[Samba] Regular users can't log in to Samba AD DC from Windows

Hi,

I continue setting up my FreeBSD 11.0 machine with Samba 4.4.9 built from sources. (Actually, OS type and Samba version don't matter so much, as I have the same problem with Debian Jessie and Samba 4.5.5.)

I followed the Wiki very closely. Some details from provisioning:
...
Realm [RW.LAN]:
 Domain [RW]:
 Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
...
Server Role:           active directory domain controller
Hostname:              samba4-pfbsd
NetBIOS Domain:        RW
DNS Domain:            rw.lan
DOMAIN SID:            S-1-5-21-324325147-3161353582-651567851

The generated smb.conf file (I only added a user shell definition and a file share):

# Global parameters
[global]
    netbios name = SAMBA4-PFBSD
    realm = RW.LAN
    workgroup = RW
    dns forwarder = 8.8.8.8
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    template shell = /usr/sbin/nologin

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/rw.lan/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[samba-share]
       path = /samba-share
       read only = no

The generated krb5.conf:
[libdefaults]
    default_realm = RW.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

/etc/nsswitch.conf:

# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
group: files winbind
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

All suggested tests (LDAP, SRV, A, Kerberos) passed; I also created a reverse DNS zone and a test user "user1".

Next, I successfully joined a Windows 10 Enterprise machine and logged in as a domain administrator. I can access the file share, write to it, set Windows permissions.

But when I open ADUC and open a user's properties, I only have 5 tabs there (Environment, Sessions, Remote control, Remote Desktop Service Profile, COM+), and I can't add any other user. Windows says nothing, but in the Samba logs I see something like this:
...
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
ldb_request BASE dn=CN=Users,DC=rw,DC=lan filter=(objectClass=*)
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 16:44:01 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
...

And I can't log in to the domain from the Windows machine as user1. Windows says "Username or password is incorrect", and in the Samba logs I see:
...
Kerberos: AS-REQ user1\@RW.LAN@xxxxxx from ipv4:192.168.0.102:56084 for krbtgt/RW.LAN@xxxxxx
Kerberos: Client sent patypes: 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@xxxxxx
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@xxxxxx
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user1\@RW.LAN@xxxxxx
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ user1\@RW.LAN@xxxxxx from ipv4:192.168.0.102:56085 for krbtgt/RW.LAN@xxxxxx
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@xxxxxx
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@xxxxxx
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@xxxxxx (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@xxxxxx
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ user1\@RW.LAN@xxxxxx from ipv4:192.168.0.102:56086 for krbtgt/RW.LAN@xxxxxx
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- user1\@RW.LAN@xxxxxx
Kerberos: Looking for ENC-TS pa-data -- user1\@RW.LAN@xxxxxx
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@xxxxxx (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\@RW.LAN@xxxxxx
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
added interface rl0 ip=192.168.0.192 bcast=192.168.0.255 netmask=255.255.255.0
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:15 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:20 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:25 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:30 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:35 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:40 2017 EET
dreplsrv_notify_schedule(5) scheduled for: Sun Feb  5 17:08:45 2017 EET
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
...

Am I missing something basic here?

Thanks,
Alnis
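
The KDC lines quoted in the post above have a recognisable shape: Windows first sends an AS-REQ with no pre-authentication, the KDC answers PREAUTH-REQUIRED (that round trip is normal), and the retry carrying an encrypted timestamp fails with "Decrypt integrity check failed", which is the KDC saying that the key it holds for the principal does not verify the timestamp the client encrypted under the key derived from the typed password (a wrong password, or any other reason the two keys differ). The backslash-escaped "@" is how Heimdal prints a name component that itself contains an "@", i.e. Windows logged on with the UPN form user1@RW.LAN. The following is an added example, not code from the post or from Samba: a small Python parser that groups those log lines into one record per AS-REQ and counts encrypted-timestamp failures per source address, the kind of check a detection engineer runs over a DC log rather than reading it by eye. The sample log is constructed from the quoted lines, with the realm written out as RW.LAN where the archive shows "xxxxxx", plus an assumed successful request for Administrator ending in Heimdal's "AS-REQ authtime:" line, which the post does not show; the failure threshold of 5 is an arbitrary tuning value.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample modelled on the lines quoted in the post (assumed data, not a
# real capture): realm written as RW.LAN in place of "xxxxxx", and a final assumed
# successful Administrator request so that one success case is present.
SAMPLE_LOG = """\
Kerberos: AS-REQ user1\\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56084 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: 128
Kerberos: Looking for ENC-TS pa-data -- user1\\@RW.LAN@RW.LAN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user1\\@RW.LAN@RW.LAN
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: AS-REQ user1\\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56085 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Failed to decrypt PA-DATA -- user1\\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Not updating badPwdCount on CN=User1 Tester1,CN=Users,DC=rw,DC=lan after wrong password
Kerberos: Failed to decrypt PA-DATA -- user1\\@RW.LAN@RW.LAN
Kerberos: AS-REQ user1\\@RW.LAN@RW.LAN from ipv4:192.168.0.102:56086 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Failed to decrypt PA-DATA -- user1\\@RW.LAN@RW.LAN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Kerberos: Failed to decrypt PA-DATA -- user1\\@RW.LAN@RW.LAN
Kerberos: AS-REQ Administrator@RW.LAN from ipv4:192.168.0.102:56090 for krbtgt/RW.LAN@RW.LAN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: AS-REQ authtime: 2017-02-05T17:08:15 starttime: unset endtime: 2017-02-06T03:08:15 renew till: 2017-02-12T17:08:15
"""

AS_REQ_RE = re.compile(
    r"^Kerberos: AS-REQ (?P<client>\S+) from ipv4:(?P<ip>[\d.]+):(?P<port>\d+) for (?P<service>\S+)$"
)
PATYPES_RE = re.compile(r"^Kerberos: Client sent patypes: (?P<types>.+)$")
PREAUTH_REQUIRED_RE = re.compile(r"^Kerberos: No preauth found, returning PREAUTH-REQUIRED -- ")
DECRYPT_FAIL_RE = re.compile(r"^Kerberos: Failed to decrypt PA-DATA -- \S+ \(enctype (?P<enctype>[^)]+)\)")
SUCCESS_RE = re.compile(r"^Kerberos: AS-REQ authtime: ")   # assumed Heimdal success line
BADPWD_RE = re.compile(r"^Not updating badPwdCount on (?P<dn>.+) after wrong password$")


@dataclass
class AsReq:
    client: str                 # principal exactly as logged
    name: str                   # name component with Heimdal's "\@" escape undone
    realm: str
    enterprise: bool            # name itself contains "@": UPN-style enterprise name
    src_ip: str
    src_port: int
    service: str
    patypes: List[str] = field(default_factory=list)
    outcome: str = "unknown"    # preauth_required | preauth_failed | success | unknown
    enctype: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def split_principal(raw: str) -> Tuple[str, str, bool]:
    """Split name@REALM at the last '@' and undo the '\\@' escape Heimdal uses for an
    '@' inside the name component (Windows logged on with user1@RW.LAN)."""
    name, _, realm = raw.rpartition("@")
    name = name.replace("\\@", "@")
    return name, realm, "@" in name


def parse_kdc_log(lines: Iterable[str]) -> List[AsReq]:
    """One AsReq per 'Kerberos: AS-REQ ... from ...' line; lines up to the next
    AS-REQ are attributed to the current request."""
    reqs: List[AsReq] = []
    cur: Optional[AsReq] = None
    for raw in lines:
        line = raw.rstrip("\n")
        if SUCCESS_RE.match(line):              # checked first, it also starts with AS-REQ
            if cur is not None:
                cur.outcome = "success"
            continue
        m = AS_REQ_RE.match(line)
        if m:
            name, realm, ent = split_principal(m["client"])
            cur = AsReq(m["client"], name, realm, ent, m["ip"], int(m["port"]), m["service"])
            reqs.append(cur)
            continue
        if cur is None:                         # noise before the first request
            continue
        if (m := PATYPES_RE.match(line)):
            cur.patypes = [t.strip() for t in m["types"].split(",")]
        elif PREAUTH_REQUIRED_RE.match(line):
            # Normal first round trip: client sent no pre-auth, KDC asks for it.
            cur.outcome = "preauth_required"
        elif (m := DECRYPT_FAIL_RE.match(line)):
            # The retry carried PA-ENC-TIMESTAMP encrypted under the client's
            # password-derived key, and the key the KDC holds did not verify it.
            cur.outcome = "preauth_failed"
            cur.enctype = m["enctype"]
        elif (m := BADPWD_RE.match(line)):
            cur.notes.append("badPwdCount not updated on " + m["dn"])
    return reqs


def failed_preauth_by_source(reqs: List[AsReq], min_failures: int = 5) -> Dict[str, int]:
    """Source addresses with at least min_failures encrypted-timestamp failures
    (the threshold is an assumed tuning value, not a Samba default)."""
    counts = Counter(r.src_ip for r in reqs if r.outcome == "preauth_failed")
    return {ip: n for ip, n in counts.items() if n >= min_failures}


def failed_preauth_by_principal(reqs: List[AsReq]) -> Dict[str, int]:
    """Failures per logon name as the user typed it (UPN form kept intact)."""
    return dict(Counter(r.name for r in reqs if r.outcome == "preauth_failed"))


if __name__ == "__main__":
    parsed = parse_kdc_log(SAMPLE_LOG.splitlines())
    for r in parsed:
        print(f"{r.src_ip}:{r.src_port} {r.name!r} enterprise={r.enterprise} "
              f"patypes={r.patypes} outcome={r.outcome} enctype={r.enctype} {r.notes}")
    print("sources over threshold:", failed_preauth_by_source(parsed, min_failures=2))
```

Run against a real samba log with the Kerberos lines at log level 3 or above, `parse_kdc_log(open("/usr/local/samba/var/log.samba"))` gives the per-request view; a burst of `preauth_failed` records for many different names from one source address is the classic password-spraying pattern, while repeated failures for one name from one address, as in the post, point at a credential or key problem for that account rather than an attack.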

