm_auth --request-nt-key --username=username
Password:
NT_STATUS_OK: Success (0x0)

2
ntlm_auth --request-lm-key --username=username
Password:
NT_STATUS_OK: Success (0x0)

3
ntlm_auth --username=username --ntlmv2
Password:
NT_STATUS_OK: Success (0x0)

4
ntlm_auth --username=username --lanman
Password:
NT_STATUS_OK: Success (0x0)

5
ntlm_auth --username=username --krb5auth=username
Password:
NT_STATUS_OK: Success (0x0)

But...

6
ntlm_auth --diagnostics --username=username
Password:
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)

7
wbinfo -a username
Enter username's password:
plaintext password authentication failed
Could not authenticate user username with plaintext password
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user username with challenge/response

8
wbinfo --krb5auth=username
Enter username's password:
plaintext kerberos password authentication for [username] failed (requesting cctype: FILE)
wbcLogonUser(username): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user [username] with Kerberos (ccache: FILE)

9
wbinfo --krb5auth='NTDOM\username'
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

10
wbinfo --krb5auth='username@REALM'
Enter username@REALM's password:
plaintext kerberos password authentication for [username@REALM] failed (requesting cctype: FILE)
wbcLogonUser(username@REALM): error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
error message was: Logon failure
Could not authenticate user [username@REALM] with Kerberos (ccache: FILE)

Now I enabled in smb.conf: winbind use default domain = yes

klist
klist: Credentials cache file '/tmp/krb5cc_0' not found

1
ntlm_auth --request-nt-key --username=username
Password:
NT_STATUS_OK: Success (0x0)

2
ntlm_auth --request-lm-key --username=username
Password:
NT_STATUS_OK: Success (0x0)

3
ntlm_auth --username=username --ntlmv2
Password:
NT_STATUS_OK: Success (0x0)

4
ntlm_auth --username=username --lanman
Password:
NT_STATUS_OK: Success (0x0)

5
ntlm_auth --username=username --krb5auth=username
Password:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

6
ntlm_auth --diagnostics --username=username
Password:
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)

7
wbinfo -a username
Enter username's password:
plaintext password authentication succeeded
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user username with challenge/response

8
wbinfo --krb5auth=username
Enter username's password:
plaintext kerberos password authentication for [username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

9
kdestroy -A
root@rtd-proxy2:~# wbinfo --krb5auth='NTDOM\username'
Enter NTDOM\username's password:
plaintext kerberos password authentication for [NTDOM\username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

10
kdestroy -A
root@rtd-proxy2:~# wbinfo --krb5auth='username@REALM'
Enter username@REALM's password:
plaintext kerberos password authentication for [username@REALM] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

What is missing in my config? Hints, tips?
I know that the devs are working on more consistent results with winbind, I just don't know if it's deployed yet.

Tests overview, smb.conf "winbind use default domain":

Test    No      Yes
1       Ok      Ok
2       Ok      Ok
3       Ok      Ok
4       Ok      Ok
5       Ok      Fail
6       Fail    Fail
7       Fail    ½ ok ½ fail
8       Fail    Ok
9       Ok      Ok
10      Fail    Ok

Strange to me is 5:
ntlm_auth --username=username --krb5auth=username

I can't explain 6.
ntlm_auth --diagnostics --username=username

7
wbinfo -a username
with winbind use default domain = yes,
plaintext password authentication succeeded but challenge/response password authentication failed.

kerberos related auth
8
wbinfo --krb5auth=username

9
wbinfo --krb5auth='NTDOM\username'

10
wbinfo --krb5auth='username@REALM'

so I'm wondering if I'm getting a better result with
winbind use default domain = yes

Greetz,

Louis
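The keytab listing in the mail shows the SPN landed as http/ rather than HTTP/, and Kerberos principal names are case-sensitive, so squid's Negotiate helper will not find the key it asks for. The script below is an added example, not part of Louis's mail and not Samba's code: it parses `klist -ke` output, reports whether the principal squid needs (HTTP/proxy2.internal.domain.tld@REALM, taken from the listing) is present with that exact spelling, lists case-only near-misses, and flags single-DES and RC4 keys, which RFC 6649 and RFC 8429 deprecate. The embedded listing is a constructed, abbreviated copy of the one above; the function names are mine.

```python
"""Check a klist -ke listing for the exact SPN a service needs.

Kerberos principal names are case-sensitive: an entry for http/host@REALM
does not satisfy a client that asks for HTTP/host@REALM.
"""
import re
from collections import defaultdict

# Constructed sample, abbreviated from the klist -ke listing in the mail.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy2.internal.domain.tld@REALM (des-cbc-crc)
   3 host/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 proxy2$@REALM (aes256-cts-hmac-sha1-96)
   3 nfs/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   3 http/proxy2.internal.domain.tld@REALM (des-cbc-md5)
   3 http/proxy2.internal.domain.tld@REALM (arcfour-hmac)
   3 http/proxy2.internal.domain.tld@REALM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry per line: "<kvno> <principal>@<REALM> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")

# Single DES (RFC 6649) and RC4-HMAC (RFC 8429) are deprecated for Kerberos.
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
}


def parse_klist(text):
    """Return {principal@REALM: {"kvno": int, "enctypes": set}} from klist -ke output."""
    entries = defaultdict(lambda: {"kvno": None, "enctypes": set()})
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, name, realm, enctype = m.groups()
        key = f"{name}@{realm}"
        entries[key]["kvno"] = int(kvno)
        entries[key]["enctypes"].add(enctype)
    return dict(entries)


def check_spn(entries, wanted):
    """Report whether `wanted` (e.g. HTTP/host@REALM) is present with exact spelling.

    Returns a dict with:
      exact         - True if the principal exists spelled exactly like `wanted`
      case_mismatch - principals equal to `wanted` when compared case-insensitively
      deprecated    - deprecated enctypes found under the exact or near-miss principals
    """
    exact = wanted in entries
    case_mismatch = sorted(p for p in entries
                           if p != wanted and p.lower() == wanted.lower())
    deprecated = set()
    for p in [wanted] + case_mismatch:
        if p in entries:
            deprecated |= entries[p]["enctypes"] & DEPRECATED_ENCTYPES
    return {"exact": exact, "case_mismatch": case_mismatch,
            "deprecated": sorted(deprecated)}


if __name__ == "__main__":
    import subprocess
    import sys
    # Without an argument use the constructed sample; with one, read a real keytab.
    if len(sys.argv) > 1:
        text = subprocess.run(["klist", "-ke", sys.argv[1]],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_KLIST
    print(check_spn(parse_klist(text), "HTTP/proxy2.internal.domain.tld@REALM"))
```

Run with a keytab path (for example `/etc/krb5.keytab`, as root) to check the real file; on the sample it reports `exact: False` with the lowercase `http/` principal as the only near-miss, which is exactly the situation the mail describes.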
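To compare two ntlm_auth / wbinfo runs without tallying by hand, the following added example (not from the mail and not Samba's code) parses transcripts like the ones above, pulls out each method's result and NT_STATUS code, and builds the same before/after overview. The embedded transcripts are constructed from a subset of the tests (5, 7 and 8); the function names and the "Mixed" label for the half-ok case are mine.

```python
"""Turn ntlm_auth / wbinfo transcripts into a before/after pass-fail overview."""
import re

# Constructed transcripts, abbreviated from the mail: three tests run before
# and after setting "winbind use default domain = yes".
RUN_BEFORE = r"""
5
ntlm_auth --username=username --krb5auth=username
NT_STATUS_OK: Success (0x0)
7
wbinfo -a username
Enter username's password:
plaintext password authentication failed
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
8
wbinfo --krb5auth=username
Enter username's password:
plaintext kerberos password authentication for [username] failed (requesting cctype: FILE)
wbcLogonUser(username): error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
"""

RUN_AFTER = r"""
5
ntlm_auth --username=username --krb5auth=username
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
7
wbinfo -a username
Enter username's password:
plaintext password authentication succeeded
Enter username's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\username): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
8
wbinfo --krb5auth=username
Enter username's password:
plaintext kerberos password authentication for [username] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
"""

# wbinfo reports each method on its own "... password authentication succeeded/failed" line.
AUTH_RE = re.compile(r"^(plaintext kerberos|plaintext|challenge/response) password authentication"
                     r".*?\b(succeeded|failed)\b")
# ntlm_auth summaries and wbinfo error lines carry an NT_STATUS name and a hex code.
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b.*\((0x[0-9a-fA-F]+)\)")
# ntlm_auth --diagnostics prints bare "Wrong Password (0xc000006a)" lines.
CODE_RE = re.compile(r"^(.*?) \((0x[0-9a-fA-F]+)\)$")


def split_tests(transcript):
    """Return [{"n", "cmd", "out"}] for each numbered test: number, command, output lines."""
    tests, current = [], None
    for line in transcript.splitlines():
        if re.fullmatch(r"\d+", line.strip()):
            current = {"n": int(line), "cmd": None, "out": []}
            tests.append(current)
        elif current is None:
            continue  # text before the first numbered test
        elif current["cmd"] is None:
            current["cmd"] = line.strip()
        else:
            current["out"].append(line.rstrip())
    return tests


def verdicts(output_lines):
    """Return [(method, ok, code)] for every result found in one test's output."""
    found = []
    for line in output_lines:
        m = AUTH_RE.match(line)
        if m:
            found.append([m.group(1), m.group(2) == "succeeded", None])
            continue
        m = STATUS_RE.search(line)
        if m:
            if line.startswith("NT_STATUS_"):   # ntlm_auth's one-line summary
                found.append(["ntlm_auth", m.group(1) == "NT_STATUS_OK", m.group(2)])
            elif found:                          # "error code was ..." belongs to the method just reported
                found[-1][2] = m.group(2)
            continue
        m = CODE_RE.match(line)
        if m and m.group(2) != "0x0":
            found.append(["diagnostics", False, m.group(2)])
    return [tuple(f) for f in found]


def summarize(found):
    """Ok when every method succeeded, Fail when none did, Mixed otherwise."""
    if not found:
        return "n/a"
    oks = [ok for _, ok, _ in found]
    return "Ok" if all(oks) else "Fail" if not any(oks) else "Mixed"


def compare_runs(before, after):
    """Return {test_number: {"cmd", "before", "after"}} across two transcripts."""
    rows = {}
    for label, transcript in (("before", before), ("after", after)):
        for t in split_tests(transcript):
            row = rows.setdefault(t["n"], {"cmd": t["cmd"]})
            row[label] = summarize(verdicts(t["out"]))
    return rows


if __name__ == "__main__":
    for n, row in sorted(compare_runs(RUN_BEFORE, RUN_AFTER).items()):
        print(f"{n:<3} {row['before']:<6} {row['after']:<6} {row['cmd']}")
```

Feeding it the full `script`-captured output of both runs reproduces the overview table in the mail; keeping the NT_STATUS code per method (for example NT_STATUS_NO_SUCH_USER versus NT_STATUS_WRONG_PASSWORD on test 8) is what distinguishes a name-lookup problem from a credential problem when reading such a table.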

 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba