Rocky SAMBA Shares - Winbind User Share Auth Problems from Windows

Hi All,
I am in the process of developing this network.
Rocky is widely used -
One of the problems I’ve had is with total AD integration.
Validating user logins seems best with SSSD - but delivering shares works better with Winbind.

One of the issues I’m trying to find a solution for - with thanks to Linde and Hortimech - is that a recent Rocky AD-integrated file server will not validate Windows users who connect to its shares.

I don’t think I need to use Kerberos with Winbind, that Winbind should be capable of doing this on its own. Users can log in and UID and GID and groups are being enumerated correctly.
The web research is misleading and is telling me Kerberos may be the answer.

The error Windows reports - you have permissions to access a resource - is “Target Account name is incorrect”.

I’ve uplifted the log levels and Winbind reports …

LOGS >>>>>>>>>>>>>>>>>>>>>
Allowed connection from 10.30.0.108 (10.30.0.108)
[2024/06/28 15:21:33.134823, 3] …/…/source3/smbd/smb2_oplock.c:1408(init_oplocks)
init_oplocks: initializing messages.
[2024/06/28 15:21:33.135893, 3] …/…/source3/smbd/smb2_negprot.c:1133(smb2_multi_protocol_reply_negprot)
Requested protocol [NT LM 0.12]
[2024/06/28 15:21:33.135922, 3] …/…/source3/smbd/smb2_negprot.c:1133(smb2_multi_protocol_reply_negprot)
Requested protocol [SMB 2.002]
[2024/06/28 15:21:33.135931, 3] …/…/source3/smbd/smb2_negprot.c:1133(smb2_multi_protocol_reply_negprot)
Requested protocol [SMB 2.???]
[2024/06/28 15:21:33.136075, 3] …/…/source3/smbd/smb2_negprot.c:345(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2024/06/28 15:21:33.136124, 5] …/…/source3/auth/auth.c:575(make_auth3_context_for_ntlm)
make_auth3_context_for_ntlm: Making default auth method list for server role = ‘domain member’
[2024/06/28 15:21:33.136143, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend anonymous
[2024/06/28 15:21:33.136157, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘anonymous’
[2024/06/28 15:21:33.136166, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend sam
[2024/06/28 15:21:33.136173, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘sam’
[2024/06/28 15:21:33.136180, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend sam_ignoredomain
[2024/06/28 15:21:33.136187, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘sam_ignoredomain’
[2024/06/28 15:21:33.136194, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend sam_netlogon3
[2024/06/28 15:21:33.136207, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘sam_netlogon3’
[2024/06/28 15:21:33.136215, 5] …/…/source3/auth/auth.c:52(smb_register_auth)
Attempting to register auth backend winbind
[2024/06/28 15:21:33.136223, 5] …/…/source3/auth/auth.c:64(smb_register_auth)
Successfully added auth method ‘winbind’
[2024/06/28 15:21:33.136229, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2024/06/28 15:21:33.136238, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2024/06/28 15:21:33.136245, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam
[2024/06/28 15:21:33.136253, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam has a valid init
[2024/06/28 15:21:33.136260, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match winbind
[2024/06/28 15:21:33.136267, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method winbind has a valid init
[2024/06/28 15:21:33.136274, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2024/06/28 15:21:33.136282, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2024/06/28 15:21:33.137002, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘gssapi_spnego’ registered
[2024/06/28 15:21:33.137035, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘gssapi_krb5’ registered
[2024/06/28 15:21:33.137043, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘gssapi_krb5_sasl’ registered
[2024/06/28 15:21:33.137051, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘spnego’ registered
[2024/06/28 15:21:33.137058, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘schannel’ registered
[2024/06/28 15:21:33.137067, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘ncalrpc_as_system’ registered
[2024/06/28 15:21:33.137079, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘sasl-EXTERNAL’ registered
[2024/06/28 15:21:33.137088, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘ntlmssp’ registered
[2024/06/28 15:21:33.137095, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘ntlmssp_resume_ccache’ registered
[2024/06/28 15:21:33.137103, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘http_basic’ registered
[2024/06/28 15:21:33.137110, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘http_ntlm’ registered
[2024/06/28 15:21:33.137123, 3] …/…/auth/gensec/gensec_start.c:1083(gensec_register)
GENSEC backend ‘http_negotiate’ registered
[2024/06/28 15:21:33.137215, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism spnego
[2024/06/28 15:21:33.137248, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2024/06/28 15:21:33.137934, 3] …/…/source3/smbd/smb2_negprot.c:1198(smb2_multi_protocol_reply_negprot)
Selected protocol SMB 2.???
[2024/06/28 15:21:33.140112, 3] …/…/source3/smbd/smb2_negprot.c:345(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2024/06/28 15:21:33.140224, 5] …/…/source3/auth/auth.c:575(make_auth3_context_for_ntlm)
make_auth3_context_for_ntlm: Making default auth method list for server role = ‘domain member’
[2024/06/28 15:21:33.140260, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2024/06/28 15:21:33.140280, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2024/06/28 15:21:33.140298, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam
[2024/06/28 15:21:33.140317, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam has a valid init
[2024/06/28 15:21:33.140335, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match winbind
[2024/06/28 15:21:33.140353, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method winbind has a valid init
[2024/06/28 15:21:33.140371, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2024/06/28 15:21:33.140389, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2024/06/28 15:21:33.140480, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism spnego
[2024/06/28 15:21:33.140501, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2024/06/28 15:21:33.146785, 5] …/…/source3/auth/auth.c:575(make_auth3_context_for_ntlm)
make_auth3_context_for_ntlm: Making default auth method list for server role = ‘domain member’
[2024/06/28 15:21:33.146814, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2024/06/28 15:21:33.146824, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2024/06/28 15:21:33.146831, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam
[2024/06/28 15:21:33.146839, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam has a valid init
[2024/06/28 15:21:33.146861, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match winbind
[2024/06/28 15:21:33.146869, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method winbind has a valid init
[2024/06/28 15:21:33.146877, 5] …/…/source3/auth/auth.c:436(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2024/06/28 15:21:33.146885, 5] …/…/source3/auth/auth.c:461(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2024/06/28 15:21:33.146933, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism spnego
[2024/06/28 15:21:33.147007, 5] …/…/auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2024/06/28 15:21:33.147274, 1] …/…/source3/librpc/crypto/gse.c:712(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/gsl-svr-cifs.DOMAIN.local@DOMAIN.LOCAL not found in keytab (ticket kvno 1)]
[2024/06/28 15:21:33.155834, 3] …/…/lib/util/access.c:372(allow_access)

I messaged Hortimech - sorry if this is against protocol I am really looking for a solution here.

Kind Regards

Jake
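The GSS failure at the end of those logs names the exact service principal and key version the client's ticket was issued for, so the first thing to check is whether that principal is in the server's keytab at all. The following is an added example, not code from any poster in this thread: it parses the quoted smbd error and compares it against a `klist -kte /etc/krb5.keytab` style listing (the listing here is constructed and deliberately lacks the cifs/ entry; on a real server you would feed it the output of `klist -kte` or `net ads keytab list`).

```shell
#!/bin/sh
# Added example: does the SPN in smbd's GSS failure exist in the keytab?
# Inputs are constructed: the log line is the one quoted in the thread
# (path prefix restored), the keytab listing is invented and has no cifs/ key.

SMBD_LOG='[2024/06/28 15:21:33.147274, 1] ../../source3/librpc/crypto/gse.c:712(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/gsl-svr-cifs.DOMAIN.local@DOMAIN.LOCAL not found in keytab (ticket kvno 1)]'

KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/28/2024 09:00:00 host/gsl-svr-cifs.DOMAIN.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 06/28/2024 09:00:00 GSL-SVR-CIFS$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)'

# requested_principal LOG: the "service/host@REALM" the client's ticket was for.
requested_principal() {
  printf '%s\n' "$1" | sed -n 's/.*Request ticket server \([^ ]*\) not found in keytab.*/\1/p'
}

# requested_kvno LOG: key version number the ticket was encrypted with.
requested_kvno() {
  printf '%s\n' "$1" | sed -n 's/.*(ticket kvno \([0-9]*\)).*/\1/p'
}

# keytab_status LISTING PRINCIPAL KVNO -> "ok", "kvno-mismatch" or "missing".
# In `klist -kte` output the principal is the 4th column (KVNO date time principal).
keytab_status() {
  kvnos=$(printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }')
  if [ -z "$kvnos" ]; then
    echo missing
  elif printf '%s\n' "$kvnos" | grep -qx "$3"; then
    echo ok
  else
    echo kvno-mismatch
  fi
}

# diagnose LOG LISTING: one-line verdict "status:principal:kvno".
diagnose() {
  p=$(requested_principal "$1")
  if [ -z "$p" ]; then
    echo no-gss-error
    return 0
  fi
  k=$(requested_kvno "$1")
  echo "$(keytab_status "$2" "$p" "$k"):$p:$k"
}

diagnose "$SMBD_LOG" "$KEYTAB_LISTING"
# -> missing:cifs/gsl-svr-cifs.DOMAIN.local@DOMAIN.LOCAL:1
```

A `missing` verdict means the keytab Samba reads has no key for that SPN; a `kvno-mismatch` means the key is there but stale (the machine password has rotated since the keytab was written), which produces the same client-side error.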

OK - I might be close - I am obviously an idiot - of course it uses Kerberos - I’ve created a default location keyfile by editing environment variables in /etc/profile.

The error is gss_accept_sec_context failed with Unspecified GSS Failure: Request Ticket Server cifs/testfs.test/local@TEST.LOCAL not found in keytab

I didn’t reply because the message appeared to be offlist, it didn’t continue the existing thread. I am sorry, but I do not reply to emails that are offlist unless I specifically ask for them.

I cannot replicate your problem; I can connect to a share running on rocky9 from a Linux or a Win10 computer, it just works. I also cannot understand what you have done in /etc/profile, I have never touched that file.

Can you please post the output of ‘testparm -s’ and the contents of /etc/krb5.conf

Hi Hortimech.

Sorry for breaking protocol.

I am just leaving the office now and will update you tomorrow.

However, what it seems like is that Kerberos is getting what it needs for kinit and is using KCM:0 for Kerberos; the keytab file lines in krb5.conf are being ignored, and although all other forms of authentication work, smbd cannot use the Kerberos ticket…

Will post required bits tomorrow.

Sorry, and thanks again as ever.

I will document this when done.
If I manage it :)

Got it. Samba should have a line
kerberos method = system keytab
so that it can use the Kerberos Credential Manager, or KCM.

Thanks !!

Er, no, it should work without that line, can you please post what I asked for.

NOT Working

[global]
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        printcap name = cups
        realm = DOMAIN.LOCAL
        security = ADS
        server min protocol = NT1
        template shell = /bin/bash
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = DOMAIN
        idmap config DOMAIN : range = 100000-999999
        idmap config DOMAIN : backend = rid
        idmap config * : range = 10000-99999
        idmap config * : backend = tdb
        cups options = raw


[share]
        comment = Samba Test This Please
        path = /mnt/share
        read only = No
        server smb encrypt = required

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    clnt = FILE:/var/log/krb5clnt.log

[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_keytab_name = FILE:/etc/krb5.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 0
    forwardable = false
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_ccache_name = KEYRING:persistent:%{uid}
    allow_weak_crypto = false
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 des3-cbc-sha1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 des3-cbc-sha1
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 des3-cbc-sha1
    udp_preference_limit = 0


[realms]
DOMAIN.LOCAL = {
     kdc = dc2.DOMAIN.local:88
     admin_server = dc2.DOMAIN.local:749
 }

[domain_realm]
.DOMAIN.local = DOMAIN.LOCAL
DOMAIN.locl = DOMAIN.LOCAL

From this, Kerberos doesn’t respect log locations even if you declare the clnt log location.

klist always produces the output KCM:0 and Samba is not reading it.

WORKING

[global]
        kerberos method = system keytab
        printcap name = cups
        realm = DOMAIN.LOCAL
        security = ADS
        server min protocol = NT1
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = DOMAIN
        idmap config DOMAIN : range = 100000-999999
        idmap config DOMAIN : backend = rid
        idmap config * : range = 10000-99999
        idmap config * : backend = tdb
        cups options = raw


[share]
        comment = Samba Test This Please
        path = /mnt/share
        read only = No
        server smb encrypt = required


[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    clnt = FILE:/var/log/krb5clnt.log
[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_keytab_name = FILE:/etc/krb5.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 0
    forwardable = false
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_ccache_name = FILE:/etc/krb5.keytab
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 des3-cbc-sha1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 des3-cbc-sha1
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 des3-cbc-sha1
    udp_preference_limit = 0

[realms]
DOMAIN.LOCAL = {
     kdc = dc2.DOMAIN.local:88
     admin_server = dc2.DOMAIN.local:749
 }

[domain_realm]
.DOMAIN.local = DOMAIN.LOCAL
DOMAIN.locl = DOMAIN.LOCAL

I cannot get Kerberos to store on the keytab file.

It’s always showing KCM -

However, changing to system keytab makes it work.

Sorry for large posts.

Please use the formatting tools when posting configuration, logs, etc. @BikeJake68; these are available when you are posting in the text box.

You can see how from your posts, which I edited above.

This is my working smb.conf on a rocky9 machine:

[global]
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM

  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
  server string = Samba Client %h

  winbind use default domain = yes
  winbind expand groups = 2
  winbind refresh tickets = Yes
  disable netbios = yes
  dns proxy = no

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config SAMDOM : backend  = rid
  idmap config SAMDOM : range = 10000-999999
  template shell = /bin/bash
  template homedir = /home/%U

  vfs objects = acl_xattr
  map acl inherit = Yes

  # Comment the following 4 lines to act as a print server
  printcap name = /dev/null
  load printers = no
  disable spoolss = yes
  printing = bsd

  # logging
  log level = 1
  log file = /var/log/samba/%m.log
  logging = file

[homes]
  comment = Home Directories
  browseable = no
  read only = no
  create mask = 0700
  directory mask = 0700
  valid users = %S

[data]
  comment = shared area
  path = /srv/shared
  read only = no

This is my working, Samba-recommended /etc/krb5.conf:

cat /etc/krb5.conf
[libdefaults]
  default_realm = SAMDOM.EXAMPLE.COM
  dns_lookup_kdc = false
  dns_lookup_realm = true

[realms]
	SAMDOM.EXAMPLE.COM = {
		default_domain = samdom.example.com
	}

[domain_realm]
	ROCKY9 = SAMDOM.EXAMPLE.COM

/etc/resolv.conf should have your dns domain (which I hope isn’t really using the ‘.local’ TLD) set as the search and the first nameserver should be an AD DC.

OK - thanks, sorry about that

So when you do klist it shows the kerberos store as /etc/krb5.keytab ?

Whatever I do I cannot get it to write the Kerberos info to that keytab file.
Although my problem is this has worked before …

Using system keytab resolves the issue.

I will test further anyway.

Thank you!

Not sure I understand what you are trying to say, could it be that you are trying to run a KDC on your member server ?

Here is the output when I SSH into the rocky9 machine:

fred@devstation:~$ ssh fred@rocky9
Last login: Mon Jul  1 15:35:32 2024
[fred@rocky9 ~]$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_11104)
[fred@rocky9 ~]$ kinit
Password for fred@SAMDOM.EXAMPLE.COM:
[fred@rocky9 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_11104
Default principal: fred@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
02/07/24 16:55:07  03/07/24 02:55:07  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 03/07/24 16:54:59