Getting Samba to authenticate against Active Directory

lqkums · 11-29-2008, 11:59 PM

Hi,

Iam trying to setup Samba version 3.2.3 on Redhat (RHEL5) server to use Active Directory for authentication. I followed the instructions from article in following website:
http://technet.microsoft.com/en-au/m.../dd228986.aspx

Setup Winbind + Samba + Kerberos and it seems to work fine. I can see the users in Active Directory through winbind as well as authenticate users using NTLM authentication.

Problem is that Iam unable to access Samba share from Windows clients as AD user. Analyzing the network traffic on SMBD port gives:
---
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error:STATUS_LOGON_FAILURE
--

I can however access the Samba share as local user in the Samba server via smbpasswd:
---
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
---

Winbind gives following error, not sure if this is significant for I can access the AD via "wbinfo"
[2008/11/26 15:22:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm

Googling helped me to get so far, but not completely resolve this issue.

Please find the configuration setting + detailed error log below:

----
i) Software Version
samba-client-3.2.3
samba-common-3.2.3
samba-3.2.3
samba-doc-3.2.3
samba-winbind-32bit-3.2.3
samba-swat-3.2.3
samba-debuginfo-3.2.3

krb5-workstation-1.5-17
krb5-libs-1.5-17
krb5-devel-1.5-17
krb5-auth-dialog-0.7-1
pam_krb5-2.2.11-1
krb5-devel-1.5-17
krb5-libs-1.5-17
pam_krb5-2.2.11-1

ii) Configure Kerberos
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TESTDOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
TESTDOMAIN.LOCAL = {
kdc = 172.16.4.10
default_domain = TESTDOMAIN.LOCAL
}

[domain_realm]
.testdomain = TESTDOMAIN.LOCAL
testdomain = TESTDOMAIN.LOCAL
.localdomain = TESTDOMAIN.LOCAL
localdomain = TESTDOMAIN.LOCAL
sol.datadirectnet.com = TESTDOMAIN.LOCAL
testdomain.local = TESTDOMAIN.LOCAL
.testdomain.local = TESTDOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

iii) Authenticate a user against AD via Kerberos
kinit Administrator@TESTDOMAIN.LOCAL
Password for Administrator@TESTDOMAIN.LOCAL:

iv) List Kerberos Tickets
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TESTDOMAIN.LOCAL

Valid starting Expires Service principal
11/26/08 14:54:36 11/27/08 00:54:39 krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
renew until 11/27/08 14:54:36

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

v) Configure WinBind +PAM

/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_mkhomedir.so skel=/etc/skel umask=0644
session required pam_unix.so

vi) Windbind started and can see users in AD
/etc/init.d/winbind status
winbindd (pid 14574 14562 14561 14459 14458) is running...

wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -u list
D1950-01+kums
D1950-01+tristan
TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+krbtgt
TESTDOMAIN+testuser

wbinfo -g
TESTDOMAIN+domain computers
TESTDOMAIN+domain controllers
TESTDOMAIN+schema admins
TESTDOMAIN+enterprise admins
TESTDOMAIN+cert publishers
TESTDOMAIN+domain admins
TESTDOMAIN+domain users

wbinfo -a TESTDOMAIN+testuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

vii) Modify /etc/pam.d/samba
/etc/pam.d/samba
auth required pam_stack.so service=system-auth
auth required pam_env.so
auth sufficient pam_krb5 use_first_pass
auth include /lib/security/pam_winbind.so
auth required pam_deny.so

session required pam_stack.so service=system-auth

account required pam_stack.so service=system-auth
account include /lib/security/pam_winbind.so

password required pam_stack.so service=system-auth

viii) Configure smb.conf
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.LOCAL
security = ADS
password server = 172.16.4.10
client NTLMv2 auth = Yes
log file = /var/log/samba/log.%m
max log size = 50
smb ports = 445
use mmap = No
dns proxy = No
socket address = 192.168.97.5
idmap backend = ad
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special
force unknown acl user = Yes

[global-share]
path = /mnt/global
read only = No
inherit permissions = Yes
inherit acls = Yes

ix) Samba running
/etc/init.d/smb status
smbd (pid 32010 32006) is running...
nmbd (pid 31998) is running...

lsof -i TCP:445
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
winbindd 31799 root 17u IPv4 8034872 TCP D1950-01.sol.datadirectnet.com:57534->172.16.4.10:microsoft-ds (ESTABLISHED)
winbindd 31800 root 17u IPv4 8034855 TCP D1950-01.sol.datadirectnet.com:57532->172.16.4.10:microsoft-ds (ESTABLISHED)
smbd 32006 root 19u IPv4 8035491 TCP node1:microsoft-ds (LISTEN)

x) Join to AD is successful
net ads testjoin
Join is OK

xi) Authentication of AD user seems to work fine
ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=testuser
password:
NT_STATUS_OK: Success (0x0)

xii) /etc/init.d/iptables status
Firewall is stopped.

xiii)Analyze Network Traffic on SMBD port

Login as TESTDOMAIN\testuser (in Windows System)

10.844796 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
10.844932 192.168.97.2 -> 192.168.97.5 SMB Trans2 Request, GET_DFS_REFERRAL, File: \192.168.97.5\global-share
10.844993 192.168.97.5 -> 192.168.97.2 SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
10.849712 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
10.849800 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
11.033663 192.168.97.2 -> 192.168.97.5 TCP capmux > microsoft-ds [ACK] Seq=1616 Ack=1172 Win=15213 Len=0
20.944057 192.168.97.2 -> 192.168.97.5 SMB Logoff AndX Request
20.944152 192.168.97.5 -> 192.168.97.2 SMB Logoff AndX Response
20.944231 192.168.97.2 -> 192.168.97.5 SMB Tree Disconnect Request
20.944360 192.168.97.5 -> 192.168.97.2 SMB Tree Disconnect Response

Login as D1950-01\kums (in Windows System)

163.625577 192.168.97.2 -> 192.168.97.5 TCP 4746 > microsoft-ds [ACK] Seq=1024 Ack=855 Win=15530 Len=0
166.059399 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
166.059551 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global-share
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response

xiv) Winbind Error
[2008/11/26 15:22:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
ads_krb5_mk_req: krb5_get_credentials failed for dc$@TESTDOMAIN (Cannot find KDC for requested realm)
[2008/11/26 15:22:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm

----

Thanks in Advance,
-Kums

fngreno · 02-19-2009, 01:52 AM

I just discovered Likewise - after watching the last of my hair fall out after tweaking winbindd for another distro. I have used successfully on FC, CentOs and Ubuntu.

I want my hair back winbindd

farslayer · 02-19-2009, 07:33 AM

The OP may not realize that you are telling him that Likewise Open may help him authenticate against AD.. you might want to include a link next time.

OP's post was back in November,. I sure hope he got it all sorted out before now..