Setup

server

  • Centos 7.6
  • Samba 4.8
  • Winbind
  • SSSD
  • Kerberos

This machine is attached to the company Active Directory as a member server, not a domain controller (I followed the Red Hat documentation to join the machine to the domain and configure smb).

I added that too:

net ads keytab add cifs

net ads testjoin and net ads status give me positive results.

  • Windows clients can connect using DOMAIN\username and password credentials
  • Mac OSX clients can connect using [email protected] and password credentials (other options are not accepted like DOMAIN\username)
  • Linux client can't connect using mount.cifs, I tried with those options
    • username=username,domain=DOMAIN
    • username=username,domain=FULL.DOMAIN.TLD (caps or not)
    • username=DOMAIN\username
    • username=FULL.DOMAIN.TLD\username
    • username=username@DOMAIN
    • ...etc

Clients used for these tests are:

  • Windows 10
  • Centos 7
  • Debian 9
  • Ubuntu 18
  • OSX Mojave

Some clients are part of the Active Directory and some are not. The result is the same anyway: only Windows and OSX can mount the share.

I also played with sec= and vers= using more or less all the possibilities, and file_mode and dir_mode set to 777 or 644/755, without success either. I also tried a credentials file and a line in fstab.

I always receive a: mount error(13): Permission denied

The funky point is, I can mount the share using a local account set on the server with smbpasswd... but this is obviously not what I want.

The other funky point: I can connect to the server from Thunar under XFCE using smb://user@..., and this works with smbclient as well.

Here are my conf files.

smb.conf

[global]
 workgroup = DOMAIN
 security = ads
 client signing = yes
 client use spnego = yes
 realm = DOMAIN.DOM.CH
 server role = MEMBER SERVER
 passdb backend = tdbsam
 kerberos method = secrets and keytab
 idmap config * : range = 10000-99999999
 idmap config * : backend = tdb
 wins server = xx.xx.xx.xx
 winbind use default domain = yes

 load printers = no
 disable spoolss = yes
 show add printer wizard = No

 local master = No
 dns proxy = No
 logging = file
 log file = /var/log/samba/smb-%I.log
 log level = 4
 max log size = 10000
 follow symlinks = yes

 min protocol = SMB2
 client min protocol = SMB2

 debug hires timestamp = No
 acl group control = yes
 delete readonly = yes
 acl allow execute always = yes
 dos filemode = Yes
 inherit permissions = Yes
 store dos attributes = Yes

 vfs objects = acl_xattr

[MyShare]
 inherit acls = Yes
 path = /srv/samba/partage
 read only = no
 admin users = @"DOMAIN\GROUP-AdminsU" "DOMAIN\user"
 vfs objects = acl_xattr

krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = DOMAIN.DOM.CH

[realms]
 DOMAIN.DOM.CH = {
  kdc = domain.dom.ch
  admin_server = domain.dom.ch
 }
[domain_realm]
 domain.dom.ch = DOMAIN.DOM.CH
 .domain.dom.ch = DOMAIN.DOM.CH

sssd.conf

[sssd]
domains = domain.dom.ch
config_file_version = 2
services = nss, pam
default_domain_suffix = DOMAIN.DOM.CH

[domain/domain.dom.ch]
ad_domain = domain.dom.ch
krb5_realm = DOMAIN.DOM.CH
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

I had a look in the Samba logs at level 10 and here are the possibly exploitable errors. To make things a bit clearer, I split the logs by module.

auth:

 Got user=[user] domain=[DOMAIN] workstation=[] len1=0 len2=166
 Mapping user [DOMAIN]\[user] from workstation []
 ...
 check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[user]@[] with the new password interface
 check_ntlm_password:  mapped user is: [DOMAIN]\[user]@[]
 check_ntlm_password: auth_context challenge created by random
 challenge is:
 Check auth for: [user]
 auth_check_ntlm_password: guest had nothing to say
 Check auth for: [user]
 check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
 auth_check_ntlm_password: sam had nothing to say
 Check auth for: [user]
 check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
 auth_check_ntlm_password: winbind authentication for user [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
 check_ntlm_password:  Authentication for user [user] -> [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
 ntlmssp_server_auth_send: Checking NTLMSSP password for DOMAIN\user failed: NT_STATUS_LOGON_FAILURE
 gensec_update_done: ntlmssp[0x55ad6e4aba70]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ab680/../auth/ntlmssp/ntlmssp.c:181]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_ntlmssp_update_state (0x55ad6e4ab810)] timer[(nil)] finish[../auth/ntlmssp/ntlmssp.c:239]
 gensec_update_done: spnego[0x55ad6e4aaf00]: NT_STATUS_LOGON_FAILURE tevent_req[0x55ad6e4ac860/../auth/gensec/spnego.c:1601]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_spnego_update_state (0x55ad6e4ac9f0)] timer[(nil)] finish[../auth/gensec/spnego.c:2065]

The curious point here is this "workstation=[]". With Windows and Mac clients, I always have a workstation name in the brackets, but nothing when it's a Linux client.

auth_audit:

 Auth: [SMB2,(null)] user [DOMAIN]\[user] at [Wed, 17 Apr 2019 07:54:56.191467 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:xxx.xxx.xxx.xxx:57124] mapped to [DOMAIN]\[user]. local host [ipv4:xxx.xxx.xxx.xxx:445]

smb2:

 Selected protocol SMB3_11
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:156] at ../source3/smbd/smb2_negprot.c:662
 smbd_smb2_request idx[1] of 5 vectors
 smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 1
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_MORE_PROCESSING_REQUIRED] body[8] dyn[yes:194] at ../source3/smbd/smb2_sesssetup.c:174
 smbd_smb2_request idx[1] of 5 vectors
 smbd_smb2_request_dispatch: opcode[SMB2_OP_SESSSETUP] mid = 2
 smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3219
 smbd_server_connection_terminate_ex: conn[ipv4:xxx.xxx.xxx.xxx:57054] reason[NT_STATUS_END_OF_FILE] at ../source3/smbd/smb2_server.c:3986

From my Linux client I can SSH to the server using my Active Directory credentials.

I really don't know what else to do.

Update 1

When connecting to this share, my login request is received by the Domain Controller and the password is accepted. So the issue is not on this side. I also tried adding uid=(id from my account,0,root) to the mount options, but without success.

Update 2

I could mount this share after creating a Kerberos ticket with kinit and adding sec=krb5 to the mount options. It's better than nothing, but why is it acting like that?!

Update 3

Okay, after all the documents I could read, it looks like the only solution to authenticate against Active Directory and Kerberos is to first create a Kerberos ticket using kinit and then mount the share with the -o sec=krb5 option. I honestly don't understand why Linux is acting like that when OSX doesn't, but anyway... for now, I don't have any other solution...
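An added triage helper, not code from the question, the answer or Samba: it reads the kind of auth/auth_audit lines quoted above on stdin and classifies the failure (the quoted `WBC_ERR_WINBIND_NOT_AVAILABLE` line shows smbd could not hand the NTLMv2 password to winbindd, which is why every password logon fails while a Kerberos logon, verified against the keytab, works), and it builds the sec=krb5 mount command found in Update 2. It assumes cifs.upcall and request-key are configured for Kerberos on the client; the sample log, UNC path, mount point and uid are constructed placeholders.

```shell
#!/bin/sh
# Constructed excerpt modelled on the question's auth and auth_audit log lines
# (not captured from a real host).
SAMPLE_LOG='check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
auth_check_ntlm_password: winbind authentication for user [user] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
Auth: [SMB2,(null)] user [DOMAIN]\[user] at [Wed, 17 Apr 2019 07:54:56 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:192.0.2.10:57124]'

# diagnose_samba_auth: classify the password-logon failure in the log read on stdin.
# Prints one of: winbind-down, ntlm-rejected, ok.
diagnose_samba_auth() {
  log=$(cat)
  # On an AD member server (security = ads) smbd verifies NTLM passwords by
  # passing them to winbindd; when winbindd is not reachable every password
  # logon fails, whatever username syntax the client uses.
  if printf '%s\n' "$log" | grep -q 'WBC_ERR_WINBIND_NOT_AVAILABLE'; then
    echo winbind-down
  # NTLMv2 was offered and rejected for another reason (wrong creds, mapping...).
  elif printf '%s\n' "$log" | grep -q 'with \[NTLMv2\] status \[NT_STATUS_LOGON_FAILURE\]'; then
    echo ntlm-rejected
  else
    echo ok
  fi
}

# cifs_krb5_mount_cmd UNC MOUNTPOINT UID: the mount command to run after the user
# has obtained a ticket with kinit. sec=krb5 makes the kernel ask cifs.upcall for
# a Kerberos ticket instead of sending an NTLM response; cruid names the uid whose
# credential cache holds that ticket (needed when root performs the mount).
cifs_krb5_mount_cmd() {
  printf 'mount -t cifs %s %s -o sec=krb5,cruid=%s\n' "$1" "$2" "$3"
}

# Stand-alone run on the constructed log and a placeholder share.
printf '%s\n' "$SAMPLE_LOG" | diagnose_samba_auth
cifs_krb5_mount_cmd //server.domain.dom.ch/MyShare /mnt/MyShare 10001
```

With a real log, feed it in with `diagnose_samba_auth < /var/log/samba/smb-<client-ip>.log`; the `winbind-down` verdict points at winbindd rather than at the mount options.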

  • 2
    That's a very intriguing problem. I'd very much like to see an answer to it. I've once had a similar problem (with a simpler setup) and had to create local users with no shells so that samba would allow authentication against the LDAP to take place.
    – lgeorget
    Commented Apr 18, 2019 at 10:33
  • 1
    About the empty workstation name, have you tried using the explicit "netbiosname" option of mount.cifs?
    – lgeorget
    Commented Apr 18, 2019 at 10:36
  • 1
I suppose you checked the double backslash in `DOMAIN\user'?
    – Archemar
    Commented Apr 18, 2019 at 12:04
  • 1
@lgeorget: yep, I also tried the netbiosname option, which does not change anything; still no machine name in the logs. Oh, and by the way, I have other servers using auth against LDAP and it works without problem. But in my situation now, I have some super admin accounts which are not in the LDAP... that's why this AD conf.
    – darxmurf
    Commented Apr 23, 2019 at 5:22
  • 1
@Archemar yes. Tried single, double, {back,front}slash.
    – darxmurf
    Commented Apr 23, 2019 at 5:26

1 Answer

I found this article which may help you mount the SMB shares.

https://askubuntu.com/questions/1026316/cifs-mounts-and-kerberos-permissions-on-access-or-best-practice

I believe that the issue is related to Kerberos and Sebastian Stark does a great job of explaining exactly what I would have said.

  • 2
This is pretty interesting! By creating a Kerberos ticket, I can then mount my share using sec=krb5. Why the hell is this acting like that?
    – darxmurf
    Commented May 2, 2019 at 6:32
  • 2
    a quote from searchwindowsserver.techtarget.com/tip/… "Microsoft's Active Directory employs Kerberos for numerous activities, including user and system authentication, and authorization of network resource access". So to my understanding, without that Kerberos ticket you will not be able to access the share even though you may be prompted for creds. @darxmurf
    – Gordster
    Commented May 2, 2019 at 15:59
  • 1
Absolutely, but this is configured on my server and working, as we can see from my successful authentication on the domain controller.
    – darxmurf
    Commented May 3, 2019 at 7:37