Web lists-archives.com

Re: [Samba] How to use kerberos as the default auth in AD config?




On Mon, 13 Aug 2018 19:25:24 +0530
Shyam Kaushik via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi Folks,
> 
> We have samba(4.8) deployed with following key parms
>         security = ADS
>         realm = TEST
>         client NTLMv2 auth = No
>         ntlm auth = disabled
> 
> We have a win2k user configured as a "Protected User"
> (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how
> -to-configure-protected-accounts)
> 
> When this user tries to connect to samba/winbind, we get this error
> out & client is not able to connect
> 
> 	[2018/08/13 13:46:50.019094,  2, pid=7845, class=auth]
> ../source3/auth/auth.c:336(auth_check_ntlm_password)
> 	  check_ntlm_password:  Authentication for user
> [protecteduser] -> [protecteduser] FAILED with error
> NT_STATUS_ACCOUNT_RESTRICTION, authoritative=1
> 
> we can confirm the following behaviour (password hidden)
> 	root@test-01:~# wbinfo -a TEST\protecteduser%XXXX'
> 	plaintext password authentication failed
> 	Could not authenticate user TEST\protecteduser%XXXX with
> plaintext password
> 	challenge/response password authentication failed
> 	wbcAuthenticateUserEx(TEST\protecteduser): error code was
> NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e)
> 	error message was: Account restriction
> 	Could not authenticate user TEST\protecteduser with
> challenge/response
> 
> Whereas Kerberos auth works ok
> 	root@test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX'
> 	plaintext kerberos password authentication for
> [TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE)
> 	credentials were put in: FILE:/tmp/krb5cc_0
> 
> when we have a regular user from the same win2k client that is not
> part of "Protected User", plaintext/NTLM auth works ok
> 
> 	root@test-01:~# wbinfo -a 'TEST\normaluser%XXXX'
> 	plaintext password authentication succeeded
> 	challenge/response password authentication succeeded
> 
> & client is able to work with samba share. Question is how do we force
> samba to do only KRB auth & not attempt at NTLM auth as its showing
> up in error with auth_check_ntlm_password? Any help appreciated!
> 
> Thanks.
> 
> --Shyam
> 

Have you thought of trying PAM to do this ?

see 'man pam_winbind.conf' for more info, particularly
'require_membership_of'

You should also really not be using a win2k machine any more, they went
EOL before XP did.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba