Re: [Samba] Can't authenticate to AD using Samba with SSSD
On Fri, 1 Mar 2019 21:57:42 +0000
"Paquin, Brian via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> Would someone please tell me where I can find some good
> troubleshooting documents to resolve AD authentication issues when
> using Samba? Is this mailing list the best place?
> 
> I was able to set up a working WINBIND-Samba setup on CentOS 7.6, but
> I am required to use SSSD on a different CentOS 7.6 server. Using a
> test VM, I can get services running, but I can't authenticate from a
> Mac or smbclient.
> 
> Partial output of /var/log/samba/log.10.84.2.148 (the Mac client):
> 
> [2019/03/01 15:53:46.544858, 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
>   Got user=[btp4] domain=[YALE] workstation=[PAQUIN3200] len1=24 len2=224
> [2019/03/01 15:53:46.544907, 3] ../source3/param/loadparm.c:3868(lp_load_ex)
>   lp_load_ex: refreshing parameters
> [2019/03/01 15:53:46.544956, 3] ../source3/param/loadparm.c:547(init_globals)
>   Initialising global parameters
> [2019/03/01 15:53:46.545088, 3] ../source3/param/loadparm.c:2782(lp_do_section)
>   Processing section "[global]"
>   doing parameter workgroup = YALE
>   doing parameter realm = YU.YALE.EDU
>   doing parameter security = ads
>   doing parameter idmap config * : range = 1677216-33554431
>   doing parameter idmap config YALE:schema_mode = rfcc2307
>   doing parameter idmap config YALE:range = 100000-199999
>   doing parameter idmap config YALE:backend = rid
>   doing parameter idmap * : backend = tbd
>   doing parameter dedicated keytab file = /etc/krb5.keytab
>   doing parameter log file = /var/log/samba/log.%m
>   doing parameter log level = 4
>   doing parameter guest account = nobody
>   doing parameter guest ok = no
>   doing parameter template shell = /sbin/nologin
>   doing parameter kerberos method = system keytab
>   doing parameter store dos attributes = yes
>   doing parameter vfs objects = acl_xattr
> [2019/03/01 15:53:46.545450, 2] ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[testshare]"
>   doing parameter comment = testshare
>   doing parameter path = /testshare
>   doing parameter valid users = @pathology_its
>   doing parameter writable = yes
>   doing parameter read only = No
> [2019/03/01 15:53:46.545573, 4] ../source3/param/loadparm.c:3910(lp_load_ex)
>   pm_process() returned Yes
> [2019/03/01 15:53:46.545604, 3] ../source3/param/loadparm.c:1617(lp_add_ipc)
>   adding IPC service
> [2019/03/01 15:53:46.545669, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user [YALE]\[btp4]@[PAQUIN3200] with the new password interface
> [2019/03/01 15:53:46.545691, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [YALE]\[btp4]@[PAQUIN3200]
> [2019/03/01 15:53:46.545715, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2019/03/01 15:53:46.545735, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2019/03/01 15:53:46.545753, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2019/03/01 15:53:46.545807, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2019/03/01 15:53:46.545828, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [btp4] -> [btp4] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
> [2019/03/01 15:53:46.545864, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019 15:53:46.545851 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58286] mapped to [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
> [2019/03/01 15:53:46.545899, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2019/03/01 15:53:46.545937, 3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
>   gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_LOGON_FAILURE
> [2019/03/01 15:53:46.545965, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2019/03/01 15:53:46.545985, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2019/03/01 15:53:46.546002, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2019/03/01 15:53:46.546039, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2019/03/01 15:53:46.546067, 3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
> 
> My workflow for setting up SSSD and Samba:
> 
> 1) yum install -y sssd realmd adcli samba-common samba-common-tools krb5-workstation openldap-clients ntpdate ntp nss-pam-ldapd policycoreutils-python samba-client samba nano
> 2) realm join ...  #shortened command; binding to specific OU; works as expected
> 3) authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
> 4) nano /etc/samba/smb.conf
> 5) testparm
> 6) mkdir /testshare
> 7) id btp4@xxxxxxxxxxx  #works as expected
> 8) chown -R root:pathology_its@xxxxxxxxxxx /testshare/
> 9) chcon -Rt samba_share_t /testshare/
> 10) kinit btp4
> 11) net ads join -k
> 12) kinit -k CENTOSSSSD$  #name of test server
> 13) /usr/bin/ldapsearch -H ...  #shortened command; works as expected
> 14) systemctl enable smb
> 15) systemctl enable nmb
> 16) systemctl start smb
> 17) systemctl start nmb
> 18) firewall-cmd --add-service=samba --permanent
> 19) firewall-cmd --reload
> 
> I can provide contents of krb5.conf or sssd.conf if needed.
> 

Sorry Brian, but you are asking in the wrong place. Samba does not
supply sssd, so it cannot support it; try the sssd-users mailing
list ;-)

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
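As an added example (not from the thread, and not Samba's own code), here is a small Python parser for the human-readable "Auth:" records that Samba's auth_log.c writes, as seen in Brian's log above: it extracts the user, authentication method, NT status and client address from each record and tallies non-OK outcomes per client, so a run of NT_STATUS_LOGON_FAILURE from one workstation stands out when reviewing a per-client log.%m file. The sample log is constructed: the first event is the one from the thread, the two later events (timestamps, ports, final success) are made up.

```python
import re
from collections import Counter

# Constructed sample modelled on the "Auth:" lines Samba's auth_log.c writes
# (re-joined onto single lines as in the thread). The first event is the one
# from the thread; the later timestamps, ports and the final success are made up.
SAMPLE_LOG = r"""
[2019/03/01 15:53:46.545864,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019 15:53:46.545851 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58286] mapped to [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
[2019/03/01 15:53:46.546067,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
[2019/03/01 15:55:10.000000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019 15:55:10.000000 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58301] mapped to [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
[2019/03/01 15:56:02.000000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019 15:56:02.000000 EST] with [NTLMv2] status [NT_STATUS_OK] workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58310] mapped to [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
"""

# One named group per bracketed field of the human-readable auth record.
AUTH_RE = re.compile(
    r"Auth: \[(?P<transport>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[(?P<when>[^\]]*)\] with \[(?P<method>[^\]]*)\]"
    r" status \[(?P<status>[^\]]*)\] workstation \[(?P<workstation>[^\]]*)\]"
    r" remote host \[(?P<remote>[^\]]*)\]"
)

def parse_auth_events(text):
    """Return a dict per 'Auth:' line; all other log lines are ignored."""
    return [m.groupdict() for m in map(AUTH_RE.search, text.splitlines()) if m]

def remote_ip(remote):
    """'ipv4:10.84.2.148:58286' -> '10.84.2.148' (drops the family prefix and port)."""
    return remote.split(":", 1)[1].rsplit(":", 1)[0]

def failures_by_source(events):
    """Count non-OK outcomes per (DOMAIN\\user, client IP, NT status) so repeated
    failures from one client stand out when reviewing a log.<client> file."""
    counts = Counter()
    for ev in events:
        if ev["status"] != "NT_STATUS_OK":
            counts[(f'{ev["domain"]}\\{ev["user"]}', remote_ip(ev["remote"]), ev["status"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in failures_by_source(parse_auth_events(SAMPLE_LOG)).items():
        print(n, *key)
```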