Re: [Samba] How to use kerberos as the default auth in AD config?
- Date: Mon, 13 Aug 2018 15:40:52 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] How to use kerberos as the default auth in AD config?
On Mon, 13 Aug 2018 19:25:24 +0530
Shyam Kaushik via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Hi Folks,
> We have samba(4.8) deployed with following key parms
> security = ADS
> realm = TEST
> client NTLMv2 auth = No
> ntlm auth = disabled
> We have a win2k user configured as a "Protected User"
> When this user tries to connect to samba/winbind, we get this error
> out & client is not able to connect
> [2018/08/13 13:46:50.019094, 2, pid=7845, class=auth]
> check_ntlm_password: Authentication for user
> [protecteduser] -> [protecteduser] FAILED with error
> NT_STATUS_ACCOUNT_RESTRICTION, authoritative=1
> we can confirm the following behaviour (password hidden)
> root@test-01:~# wbinfo -a TEST\protecteduser%XXXX'
> plaintext password authentication failed
> Could not authenticate user TEST\protecteduser%XXXX with
> plaintext password
> challenge/response password authentication failed
> wbcAuthenticateUserEx(TEST\protecteduser): error code was
> NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e)
> error message was: Account restriction
> Could not authenticate user TEST\protecteduser with
> Whereas Kerberos auth works ok
> root@test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX'
> plaintext kerberos password authentication for
> [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
> when we have a regular user from the same win2k client that is not
> part of "Protected User", plaintext/NTLM auth works ok
> root@test-01:~# wbinfo -a 'TEST\normaluser%XXXX'
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> & client is able to work with samba share. Question is how do we force
> samba to do only KRB auth & not attempt at NTLM auth as its showing
> up in error with auth_check_ntlm_password? Any help appreciated!
Have you thought of trying PAM to do this ?
see 'man pam_winbind.conf' for more info, particularly
You should also really not be using a win2k machine any more, they went
EOL before XP did.
To unsubscribe from this list go to the following URL and read the