
We currently have a NAC server set up to authenticate against a Samba4 AD using the ntlm_auth utility and would like to make it more tolerant to network outages.

Currently, when the NAC loses connectivity to the Samba4 Active Directory, every login attempt fails. This situation used to be acceptable but has become more problematic now that our network topology has changed.

I have added "winbind offline logon = true" in the smb.conf of the NAC and of the Samba4 AD as per the Samba documentation.

In order to test offline authentication, I added two iptables rules that drop all traffic to the Samba4 Active Directory server.

When I try to authenticate using winbind, it works as expected:

16:52:11-root@hq-networkserv@-
/var/log/samba: wbinfo -K COMPANY\\super-user%superpassword
plaintext kerberos password authentication for [COMPANY\super-user%superpassword] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0

On the other hand, if I try with ntlm_auth using the following options, it fails:

16:52:35-root@hq-networkserv@-
/var/log/samba: ntlm_auth --use-cached-creds  --username=super-user --password=superpassword --domain= COMPANY
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)

The NAC server is joined to the Samba4 domain and everything works just fine as long as connectivity is maintained. I understand that this proposed solution would only allow authentication of previously authenticated clients but that would already be a great improvement.

Is there any way I can get ntlm_auth to authenticate successfully during a period where it is unable to connect to the AD, as winbind is able to do?

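Added helper, not from the question or from Samba: a POSIX sh wrapper around the same ntlm_auth call, so the outage drill described above can be scripted and each run logged with a clear verdict. The NTLM_AUTH override and the function names nt_status_of, verdict and cached_auth_check are assumptions made for this example.

```shell
#!/bin/sh
# Added example: wraps the ntlm_auth cached-credential check from the question
# and turns exit status plus the NT_STATUS line into an operator verdict.
# NTLM_AUTH can be pointed at a stub for dry runs; it defaults to the real binary.
NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"

# nt_status_of OUTPUT: print the NT_STATUS_* token from ntlm_auth output
# (ntlm_auth prints "NT_STATUS_xxx: message (0x....)"), or nothing if absent.
nt_status_of() {
    printf '%s\n' "$1" | sed -n 's/^\(NT_STATUS_[A-Z0-9_]*\):.*/\1/p' | head -n 1
}

# verdict STATUS EXITCODE: map an ntlm_auth result to a short verdict.
# Exit status 0 means the credentials were accepted (online or from cache).
verdict() {
    status="$1"; rc="$2"
    if [ "$rc" -eq 0 ]; then
        echo "auth_ok"
    elif [ "$status" = "NT_STATUS_NO_LOGON_SERVERS" ]; then
        echo "no_logon_servers"        # the failure seen in the question
    elif [ "$status" = "NT_STATUS_LOGON_FAILURE" ]; then
        echo "bad_credentials"
    else
        echo "failed:${status:-NONE}"
    fi
}

# cached_auth_check USER PASSWORD DOMAIN: run ntlm_auth allowing cached creds.
# The domain is passed as a single token (--domain=COMPANY, no space after '=').
# The '|| rc=$?' keeps a failing ntlm_auth from aborting the script under set -e.
cached_auth_check() {
    rc=0
    out=$("$NTLM_AUTH" --use-cached-creds --username="$1" --password="$2" \
          --domain="$3" 2>&1) || rc=$?
    status=$(nt_status_of "$out")
    verdict "$status" "$rc"
}
```

Run it before and after applying the iptables drop rules and compare the two verdicts; a change from auth_ok to no_logon_servers reproduces the problem in the question.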
  • What would happen if you got rid of the space after your "--domain=" parameter in the ntlm_auth command? Are you certain the cached credentials haven't expired yet at the time you run ntlm_auth (seems unlikely by your timestamps). See the answers here for more info: http://serverfault.com/questions/461139/ntlm-auth-can-login-in-ad-with-both-old-and-new-passwords Also, can you try offline simulation through some other means than iptables entries? – Jon Oct 21 '14 at 16:32
  • If you can't get anything to work, can you please run the ntlm_auth command again, this time turn on the log file to maximum verbosity and paste the output? See man for how to: https://www.samba.org/samba/docs/man/manpages/ntlm_auth.1.html – Jon Oct 21 '14 at 16:33
  • I have actually tried offline simulation by just cutting off the AD, nothing changed. Tried removing the space as well, didn't help. – Antoine Benkemoun Oct 22 '14 at 12:14
  • Well ntlm_auth should be using winbind, so if it's working for winbind but *not* for ntlm_auth, then it would stand to reason that there is either something wrong with the config of or a bug in ntlm_auth. Either possibility could be aided by full logs which might give more information around the failure. – Jon Oct 22 '14 at 15:58
