SMB and Kerberos support, NTLMv2 used instead

[trekgalaxy]

Hello,

I have a TrueNAS-12.0-U5 system joined to our AD domain. Our primary use of the system is IT department network shares for data archival and software installs, we share this data via SMB shares from the TrueNAS and use AD groups for the permissions.

Recently I began testing the AD "Protected Users" group, basically the key thing this does is prevent the use of NTLM (and v2) and to use Kerberos instead. Prior to adding our high privileged administration accounts to this group access worked, and access still does work for accounts NOT in the "Protected Users" group.

My question: What do I need to do to allow Kerberos, instead of NTLMv2, to be used for authentication for SMB shares from Windows 10 workstations?

Here is a log entry showing that NTLM is being used: /samba4/auth_audit.log.old

Code:

{"timestamp": "2021-08-11T11:58:58.030443-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "4809f4bf9822f609", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, nss_winbind, 16888", "clientDomain": "DOMAIN", "clientAccount": "dtest", "workstation": "FPS01", "becameAccount": "dtest", "becameDomain": "DOMAIN", "becameSid": "S-1-5-21-1298688581-1013366840-3435715919-62163", "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 226999}}

samba4/log.wb-DOMAIN

Code:

winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain DOMAIN

samba4/log.wb-DOMAIN

Code:

ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc04.DOMAIN.CA with user[TRUENAS$] realm[DOMAIN.CA]: Client not found in Kerberos database, fallback to NTLMSSP
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/dc04.DOMAIN.CA with user[TRUENAS$] realm=[DOMAIN.CA]: Invalid credentials

Note, the below configs have the domain name edited, domain.ca is a placeholder.

/etc/local/smb4.conf

Code:

#
# SMB.CONF(5)           The configuration file for the Samba suite
# $FreeBSD$
#

[global]
        dns proxy = No
        aio max threads = 2
        max log size = 5120
        load printers = No
        printing = bsd
        disable spoolss = Yes
        dos filemode = Yes
        kernel change notify = No
        directory name cache size = 0
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        unix charset = UTF-8
        log level = 1 auth_json_audit:3@/var/log/samba4/auth_audit.log
        obey pam restrictions = False
        enable web service discovery = True
        logging = file
        server min protocol = SMB2_02
        unix extensions = No
        map to guest = Bad User
        server string = TrueNAS Server
        bind interfaces only = Yes
        netbios name = truenas
        netbios aliases =
        server role = member server
        kerberos method = secrets and keytab
        workgroup = DOMAIN
        realm = DOMAIN.CA
        security = ADS
        local master = No
        domain master = No
        preferred master = No
        winbind cache time = 7200
        winbind max domain connections = 10
        client ldap sasl wrapping = seal
        template shell = /bin/sh
        template homedir = /home/%D/%U
        ads dns update = Yes
        allow trusted domains = No
        winbind enum users = Yes
        winbind enum groups = Yes
        idmap config CARTEAD: backend = rid
        idmap config CARTEAD: range = 100000001-200000000
        idmap config *: backend = tdb
        idmap config *: range = 90000001-100000000
        registry shares = yes
        include = registry

/etc/krb5.conf

Code:

#
# krb5.conf(5) - configuration file for Kerberos 5
# $FreeBSD$
#

[appdefaults]
            pam = {
                   forwardable = true
                   ticket_lifetime = 86400
                   renew_lifetime = 86400
            }

[libdefaults]
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            clockskew = 300
            forwardable = true
            default_realm = CARTEAD.LOCAL

[domain_realm]
            domain.ca = DOMAIN.CA
            .domain.ca = DOMAIN.CA
            DOMAIN.CA = DOMAIN.CA
            .DOMAIN.CA = DOMAIN.CA

[realms]
            domain.ca = {
                   default_domain = DOMAIN.CA
            }

[logging]
            default = SYSLOG:INFO:LOCAL7

 

[trekgalaxy]

Bump

 

[trekgalaxy]

Bump. Still looking for any tips on this

 

[trekgalaxy]

Bump. Still looking for any tips on this

 

[trekgalaxy]

Bump. Still looking for any tips on this

 

[sretalla]

Just a quick google brought me to this article:

Samba/Kerberos - Community Help Wiki

Where I see a key element missing from your smb4.conf seems to be the password server = kdc.fqdn

Maybe @anodos has something more to say about it, but I don't know how popular the requirement is (your repeated bumps across several months seems to indicate it's not).

 

[anodos]

Kerberos works out of box. In my home AD domain I have NTLM administratively disabled via GPO. Winbind will typically try kerberos first and then fall back to ntlm in case of error. There are many ways for kerberos auth to fail though.

 

[trekgalaxy]

Hello,

Thanks for the lead. I tried what you suggested and as well as other things and the results are as follows:

I edited Services > SMB > Auxiliary parameters and added "password server = my-dc.mydomainname.ca" and then stopped and started the service. I verified I could see the change reflected in /etc/local/smb4.conf. I went onto a domain joined Windows server and tried to access a network share on the TrueNAS system, again same as prior with the account in the Protected Users group, and I get the same error that says:

Another thing I tried, I added to Directory Services > Kerberos Realms > My realm > Advanced. I added the fully qualified hostname for one of our DCs in each of the fields such as KDC. I stopped and started the SMB service, and assured that the change is reflected in /etc/krb5.conf. I re-did the connection test and the same result as above.

Another thing I tried, Directory Services > Kerberos Settings > Libdefaults Auxiliary Parameters. I re-did the connection test and the same result as above.

Code:

allow_weak_crypto = true

I will continue trying things and posting. Thanks for the responses guys.

 

[trekgalaxy]

Hello, just dropping in to say that by default Kerberos only auth still does not work by default on TrueNAS CORE 13.0-U2