[Samba] Can't authenticate to AD using Samba with SSSD




Would someone please tell me where I can find some good troubleshooting documents to resolve AD authentication issues when using Samba? Is this mailing list the best place?


I was able to set up a working WINBIND-Samba setup on CentOS 7.6, but I am required to use SSSD on a different CentOS 7.6 server. Using a test VM, I can get services running, but I can't authenticate from a Mac or smbclient.


Partial output of /var/log/samba/log.10.84.2.148 (the Mac client):

[2019/03/01 15:53:46.544858,  3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[btp4] domain=[YALE] workstation=[PAQUIN3200] len1=24 len2=224
[2019/03/01 15:53:46.544907,  3] ../source3/param/loadparm.c:3868(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/03/01 15:53:46.544956,  3] ../source3/param/loadparm.c:547(init_globals)
  Initialising global parameters
[2019/03/01 15:53:46.545088,  3] ../source3/param/loadparm.c:2782(lp_do_section)
  Processing section "[global]"
  doing parameter workgroup = YALE
  doing parameter realm = YU.YALE.EDU
  doing parameter security = ads
  doing parameter idmap config * : range = 1677216-33554431
  doing parameter idmap config YALE:schema_mode = rfcc2307
  doing parameter idmap config YALE:range = 100000-199999
  doing parameter idmap config YALE:backend = rid
  doing parameter idmap * : backend = tbd
  doing parameter dedicated keytab file = /etc/krb5.keytab
  doing parameter log file = /var/log/samba/log.%m
  doing parameter log level = 4
  doing parameter guest account = nobody
  doing parameter guest ok = no
  doing parameter template shell = /sbin/nologin
  doing parameter kerberos method = system keytab
  doing parameter store dos attributes = yes
  doing parameter vfs objects = acl_xattr
[2019/03/01 15:53:46.545450,  2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[testshare]"
  doing parameter comment = testshare
  doing parameter path = /testshare
  doing parameter valid users = @pathology_its
  doing parameter writable = yes
  doing parameter read only = No
[2019/03/01 15:53:46.545573,  4] ../source3/param/loadparm.c:3910(lp_load_ex)
  pm_process() returned Yes
[2019/03/01 15:53:46.545604,  3] ../source3/param/loadparm.c:1617(lp_add_ipc)
  adding IPC service
[2019/03/01 15:53:46.545669,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [YALE]\[btp4]@[PAQUIN3200] with the new password interface
[2019/03/01 15:53:46.545691,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [YALE]\[btp4]@[PAQUIN3200]
[2019/03/01 15:53:46.545715,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2019/03/01 15:53:46.545735,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2019/03/01 15:53:46.545753,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/03/01 15:53:46.545807,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/03/01 15:53:46.545828,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [btp4] -> [btp4] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2019/03/01 15:53:46.545864,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019 15:53:46.545851 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58286] mapped to [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
[2019/03/01 15:53:46.545899,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/03/01 15:53:46.545937,  3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_LOGON_FAILURE
[2019/03/01 15:53:46.545965,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2019/03/01 15:53:46.545985,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/03/01 15:53:46.546002,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/03/01 15:53:46.546039,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/03/01 15:53:46.546067,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137


My workflow for setting up SSSD and Samba:

1) yum install -y sssd realmd adcli samba-common samba-common-tools krb5-workstation openldap-clients ntpdate ntp nss-pam-ldapd policycoreutils-python samba-client samba nano
2) realm join ...  #shortened command; binding to specific OU; works as expected
3) authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
4) nano /etc/samba/smb.conf
5) testparm
6) mkdir /testshare
7) id btp4@xxxxxxxxxxx  #works as expected
8) chown -R root:pathology_its@xxxxxxxxxxx /testshare/
9) chcon -Rt samba_share_t /testshare/
10) kinit btp4
11) net ads join -k
12) kinit -k CENTOSSSSD$  #name of test server
13) /usr/bin/ldapsearch -H ...  #shortened command; works as expected
14) systemctl enable smb
15) systemctl enable nmb
16) systemctl start smb
17) systemctl start nmb
18) firewall-cmd --add-service=samba --permanent
19) firewall-cmd --reload


I can provide contents of krb5.conf or sssd.conf if needed.


Sorry for the lengthy email.


Thank you,


Brian
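As an added example (not part of the original message and not Samba project code), the following Python script reads the "doing parameter" lines that smbd writes to its log at log level 3 and runs a few consistency checks on the idmap settings that testparm does not validate: option names in the documented "idmap config DOMAIN : OPTION" form, a backend for the default domain, known backend names, schema_mode only with the ad backend, and non-overlapping ranges. The sample log lines are taken from the log above; the list of backend names is an assumption based on the Samba 4.8 packages in CentOS 7.6.

```python
import re

# Constructed sample: the idmap-related "doing parameter" lines from the posted log.
SAMPLE_LOG = """\
  doing parameter idmap config * : range = 1677216-33554431
  doing parameter idmap config YALE:schema_mode = rfcc2307
  doing parameter idmap config YALE:range = 100000-199999
  doing parameter idmap config YALE:backend = rid
  doing parameter idmap * : backend = tbd
"""
# Assumption: the idmap backends shipped with the Samba 4.8 packages on CentOS 7.6.
KNOWN_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap", "nss", "hash", "script"}
PARAM_RE = re.compile(r"^\s*doing parameter\s+(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
IDMAP_RE = re.compile(r"^idmap config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<opt>\S+)$")

def parse_params(log_text):
    # Collect 'doing parameter X = Y' lines; names are lower-cased for comparison.
    params = {}
    for line in log_text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group("name").strip().lower()] = m.group("value").strip()
    return params

def check_idmap(params):
    # Returns a list of findings; an empty list means nothing was flagged.
    findings, idmap, ranges = [], {}, {}
    for name, value in params.items():
        if not name.startswith("idmap"):
            continue
        m = IDMAP_RE.match(name)
        if not m:  # e.g. 'idmap * : backend' instead of 'idmap config * : backend'
            findings.append(f"'{name}' is not in the documented 'idmap config DOMAIN : OPTION' form")
            continue
        idmap.setdefault(m.group("dom").upper(), {})[m.group("opt")] = value
    if "backend" not in idmap.get("*", {}):
        findings.append("no 'idmap config * : backend' set for the default domain")
    for dom, opts in idmap.items():
        backend = opts.get("backend")
        if backend and backend not in KNOWN_BACKENDS:
            findings.append(f"{dom}: unknown idmap backend '{backend}'")
        mode = opts.get("schema_mode")
        if mode and (backend != "ad" or mode not in ("rfc2307", "sfu")):
            findings.append(f"{dom}: schema_mode '{mode}' is only valid as rfc2307/sfu with the 'ad' backend")
        if "range" in opts:  # ranges of different domains must not overlap
            low, high = (int(x) for x in opts["range"].split("-", 1))
            for other, (olow, ohigh) in ranges.items():
                if low <= ohigh and olow <= high:
                    findings.append(f"{dom}: range {low}-{high} overlaps {other}")
            ranges[dom] = (low, high)
    return findings
```

Run it against a full smbd log captured at log level 3 or higher; `check_idmap(parse_params(open(path).read()))` returns one string per finding.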