trekgalaxy
Cadet
Joined: Aug 23, 2021
Messages: 7
Hello,
I have a TrueNAS-12.0-U5 system joined to our AD domain. Our primary use of the system is IT department network shares for data archival and software installs; we share this data via SMB shares from the TrueNAS and use AD groups for the permissions.
Recently I began testing the AD "Protected Users" group. Basically, the key thing this does is prevent the use of NTLM (and NTLMv2) and use Kerberos instead. Prior to adding our highly privileged administration accounts to this group, access worked, and access still works for accounts NOT in the "Protected Users" group.
My question: what do I need to do to allow Kerberos, instead of NTLMv2, to be used for authentication to SMB shares from Windows 10 workstations?
Here is a log entry showing that NTLM is being used: /samba4/auth_audit.log.old
Code:
{"timestamp": "2021-08-11T11:58:58.030443-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "4809f4bf9822f609", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, nss_winbind, 16888", "clientDomain": "DOMAIN", "clientAccount": "dtest", "workstation": "FPS01", "becameAccount": "dtest", "becameDomain": "DOMAIN", "becameSid": "S-1-5-21-1298688581-1013366840-3435715919-62163", "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 226999}}
samba4/log.wb-DOMAIN
Code:
winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain DOMAIN
samba4/log.wb-DOMAIN
Code:
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc04.DOMAIN.CA with user[TRUENAS$] realm[DOMAIN.CA]: Client not found in Kerberos database, fallback to NTLMSSP
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/dc04.DOMAIN.CA with user[TRUENAS$] realm=[DOMAIN.CA]: Invalid credentials
Note, the below configs have the domain name edited, domain.ca is a placeholder.
/etc/local/smb4.conf
Code:
#
# SMB.CONF(5)  The configuration file for the Samba suite
# $FreeBSD$
#
[global]
    dns proxy = No
    aio max threads = 2
    max log size = 5120
    load printers = No
    printing = bsd
    disable spoolss = Yes
    dos filemode = Yes
    kernel change notify = No
    directory name cache size = 0
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    unix charset = UTF-8
    log level = 1 auth_json_audit:3@/var/log/samba4/auth_audit.log
    obey pam restrictions = False
    enable web service discovery = True
    logging = file
    server min protocol = SMB2_02
    unix extensions = No
    map to guest = Bad User
    server string = TrueNAS Server
    bind interfaces only = Yes
    netbios name = truenas
    netbios aliases =
    server role = member server
    kerberos method = secrets and keytab
    workgroup = DOMAIN
    realm = DOMAIN.CA
    security = ADS
    local master = No
    domain master = No
    preferred master = No
    winbind cache time = 7200
    winbind max domain connections = 10
    client ldap sasl wrapping = seal
    template shell = /bin/sh
    template homedir = /home/%D/%U
    ads dns update = Yes
    allow trusted domains = No
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config CARTEAD: backend = rid
    idmap config CARTEAD: range = 100000001-200000000
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    registry shares = yes
    include = registry
/etc/krb5.conf
Code:
#
# krb5.conf(5) - configuration file for Kerberos 5
# $FreeBSD$
#
[appdefaults]
    pam = {
        forwardable = true
        ticket_lifetime = 86400
        renew_lifetime = 86400
    }

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    clockskew = 300
    forwardable = true
    default_realm = CARTEAD.LOCAL

[domain_realm]
    domain.ca = DOMAIN.CA
    .domain.ca = DOMAIN.CA
    DOMAIN.CA = DOMAIN.CA
    .DOMAIN.CA = DOMAIN.CA

[realms]
    domain.ca = {
        default_domain = DOMAIN.CA
    }

[logging]
    default = SYSLOG:INFO:LOCAL7
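The auth_audit.log line in the post is the evidence that matters here: "passwordType": "NTLMv2" tells you the session fell back to NTLM rather than Kerberos. Below is an added example (not from the post, and not TrueNAS or Samba code) that reads such JSON audit lines, classifies each logon by mechanism, and flags NTLM logons for accounts you expect to be Kerberos-only, such as members of "Protected Users". The first sample line is the "Authentication" event from the post; the "Authorization" lines (with "authType": "krb5" / "NTLMSSP"), the account name jadmin, the addresses and the second SID are constructed for the example and assume Samba's Authorization event shape.

```python
import json
from collections import Counter

# Constructed sample of Samba auth_audit.log lines. Line 1 is the NTLMv2
# "Authentication" event from the post. Lines 2-3 are constructed and assume
# Samba's "Authorization" event layout; line 4 is deliberate garbage to show
# that non-JSON lines are skipped rather than aborting the scan.
SAMPLE_LOG = """\
{"timestamp": "2021-08-11T11:58:58.030443-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "4809f4bf9822f609", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, nss_winbind, 16888", "clientDomain": "DOMAIN", "clientAccount": "dtest", "workstation": "FPS01", "becameAccount": "dtest", "becameDomain": "DOMAIN", "becameSid": "S-1-5-21-1298688581-1013366840-3435715919-62163", "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 226999}}
{"timestamp": "2021-08-11T12:01:10.000000-0500", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.55:49832", "serviceDescription": "SMB2", "authType": "krb5", "domain": "DOMAIN", "account": "jadmin", "sid": "S-1-5-21-0-0-0-1001", "logonServer": "TRUENAS", "transportProtection": "SEAL", "accountFlags": "0x00000010"}}
{"timestamp": "2021-08-11T12:02:42.000000-0500", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.77:50120", "serviceDescription": "SMB2", "authType": "NTLMSSP", "domain": "DOMAIN", "account": "dtest", "sid": "S-1-5-21-1298688581-1013366840-3435715919-62163", "logonServer": "TRUENAS", "transportProtection": "SIGN", "accountFlags": "0x00000010"}}
not json at all
"""


def parse_event(line):
    """Flatten one auth_audit JSON line into a small dict, or None if unusable.

    "Authentication" events carry the mechanism in passwordType (NTLMv2 in
    the post); "Authorization" events carry it in authType (assumed layout).
    """
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    kind = ev.get("type")
    body = ev.get(kind, {}) if kind else {}
    if kind == "Authentication":
        return {
            "time": ev.get("timestamp"),
            "kind": kind,
            "account": body.get("clientAccount"),
            "domain": body.get("clientDomain"),
            "mechanism": body.get("passwordType"),
            "peer": body.get("workstation") or body.get("remoteAddress"),
            "status": body.get("status"),
        }
    if kind == "Authorization":
        return {
            "time": ev.get("timestamp"),
            "kind": kind,
            "account": body.get("account"),
            "domain": body.get("domain"),
            "mechanism": body.get("authType"),
            "peer": body.get("remoteAddress"),
            "status": "NT_STATUS_OK",  # authorization events are only logged on success
        }
    return None


def classify(mechanism):
    """Map Samba's mechanism strings onto NTLM / Kerberos / other."""
    m = (mechanism or "").upper()
    if "NTLM" in m:
        return "NTLM"
    if "KRB" in m or "KERBEROS" in m:
        return "Kerberos"
    return "other"


def audit(log_text, kerberos_only_accounts):
    """Count logons per mechanism and list NTLM logons by Kerberos-only accounts.

    kerberos_only_accounts: lowercase sAMAccountNames (e.g. the members of
    "Protected Users") that must never appear with an NTLM mechanism.
    Returns (Counter, [(time, kind, account, mechanism, peer), ...]).
    """
    counts = Counter()
    violations = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        cls = classify(ev["mechanism"])
        counts[cls] += 1
        if cls == "NTLM" and (ev["account"] or "").lower() in kerberos_only_accounts:
            violations.append((ev["time"], ev["kind"], ev["account"], ev["mechanism"], ev["peer"]))
    return counts, violations


if __name__ == "__main__":
    # Constructed watch list: accounts we intend to move into "Protected Users".
    counts, violations = audit(SAMPLE_LOG, {"dtest", "jadmin"})
    print("logons by mechanism:", dict(counts))
    for time, kind, account, mechanism, peer in violations:
        print(f"{time} {kind}: {account} still used {mechanism} from {peer}")
```

Run it against a real file with audit(open("/var/log/samba4/auth_audit.log").read(), names): every account that shows up in the violations list will break the moment it joins "Protected Users", because the client never obtained a service ticket for the TrueNAS host and fell back to NTLM. The winbind messages in the post ("Client not found in Kerberos database", "Restrict NTLM") point at the same gap from the server side.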