Web lists-archives.com

Re: [Samba] How to use kerberos as the default auth in AD config?




Thanks Rowland for your pointers!

I'm sorry to just mention it as win2k. This is actually a Windows 2016
server on which we want to get AD/"Protected Users" working. I will try
pam_winbind & get back if this solves the issue.

--Shyam

On Tue, 14 Aug 2018 09:25:29 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 13 Aug 2018 17:32:05 -0700
> Luke Barone via samba <samba at lists.samba.org> wrote:
>
> > Well, you know, a 2010 EOL-date isn't that old... :P
> >
>
> It is, if you think of it in dog-years, it's 70 years :-)
>
> Rowland
>

Now the security updates have been released, I can tell you how to fix
the problem, upgrade ;-)

 CVE-2018-1139:
   Vulnerability that allows authentication via NTLMv1 even if disabled.

Rowland

-----Original Message-----
From: Shyam Kaushik [mailto:shyam@xxxxxxxxxxxxxxxxx]
Sent: 13 August 2018 19:25
To: 'samba@xxxxxxxxxxxxxxx'
Cc: Lev Vainblat
Subject: How to use kerberos as the default auth in AD config?

Hi Folks,

We have samba(4.8) deployed with following key parms
        security = ADS
        realm = TEST
        client NTLMv2 auth = No
        ntlm auth = disabled

We have a win2k user configured as a "Protected User"
(https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how
-to-configure-protected-accounts)

When this user tries to connect to samba/winbind, we get this error out &
client is not able to connect

	[2018/08/13 13:46:50.019094,  2, pid=7845, class=auth]
../source3/auth/auth.c:336(auth_check_ntlm_password)
	  check_ntlm_password:  Authentication for user [protecteduser] ->
[protecteduser] FAILED with error NT_STATUS_ACCOUNT_RESTRICTION,
authoritative=1

we can confirm the following behaviour (password hidden)
	root@test-01:~# wbinfo -a TEST\protecteduser%XXXX'
	plaintext password authentication failed
	Could not authenticate user TEST\protecteduser%XXXX with plaintext
password
	challenge/response password authentication failed
	wbcAuthenticateUserEx(TEST\protecteduser): error code was
NT_STATUS_ACCOUNT_RESTRICTION (0xc000006e)
	error message was: Account restriction
	Could not authenticate user TEST\protecteduser with
challenge/response

Whereas Kerberos auth works ok
	root@test-01:~# wbinfo --krb5auth 'TEST\protecteduser%XXXX'
	plaintext kerberos password authentication for
[TEST\protecteduser%XXXX] succeeded (requesting cctype: FILE)
	credentials were put in: FILE:/tmp/krb5cc_0

when we have a regular user from the same win2k client that is not part of
"Protected User", plaintext/NTLM auth works ok

	root@test-01:~# wbinfo -a 'TEST\normaluser%XXXX'
	plaintext password authentication succeeded
	challenge/response password authentication succeeded

& client is able to work with samba share. Question is how do we force
samba to do only KRB auth & not attempt at NTLM auth as its showing up in
error with auth_check_ntlm_password? Any help appreciated!

Thanks.

--Shyam

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba