
Re: [Samba] krb5_auth: NT_STATUS_NO_LOGON_SERVERS for users from trusted AD domains in samba winbind > 4.2




On 16/05/2019 13:26, Markus Spanner-Denzer via samba wrote:
Hi,


in our setup, we have a number of AD domains with an existing one-way trust between the local domain of the system (which I will call LOCALDOM in the following) and the domain containing the user accounts (which I will call TRUSTEDDOM in the following). The domain controllers run Windows Server 2012.


Beginning with samba 4.4 we have an issue with authentication through pam_winbind on the Linux clients when krb5_auth is enabled in pam_winbind.conf (which worked in samba 4.2). Login to the Linux systems always fails with "No logon servers". The situation can also be reproduced with "wbinfo -K".


On samba >= 4.4 (tested on SLES12SP3 and RHEL7):

# wbinfo -K TRUSTEDDOM\\myaccount
Enter TRUSTEDDOM\myaccount's password:
plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] failed (requesting cctype: FILE)
wbcLogonUser(TRUSTEDDOM\myaccount): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user [TRUSTEDDOM\myaccount] with Kerberos (ccache: FILE)


The same worked with samba 4.2 (tested on SLES12SP1, identical configuration in samba.conf and krb5.conf):

# wbinfo -K TRUSTEDDOM\\myaccount
Enter TRUSTEDDOM\myaccount's password:
plaintext kerberos password authentication for [TRUSTEDDOM\myaccount] succeeded (requesting cctype: FILE)


Authenticating users from the local domain works in all releases of samba:

# wbinfo -K LOCALDOM\\mylocalaccount
Enter LOCALDOM\\mylocalaccount's password:
plaintext kerberos password authentication for [LOCALDOM\\mylocalaccount] succeeded (requesting cctype: FILE)


Authenticating users without krb5 (i.e. wbinfo -a) also works in all releases. Therefore, disabling krb5_auth helps as a work-around; the user can then request a Kerberos ticket manually using kinit myaccount@TRUSTEDDOM.

Both LOCALDOM and TRUSTEDDOM are configured in krb5.conf.


It seems like newer releases of samba(-winbind) cannot locate the correct KDC for trusted domains. Do you know of any change in samba-winbind's behavior between 4.2 and 4.4? Is there something which has to be changed in the configuration? Unfortunately, I didn't find any hint in the documentation.


There were a few winbind changes in 4.3, but whether they would affect you, I have no idea, because you haven't posted your smb.conf.

Rowland
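A triage helper for the failure Markus describes, added here as an example and not taken from the thread or from Samba: it extracts the NT_STATUS code from captured wbinfo -K output, checks that krb5.conf really carries a kdc entry for the trusted realm, and wraps the live winbind lookups one would run before posting smb.conf. The realm names, hostnames and the krb5.conf fragment are constructed, and the wbinfo options used in triage_trusted_domain are assumed to exist in the installed Samba build.

```shell
#!/bin/sh
# Triage helper for "NT_STATUS_NO_LOGON_SERVERS" from 'wbinfo -K' against a trusted domain.
# Constructed example; assumes wbinfo supports -m, --ping-dc and --dsgetdcname.

# Pull the NT_STATUS code out of captured 'wbinfo -K' output (read from stdin).
wbinfo_status() {
  sed -n 's/.*error code was \(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1
}

# Return 0 if krb5.conf ($1) has a [realms] stanza for realm $2 that contains a kdc line.
krb5_realm_has_kdc() {
  awk -v realm="$2" '
    /^[[:space:]]*\[/ { section = $1; next }
    section == "[realms]" && $1 == realm && $NF == "{" { inrealm = 1; next }
    inrealm && $1 == "}"   { inrealm = 0 }
    inrealm && $1 == "kdc" { found = 1 }
    END { exit (found ? 0 : 1) }' "$1"
}

# Constructed krb5.conf fragment: the local realm has a kdc line, the trusted realm
# is listed but deliberately lacks one, so the check above has something to flag.
sample_krb5_conf() {
  cat <<'EOF'
[realms]
  LOCALDOM.EXAMPLE = {
    kdc = dc1.localdom.example
  }
  TRUSTEDDOM.EXAMPLE = {
    admin_server = dc1.trusteddom.example
  }
EOF
}

# Live checks for a domain-joined host; each prints a hint only when it fails.
# usage: triage_trusted_domain TRUSTEDDOM TRUSTEDDOM.EXAMPLE
triage_trusted_domain() {
  wbinfo -m | grep -qx "$1"      || echo "winbind does not list $1 as a trusted domain"
  wbinfo --ping-dc --domain="$1" || echo "winbind cannot ping a DC for $1"
  wbinfo --dsgetdcname="$1"      || echo "winbind cannot locate a DC for $1"
  krb5_realm_has_kdc /etc/krb5.conf "$2" || echo "no kdc entry for realm $2 in krb5.conf"
}
```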


