user2445034

Reputation: 41

How to use Kerberos for samba authentication

I have WS 2016 running as AD/DC on which NTLM/NTLMv2 is disabled (Kerberos is the way to go). I have successfully joined an Ubuntu machine to it, using this tutorial "Integrate Ubuntu with AD". Everything is working correctly (except Samba): I can view users and groups on AD and can log in to the Ubuntu machine using an AD user.

Now when I try to log in with an AD user to the Samba share I get NT_STATUS_NTLM_BLOCKED, which is expected, since NTLM is blocked by AD.

Now my question is: how do I set up (force) Samba to use Kerberos instead of NTLM?

Upvotes: 0

Views: 12193

Answers (2)

grawity_u1686

Reputation: 16552

It sounds like you're thinking that the SMB server just receives your password and then uses either NTLM or Kerberos to validate it. That's not how it works. (Indeed doing so would entirely defeat the point of NTLM or Kerberos, both of which exist to avoid having to send the plain password.)

In SMB, it's the client which speaks NTLM or Kerberos when connecting to the server – and accordingly needs to support them in its code. So you cannot force the server to use Kerberos because that is not the server's decision; it can either offer Kerberos or not, but it cannot make the client support Kerberos if the client wasn't programmed to support it.

The Samba server can be configured to only offer Kerberos (with ntlm auth = disabled), but if the client only supports NTLM, then the only choice for the client is to immediately disconnect.

> I'm connecting to the Samba server from an Android device,

Most mobile SMB client libraries do not have any Kerberos support (due to its relative complexity); as a result, Android apps will only use NTLM.

> I've tried to log in with domain (DOMAIN\username) and without (username)

The correct format would be username@REALM. Well, it won't help you with Android, but in case you ever have a need to connect from a non-domain-joined Windows machine instead, then DOMAIN\username would still result in the client trying NTLM, but username@REALM would have the client use Kerberos.

Upvotes: 1
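Putting the answer above into practice, as an added example that is not part of the original post and not Samba's own code: the member server's smb.conf offers Kerberos only (the `ntlm auth = disabled` setting mentioned above), and a small client-side wrapper makes sure the client really does Kerberos, since that is the side where the decision is made: it turns `DOMAIN\user` or a bare `user` into a `user@REALM` principal, refuses an IP-address target (a service ticket is issued for `cifs/<dns-name>`, so a client given an IP either falls back to NTLM or fails), gets a TGT with `kinit` and tells `smbclient` that Kerberos is required rather than merely preferred. The realm `EXAMPLE.COM`, the NetBIOS domain `EXAMPLE` and the host `fs1.example.com` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumed names: realm
# EXAMPLE.COM, NetBIOS domain EXAMPLE, file server fs1.example.com.
set -u

REALM="${REALM:-EXAMPLE.COM}"
WORKGROUP="${WORKGROUP:-EXAMPLE}"

# Server side. The only knob Samba has is whether to *offer* NTLM at all;
# with "ntlm auth = disabled" an NTLM-only client is rejected outright
# (NT_STATUS_NTLM_BLOCKED) while a Kerberos-capable client still works.
member_smb_conf() {
    cat <<EOF
[global]
    workgroup = ${WORKGROUP}
    realm = ${REALM}
    security = ADS
    # Machine-account keytab written by "net ads join"; the server needs it
    # to decrypt cifs/<hostname> service tickets presented by clients.
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # No NTLM/NTLMv2 fallback at all (enum value available since Samba 4.7).
    ntlm auth = disabled
    log level = 1

[share]
    path = /srv/share
    read only = no
EOF
}

# Client side. "DOMAIN\user" and a bare "user" make Windows and Samba
# clients try NTLM; "user@REALM" makes them ask the KDC for a ticket.
to_principal() {
    local name="$1"
    case "$name" in
        *@*)  printf '%s\n' "$name" ;;                       # already a UPN
        *\\*) printf '%s@%s\n' "${name##*\\}" "$REALM" ;;    # DOMAIN\user
        *)    printf '%s@%s\n' "$name" "$REALM" ;;           # bare user
    esac
}

# Kerberos needs a service principal (cifs/<fqdn>), so the UNC target must
# be a DNS name. Windows clients given an IP literal silently fall back to
# NTLM; smbclient with Kerberos required simply fails. Catch it up front.
target_ok() {
    local unc="$1" host
    host="${unc#//}"; host="${host%%/*}"
    case "$host" in
        '' | *:*)  return 1 ;;   # empty, or an IPv6 literal
        *[!0-9.]*) return 0 ;;   # contains letters: a DNS name
        *)         return 1 ;;   # digits and dots only: an IPv4 literal
    esac
}

# Get a TGT and connect with Kerberos mandatory (--use-kerberos needs
# Samba >= 4.15; older smbclient only has "-k", which still allows a
# fallback). A failure here is a client-side problem, not something the
# server can be configured around.
kerberos_smb_connect() {
    local user="$1" unc="$2" principal
    target_ok "$unc" || { echo "use the server's DNS name, not an IP: $unc" >&2; return 2; }
    principal="$(to_principal "$user")"
    kinit "$principal" || return 1
    smbclient --use-kerberos=required "$unc" -c 'ls'
}

# Usage:  ./smb-krb.sh 'EXAMPLE\alice' //fs1.example.com/share
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    kerberos_smb_connect "$1" "$2"
fi
```

After `kinit`, `klist` should show a `cifs/fs1.example.com@EXAMPLE.COM` service ticket once the connection succeeds; if the share is reached through a DNS alias, that alias needs its own SPN on the machine account or the KDC will not issue a ticket for it. The same rule applies to the Windows case described above: `net use \\fs1.example.com\share /user:alice@EXAMPLE.COM` on a non-domain-joined machine goes to Kerberos, whereas the IP form or `EXAMPLE\alice` goes to NTLM and is blocked by this server.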

user2445034

Reputation: 41

My "solution" to this issue was simply to exclude the specific server from the NTLM restriction policy.

There are two policies on the Active Directory server, under "Local Group Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security options":

  • Network security: Restrict NTLM: Add server exceptions in this domain
  • Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication

So servers that are defined under those two policies are able to use NTLM.

Not a solution, but for now it's a workaround.

Upvotes: 0
