
Setup

server

  • Centos 7.6
  • Samba 4.8
  • Winbind
  • SSSD
  • Kerberos

This machine is joined to the company Active Directory as a member server, not a domain controller (I followed the Red Hat documentation to join the machine to the domain and configure smb).

I also added this:

    net ads keytab add cifs

net ads testjoin and net ads status give me positive results.

  • Windows clients can connect using DOMAIN\username and password credentials
  • Mac OSX clients can connect using user@domain-style credentials and a password (other forms such as DOMAIN\username are not accepted)
  • Linux clients can't connect using mount.cifs; I tried these options:
    • username=username,domain=DOMAIN
    • username=username,domain=FULL.DOMAIN.TLD (caps or not)
    • username=DOMAIN\username
    • username=FULL.DOMAIN.TLD\username
    • username=username@DOMAIN
    • ...etc

Clients used for these tests:

  • Windows 10
  • Centos 7
  • Debian 9
  • Ubuntu 18
  • OSX Mojave

Some clients are joined to Active Directory and some are not. The result is the same either way: only Windows and OSX can mount the share.

I also played with sec= and vers= using more or less all the possibilities, and with file_mode and dir_mode set to 777 or 644/755, without success either. I also tried a credentials file and a line in fstab.

I always receive: mount error(13): Permission denied

The funky point is that I can mount the share using a local account created on the server with smbpasswd... but obviously this is not what I want.

Another funky point: I can connect to the server from Thunar under XFCE using smb://user@..., and this also works with smbclient.

Here are my conf files:

smb.conf

    [global]
    workgroup = DOMAIN
    security = ads
    client signing = yes
    client use spnego = yes
    realm = DOMAIN.DOM.CH
    server role = MEMBER SERVER
    passdb backend = tdbsam
    kerberos method = secrets and keytab
    idmap config * : range = 10000-99999999
    idmap config * : backend = tdb
    wins server = xx.xx.xx.xx
    winbind use default domain = yes
    load printers = no
    disable spoolss = yes
    show add printer wizard = No
    local master = No
    dns proxy = No
    logging = file
    log file = /var/log/samba/smb-%I.log
    log level = 4
    max log size = 10000
    follow symlinks = yes
    min protocol = SMB2
    client min protocol = SMB2
    debug hires timestamp = No
    acl group control = yes
    delete readonly = yes
    acl allow execute always = yes
    dos filemode = Yes
    inherit permissions = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr

    [MyShare]
    inherit acls = Yes
    path = /srv/samba/partage
    read only = no
    admin users = @"DOMAIN\GROUP-AdminsU" "DOMAIN\user"
    vfs objects = acl_xattr

krb5.conf

    # Configuration snippets may be placed in this directory as well
    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_ccache_name = KEYRING:persistent:%{uid}
    default_realm = DOMAIN.DOM.CH

    [realms]
    DOMAIN.DOM.CH = {
      kdc = domain.dom.ch
      admin_server = domain.dom.ch
    }

    [domain_realm]
    domain.dom.ch = DOMAIN.DOM.CH
    .domain.dom.ch = DOMAIN.DOM.CH

sssd.conf

    [sssd]
    domains = domain.dom.ch
    config_file_version = 2
    services = nss, pam
    default_domain_suffix = DOMAIN.DOM.CH

    [domain/domain.dom.ch]
    ad_domain = domain.dom.ch
    krb5_realm = DOMAIN.DOM.CH
    realmd_tags = manages-system joined-with-samba
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%u@%d
    access_provider = ad

I had a look at the Samba logs at level 10 and here are the possibly relevant errors. To make things a bit clearer, I split the logs by module.

auth:

    Got user=[user] domain=[DOMAIN] workstation=[] len1=0 len2=166
    Mapping user [DOMAIN]\[user] from workstation []
    ...
    check_ntlm_password: Checking password for unmapped user [DOMAIN]\[user]@[] with the new password interface
    check_ntlm_password: mapped user is: [DOMAIN]\[user]@[]
    check_ntlm_password: auth_context challenge created by random
    challenge is:
    Check auth for: [user]
    auth_check_ntlm_password: guest had nothing to say
    Check auth for: [user]
    check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
    auth_check_ntlm_password: sam had nothing to say
    Check auth for: [user]
    check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
    auth_check_ntlm_password: winbind authentication for user [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
    check_ntlm_password: Authentication for user [user] -> [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
    ntlmssp_server_auth_send: Checking NTLMSSP password for DOMAIN\user failed: NT_STATUS_LOGON_FAILURE
    gensec_update_done: ntlmssp[0x55ad6e4aba70]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ab680/../auth/ntlmssp/ntlmssp.c:181]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)] state[struct gensec_ntlmssp_update_state (0x55ad6e4ab810)] timer[(nil)] finish[../auth/ntlmssp/ntlmssp.c:239]
    gensec_update_done: spnego[0x55ad6e4aaf00]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ac860/../auth/gensec/spnego.c:1601]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)] state[struct gensec_spnego_update_state (0x55ad6e4ac9f0)] timer[(nil)] finish[../auth/gensec/spnego.c:2065]

The curious point here is the "workstation=[]". With Windows and Mac clients I always have a workstation name in the brackets, but nothing when it's a Linux client.

auth_audit:

    Auth: [SMB2,(null)] user [DOMAIN]\[user] at [Wed, 17 Apr 2019 07:54:56.191467 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:xxx.xxx.xxx.xxx:57124] mapped to [DOMAIN]\[user]. local host [ipv4:xxx.xxx.xxx.xxx:445]

smb2:

    Selected protocol SMB3_11
    smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:156] at ../source3/smbd/smb2_negprot.c:662
    smbd_smb2_request idx[1] of 5 vectors
    smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 1
    smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_MORE_PROCESSING_REQUIRED] body[8] dyn[yes:194] at ../source3/smbd/smb2_sesssetup.c:174
    smbd_smb2_request idx[1] of 5 vectors
    smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 2
    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
    smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3219
    smbd_server_connection_terminate_ex: conn[ipv4:xxx.xxx.xxx.xxx:57054] reason[NT_STATUS_END_OF_FILE] at ../source3/smbd/smb2_server.c:3986

From my Linux client I can SSH to the server using my Active Directory credentials.

I really don't know what else to do.

Update 1

When connecting to this share, my login request is received by the Domain Controller and the password is accepted. So the issue is not on that side. I also tried adding uid=(the id of my account, 0, root) to the mount options, but without success.

Update 2

I could mount this share after creating a Kerberos ticket with kinit and adding sec=krb5 to the mount options. It's better than nothing, but why is it acting like that?!

Update 3

Okay, after all the documents I could read, it looks like the only solution to authenticate against Active Directory and Kerberos is to first create a Kerberos ticket using kinit and then mount the share with the -o sec=krb5 option. I honestly don't understand why Linux is acting like that when OSX doesn't, but anyway... for now, I don't have any other solution...
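As an added example that is not part of the question or of Samba itself: a small Python parser for the auth_audit record format quoted above, which tallies session setups by mechanism and outcome and flags the pattern the Linux mount.cifs attempts produced (NTLMv2, NT_STATUS_LOGON_FAILURE, empty workstation). The first sample record is the one from the question; the Windows NTLMv2 and Kerberos records are constructed, and their exact field values are an assumption.

```python
import re
from collections import Counter

# Field layout of a Samba auth_audit record, as in the line quoted in the question.
AUDIT_RE = re.compile(
    r"Auth: \[(?P<proto>[^,\]]*),(?P<binding>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<ts>[^\]]*)\] with \[(?P<mech>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] workstation \[(?P<ws>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)

# Constructed sample log: record 1 is the line quoted in the question (IPs x'ed out there);
# records 2 and 3 are invented (a Windows NTLMv2 client, a Linux client after kinit + sec=krb5);
# the last line is an unrelated smbd message that the parser must skip.
SAMPLE_LOG = [
    "Auth: [SMB2,(null)] user [DOMAIN]\\[user] at [Wed, 17 Apr 2019 07:54:56.191467 CEST] "
    "with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] "
    "remote host [ipv4:xxx.xxx.xxx.xxx:57124] mapped to [DOMAIN]\\[user]. "
    "local host [ipv4:xxx.xxx.xxx.xxx:445]",
    "Auth: [SMB2,(null)] user [DOMAIN]\\[user] at [Wed, 17 Apr 2019 08:01:02.000000 CEST] "
    "with [NTLMv2] status [NT_STATUS_OK] workstation [WIN10-PC] "
    "remote host [ipv4:192.0.2.10:49875] mapped to [DOMAIN]\\[user]. local host [ipv4:192.0.2.1:445]",
    "Auth: [SMB2,(null)] user [DOMAIN]\\[user] at [Wed, 17 Apr 2019 08:05:00.000000 CEST] "
    "with [Kerberos] status [NT_STATUS_OK] workstation [] "
    "remote host [ipv4:192.0.2.20:40001] mapped to [DOMAIN]\\[user]. local host [ipv4:192.0.2.1:445]",
    "smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 2",
]

def parse_audit_line(line):
    """Return the audit fields as a dict, or None for lines that are not audit records."""
    m = AUDIT_RE.search(line)
    return m.groupdict() if m else None

def classify(rec):
    """'ok', 'fail', or 'ntlm-fail-no-workstation': the signature the question's Linux
    mount.cifs attempts left behind (NTLM, NT_STATUS_LOGON_FAILURE, empty workstation)."""
    failed = rec["status"] != "NT_STATUS_OK"
    if failed and rec["mech"].startswith("NTLM") and rec["ws"] in ("", "(null)"):
        return "ntlm-fail-no-workstation"
    return "fail" if failed else "ok"

def summarize(lines):
    """Tally (mechanism, outcome) pairs so you can see which clients fall back to NTLM."""
    counts = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None:
            counts[(rec["mech"], classify(rec))] += 1
    return counts
```

Run it over /var/log/samba/smb-*.log on the member server to see at a glance which clients negotiate Kerberos and which fall back to NTLM.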

  • That's a very intriguing problem. I'd very much like to see an answer to it. I once had a similar problem (with a simpler setup) and had to create local users with no shells so that samba would allow authentication against the LDAP to take place. (Commented Apr 18, 2019 at 10:33)
  • About the empty workstation name, have you tried using the explicit "netbiosname" option of mount.cifs? (Commented Apr 18, 2019 at 10:36)
  • I suppose you checked for a double backslash in `DOMAIN\user'? (Commented Apr 18, 2019 at 12:04)
  • @lgeorget: yep, I also tried the netbiosname option, which does not change anything; still no machine name in the logs. Oh, and by the way, I have other servers using auth against LDAP and it works without problem. But in my current situation I have some super admin accounts which are not in the LDAP... that's why this AD conf. (Commented Apr 23, 2019 at 5:22)
  • @Archemar yes. I tried single, double, {back,front}slash. (Commented Apr 23, 2019 at 5:26)

1 Answer


I found this article, which may help you mount the SMB shares:

https://askubuntu.com/questions/1026316/cifs-mounts-and-kerberos-permissions-on-access-or-best-practice

I believe that the issue is related to Kerberos and Sebastian Stark does a great job of explaining exactly what I would have said.

  • This is pretty interesting! By creating a Kerberos ticket, I can then mount my share using sec=krb5. Why the hell is this acting like that? (Commented May 2, 2019 at 6:32)
  • A quote from searchwindowsserver.techtarget.com/tip/…: "Microsoft's Active Directory employs Kerberos for numerous activities, including user and system authentication, and authorization of network resource access". So to my understanding, without that Kerberos ticket you will not be able to access the share even though you may be prompted for creds. @darxmurf (Commented May 2, 2019 at 15:59)
  • Absolutely, but this is configured on my server and working, as we can see from my successful authentication on the domain controller. (Commented May 3, 2019 at 7:37)
