I have set up a Samba share with a FreeIPA server according to this wiki: https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA. A Windows client in a trusted AD domain cannot mount the Samba share and users keep getting credential pop-ups, while Unix clients are able to mount it with no problem.
I have 2 clustered Samba servers built on CentOS 7 + pcs, and they're joined to IDM.DOMAIN.COM (managed by FreeIPA). FreeIPA trusts DOMAIN.COM and its child domain PROD.DOMAIN.COM. From a Unix client (Cent.PROD.DOMAIN.COM, ipa-client installed), I can mount the share using Kerberos. From a Windows client (Win.PROD.DOMAIN.COM, joined to the AD domain PROD.DOMAIN.COM), I cannot mount the share. From both clients I am using my domain user USER@DOMAIN.COM.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
(unix client)
  ipa-client-4.6.4-10.el7
(ipa server)
  ipa-server-4.5.4-10.el7.centos.4.4.x86_64
  ipa-client-4.5.4-10.el7.centos.4.4.x86_64
  389-ds-base-1.3.7.5-28.el7_5.x86_64
  pki-ca-10.5.1-15.el7_5.noarch
  krb5-server-1.15.1-19.el7.x86_64
(windows)
  Windows 2012 R2
With the exact same smb.conf shown in the wiki, I kept getting the error below:

  SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
  session setup failed: NT_STATUS_ACCESS_DENIED

I couldn't figure out why, but by reading through past posts here I found someone who was having the same issue as me and made it work by changing smb.conf to security = user instead of ads. So here is my current Samba config:
[global]
    netbios name = imgshare
    workgroup = WORKGROUP
    realm = IDM.DOMAIN.COM
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    log file = /var/log/samba/log.%m
    log level = 1 auth:10 winbind:10
    security = user
    server string = Assets share
    map to guest = bad user
    clustering = yes
    ctdbd socket = /tmp/ctdb.socket

[assets]
    path = /assets
    guest ok = no
    writable = yes
    browsable = yes
Command I used to mount the share on Unix:

  mount -t cifs -o user=user,domain=DOMAIN.COM,sec=krb5 //assets.idm.domain.com/assets /mnt

On Windows I am logged in as user@DOMAIN.COM on a machine joined to the AD domain, and then typed \\assets.idm.domain.com
# smbstatus

Samba version 4.8.3
PID      Username         Group            Machine                              Protocol Version  Encryption  Signing
----------------------------------------------------------------------------------------------------------------------
0:12082  nobody           nobody           windows IP (ipv4:windows IP:54650)   SMB3_02           -           -
0:13688  user@domain.com  user@domain.com  unix IP (ipv4:unix IP:41380)         NT1               -           -

Service  pid      Machine        Connected at                     Encryption  Signing
---------------------------------------------------------------------------------------------
IPC$     0:13688  172.21.68.208  Fri Dec 28 11:42:02 PM 2018 UTC  -           -
IPC$     0:12082  172.21.68.144  Fri Dec 28 11:38:55 PM 2018 UTC  -           -
assets   0:13688  172.21.68.208  Fri Dec 28 11:42:02 PM 2018 UTC  -           -

No locked files
As you can see, access from the Windows client is somehow mapped to the guest user, and because I allow no guest access to the share, I cannot mount it. Here is the Samba server log:
[2018/12/28 23:38:54.697640, 5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:122(make_user_info_map) Mapping user [domain]\[user] from workstation [WIN]
[2018/12/28 23:38:54.697682, 5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:64(make_user_info) attempting to make a user_info for user(user)
[2018/12/28 23:38:54.697705, 5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:72(make_user_info) making strings for user's user_info struct
[2018/12/28 23:38:54.697726, 5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:125(make_user_info) making blobs for user's user_info struct
[2018/12/28 23:38:54.697745, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:176(make_user_info) made a user_info for user (user)
[2018/12/28 23:38:54.697762, 3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password) check_ntlm_password: Checking password for unmapped user [domain]\[user]@WIN] with the new password interface
[2018/12/28 23:38:54.697781, 3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password) check_ntlm_password: mapped user is: [domain]\[user]@[WIN]
[2018/12/28 23:38:54.697798, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:202(auth_check_ntlm_password) check_ntlm_password: auth_context challenge created by random
[2018/12/28 23:38:54.697815, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:204(auth_check_ntlm_password) challenge is:
[2018/12/28 23:38:54.697831, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_builtin.c:41(check_guest_security) Check auth for: [user]
[2018/12/28 23:38:54.697879, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password) auth_check_ntlm_password: guest had nothing to say
[2018/12/28 23:38:54.697985, 3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:399(check_sam_security) check_sam_security: Couldn't find user 'user' in passdb.
[2018/12/28 23:38:54.698015, 5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password) auth_check_ntlm_password: sam_ignoredomain authentication for user [user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/12/28 23:38:54.698042, 2, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:332(auth_check_ntlm_password) check_ntlm_password: Authentication for user [user] -> [user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/12/28 23:38:54.698071, 3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:2214(do_map_to_guest_server_info) No such user user [domain] - using guest account
[2018/12/28 23:38:54.698198, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/ntlmssp/ntlmssp_server.c:994(ntlmssp_server_postauth) ntlmssp_server_auth: Failed to create unmodified session key.
[2018/12/28 23:38:54.698223, 5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/ntlmssp/ntlmssp_server.c:1011(ntlmssp_server_postauth) server session key is invalid (len == 0), cannot do KEY_EXCH!
[2018/12/28 23:38:54.698245, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:440(gensec_update_send) gensec_update_send: ntlmssp[0x557928413d90]: subreq: 0x5579284168a0
[2018/12/28 23:38:54.698265, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:440(gensec_update_send) gensec_update_send: spnego[0x557928412d00]: subreq: 0x5579284131c0
[2018/12/28 23:38:54.698320, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:498(gensec_update_done)
Any idea why I am getting the "no such user" error?
As that page says at the beginning, this is not a supported use case in FreeIPA and things may or may not work for you. There are known issues, and this is one of them.
There is nothing you can do to fix it right now. I'm working (slowly) on figuring out the missing pieces. It requires a number of modifications in the Samba source code as well as in FreeIPA's ipasam module, and overall changes in the way IPA represents CIFS services in its LDAP.
Do not try to set up a Samba server with security = user on an IPA client. security = user implies it is either a standalone server or a domain controller, which is not what you need here (the IPA master must be the domain controller).
Our current approach on the Samba side is described in this thread: https://lists.samba.org/archive/samba-technical/2018-December/131535.html. It is still incomplete, as the code on the Samba side is not yet implemented.
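An added check for the two things this thread turns on, written for this note and not part of the poster's setup, FreeIPA or Samba: it parses an smb.conf and flags security = user on a host that also sets a realm (a domain member needs security = ads) together with map to guest != Never (which turns a failed user lookup into a guest session instead of an error), and it scans auth-class Samba log lines for the do_map_to_guest_server_info fallback so that the silent guest mapping seen in the post shows up in a summary. The smb.conf text and the log lines are constructed to mirror the post; the user names alice and bob, the PIDs and the domains are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf modelled on the poster's config (example input, not a real server's file).
SMB_CONF = """\
[global]
    netbios name = imgshare
    workgroup = WORKGROUP
    realm = IDM.DOMAIN.COM
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    security = user
    map to guest = bad user

[assets]
    path = /assets
    guest ok = no
    writable = yes
"""

# Constructed auth-class log lines in Samba's log format; user names, PIDs and domains are placeholders.
SAMBA_LOG = """\
[2018/12/28 23:38:54.697640, 5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:122(make_user_info_map) Mapping user [DOMAIN]\\[alice] from workstation [WIN]
[2018/12/28 23:38:54.698015, 5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password) auth_check_ntlm_password: sam_ignoredomain authentication for user [alice] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/12/28 23:38:54.698071, 3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:2214(do_map_to_guest_server_info) No such user alice [DOMAIN] - using guest account
[2018/12/28 23:41:10.120000, 3, pid=12090, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:2214(do_map_to_guest_server_info) No such user bob [PROD] - using guest account
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers and 'key = value' lines; keys are case-insensitive."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_global(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag [global] settings that make a domain member silently turn unknown users into guest sessions."""
    g = conf.get("global", {})
    findings: List[str] = []
    security = g.get("security", "user").lower()  # Samba's built-in default is "user"
    if "realm" in g and security != "ads":
        findings.append(
            f"security = {security} with realm = {g['realm']}: a domain member needs security = ads"
        )
    map_to_guest = g.get("map to guest", "never").lower()  # Samba's built-in default is "Never"
    if map_to_guest != "never":
        findings.append(
            f"map to guest = {map_to_guest}: a failed user lookup becomes a guest session instead of an error"
        )
    return findings


# Matches the fallback line smbd logs when it gives up on the user and substitutes the guest account.
GUEST_RE = re.compile(
    r"do_map_to_guest_server_info\) No such user (\S+) \[([^\]]*)\] - using guest account"
)


def guest_mappings(log_text: str) -> List[Tuple[str, str]]:
    """Return (user, domain) pairs for every session smbd mapped to the guest account."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = GUEST_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for finding in check_global(parse_smb_conf(SMB_CONF)):
        print("config:", finding)
    for user, domain in guest_mappings(SAMBA_LOG):
        print(f"log: {domain}\\{user} was mapped to the guest account")
```

Run against a real host, feed it /etc/samba/smb.conf and the per-client log file named by "log file"; the guest regex only fires at log level 3 or above for the auth class, which the poster's "log level = 1 auth:10" already provides.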
Thank you for the detailed information; that makes sense. I suppose I will take a different approach for this share this time, but I look forward to seeing progress on the Samba side.
Metadata Update from @akadoya: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)