#3228 samba/sssd and accessing share through CNAME on Win8+ clients
Closed: Invalid None by marcoc. Opened 2 years ago by marcoc.

Hi, we configured samba to authenticate through sssd-ad but authentication is not working when trying to connect to shares through a DNS alias instead of the actual hostname. This happens only on Windows 8/10 or server 2012+ clients. Windows 7 connects fine. I tried to find any errors in samba and sssd logs to no avail.

What happens is that when the login fails the authentication is actually not using kerberos:

[2016/10/27 12:24:28.434581, 1, pid=5920, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug)
authenticate: struct AUTHENTICATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmAuthenticate (3)
LmChallengeResponseLen : 0x0018 (24)
LmChallengeResponseMaxLen: 0x0018 (24)

but NTLMSSP

platform is Centos 7 + sssd 1.13.0.40

Please see sssd.conf and smb.conf attached

Thanks


SSSD currently support Kerberos authentication (NTLM might become available sometime but not in the nead future).

For Kerberos a client has to ask the AD DC for a service ticket for a given service. For file share access the service principal typical looks like cifs/fully.qualified.domain.name@AD.REALM. The fully.qualified.domain.name is the host name you enter when connection to the share. The client will then add the 'cifs/ prefix and the realm and ask the AD DC for a ticket. The AD DC search the servicePrincipalName attributes for a match. If no matching principal is found the client will fall back to NTLM authentication.

It looks like Windows 7 does not use the alias name you entered directly but canonicalize it first and then asks the DC. You can check this by calling calling 'klist' at the command prompt of the Windows 7 client after connecting to the share. In the output you should see a cifs/... principal with the actual host name and not with the alias name. It looks like this behavior causes issues with the Internet Explorer see e.g. https://social.technet.microsoft.com/Forums/windows/en-US/f649df36-a61b-4d23-a0c6-818dc2eff923/ie8-on-windows-7-kerberos-cname-bug?forum=w7itpronetworking . May guess because of this the behavior was changed in newer Windows releases. Unfortunately I have no idea if this configurable on the Windows side.

You can try to add servicePrincipalNames which contains the alias names to the host object of the SSSD client as well. This should allow the client to request for tickets with the alias name as well. On the SSSD client you should add matching entries to the keytab used by samba as well. 'net ads keytab add ...' can be used for this. Please make a copy of the existing keytab before so that you can recover it if anything goes wrong.

HTH

bye,
Sumit

Hi, I was able to solve it on the linux side using your suggestions, adding the principals with net ads keytab add, and then doing the same with stspn -a on the domain controller.

What I am perplexed about is that I wasn't able to get any understanding of what was happening looking at both sssd and samba logs with level 10. There is no "kerberos authentication failed, falling back to ntlm" anywhere, but it just logs the failing ntlm authentication. As sssd is managing the kerberos settings (as opposed to krb5.conf in /etc), I would expect sssd to be logging kerberos trace somewhere (maybe krb5_child.log?) but that is empty as well. Or should I refer to KRB5_TRACE variable? Also why is sssd falling back to ntlm if it does not support it?

Thanks for your help

You cannot see anything in the logs because the decisions are done on the Windows client. The client will ask the DC for a service ticket, if this fails it will fall back to NTLM authentication and only at this point it will start a connection to the Linux fileserver. So the only message you can see is the one from the description saying that NTLMSSP authentication is used by the client.

cc: => sbose

Fields changed

resolution: => invalid
status: new => closed

Metadata Update from @marcoc:
- Issue set to the milestone: NEEDS_TRIAGE

2 years ago

Login to comment on this ticket.

Metadata