public inbox for discuss@lists.illumos.org (since 2011-08)
* [discuss] NTLM to Kerberos SMB
@ 2025-02-13 23:50 NoSense via illumos-discuss
  2025-02-14  7:54 ` Toomas Soome via illumos-discuss
  2025-02-14  8:15 ` [discuss] " NoSense via illumos-discuss
  0 siblings, 2 replies; 7+ messages in thread
From: NoSense via illumos-discuss @ 2025-02-13 23:50 UTC (permalink / raw)
  To: illumos-discuss


I have a long running OmniOS SMB server currently running r151052 AD integrated and working fine on NTLMv2. As all other devices are off NTLM except this server, I have attempted to convert it over to Kerberos. I didn't even see any options in napp-it and so I used the OmniOS guide which indicates it is possible and works. Specifically, I followed this OmniOS guide Active Directory Integration and enabled Kerberos AES for all the accounts and get a Kerberos Session and Ticket showing AES, BUT the SMB server still uses NTLM, and disabling NTLM support from the Windows side kills all SMB access to the OmniOS server. What am I missing to get OmniOS to do Kerberos only SMB SSO, or at least prefer Kerberos over NTLM?

#klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: *admin account*@*domain*.NET

Valid starting Expires Service principal
10/02/2025 15:04 11/02/2025 01:04 krbtgt/*domain*@*domain*.NET
renew until 17/02/2025 15:04, Etype(skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/Tef371e0d901b265f-M7ec4c7ec9b722d4d98cd8cb8
Delivery options: https://illumos.topicbox.com/groups/discuss/subscription


* Re: [discuss] NTLM to Kerberos SMB
  2025-02-13 23:50 [discuss] NTLM to Kerberos SMB NoSense via illumos-discuss
@ 2025-02-14  7:54 ` Toomas Soome via illumos-discuss
  2025-02-14  8:15 ` [discuss] " NoSense via illumos-discuss
  1 sibling, 0 replies; 7+ messages in thread
From: Toomas Soome via illumos-discuss @ 2025-02-14  7:54 UTC (permalink / raw)
  To: illumos-discuss

> On 14. Feb 2025, at 01:50, NoSense via illumos-discuss <discuss@lists.illumos.org> wrote:
> 
You would need domain mode setup:

        /*
         * In workgroup mode, skip Kerberos.
         */

rgds,
toomas

* [discuss] Re: NTLM to Kerberos SMB
  2025-02-13 23:50 [discuss] NTLM to Kerberos SMB NoSense via illumos-discuss
  2025-02-14  7:54 ` Toomas Soome via illumos-discuss
@ 2025-02-14  8:15 ` NoSense via illumos-discuss
  2025-02-17  0:55   ` NoSense via illumos-discuss
  1 sibling, 1 reply; 7+ messages in thread
From: NoSense via illumos-discuss @ 2025-02-14  8:15 UTC (permalink / raw)
  To: illumos-discuss


Toomas, it is already in domain mode.

* [discuss] Re: NTLM to Kerberos SMB
  2025-02-14  8:15 ` [discuss] " NoSense via illumos-discuss
@ 2025-02-17  0:55   ` NoSense via illumos-discuss
  2025-02-17  8:02     ` [discuss] " Toomas Soome via illumos-discuss
  0 siblings, 1 reply; 7+ messages in thread
From: NoSense via illumos-discuss @ 2025-02-17  0:55 UTC (permalink / raw)
  To: illumos-discuss


I have looked deeper at the traffic between the workstation and the OmniOS SMB server and I get the following:

[network trace image not included in the text version]

where the last line above final response details from the OmniOS SMB server is shown below

[response detail image not included in the text version]

Any ideas as to why the SMB server just ghosts the session is appreciated.


* Re: [discuss] NTLM to Kerberos SMB
  2025-02-17  0:55   ` NoSense via illumos-discuss
@ 2025-02-17  8:02     ` Toomas Soome via illumos-discuss
  2025-02-17 17:23       ` NoSense via illumos-discuss
  0 siblings, 1 reply; 7+ messages in thread
From: Toomas Soome via illumos-discuss @ 2025-02-17  8:02 UTC (permalink / raw)
  To: illumos-discuss


> On 17. Feb 2025, at 02:55, NoSense via illumos-discuss <discuss@lists.illumos.org> wrote:
> 
you do get 

smb/ntstatus.h:#define  NT_STATUS_NTLM_BLOCKED                          0xC0000418

I’m not exactly sure why, because a quick ‘git grep NT_STATUS_NTLM_BLOCKED’ only lists this error code as defined, but not used… Of course, it won't hurt to check if the time is in sync and ntp is running;)

However, there are some hints - you do get error NTLM blocked, probably because the NTLM is blocked by AD, so it means that your client is opting to try NTLM:

https://stackoverflow.com/questions/67404157/how-to-use-kerberos-for-samba-authentication

Note the suggestion about username@REALM in referred page.

I do not have AD myself, so I can only guess there;)
rgds,
toomas
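To make the check Toomas describes concrete, here is an added Python example (not code from the thread, from illumos or from the OmniOS guide) that decodes the NTSTATUS of an SMB2 SESSION_SETUP response and scans the client's security blob for the GSS mechanism OIDs, so a captured exchange can be classified as "server returned NT_STATUS_NTLM_BLOCKED and the client listed NTLM first" versus "client offered Kerberos". The sample bytes are constructed, and the OID scan is a byte-pattern match, not a full SPNEGO/ASN.1 parser.

```python
import struct

# NTSTATUS value Toomas quotes from illumos smb/ntstatus.h, plus two common neighbours.
NT_STATUS_NTLM_BLOCKED = 0xC0000418
STATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",
                0xC000006D: "STATUS_LOGON_FAILURE", NT_STATUS_NTLM_BLOCKED: "NT_STATUS_NTLM_BLOCKED"}
SMB2_SESSION_SETUP = 0x0001

# DER-encoded GSS mechanism OIDs as they appear in the SPNEGO token of a SESSION_SETUP request.
MECH_OIDS = {
    "NTLMSSP": bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
    "KRB5":    bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2
    "MS-KRB5": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2
}

def parse_smb2_header(pkt):
    """Return (command, status) from a 64-byte SMB2 response header."""
    if len(pkt) < 64 or pkt[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    size, _credit_charge, status, command = struct.unpack_from("<HHIH", pkt, 4)
    if size != 64:
        raise ValueError("unexpected SMB2 header size %d" % size)
    return command, status

def mechs_offered(blob):
    """Mechanisms present in a security blob, in the order the client listed them.
    A byte-pattern scan of the OIDs, not a full SPNEGO/ASN.1 parser."""
    hits = [(blob.find(der), name) for name, der in MECH_OIDS.items() if der in blob]
    if blob.startswith(b"NTLMSSP\x00"):  # raw NTLMSSP token without a SPNEGO wrapper
        hits.append((0, "NTLMSSP-raw"))
    return [name for _, name in sorted(hits)]

def diagnose(request_blob, response_pkt):
    """Explain a SESSION_SETUP response in terms of what the client offered."""
    command, status = parse_smb2_header(response_pkt)
    if command != SMB2_SESSION_SETUP:
        return "not a SESSION_SETUP response (command 0x%04x)" % command
    mechs = mechs_offered(request_blob)
    name = STATUS_NAMES.get(status, "0x%08X" % status)
    if status == NT_STATUS_NTLM_BLOCKED and mechs and mechs[0].startswith("NTLMSSP"):
        return "%s: client listed NTLM first (%s)" % (name, ", ".join(mechs))
    return "%s: client offered %s" % (name, ", ".join(mechs) or "nothing recognisable")

# Constructed sample exchange: SPNEGO OID, then the client's mech list, then a 64-byte SMB2
# SESSION_SETUP reply carrying NT_STATUS_NTLM_BLOCKED (ids, flags and signature zeroed).
SPNEGO_OID = bytes.fromhex("06062b0601050502")
REQ_NTLM_FIRST = SPNEGO_OID + MECH_OIDS["NTLMSSP"] + MECH_OIDS["KRB5"]
REQ_KRB_FIRST = SPNEGO_OID + MECH_OIDS["MS-KRB5"] + MECH_OIDS["KRB5"] + MECH_OIDS["NTLMSSP"]
RESP_BLOCKED = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, NT_STATUS_NTLM_BLOCKED, SMB2_SESSION_SETUP) + bytes(50)
```

Feed it the security blob from the client's SESSION_SETUP request and the server's reply header from a capture; if the first mechanism is NTLMSSP while the status is NT_STATUS_NTLM_BLOCKED, the client chose NTLM and the DC policy rejected it, which is the situation Toomas describes.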

* Re: [discuss] NTLM to Kerberos SMB
  2025-02-17  8:02     ` [discuss] " Toomas Soome via illumos-discuss
@ 2025-02-17 17:23       ` NoSense via illumos-discuss
  2025-02-17 17:33         ` Toomas Soome via illumos-discuss
  0 siblings, 1 reply; 7+ messages in thread
From: NoSense via illumos-discuss @ 2025-02-17 17:23 UTC (permalink / raw)
  To: illumos-discuss


Toomas, thanks for the ideas.

Yes, sync and ntp are running and all systems in the network are using the same local ntp server which is sync'd externally.

Yes, NTLM is blocked on the DC only but not on the workstation that was accessing the SMB server in the network trace above. This is to force the SMB server to use Kerberos for authentication since I can't seem to disable NTLM on the SMB server. This in turn forces the workstation to ramp up to Kerberos from NTLM as seen in the negotiation with the SMB server. That all seems to go well and they both agree to use Kerberos. 

As for the login @REALM issue, this is a login on a Windows machine (not Android) with a domain account. No matter which syntax you log in with, the SAMAccountName is always what is presented to the SMB server.

Right now, I think the issue might be that none of the AD users have individually defined rights to the file shares. They are all defined by AD Groups the user belongs to. However, idmap dump -n shows the GIDs for all the wingroups and works perfectly when using NTLMv2. Is the Kerberos lookup failing the group lookup and denying access to the resource?

Under Kerberos is it not able to figure that out? How do I get more detailed logs on the SMB server side?

So close but not quite there!

* Re: [discuss] NTLM to Kerberos SMB
  2025-02-17 17:23       ` NoSense via illumos-discuss
@ 2025-02-17 17:33         ` Toomas Soome via illumos-discuss
  0 siblings, 0 replies; 7+ messages in thread
From: Toomas Soome via illumos-discuss @ 2025-02-17 17:33 UTC (permalink / raw)
  To: illumos-discuss

> On 17. Feb 2025, at 19:23, NoSense via illumos-discuss <discuss@lists.illumos.org> wrote:
> 

Well, the error code itself is suggesting that the server knows about the policy, but as I noted, on a very quick check I was not able to find the relevant bit in the code.

The log is in /var/svc/log/network-smb-server:default.log and smbd also does syslog as daemon.level, so you want to set up syslog with daemon.debug or the like…

rgds,
toomas
