Re: [Samba] Samba Authentication With Kerberos
Hi Andrew, it is Samba 4 and the server role is active directory domain controller.

Thanks and regards,
Fabian

On 28/01/2013 9:32, Andrew Bartlett wrote:
> On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
>> Hi All,
>> I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with Samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.
>
> To be clear, is this Samba 4.0 as an AD DC, or as a member server in another AD domain?
>
>> The command I execute is:
>>     smbclient -L localhost -k
>>
>> The error message from Samba is:
>>     using SPNEGO
>>     Selected protocol [8][NT LANMAN 1.0]
>>     GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>>     SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>     SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
> smbclient should never do Kerberos to localhost because we can never know which localhost that is. If you have somehow registered a 'localhost' as a servicePrincipalName, then this is likely the cause of the issue.
>
> (This error indicates that the key you got from the KDC is not the key that the server has in its secrets database/keytab.)
>
> Andrew Bartlett

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba Authentication With Kerberos
On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
> I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with Samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.

To be clear, is this Samba 4.0 as an AD DC, or as a member server in another AD domain?

> The command I execute is:
>     smbclient -L localhost -k
>
> The error message from Samba is:
>     using SPNEGO
>     Selected protocol [8][NT LANMAN 1.0]
>     GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>     SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>     SPNEGO login failed: NT_STATUS_LOGON_FAILURE

smbclient should never do Kerberos to localhost because we can never know which localhost that is. If you have somehow registered a 'localhost' as a servicePrincipalName, then this is likely the cause of the issue.

(This error indicates that the key you got from the KDC is not the key that the server has in its secrets database/keytab.)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
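Andrew's diagnosis points at two things an administrator can check on the DC: whether a host-based SPN has been registered for 'localhost' (or any name other than the DC's own), and whether the key version in the server's keytab still matches what the KDC issues. The following is an added example in Python, not code from this thread or from the Samba project. It reads a keytab in the 0x0502 file format directly (the same listing `klist -kte` prints with MIT tools), flags SPNs whose host part is not the DC, and compares each entry's kvno with the kvno the KDC currently issues for that principal (the number `kvno host/<fqdn>` prints on a client). The realm, host names, timestamp and key bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Kerberos enctype numbers (RFC 3961/3962/4757), for readable output only.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str      # e.g. host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _cos(buf: bytes) -> bytes:
    """Encode a keytab counted_octet_string: uint16 big-endian length + bytes."""
    return struct.pack(">H", len(buf)) + buf


def _read_cos(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_keytab(entries: List[Tuple[str, int, int, bytes]], timestamp: int = 0) -> bytes:
    """Write a format-0x0502 keytab. Used here only to construct the sample input."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        rec = struct.pack(">H", len(comps)) + _cos(realm.encode())
        rec += b"".join(_cos(c.encode()) for c in comps)
        rec += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        rec += struct.pack(">HH", enctype, len(key)) + key     # keyblock
        rec += struct.pack(">I", kvno)                         # optional 32-bit vno
        out += struct.pack(">i", len(rec)) + rec
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT/Heimdal keytab (format 0x0502; every field is big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:               # a negative size marks a deleted slot: skip the hole
            off += -size
            continue
        rec, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _read_cos(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cos(rec, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", rec, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", rec, p)
        p += 4
        key, p = rec[p:p + klen], p + klen
        kvno = vno8
        if p + 4 <= len(rec):       # a non-zero trailing 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", rec, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key, ts))
    return entries


def check_spn_hosts(entries: List[KeytabEntry], dc_fqdn: str) -> List[str]:
    """Flag service/host SPNs whose host is neither the DC's FQDN nor its short name.
    'localhost' is the case from the thread: no client can know which machine that is."""
    allowed = {dc_fqdn.lower(), dc_fqdn.split(".")[0].lower()}
    bad = []
    for e in entries:
        parts = e.principal.split("@", 1)[0].split("/")
        if len(parts) == 2 and parts[1].lower() not in allowed:
            bad.append(f"{e.principal}: host part {parts[1]!r} is not {dc_fqdn}")
    return bad


def kvno_mismatches(entries: List[KeytabEntry], kdc_kvno: Dict[str, int]) -> List[str]:
    """Compare keytab kvno with the kvno the KDC issues now (what `kvno <principal>`
    reports on a client). A stale keytab cannot decrypt tickets cut with a newer key."""
    out = []
    for e in entries:
        current = kdc_kvno.get(e.principal)
        if current is not None and current != e.kvno:
            out.append(f"{e.principal}: keytab kvno {e.kvno}, KDC issues kvno {current}")
    return out


# Constructed sample: realm, host names and key bytes are made up for this example.
SAMPLE = build_keytab([
    ("host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM", 2, 18, bytes(range(32))),
    ("host/dc1@SAMDOM.EXAMPLE.COM", 2, 18, bytes(range(32))),
    ("host/localhost@SAMDOM.EXAMPLE.COM", 1, 18, bytes(32)),
], timestamp=1359360000)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(f"{e.principal:50} kvno={e.kvno} {ENCTYPES.get(e.enctype, e.enctype)}")
    print(check_spn_hosts(parse_keytab(SAMPLE), "dc1.samdom.example.com"))
    print(kvno_mismatches(parse_keytab(SAMPLE), {"host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM": 3}))
```

Run against a real DC, replace `SAMPLE` with the bytes of the server's keytab and `kdc_kvno` with the versions a client sees in its service tickets; any entry listed by `check_spn_hosts` is a candidate for the stray SPN Andrew describes, and any entry listed by `kvno_mismatches` means the server and the KDC no longer agree on the key.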
Re: [Samba] Samba Authentication With Kerberos
Thank you, this is a Samba4 host as an AD DC.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Andrew Bartlett
Sent: January-28-13 9:32 AM
To: Fabian von Romberg
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba Authentication With Kerberos

> On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
>> Hi All,
>> I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with Samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.
>
> To be clear, is this Samba 4.0 as an AD DC, or as a member server in another AD domain?
>
>> The command I execute is:
>>     smbclient -L localhost -k
>>
>> The error message from Samba is:
>>     using SPNEGO
>>     Selected protocol [8][NT LANMAN 1.0]
>>     GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>>     SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>     SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
> smbclient should never do Kerberos to localhost because we can never know which localhost that is. If you have somehow registered a 'localhost' as a servicePrincipalName, then this is likely the cause of the issue.
>
> (This error indicates that the key you got from the KDC is not the key that the server has in its secrets database/keytab.)
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
Re: [Samba] Samba Authentication With Kerberos
Disregard that, sorry.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of David Salib, Mr
Sent: January-28-13 9:38 AM
To: Andrew Bartlett; Fabian von Romberg
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba Authentication With Kerberos

> Thank you, this is a Samba4 host as an AD DC.
[Samba] Samba Authentication With Kerberos
Hi All,

I'm trying to set up a server with Samba4 with Kerberos. When I want to list all shares with smbclient with Samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.

The command I execute is:

    smbclient -L localhost -k

The error message from Samba is:

    using SPNEGO
    Selected protocol [8][NT LANMAN 1.0]
    GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
    SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
    SPNEGO login failed: NT_STATUS_LOGON_FAILURE

Any help will be appreciated.

Thanks and regards,
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu 3 Apr 2008 5:00:36 pm Wes Modes wrote:
> Volker Lendecke wrote:
>> On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
>>> The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?
>>
>> The only chance is that you modify each client's registry to send plain text passwords to the server over the network, downgrading your security to what telnet provided ages ago. You can guess that this is ABSOLUTELY NOT recommended. If you go with standard Windows authentication schemes, the SMB server never sees the user's plain text password which would be required to authenticate against Kerberos.
>>
>> Volker
>
> Yeah, I'm not so keen on sending plaintext passwords anywhere. It is already moderately-well documented how to connect Samba up to use Kerberos authentication. And my guess is that the Kerberos model would not allow passwords to be sent plaintext. More likely an encrypted hash gets passed? I don't know the precise mechanism, but would like to. But beyond that, how could one use Samba to pass that encrypted password to LDAP to pass on to Kerberos to authenticate?

Note: this is from my experience and research, both of which are extensive but probably wrong. I wanted to do a similar thing (poor man's SSO). I believe the problem is twofold:

1) The client never actually sends the password. By default, it sends a response to a challenge from the server; the response is based on the password. So the password, in any form, never traverses the network unless you explicitly turn on that compatibility mode. Samba can't forward what it doesn't have.

2) Using LDAP for authentication is... a hack, to put it bluntly. Everybody does it, but we probably shouldn't. The problem is that either authentication scenario (bind against LDAP = Good! or query the tree for user/pw/group/etc.) would require modifications to the LDAP server. It could accept the password, request a certificate and then store the token, and return the correct answer if the token is good and intentionally return an incorrect answer if the Kerberos auth fails. Since you can't send passwords in plaintext for obvious reasons, a simple or complex way to do this escapes me.

I assume that you're not doing domain logins. You could write a web interface or quick Java craplet (or a keylogger...) that takes a login from the user and captures their password. Then you can feed that to a process on the LDAP server which authenticates against Kerberos; if the authentication succeeds, you dump the hashed/crypted version of the password into the LDAP directory for authentication use later. Convoluted, but you could make it work.

Wes

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
> The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?

The only chance is that you modify each client's registry to send plain text passwords to the server over the network, downgrading your security to what telnet provided ages ago. You can guess that this is ABSOLUTELY NOT recommended. If you go with standard Windows authentication schemes, the SMB server never sees the user's plain text password which would be required to authenticate against Kerberos.

Volker
[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
So far answers I've received on this list have been inconsistent at best and downright inaccurate at worst. I'm going to try one more time and see if, at the very least, someone can give me a lead. I ask you to consider what I'm asking remotely possible, and then seek a solution. (Particularly before one blasts off an ill-thought-out message that simply says "Can't be done", simply because you've never done it or haven't heard of it being done.) So consider this a challenge or a riddle.

1. I have an OpenLDAP directory server that I am using for user and group information. I would like to use it also to authenticate against. This way, whatever I hook up to it (Samba, web stuff, PHP apps, CMS) can both authenticate and authorize from one source.

2. There is a separate Kerberos server that has users' campus-wide passwords. I have access to it, but do not control it.

3. I have a separate Linux file server running Samba. PCs and Macs will connect to it.

I know I can do Kerberos authentication directly from Samba, but I'd prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve the problem once, rather than have to work out BOTH LDAP and Kerberos connections for every new authenticated service I add, and b) LDAP hooks are more common than Kerberos hooks for other services for which I will eventually want authentication and authorization. And yes, I know it breaks the Kerberos model.

The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?

Wes

-- 
Wes Modes
Server Administrator
Programmer Analyst
McHenry Library Computing
Network Services
Information and Technology Services
459-5208
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
On Thu, Apr 03, 2008 at 02:00:36PM -0700, Wes Modes wrote:
> It is already moderately-well documented how to connect Samba up to use Kerberos authentication. And my guess is that the Kerberos model would not allow passwords to be sent plaintext. More likely an encrypted hash gets passed? I don't know the precise mechanism, but would like to.

http://davenport.sourceforge.net/ntlm.html

Enjoy.

Volker
Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
Volker Lendecke wrote:
> On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
>> The question and the challenge: Any leads on how I might convince Samba to pass the input password on to OpenLDAP so that OpenLDAP can authenticate it against Kerberos?
>
> The only chance is that you modify each client's registry to send plain text passwords to the server over the network, downgrading your security to what telnet provided ages ago. You can guess that this is ABSOLUTELY NOT recommended. If you go with standard Windows authentication schemes, the SMB server never sees the user's plain text password which would be required to authenticate against Kerberos.
>
> Volker

Yeah, I'm not so keen on sending plaintext passwords anywhere.

It is already moderately-well documented how to connect Samba up to use Kerberos authentication. And my guess is that the Kerberos model would not allow passwords to be sent plaintext. More likely an encrypted hash gets passed? I don't know the precise mechanism, but would like to.

But beyond that, how could one use Samba to pass that encrypted password to LDAP to pass on to Kerberos to authenticate?

W.

-- 
Wes Modes
Server Administrator
Programmer Analyst
McHenry Library Computing
Network Services
Information and Technology Services
459-5208