
Re: [Samba] Can't authenticate to AD using Samba with SSSD




A quick look showed an error in rfc2307, so try fixing the smb.conf.

This one:
> >   doing parameter idmap config YALE:schema_mode = rfcc2307
rfcc2307 ?? cc ?
rfc2307


Greetz, 

Louis

 

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Rowland Penny via samba
> Sent: Saturday 2 March 2019 10:10
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Can't authenticate to AD using Samba with SSSD
> 
> On Fri, 1 Mar 2019 21:57:42 +0000
> "Paquin, Brian via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > Would someone please tell me where I can find some good
> > troubleshooting documents to resolve AD authentication issues when
> > using Samba? Is this mailing list the best place?
> > 
> > 
> > I was able to setup a working WINBIND-Samba setup on CentOS 7.6, but
> > I am required to use SSSD on a different CentOS 7.6 server. Using a
> > test VM, I can get services running, but I can't authenticate from a
> > Mac or smbclient.
> > 
> > 
> > Partial output of /var/log/samba/log.10.84.2.148 (the Mac client):
> > 
> > [2019/03/01 15:53:46.544858, 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
> >   Got user=[btp4] domain=[YALE] workstation=[PAQUIN3200] len1=24 len2=224
> > [2019/03/01 15:53:46.544907, 3] ../source3/param/loadparm.c:3868(lp_load_ex)
> >   lp_load_ex: refreshing parameters
> > [2019/03/01 15:53:46.544956, 3] ../source3/param/loadparm.c:547(init_globals)
> >   Initialising global parameters
> > [2019/03/01 15:53:46.545088, 3] ../source3/param/loadparm.c:2782(lp_do_section)
> >   Processing section "[global]"
> >   doing parameter workgroup = YALE
> >   doing parameter realm = YU.YALE.EDU
> >   doing parameter security = ads
> >   doing parameter idmap config * : range = 1677216-33554431
> >   doing parameter idmap config YALE:schema_mode = rfcc2307
> >   doing parameter idmap config YALE:range = 100000-199999
> >   doing parameter idmap config YALE:backend = rid
> >   doing parameter idmap * : backend = tbd
> >   doing parameter dedicated keytab file = /etc/krb5.keytab
> >   doing parameter log file = /var/log/samba/log.%m
> >   doing parameter log level = 4
> >   doing parameter guest account = nobody
> >   doing parameter guest ok = no
> >   doing parameter template shell = /sbin/nologin
> >   doing parameter kerberos method = system keytab
> >   doing parameter store dos attributes = yes
> >   doing parameter vfs objects = acl_xattr
> > [2019/03/01 15:53:46.545450, 2] ../source3/param/loadparm.c:2799(lp_do_section)
> >   Processing section "[testshare]"
> >   doing parameter comment = testshare
> >   doing parameter path = /testshare
> >   doing parameter valid users = @pathology_its
> >   doing parameter writable = yes
> >   doing parameter read only = No
> > [2019/03/01 15:53:46.545573, 4] ../source3/param/loadparm.c:3910(lp_load_ex)
> >   pm_process() returned Yes
> > [2019/03/01 15:53:46.545604, 3] ../source3/param/loadparm.c:1617(lp_add_ipc)
> >   adding IPC service
> > [2019/03/01 15:53:46.545669, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
> >   check_ntlm_password:  Checking password for unmapped user [YALE]\[btp4]@[PAQUIN3200] with the new password interface
> > [2019/03/01 15:53:46.545691, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
> >   check_ntlm_password:  mapped user is: [YALE]\[btp4]@[PAQUIN3200]
> > [2019/03/01 15:53:46.545715, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> > [2019/03/01 15:53:46.545735, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> > [2019/03/01 15:53:46.545753, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> > [2019/03/01 15:53:46.545807, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2019/03/01 15:53:46.545828, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
> >   check_ntlm_password:  Authentication for user [btp4] -> [btp4] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
> > [2019/03/01 15:53:46.545864, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> >   Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019 15:53:46.545851 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58286] mapped to [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
> > [2019/03/01 15:53:46.545899, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2019/03/01 15:53:46.545937, 3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
> >   gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_LOGON_FAILURE
> > [2019/03/01 15:53:46.545965, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2019/03/01 15:53:46.545985, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2019/03/01 15:53:46.546002, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2019/03/01 15:53:46.546039, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2019/03/01 15:53:46.546067, 3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
> >   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
> > 
> > 
> > My workflow for setting up SSSD and Samba:
> > 
> > 1) yum install -y sssd realmd adcli samba-common samba-common-tools krb5-workstation openldap-clients ntpdate ntp nss-pam-ldapd policycoreutils-python samba-client samba nano
> > 2) realm join ...  #shortened command; binding to specific OU; works as expected
> > 3) authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
> > 4) nano /etc/samba/smb.conf
> > 5) testparm
> > 6) mkdir /testshare
> > 7) id btp4@xxxxxxxxxxx  #works as expected
> > 8) chown -R root:pathology_its@xxxxxxxxxxx /testshare/
> > 9) chcon -Rt samba_share_t /testshare/
> > 10) kinit btp4
> > 11) net ads join -k
> > 12) kinit -k CENTOSSSSD$  #name of test server
> > 13) /usr/bin/ldapsearch -H ...  #shortened command; works as expected
> > 14) systemctl enable smb
> > 15) systemctl enable nmb
> > 16) systemctl start smb
> > 17) systemctl start nmb
> > 18) firewall-cmd --add-service=samba --permanent
> > 19) firewall-cmd --reload
> > 
> > 
> > I can provide contents of krb5.conf or sssd.conf if needed.
> > 
> 
> Sorry Brian, but you are asking in the wrong place. Samba does not
> supply sssd, so it cannot support it, try the sssd-users mailing
> list ;-)
> 
> Rowland
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
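An added diagnostic for the configuration visible in the quoted log (example code written for this page; it is not Samba tooling and not code from either poster). Louis points at `rfcc2307`, but the same `[global]` section also carries `idmap * : backend = tbd`, which is missing the `config` keyword and misspells the `tdb` backend. Samba's loadparm stores any `prefix:option` parameter as a free-form parametric option without validating it, which is why the log shows both lines being accepted without complaint and why `testparm` (step 5 of the workflow) stays silent. The checker below parses the `[global]` section, collects the `idmap config DOMAIN : option` settings, and reports unknown backends, unknown or misplaced `schema_mode` values, missing default-domain settings, and overlapping ranges. The sample config is constructed from the `doing parameter` lines above; the backend and schema_mode names are taken from smb.conf(5); feeding it the text of /etc/samba/smb.conf is the intended use.

```python
"""Sanity-check the idmap settings in a Samba smb.conf [global] section.

Example added for this page; it is not Samba tooling and not code from either
poster.  SAMPLE_SMB_CONF is constructed from the "doing parameter" lines in
the quoted log; the backend and schema_mode names come from smb.conf(5).
"""
import re

KNOWN_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap", "nss", "hash", "script"}
KNOWN_SCHEMA_MODES = {"rfc2307", "sfu"}

# "idmap config <DOMAIN> : <option>" after whitespace/case normalisation.
IDMAP_RE = re.compile(r"^idmap config (\S+?)\s*:\s*(\w+)$")
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")

# Constructed from the quoted log; only the idmap-related lines matter here.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = YALE
   realm = YU.YALE.EDU
   security = ads
   idmap config * : range = 1677216-33554431
   idmap config YALE:schema_mode = rfcc2307
   idmap config YALE:range = 100000-199999
   idmap config YALE:backend = rid
   idmap * : backend = tbd
   kerberos method = system keytab
"""


def parse_global(text):
    """Return the [global] parameters as (name, value) pairs.

    Names are whitespace-collapsed and lower-cased, mirroring how loadparm
    treats them; values are kept as written.
    """
    params = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params.append((" ".join(name.split()).lower(), value.strip()))
    return params


def check_idmap(params):
    """Return a list of human-readable findings about the idmap configuration."""
    findings = []
    domains = {}  # domain name -> {option: value}
    for name, value in params:
        m = IDMAP_RE.match(name)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
        elif name.startswith("idmap") and ":" in name:
            # loadparm stores any "prefix:option" parameter as a parametric
            # option without checking the prefix, so a line such as
            # "idmap * : backend = tbd" is accepted and then never consulted.
            findings.append(
                f"'{name} = {value}' is not an 'idmap config' parameter and is ignored"
            )
    if "*" not in domains:
        findings.append("no 'idmap config * : ...' default domain is configured")

    ranges = []
    for dom, opts in sorted(domains.items()):
        backend = opts.get("backend")
        if backend is None:
            findings.append(f"idmap domain '{dom}' has no backend")
        elif backend.lower() not in KNOWN_BACKENDS:
            findings.append(f"idmap domain '{dom}': unknown backend '{backend}'")
        mode = opts.get("schema_mode")
        if mode is not None:
            if mode.lower() not in KNOWN_SCHEMA_MODES:
                findings.append(f"idmap domain '{dom}': unknown schema_mode '{mode}'")
            if backend is not None and backend.lower() != "ad":
                findings.append(
                    f"idmap domain '{dom}': schema_mode applies to the 'ad' backend, not '{backend}'"
                )
        rng = opts.get("range")
        rm = RANGE_RE.fullmatch(rng) if rng is not None else None
        if rm is None or int(rm.group(1)) >= int(rm.group(2)):
            findings.append(f"idmap domain '{dom}': missing or malformed range '{rng}'")
        else:
            ranges.append((int(rm.group(1)), int(rm.group(2)), dom))
    ranges.sort()
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:  # ranges must be disjoint or ids collide across domains
            findings.append(f"idmap ranges of '{d1}' and '{d2}' overlap")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(parse_global(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```

Run against the sample it reports four problems: the ignored `idmap * : backend = tbd` line, the resulting absence of a backend for the `*` default domain, the unknown `rfcc2307` value, and `schema_mode` being set on a `rid` domain although only the `ad` backend reads it. None of these stops smbd from starting, which is exactly why they survive `testparm` and only surface later as an authentication failure.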

