#7821 Samba integration issue for windows client
Closed: wontfix 5 years ago Opened 5 years ago by akadoya.

Issue

I have set up a Samba share with a FreeIPA server according to this wiki: https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
A Windows client in the trusted AD domain cannot mount the Samba share, and users keep getting credential pop-ups, while Unix clients are able to mount it with no problem.

Steps to Reproduce

I have 2 clustered Samba servers built on CentOS 7 + pcs, and they are joined to IDM.DOMAIN.COM (managed by FreeIPA).
FreeIPA trusts DOMAIN.COM and its child domain PROD.DOMAIN.COM.
From the Unix client (Cent.PROD.DOMAIN.COM, IPA client installed), I can mount the share using Kerberos.
From the Windows client (Win.PROD.DOMAIN.COM, joined to the AD domain PROD.DOMAIN.COM), I cannot mount the share.
From both clients, I am using my domain user USER@DOMAIN.COM.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

(unix client)
ipa-client-4.6.4-10.el7
(ipa server)
ipa-server-4.5.4-10.el7.centos.4.4.x86_64
ipa-client-4.5.4-10.el7.centos.4.4.x86_64
389-ds-base-1.3.7.5-28.el7_5.x86_64
pki-ca-10.5.1-15.el7_5.noarch
krb5-server-1.15.1-19.el7.x86_64

(windows)
windows 2012 R2

Additional info:

With the exact same smb.conf shown in the wiki, I kept getting the error below.
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED

I couldn't figure out why, but by reading through past posts here I found someone who had the same issue as me and made it work by setting security = user instead of ads in smb.conf.
So here is my current Samba config:

[global]
netbios name = imgshare
workgroup = WORKGROUP
realm = IDM.DOMAIN.COM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
log level = 1 auth:10 winbind:10
security = user
server string = Assets share
map to guest = bad user
clustering = yes
ctdbd socket = /tmp/ctdb.socket
[assets]
path = /assets
guest ok = no
writable = yes
browsable = yes
===

Command I used to mount the share on unix:
mount -t cifs -o user=user,domain=DOMAIN.COM,sec=krb5 //assets.idm.domain.com/assets /mnt

On Windows, I am logged in as user@DOMAIN.COM on a machine joined to the AD domain, and then typed \\assets.idm.domain.com

# smbstatus

Samba version 4.8.3
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
0:12082 nobody       nobody       windows IP (ipv4:windows IP:54650)  SMB3_02           -                    -
0:13688 user@domain.com user@domain.com unix IP (ipv4:unix IP:41380)  NT1               -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
IPC$         0:13688 172.21.68.208 Fri Dec 28 11:42:02 PM 2018 UTC  -            -
IPC$         0:12082 172.21.68.144 Fri Dec 28 11:38:55 PM 2018 UTC  -            -
assets       0:13688 172.21.68.208 Fri Dec 28 11:42:02 PM 2018 UTC  -            -

No locked files

As you can see, access from the Windows client is somehow mapped to the guest user, and because I have set no guest access on the share, I cannot mount it.
Here is the Samba server log:

[2018/12/28 23:38:54.697640,  5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:122(make_user_info_map)
  Mapping user [domain]\[user] from workstation [WIN]
[2018/12/28 23:38:54.697682,  5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for user(user)
[2018/12/28 23:38:54.697705,  5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:72(make_user_info)
  making strings for user's user_info struct
[2018/12/28 23:38:54.697726,  5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:125(make_user_info)
  making blobs for user's user_info struct
[2018/12/28 23:38:54.697745, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:176(make_user_info)
  made a user_info for user (user)
[2018/12/28 23:38:54.697762,  3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [domain]\[user]@WIN] with the new password interface
[2018/12/28 23:38:54.697781,  3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [domain]\[user]@[WIN]
[2018/12/28 23:38:54.697798, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:202(auth_check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2018/12/28 23:38:54.697815, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:204(auth_check_ntlm_password)
  challenge is:
[2018/12/28 23:38:54.697831, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_builtin.c:41(check_guest_security)
  Check auth for: [user]
[2018/12/28 23:38:54.697879, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
  auth_check_ntlm_password: guest had nothing to say
[2018/12/28 23:38:54.697985,  3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'user' in passdb.
[2018/12/28 23:38:54.698015,  5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/12/28 23:38:54.698042,  2, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user] -> [user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/12/28 23:38:54.698071,  3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:2214(do_map_to_guest_server_info)
  No such user user [domain] - using guest account
[2018/12/28 23:38:54.698198, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/ntlmssp/ntlmssp_server.c:994(ntlmssp_server_postauth)
  ntlmssp_server_auth: Failed to create unmodified session key.
[2018/12/28 23:38:54.698223,  5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/ntlmssp/ntlmssp_server.c:1011(ntlmssp_server_postauth)
  server session key is invalid (len == 0), cannot do KEY_EXCH!
[2018/12/28 23:38:54.698245, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:440(gensec_update_send)
  gensec_update_send: ntlmssp[0x557928413d90]: subreq: 0x5579284168a0
[2018/12/28 23:38:54.698265, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:440(gensec_update_send)
  gensec_update_send: spnego[0x557928412d00]: subreq: 0x5579284131c0
[2018/12/28 23:38:54.698320, 10, pid=12082, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:498(gensec_update_done)

Any idea why I am getting the "no such user" error?
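As an added example (not part of this ticket or of Samba), the following Python reads Samba auth-class log lines in the two-line header/message format shown above and flags every smbd PID whose authentication FAILED and was then silently mapped to the guest account, the condition that surfaces as the "nobody" session in smbstatus. The sample log is constructed from the lines quoted in this ticket, with a second, non-failing PID added as a negative case.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the auth-class lines quoted in this ticket.
SAMPLE_LOG = """\
[2018/12/28 23:38:54.697640,  5, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:122(make_user_info_map)
  Mapping user [domain]\\[user] from workstation [WIN]
[2018/12/28 23:38:54.698042,  2, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user] -> [user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/12/28 23:38:54.698071,  3, pid=12082, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:2214(do_map_to_guest_server_info)
  No such user user [domain] - using guest account
[2018/12/28 23:40:10.000000,  5, pid=13688, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:122(make_user_info_map)
  Mapping user [domain]\\[other] from workstation [CENT]
"""

# Samba writes each entry as a bracketed header line followed by indented message lines.
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+), pid=(?P<pid>\d+),")
MAP_RE = re.compile(r"Mapping user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\] from workstation \[(?P<ws>[^\]]*)\]")
FAILED_RE = re.compile(r"Authentication for user \[[^\]]*\] -> \[[^\]]*\] FAILED with error (?P<status>NT_STATUS_\w+)")
GUEST_MARKER = "using guest account"


def parse_entries(text):
    """Yield (pid, message) pairs, attaching each indented line to the header above it."""
    pid = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pid = int(header.group("pid"))
        elif pid is not None and line.startswith("  "):
            yield pid, line.strip()


def find_guest_fallbacks(text):
    """Return one record per smbd PID whose failed authentication was mapped to guest."""
    state = defaultdict(lambda: {"domain": None, "user": None, "workstation": None,
                                 "status": None, "guest": False})
    for pid, msg in parse_entries(text):
        s = state[pid]
        mapped = MAP_RE.search(msg)
        failed = FAILED_RE.search(msg)
        if mapped:
            s["domain"], s["user"], s["workstation"] = mapped.group("dom", "user", "ws")
        elif failed:
            s["status"] = failed.group("status")
        elif GUEST_MARKER in msg:
            s["guest"] = True
    # Only a FAILED auth followed by a guest mapping is the silent fallback of interest.
    return [{"pid": pid, **s} for pid, s in sorted(state.items()) if s["guest"] and s["status"]]
```

Run against a real /var/log/samba/log.* file at "log level = 1 auth:10" (as in the smb.conf above), each returned record names the workstation, the claimed user and the NT_STATUS that was hidden behind "map to guest = bad user".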


As that page says at the beginning, this is not a supported use case in FreeIPA, and things may or may not work for you. There are known issues, and this is one of them.

There is nothing you can do to fix it right now. I'm working (slowly) on figuring out the missing pieces. It requires a number of modifications in the Samba source code as well as in FreeIPA's ipasam module, and overall changes in the way IPA represents CIFS services in its LDAP.

Do not try to set up a Samba server with security = user on an IPA client. security = user implies it is either a standalone server or a domain controller, which is not what you need here (the IPA master must be a domain controller).

Our current approach on the Samba side is described in this thread: https://lists.samba.org/archive/samba-technical/2018-December/131535.html, and it is still incomplete, as the code on the Samba side is not yet implemented.

Thank you for the detailed information; that makes sense.
I suppose I will take a different approach for this share this time, but I am looking forward to seeing progress on the Samba side.

Metadata Update from @akadoya:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)
