
So I've got the dreaded "Samba keeps asking for password" issue in Debian Stretch.

My environment:

- 2x AD DCs running WS2012R2
- A few physical computers and several VMs running on ESXi 6.7
- All machines can log into the domain and access domain shares
- All machines can authenticate using the domain users

Samba changed the syntax for smb.conf in version 4.6 so I thought it might have been a problem related to the Stretch standard repo packages being 4.5.12, so I added a Samba repo for Ubuntu called 'Samba Latest':

https://launchpad.net/~linux-schools/+archive/ubuntu/samba-latest

I'm currently using the one for Xenial, which is 4.7.8.

I derived my AD join configuration straight from the official Samba wiki. It's been trivial in the past for me to get machines ranging from FreeBSD 11.1-RELEASE to OpenSUSE Leap 15 for the Raspberry Pi 3B+ working with Samba using my configuration. It doesn't make any sense that it wouldn't work with Debian Stretch with either the 4.5.12 standard repo packages or the 4.7.8 packages from Samba-latest.

I also just set up Ubuntu 18.04 Bionic Beaver on a laptop and was able to authenticate as domain users for the desktop and via SSH and su. I am surprised that Debian would be giving me issues if Ubuntu is working fine because they are so similar.

So the only one that isn't working is Debian Stretch. Shame, since usually I like Debian very much, but it seems to really suck for Samba out of the box.

Please note that I tried all the variables I am about to detail on both the standard repo Samba version 4.5.12 and also the Samba-latest repo 4.7.8.

Here's my config:

    [global]
    netbios name = DEBIAN
    security = ADS
    workgroup = WEBTOOL
    realm = WEBTOOL.SPACE
    client use spnego = no
    client signing = auto
    ;server signing = auto
    ;client ntlmv2 auth = yes
    ;encrypt passwords = yes

    log file = /var/log/samba/%m.log
    log level = 1

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config WEBTOOL : backend = ad
    idmap config WEBTOOL : schema_mode = rfc2307
    idmap config WEBTOOL : range = 10000-999999
    idmap config WEBTOOL : unix_nss_info = yes
    idmap config WEBTOOL : unix_primary_group = yes

    ;winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind offline logon = yes
    ;winbind nested groups = yes
    winbind refresh tickets = yes
    winbind nss info = rfc2307

    ;winbind nss info = template
    ;template shell = /bin/bash
    ;template homedir = /home/%D/%U

My hostname and /etc/hosts settings are correct, and my DNS pointers point to the two DCs.

My NTP is synced, as checked with `ntpq -p` and:

    $ date
    Sat Jun 30 16:52:23 PDT 2018

Matches all other computers on my domain.

I have krb5-user installed and got keytabs from the DCs as administrator as both user and root.

My `kinit` works, but my `net ads join -k` or `net ads join -U administrator@WEBTOOL.SPACE` shows:

    $ sudo net ads join -U administrator@WEBTOOL.SPACE
    Enter administrator@WEBTOOL.SPACE's password:
    Using short domain name -- WEBTOOL
    Joined 'DEBIAN' to dns domain 'webtool.space'
    DNS Update for debian.webtool.space failed: ERROR_DNS_UPDATE_FAILED
    DNS update failed: NT_STATUS_UNSUCCESSFUL

I don't have this message on any of my other VMs, but I should note that if I did in the past, the VM would still join the domain and act properly, and then it was just a matter of figuring out the issue from there.

Here's what I've tried:

- Commenting out anything to do with authentication in the first paragraph of `[global]`
- Changing `client use spnego = yes` to `= no`
- Changing `client signing = yes` to `= auto`
- Commenting out `server signing = yes` and trying `= auto`
- Commenting out `client ntlmv2 auth = yes`
- Commenting out `encrypt passwords = yes` and changing it to `= no`

Does anyone have any ideas?

AveryFreeman
  • `net ads testjoin` confirms the join is ok? When you say "Samba keeps asking for a password", is this when your Linux-based client you're referencing here tries to access a share on a different server? If so, a Windows or Linux-based server? Or do you mean that some other client (Windows? Linux?) keeps prompting for a password when you try to connect to a share on _this_ server? If it's the latter please include the relevant share section definition in your question. And the result of `ls -ld` for the share's base directory. – roaima Jul 01 '18 at 20:56
  • Keeps asking for a password when trying to connect from Windows. Should be able to connect to the computer via the domain whether a share is configured or not, but a homes share is configured, just omitted for the sake of brevity. I didn't know about `net ads testjoin`, but it tested OK before I even got a keytab. `net ads status` showed `kerberos_kinit_password root@WEBTOOL.SPACE failed: Client not found in Kerberos database`. I added the keytab with `kinit administrator` and then `net ads status` worked OK. tl;dr I don't think `net ads testjoin` is really providing any useful information. Thanks though :) – AveryFreeman Jul 02 '18 at 09:05
  • I would have expected `net ads status` to fail with its implicit root user account _on the domain_. `net ads status -U administrator` is far more likely to work. – roaima Jul 02 '18 at 10:04
  • You haven't got two different machines called DEBIAN have you? When you joined the machine and got the DNS error did you already have entries for DEBIAN either/both in AD and DNS? – roaima Jul 02 '18 at 10:12
  • Increase the `log level` from 1 to (say) 4 or maybe even 5. Retry the connection from your client and see what error messages get dropped in the log file(s). – roaima Jul 02 '18 at 10:14
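An added example, not code from the question or from the Samba project: a small Python checker that parses a `[global]` section like the one posted above and reports the points raised in this thread before any join or log-level experiment is run: a missing default `idmap config * : range`, overlapping idmap ranges between backends, and the authentication options the poster toggled (`client use spnego = no`, `encrypt passwords = no`). The sample config is constructed from the poster's settings with `encrypt passwords = no` switched on so the checker has something to flag.

```python
"""Static checks for an smb.conf [global] section (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample from the poster's settings; `encrypt passwords = no` is on deliberately.
SAMPLE = """
[global]
    security = ADS
    workgroup = WEBTOOL
    realm = WEBTOOL.SPACE
    client use spnego = no
    encrypt passwords = no
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config WEBTOOL : backend = ad
    idmap config WEBTOOL : range = 10000-999999
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased, ';' and '#' lines are comments."""
    conf, section = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = val.strip()
    return conf

def check_global(conf):
    """Return findings for the options toggled in the thread and for the idmap ranges."""
    g, findings = conf.get("global", {}), []
    if g.get("client use spnego", "yes").lower() == "no":
        findings.append("client use spnego = no disables SPNEGO/Kerberos for outgoing connections")
    if g.get("encrypt passwords", "yes").lower() == "no":
        findings.append("encrypt passwords = no sends plaintext passwords")
    ranges = {m.group(1): tuple(int(x) for x in v.split("-"))
              for k, v in g.items() if (m := re.match(r"idmap config (\S+) : range$", k))}
    if "*" not in ranges:
        findings.append("no 'idmap config * : range' for the default backend")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings
```

Running `check_global(parse_smb_conf(SAMPLE))` on the sample reports the two toggled options and nothing about the idmap ranges, which in the posted config are disjoint.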

0 Answers