
Samba, Kerberos Authentication Problem against Active Directory

suggestme

New Member

Thanks: 2
Messages: 17

#1
Hi,

I am configuring a FreeRADIUS server on FreeBSD to perform authentication against Active Directory using Kerberos & Samba. I installed the Samba and Kerberos server packages and made the configuration changes to the smb.conf and /etc/krb5.conf files accordingly. As root I tried the command:

# net ads join -U username -S nt-server-hostname.company.com

It gives me the following output (which I think might be OK):

Code:
Enter username's password:
Using short domain name -- "   "
Joined '    ' to realm '      '
DNS update failed!
If I try another command, it gives an error:

# net join -U Administrator

It gives the following output:

Code:
Failed to join domain: failed to find DC for domain '     '
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain '    '
Unable to find a suitable server for domain '    '
I get an authentication error when I try the following command:

# wbinfo -a user%password

Code:
plaintext password authentication failed
Could not authenticate user username%password with plaintext password
could not obtain winbind interface details!
could not obtain winbind separator!
challenge/response password authentication failed
Could not authenticate user username with challenge/response
Can anyone please tell me what might be the problem?

Thanks
 

AndyUKG

Well-Known Member

Thanks: 22
Messages: 456

#2
Did you setup the smb.conf with things like server name, PDC, domain name, security type as required? What documentation are you following for Samba?
 

suggestme

New Member

Thanks: 2
Messages: 17

#3
AndyUKG,

Yes, I changed some configurations in smb.conf. I am following the "deployingradius.com" steps for it. Some of the configurations I changed in smb.conf are:

Code:
workgroup = MYDOMAIN
security = ads
password server = nt-server-hostname.company.com
realm = REALM.COMPANY.COM
winbind separator = +
I also changed some configurations in /etc/krb5.conf; the changes I have made are:

Code:
[libdefaults]
        default_realm = REALM.COMPANY.COM
        clockskew = 300
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }

[realms]
        REALM.COMPANY.COM = {
                kdc = nt-server-hostname.company.com
        }
        OTHER.REALM = {
                v4_instance_convert = {
                        kerberos = kerberos
                        computer = computer.some.other.domain
                }
        }

[domain_realm]
        .my.domain = REALM.COMPANY.COM
While executing the # wbinfo -a user%password command it was giving the winbind interface and separator errors, so I just added
Code:
winbind separator = +
It eliminated that error, but it still can't authenticate the user. The other errors are occurring as I mentioned in my previous post.


Thanks,
 

suggestme

New Member

Thanks: 2
Messages: 17

#5
Sylhouette / Johan,

Thank you so much for the thread suggestion. I followed all the configuration details mentioned in the thread provided, but I am still having the following issues.

I can join the domain by using the command:

# net ads join -U username -S nt-server-hostname.company.com

but can't join it by just using the command

# net join -U Administrator

My server already shows up in the Domain Users list. But if I try to list users or groups respectively using:

# wbinfo -u
# wbinfo -g

It doesn't show any users or groups. Also, no error is shown; it just seems to have no effect.

Also like before, while using the command:

# wbinfo -a user%password

It is not working and giving the same error as I mentioned in previous post.

Thanks
 

Sylhouette

Active Member

Thanks: 28
Messages: 198

#6
net join -U Administrator
should read:

net ads join -Uadministrator

Do you have your /etc/resolv.conf entries pointed at your windows AD server?

Regards
Johan Hendriks
 

suggestme

New Member

Thanks: 2
Messages: 17

#7
Sylhouette,


Code:
# net ads join -U Administrator

Failed to join domain: failed to find DC for domain '   '
That also doesn't work; it gives the error above. It's so strange that the following command lets me join the domain, but I can't see the users and groups using the wbinfo -u and wbinfo -g commands.

# net ads join -U username -S nt-server-hostname.company.com
 

Sylhouette

Active Member

Thanks: 28
Messages: 198

#8
It looks like it can not find the domain. Can you show your /etc/nsswitch, /etc/krb5.conf, /etc/hosts and /etc/resolv.conf file?

regards
Johan
 

suggestme

New Member

Thanks: 2
Messages: 17

#9
Sylhouette,

Sorry, I forgot to mention the answer to:

Do you have your /etc/resolv.conf entries pointed at your Windows AD server?

I can see two entries in this file:

Code:
domain  '     '           -----> It shows the domain name
nameserver      '     '   -----> It shows correct IP address of server
Thanks,
 

Sylhouette

Active Member

Thanks: 28
Messages: 198

#10
OK, I reread your question.

Code:
workgroup = MYDOMAIN
security = ads
password server = nt-server-hostname.company.com
realm = REALM.COMPANY.COM
Your workgroup must have the same name as your domain. So if your Windows server is nt-server-hostname.company.com, your workgroup name must be company. Your realm reads REALM.COMPANY.COM; this must read
Code:
realm = COMPANY.COM
The same thing goes for your /etc/krb5.conf file.

One more thing: did you install the Kerberos port? If so, you may need to edit /usr/local/etc/krb5.conf instead of /etc/krb5.conf. As I never install the Kerberos port, I cannot tell you if that is the case.

Also the krb5.conf file has a lot of things I do not know (I am not an expert). Try to use a config as minimal as needed, and later add things you need if you miss them.

In your case it would probably look like this (the section for mapping DNS domains to realms is spelled [domain_realm]):
Code:
[libdefaults]
        default_realm = COMPANY.COM
        clockskew = 600

[realms]
        COMPANY.COM = {
                kdc = tcp/nt-server-hostname.company.com
        }

[domain_realm]
        .company.com = COMPANY.COM
Also, your host must be in the same domain, so your /etc/hosts file must read something like this, where 192.168.1.1 is the IP address of your FreeBSD server.

Code:
192.168.1.1          bsd-server-hostname.company.com bsd-server-hostname
192.168.1.1          bsd-server-hostname.company.com
and in your /etc/rc.conf file your hostname must be set accordingly
Code:
hostname="bsd-server-hostname.company.com"
Your /etc/resolv.conf file must contain the following
Code:
domain company.com
nameserver 192.168.1.10
where 192.168.1.10 is the IP address of your AD server.

regards
Johan
 

Sylhouette

Active Member

Thanks: 28
Messages: 198

#12
I will try to use the tags more.

It is not my intention to waste your time.
BTW, for what it is worth, I think you do a really excellent job here on the forums.

Above all I say: keep it up. :)

And I will watch my post format.

regards
Johan
 

suggestme

New Member

Thanks: 2
Messages: 17

#13
DutchDaemon,

I will try my best to format my posts correctly. I am a new forum member, so I am still getting used to it. Sorry for any inconvenience caused by this.


Sylhouette,

I checked all the configurations and made all the modifications, but I am still getting the same issue. Yes, I installed the Kerberos port. So at first I was also confused about the krb5.conf location. There was no krb5.conf file in the /etc/krb5.conf location before. It was in the /usr/ports/net/samba35/work/samba-3.5.6/source4/setup/krb5.conf location, from which I copied the file to /etc. So there are krb5.conf files in two locations with the same configuration. I copied it because I read on so many sites that the location of krb5.conf is /etc/krb5.conf. I am also new to FreeBSD and to this Samba and Kerberos installation, so I don't know whether this might be the issue.

Can anyone please suggest anything in this matter? I have already been suffering from this problem for so many days.

Thanks
 

Sylhouette

Active Member

Thanks: 28
Messages: 198

#14
Could you just copy and paste your config files?

That would be /etc/krb5.conf /etc/nsswitch /etc/hosts /usr/local/etc/smb.conf /etc/resolv.conf /etc/rc.conf

Also the name of the domain controller and its IP address.

Maybe I will not answer again today because I am on the road!

regards
Johan
 

suggestme

New Member

Thanks: 2
Messages: 17

#15
Hello,

Finally I am able to authenticate users against Active Directory using Samba & Kerberos. I just rechecked and modified the configurations; most importantly, I synchronized the time with my domain server's time using NTP (/etc/ntp.conf), and restarted the Samba & Kerberos servers. Now user authentication with a plaintext password and with challenge/response is successful.

Thank you so much AndyUKG & Sylhouette for all your feedback.
Also thank you so much DutchDaemon for giving your valuable time to moderating this forum. This forum is really very helpful.
 

Sylhouette

Active Member

Thanks: 28
Messages: 198

#16
Nice to hear.
The funny thing is that I had the same issue once, and it was also the time.
But I got messages in my logs, something about time skew too great, I believe.

regards
Johan
 

Avery Freeman

New Member


Messages: 5

#17
Sorry to revive old thread, but I am setting up FreeBSD 11.1-CURRENT as an AD member, and I just want to say that this helped me. The issues are still relevant in late 2017.

I did not find many threads that helped with my issues related specifically to FreeBSD, and this thread is old, so I thought mentioning that the info still works might help someone else with the same issues if they run across it like I did in my search.

I synchronized the member's datetime using the DC as the NTP in /etc/ntp.conf and restarted ntpd, and then I could join without error.

I also created /etc/nsswitch and /etc/krb5.conf as described in a thread Sylhouette replied to here: https://forums.freebsd.org/threads/20007/

I'm not sure this was necessary; I would recommend that other people just try synchronizing NTP with the DC first.

Thanks! :)
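Pulling together Johan's checklist in #10 (workgroup and realm derived from the DNS domain, fully qualified hostname) and the clock-skew resolution in #15 to #17, here is an added example, not code from the thread or from Samba: a POSIX sh script whose check functions run offline against constructed smb.conf/krb5.conf fragments, including the mismatched pair from #3. The domain company.com, the host names and the 300 second skew limit (the original clockskew setting) are assumptions taken from the posts; on a real member server the DC epoch would come from the DC rather than the simulated value below.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for a FreeBSD Samba/Kerberos AD member.
# Kerberos realm AD expects for a DNS domain: company.com -> COMPANY.COM
realm_for_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}
# Print the value of "key = value" for key $1 from smb.conf/krb5.conf text on stdin.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}
# 0 when smb.conf realm, krb5.conf default_realm and workgroup all agree with the
# realm derived from DNS domain $1 (workgroup must be the realm's first label).
check_realms() {
    want=$(realm_for_domain "$1")
    realm=$(printf '%s\n' "$2" | conf_value realm)
    wg=$(printf '%s\n' "$2" | conf_value workgroup)
    def=$(printf '%s\n' "$3" | conf_value default_realm)
    [ "$realm" = "$want" ] && [ "$def" = "$want" ] && [ "$wg" = "${want%%.*}" ]
}
# 0 when hostname $1 is fully qualified within DNS domain $2 (as set in /etc/rc.conf).
check_fqdn() {
    case $1 in *."$2") return 0 ;; *) return 1 ;; esac
}
# 0 when |local epoch $1 - DC epoch $2| is within $3 seconds (the clockskew setting).
check_skew() {
    delta=$(( $1 - $2 ))
    [ "$delta" -lt 0 ] && delta=$(( 0 - $delta ))
    [ "$delta" -le "$3" ]
}

# Constructed config fragments: the mismatched pair from post #3, the corrected pair from post #10.
BAD_SMB='workgroup = MYDOMAIN
security = ads
realm = REALM.COMPANY.COM'
GOOD_SMB='workgroup = COMPANY
security = ads
password server = nt-server-hostname.company.com
realm = COMPANY.COM'
KRB5_CONF='[libdefaults]
        default_realm = COMPANY.COM
        clockskew = 300'

report() { label=$1; shift; if "$@"; then echo "ok:   $label"; else echo "FAIL: $label"; fi; }
report "realm/workgroup as in post #3" check_realms company.com "$BAD_SMB" "$KRB5_CONF"
report "realm/workgroup as in post #10" check_realms company.com "$GOOD_SMB" "$KRB5_CONF"
report "this host's name is an FQDN" check_fqdn "$(hostname)" company.com
# Simulated DC clock 15 minutes ahead: the join fails the way posts #15-#17 describe.
report "clock within 300 s of DC" check_skew "$(date +%s)" "$(( $(date +%s) + 900 ))" 300
```

The first and last reports print FAIL by construction; on a real member server replace the simulated DC epoch with the time reported by the DC and expect all four to print ok.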