AD authentication in Samba (kerberos errors)

ThomasF
Posts: 1
Joined: 2018/03/21 17:08:46

AD authentication in Samba (kerberos errors)

Post by ThomasF » 2018/03/21 17:14:07

A bit vexed by a recent issue with a production fileserver.

- Over the weekend, Active Directory authentication stopped working within Samba; users could connect to shares on Friday, not so much on Monday.
- Users who try to connect do reach the point of being prompted for AD credentials; failures happen afterward.
- All flavors of client OS are affected: Windows, Mac and Linux (via smbclient).
- There have been no configuration changes to the system (especially/notably smb.conf) in 3+ weeks.
- AD and SSSD continue to work fine within the operating system itself (SSH to the server works, can query AD for group information via ‘getent group GROUP’, etc.).
- Other services on the system (notably, NFS exports) continue to work just fine.
- Have yet to rule out issues on the far end (domain controllers).


SERVER INFO:

- CentOS 7.4.1708
- samba-4.6.2-12
- SSSD packages are all 1.15.2-50


While I can certainly provide a full smb.conf:

- Samba had been working fine since the server went into production on Feb 25, and no configuration changes have been made since then
- The Samba and sssd configurations are identical to another fileserver in our environment, which continues to serve shares without issue.


Notable findings:

$ smbclient -d=5 -L //server.domain.com
Enter password:
(lots of stuff; last two lines are):
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS


From log.smbd (after a ‘systemctl restart smb.service’):

[2018/03/19 10:53:15.520516,  0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password SERVER$@DOMAIN.COM failed: Preauthentication failed
[2018/03/19 10:53:15.520606,  1] ../source3/libads/sasl.c:821(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/domain-controllerN.company.com with user[SERVER$] realm=[DOMAIN.COM]: Preauthentication failed



‘net ads info’ looks reasonable:

$ net ads info
LDAP server: 1.2.3.4
LDAP server name: DC10.company.com
Realm: COMPANY.COM
Bind Path: dc=COMPANY,dc=COM
LDAP port: 389
Server time: Wed, 21 Mar 2018 09:24:41 EDT
KDC server: 1.2.3.4
Server time offset: 0
Last machine account password change: Fri, 16 Feb 2018 15:45:38 EST



and yet:

$ net ads testjoin
kerberos_kinit_password SERVER$@COMPANY.COM failed: Preauthentication failed
kerberos_kinit_password SERVER$@COMPANY.COM failed: Preauthentication failed
Join to domain is not valid: Logon failure



Any help would be greatly appreciated!!

Tom
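
Added example, not part of the original thread: a small parser for the log.smbd excerpt quoted in the post above, which reports every failed Kerberos login of a machine account (a principal ending in "$") so the broken state can be caught from the log before users hit NT_STATUS_NO_LOGON_SERVERS. The function names are hypothetical, the record layout is inferred from the two records quoted in the post, and the third sample record is constructed.

```python
import re
from datetime import datetime

# Record header as seen in the post: "[timestamp,  level] source:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# Machine accounts are the principals whose name ends in "$".
KINIT_FAIL = re.compile(
    r"kerberos_kinit_password (?P<principal>\S+\$)@(?P<realm>\S+) failed: (?P<reason>.+)"
)

def parse_records(text):
    """Attach the indented message lines to the header line that precedes them."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                       "level": int(m["level"]), "function": m["func"],
                       "message": ""}
            records.append(current)
        elif current is not None and raw.startswith(" "):
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return records

def machine_kinit_failures(text):
    """Return (time, principal, realm, reason) for each failed machine-account kinit."""
    findings = []
    for rec in parse_records(text):
        m = KINIT_FAIL.search(rec["message"])
        if m:
            findings.append((rec["time"], m["principal"], m["realm"], m["reason"].strip()))
    return findings

# First two records are the ones quoted in the post; the last one is constructed.
SAMPLE = """\
[2018/03/19 10:53:15.520516,  0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password SERVER$@DOMAIN.COM failed: Preauthentication failed
[2018/03/19 10:53:15.520606,  1] ../source3/libads/sasl.c:821(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/domain-controllerN.company.com with user[SERVER$] realm=[DOMAIN.COM]: Preauthentication failed
[2018/03/19 10:53:16.000000,  2] ../constructed/example.c:1(example_function)
  constructed record that must not be reported
"""

if __name__ == "__main__":
    print(machine_kinit_failures(SAMPLE))
```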

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: AD authentication in Samba (kerberos errors)

Post by hunter86_bg » 2018/03/23 04:55:21

Have you tried to 'leave' and then 'join' again via the 'realm' command?
This way you will know if it's a software/network issue or not.

Uli
Posts: 1
Joined: 2018/04/03 18:19:46

Re: AD authentication in Samba (kerberos errors)

Post by Uli » 2018/04/03 18:55:28

Hi Tom,

I am facing exactly the same problem. Got Samba shares installed on two CentOS7 servers.
Similar time of operation as you described in your post.

When I took one system out of the realm completely and rejoined from scratch (sssd and Samba) the Samba share worked again.

Could it be that some Kerberos ticket has expired?
How could this be checked / fixed?
Unfortunately I do not know enough about Kerberos to debug much further.

Any advice would be most appreciated!

Thanks, Uli

nicholashempen
Posts: 1
Joined: 2018/08/13 17:37:24

Re: AD authentication in Samba (kerberos errors)

Post by nicholashempen » 2018/08/13 17:42:02

Hi Tom,

I am having a similar issue. Kerberos authentication logs on the DC don't show Kerberos failures or failures to log in.

Similar to Uli, when we have the Samba server leave the domain and then join, the shares are available to users again. This is required almost daily.

Have tried quite a few configuration adjustments and am completely lost on what to do.

If anyone finds a solution, any advice or help would be greatly appreciated.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: AD authentication in Samba (kerberos errors)

Post by TrevorH » 2018/08/14 08:29:30

This problem was reported in 7.4 which used samba 4.6.2. CentOS 7.5 is out and now has samba 4.7.1. Are you up to date?

freedomops
Posts: 1
Joined: 2018/09/18 12:00:04

Re: AD authentication in Samba (kerberos errors)

Post by freedomops » 2018/09/18 12:14:17

I'm having the same issue on CentOS 7.5 with Samba 4.7.1.

Just had to unbind and rebind yesterday.

vitaly_il
Posts: 3
Joined: 2009/07/09 09:08:35

Re: AD authentication in Samba (kerberos errors)

Post by vitaly_il » 2019/03/20 11:06:31

The same issue with CENTOS7, Samba 4.8.3-4.
I don't like the idea of a manual workaround by re-joining...
Any ideas how to fix this issue?

lizhipeng
Posts: 1
Joined: 2019/11/19 08:33:31

Re: AD authentication in Samba (kerberos errors)

Post by lizhipeng » 2019/11/19 08:36:04

Is there a way to solve this problem now?

wayat91
Posts: 1
Joined: 2020/03/02 15:12:35

Re: AD authentication in Samba (kerberos errors)

Post by wayat91 » 2020/03/02 15:15:01

Hi,

and sorry to renew this post, but what was the solution ??

regards.
Philippe

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: AD authentication in Samba (kerberos errors)

Post by sml » 2020/03/02 19:21:25

Uli wrote:
2018/04/03 18:55:28
When I took one system out of the realm completely and rejoined from scratch (sssd and Samba) the Samba share worked again.
