AD authentication in Samba (kerberos errors)
A bit vexed by a recent issue with a production fileserver.
- Over the weekend, Active Directory authentication stopped working within Samba; users could connect to shares on Friday, not so much on Monday.
- Users who try to connect do reach the point of being prompted for AD credentials; failures happen afterward.
- All flavors of client OS are affected: Windows, Mac and Linux (via smbclient).
- There have been no configuration changes to the system (especially/notably smb.conf) in 3+ weeks
- AD and SSSD continue to work fine within the operating system itself (SSH to the server works, can query AD for group information via ‘getent group GROUP’, etc.).
- Other services on the system (notably, NFS exports) continue to work just fine.
- Have yet to rule out issues on the far end (domain controllers)
SERVER INFO:
- CentOS 7.4.1708
- samba-4.6.2-12
- SSSD packages are all 1.15.2-50
While I can certainly provide a full smb.conf:
- Samba had been working fine since the server went into production on Feb 25, and no configuration changes have been made since then
- The Samba and sssd configurations are identical to another fileserver in our environment, which continues to serve shares without issue.
Notable findings:
$ smbclient -d=5 -L //server.domain.com
Enter password:
(lots of stuff; last two lines are):
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS
From log.smbd (after a ‘systemctl restart smb.service’):
[2018/03/19 10:53:15.520516, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
kerberos_kinit_password SERVER$@DOMAIN.COM failed: Preauthentication failed
[2018/03/19 10:53:15.520606, 1] ../source3/libads/sasl.c:821(ads_sasl_spnego_bind)
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/domain-controllerN.company.com with user[SERVER$] realm=[DOMAIN.COM]: Preauthentication failed
‘net ads info’ looks reasonable:
$ net ads info
LDAP server: 1.2.3.4
LDAP server name: DC10.company.com
Realm: COMPANY.COM
Bind Path: dc=COMPANY,dc=COM
LDAP port: 389
Server time: Wed, 21 Mar 2018 09:24:41 EDT
KDC server: 1.2.3.4
Server time offset: 0
Last machine account password change: Fri, 16 Feb 2018 15:45:38 EST
and yet:
$ net ads testjoin
kerberos_kinit_password SERVER$@COMPANY.COM failed: Preauthentication failed
kerberos_kinit_password SERVER$@COMPANY.COM failed: Preauthentication failed
Join to domain is not valid: Logon failure
Any help would be greatly appreciated!!
Tom
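An added triage example, not part of the original posts: it parses the log.smbd and 'net ads info' output quoted in the first post to show which principal is failing Kerberos pre-authentication and how old the machine account password was when the DC was queried. The function names are this example's own, and the sample text is taken from the post, trimmed.

```python
import re
from collections import Counter
from email.utils import parsedate_to_datetime

# Sample text taken from the output quoted in the first post (trimmed, names as sanitized there).
SMBD_LOG = """\
[2018/03/19 10:53:15.520516, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
kerberos_kinit_password SERVER$@DOMAIN.COM failed: Preauthentication failed
[2018/03/19 10:53:15.520606, 1] ../source3/libads/sasl.c:821(ads_sasl_spnego_bind)
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/domain-controllerN.company.com with user[SERVER$] realm=[DOMAIN.COM]: Preauthentication failed
"""
NET_ADS_INFO = """\
Realm: COMPANY.COM
Server time: Wed, 21 Mar 2018 09:24:41 EDT
Last machine account password change: Fri, 16 Feb 2018 15:45:38 EST
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] \S+\((?P<func>\w+)\)$")
KINIT = re.compile(r"kerberos_kinit_password (?P<user>[^@\s]+)@(?P<realm>\S+) failed: (?P<reason>.+)$")

def kinit_failures(log_text):
    """Pair each smbd header line with its message line and keep kinit failures."""
    failures, header = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        k = KINIT.search(line)
        if k:
            failures.append({"ts": header and header["ts"], **k.groupdict(),
                             "machine_account": k["user"].endswith("$")})
    return failures

def machine_password_age_days(info_text):
    """Days between the last machine password change and the DC's reported time."""
    f = dict(l.split(": ", 1) for l in info_text.splitlines() if ": " in l)
    changed = parsedate_to_datetime(f["Last machine account password change"])
    now = parsedate_to_datetime(f["Server time"])
    return (now - changed).days

def summarize(log_text, info_text):
    fails = kinit_failures(log_text)
    return {"by_principal": Counter(f"{f['user']}@{f['realm']}" for f in fails),
            "reasons": sorted({f["reason"] for f in fails}),
            "machine_account_only": bool(fails) and all(f["machine_account"] for f in fails),
            "password_age_days": machine_password_age_days(info_text)}

print(summarize(SMBD_LOG, NET_ADS_INFO))
```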
Re: AD authentication in Samba (kerberos errors)
Have you tried to 'leave' and then 'join' again via the 'realm' command?
This way you will know if it's a software/network issue or not.
Re: AD authentication in Samba (kerberos errors)
Hi Tom,
I am facing exactly the same problem. Got Samba shares installed on two CentOS7 servers.
Similar time of operation as you described in your post.
When I took one system out of the realm completely and rejoined from scratch (sssd and Samba) the Samba share worked again.
Could it be that some Kerberos ticket has expired?
How could this be checked / fixed?
Unfortunately I do not know enough about Kerberos to debug much further.
Any advice would be most appreciated!
Thanks, Uli
Re: AD authentication in Samba (kerberos errors)
Hi Tom,
I am having a similar issue. Kerberos authentication logs on the DC don't show Kerberos failures or failures to log in.
Similar to Uli, when we have the Samba server leave the domain and then join, the shares are available to users again. This is required almost daily.
Have tried quite a few configuration adjustments and am completely lost on what to do.
If anyone finds a solution, any advice or help would be greatly appreciated.
Re: AD authentication in Samba (kerberos errors)
This problem was reported in 7.4 which used samba 4.6.2. CentOS 7.5 is out and now has samba 4.7.1. Are you up to date?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: AD authentication in Samba (kerberos errors)
I'm having the same issue CentOS 7.5 with Samba 4.7.1.
Just had to unbind and rebind yesterday.
Re: AD authentication in Samba (kerberos errors)
The same issue with CENTOS7, Samba 4.8.3-4.
I don't like the idea of a manual workaround by re-joining...
Any ideas how to fix this issue?
Re: AD authentication in Samba (kerberos errors)
Is there a way to solve this problem now?
Re: AD authentication in Samba (kerberos errors)
Hi,
and sorry to renew this post, but what was the solution ??
regards.
Philippe