On Tue, Jul 25, 2017 at 10:08:51AM +0200, Lukas Slebodnik wrote:
On (25/07/17 09:56), Marc-Henri Pamiseux wrote:
>Hi sssd users,
>
>I contacted the Samba discussion list yesterday about a malfunction with
>this software. I was asked to put my question to the sssd list, which I
>do :)
>You will find below the email sent to the Samba list:
>
>**************************************************************************
>I've updated a domain member smb server to samba 4.6.5.
>I don't want to use winbind for this upgrade so I'm trying with sssd.
>After a long informative reading on this subject, I've finally succeeded in
>connecting using the hostname.
>
>The domain member is properly joined to the AD-DC:
># net ads testjoin
>Join is OK
>
>Another test:
># adcli info -D local.mydomain
>[domain]
>domain-name = local.mydomain
>domain-short = MYDOMAIN
>domain-forest = local.mydomain
>domain-controller = hera.local.mydomain
>domain-controller-site = Laval
>domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable
>good-timeserv full-secret
>domain-controller-usable = yes
>domain-controllers = hera.local.mydomain
>[computer]
>computer-site = Laval
>
>From the domain member server (RHEA), I can view the main shares using
>my account but not when using the administrator account. By the way, I
>believe I set some limitations on this account because nobody has to use
>this one.
>
># smbclient -L //RHEA -U myident
>Enter MYDOMAIN\myident's password:
>
>        Sharename       Type      Comment
>        ---------       ----      -------
>        IPC$            IPC       IPC Service (Samba 4.6.5-Debian)
>        projets         Disk      Gestion des projets
>        public          Disk      Public Stuff
>        myident         Disk      Repertoire Personnel
>Domain=[MYDOMAIN] OS=[] Server=[]
>
>        Server               Comment
>        ---------            -------
>        RHEA                 Samba 4.6.5-Debian
>
>        Workgroup            Master
>        ---------            -------
>        MYDOMAIN             RHEA
>
>From the AD-DC server (HERA), I can see the same thing using my account.
>Still on the AD-DC, I've tried another method:
>
># smbclient -L //192.168.1.2 -U myident
>Enter MYDOMAIN\myident's password:
>Domain=[MYDOMAIN] OS=[] Server=[]
>
>        Sharename       Type      Comment
>        ---------       ----      -------
>        IPC$            IPC       IPC Service (Samba 4.6.5-Debian)
>        projets         Disk      Gestion des projets
>        public          Disk      Public Stuff
>        myident         Disk      Repertoire Personnel
>Domain=[MYDOMAIN] OS=[] Server=[]
>
>        Server               Comment
>        ---------            -------
>        RHEA                 Samba 4.6.5-Debian
>
>        Workgroup            Master
>        ---------            -------
>        MYDOMAIN             RHEA
>
>Well...
>Everything seems to work.
>Now I want to test access from a Windows client. I have opened a
>session on the domain using my account. Now I open Windows Explorer and
>type //RHEA in the address bar. I can see the share that I can use.
>So, why do I post on this mailing list?
>
>Because when I use the address //192.168.1.2, the operating system asks me
>to identify myself. But I have already done this when I opened this
>session. I am surprised because it is usually the opposite error that
>occurs. Let's go to the log on the RHEA host (192.168.1.2):
>
>[2017/07/25 02:46:15.286177, 0]
>../source3/auth/auth_domain.c:226(domain_client_validate)
> domain_client_validate: unable to validate password for user myident
>in domain MYDOMAIN to Domain controller HERA.LOCAL.MYDOMAIN. Error was
>NT_STATUS_WRONG_PASSWORD.
>[2017/07/25 02:46:15.288928, 2]
>../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [myident] -> [myident]
>FAILED with error NT_STATUS_WRONG_PASSWORD
As you can see NTLM is used for authentication in this case and SSSD
does not support NTLM, hence authentication fails.
The reason is that when you use the name the Windows client can use
Kerberos because it can request a Kerberos service ticket for the
principal cifs/files.server.name@AD.REALM. When using the IP address the
Windows client falls back to NTLM authentication because Kerberos does
not use IP addresses in principals and a reverse DNS lookup is often
unreliable or not even configured.
So when using SSSD you can only use the name. If you have use cases
where only the IP address can be used you currently have to use winbind.
HTH
bye,
Sumit
> >[2017/07/25 02:46:15.296364, 2]
> >../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
> > SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
> >
> >Ok, but this error occurred even before I specified an identifier.
> >I removed the Windows-based workstation from the domain and then I joined
> >it again. In this regard, I have noticed that a computer cannot join a
> >Windows Active Directory domain if the NetBIOS over TCP/IP option is
> >not enabled. Too bad!
> >
> >RSAT is installed on this computer and I still can log in and maintain
> >Active Directory and the DNS zone from this computer. But now, I cannot see
> >the RHEA share anymore. I get the same error whether I use the IP or the hostname.
> >
> >sssd seems to work fine because the command getent passwd gives me a result:
> >
> ># getent passwd myident
> >myident:*:1072:513:Marc-Henri Pamiseux:/home/MYDOMAIN/myident:/bin/bash
> >
> >Can someone help me investigate?
>
> I would recommend the following page for troubleshooting SSSD
>
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>
> And maybe you can directly jump to the authentication section
>
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html#troubleshoot...
>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
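The diagnosis Sumit gives above (a failure in `auth_check_ntlm_password` means the client fell back from Kerberos to NTLM, which SSSD cannot serve) can be pulled out of a Samba log automatically. The script below is an added example, not code from the thread or from the Samba or SSSD projects; the log text it parses is a constructed sample in the same layout as the entries quoted in the thread, and the wrapping of the source location onto its own line is the mail client's, so the parser accepts both that form and Samba's usual one-line header.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the Samba log quoted in the thread: a "[date time,
# level]" header, the source location wrapped onto its own line, a wrapped message.
SAMPLE_LOG = """\
[2017/07/25 02:46:15.288928, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [myident] -> [myident]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2017/07/25 02:46:15.296364, 2]
../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
"""

# Samba normally prints "file:line(function)" on the header line; accept it there too.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\]\s*(\S*)\s*$")
LOCATION_RE = re.compile(r"^\.\./\S+:\d+\(\w+\)$")
NTLM_FAIL_RE = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[[^\]]*\]\s+FAILED with error (NT_STATUS_\w+)")


def parse_samba_log(text: str) -> List[Dict[str, str]]:
    """Group raw lines into entries with timestamp, level, location and joined message."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": m.group(2),
                            "location": m.group(3), "message": ""})
        elif entries:  # continuation line of the current entry
            cur, stripped = entries[-1], line.strip()
            if not cur["location"] and LOCATION_RE.match(stripped):
                cur["location"] = stripped
            else:
                cur["message"] = (cur["message"] + " " + stripped).strip()
    return entries


def ntlm_auth_failures(text: str) -> List[Dict[str, str]]:
    """Rejections on Samba's NTLM path (auth_check_ntlm_password), the path SSSD cannot serve."""
    found = []
    for e in parse_samba_log(text):
        m = NTLM_FAIL_RE.search(e["message"])
        if "auth_check_ntlm_password" in e["location"] and m:
            found.append({"ts": e["ts"], "user": m.group(1), "status": m.group(2),
                          "hint": "client fell back from Kerberos to NTLM (connected by IP "
                                  "instead of hostname?); SSSD does not support NTLM"})
    return found
```

Run it over `log.smbd` (or the per-client log file) at log level 2 or higher; every record it returns is a client that did not present a Kerberos ticket for the `cifs/` principal, which with an SSSD-backed member server is exactly the "works by name, fails by IP" symptom from the thread.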