abbra / freeipa

Mirror of FreeIPA, an integrated security information management solution
http://www.freeipa.org
GNU General Public License v3.0

gc-wip: Can not login to Windows from Linux via winrm with login+password #66

Closed wladich closed 3 years ago

wladich commented 3 years ago

Setup on Windows machine:

net localgroup Administrators "TESTRELM.TEST\logintest" /add

Testing on linux machine:

import winrm
session = winrm.Session(ad_client_hostname, ('TESTRELM.TEST\\logintest', 'Secret123'), transport='ntlm')
session.run_cmd('whoami')

This raises exception:

winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server

All other variants of username also fail: upn/down-level, lowercase/uppercase, full/abbreviated domain name. I guess the problem is that ntlm is used which is not supported in Fedora/RHEL.

abbra commented 3 years ago

Following works for me:

# cat ~/testwinrm.py 
import winrm
ad_client_hostname = 'ad1.win2016.test'

def try_connect(host, user, password):
    # NTLM transport, as in the original report
    session = winrm.Session(host, (user, password), transport='ntlm')
    ret = session.run_cmd('whoami')
    print("Return code: {}\nOutput:{}\nError channel:{}\n".format(
          ret.status_code,
          ret.std_out.decode(encoding='utf-8'),
          ret.std_err.decode(encoding='utf-8')))

# Backslashes doubled so the down-level names are literal 'IPA\idmuser' etc.
for user in ('IPA\\idmuser', 'IPA.TEST\\idmuser', 'idmuser@ipa.test'):
    print('-'*30)
    print('Trying "{}"'.format(user))
    try:
        try_connect(ad_client_hostname, user, 'Secret123')
    except Exception as e:
        print("Got error: {}".format(str(e)))

Output:

# python3 ~/testwinrm.py
------------------------------
Trying "IPA\idmuser"
Return code: 0
Output:ipa.test\idmuser

Error channel:

------------------------------
Trying "IPA.TEST\idmuser"
Got error: the specified credentials were rejected by the server
------------------------------
Trying "idmuser@ipa.test"
Return code: 0
Output:ipa.test\idmuser

Error channel:

I need to check what exactly is sent (whether it is sent at all) in the 'IPA.TEST\idmuser' case, but the other two variants work for me with NTLM now that I fixed UPN lookups.

abbra commented 3 years ago

Ok, this is clear: winbindd doesn't know how to process IPA.TEST as it is not a domain it knows about.

[2020/11/11 09:22:52.421469, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:742(process_request_send)
  process_request_send: process_request: Handling async request smbd(42677):PAM_AUTH_CRAP
[2020/11/11 09:22:52.421484,  3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam_auth_crap.c:110(winbindd_pam_auth_crap_send)
  [42677]: pam auth crap domain: [IPA.TEST] user: idmuser
[2020/11/11 09:22:52.421512,  3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam.c:409(find_auth_domain)
  Authentication for domain [IPA.TEST] refused as it is not a trusted domain
[2020/11/11 09:22:52.421576, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:810(process_request_done)
  process_request_done: [smbd(42677):PAM_AUTH_CRAP]: NT_STATUS_NO_SUCH_USER
[2020/11/11 09:22:52.421603, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:855(process_request_written)
  process_request_written: [smbd(42677):PAM_AUTH_CRAP]: delivered response to client

in addition, other auth_sam modules fail it so it fails completely. Winbindd lookup is the last one.

[2020/11/11 09:23:53.283055,  3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [IPA.TEST]\[idmuser]@[] with the new password interface
[2020/11/11 09:23:53.283073,  3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [IPA.TEST]\[idmuser]@[]
[2020/11/11 09:23:53.283082, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:213(auth_check_ntlm_password)
  check_ntlm_password: auth_context challenge created by fixed
[2020/11/11 09:23:53.283091, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:216(auth_check_ntlm_password)
  challenge is: 
[2020/11/11 09:23:53.283099,  5, pid=42677, effective(65534, 65534), real(65534, 0)] ../../lib/util/util.c:678(dump_data)
  [0000] 41 72 07 86 7B D3 3C 74                             Ar..{.<t 
[2020/11/11 09:23:53.283113, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:209(auth_sam_netlogon3_auth)
  auth_sam_netlogon3_auth: Check auth for: [IPA.TEST]\[idmuser]
[2020/11/11 09:23:53.283123,  5, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:234(auth_sam_netlogon3_auth)
  auth_sam_netlogon3_auth: IPA.TEST is not our domain name (DC for IPA)
[2020/11/11 09:23:53.283131, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:249(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_netlogon3 had nothing to say
[2020/11/11 09:23:53.283141, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_winbind.c:51(check_winbind_security)
  Check auth for: [idmuser]
[2020/11/11 09:23:53.283151,  4, pid=42677, effective(65534, 65534), real(65534, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 2
[2020/11/11 09:23:53.283162,  4, pid=42677, effective(65534, 65534), real(65534, 0)] ../../source3/smbd/uid.c:565(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/11/11 09:23:53.283196,  4, pid=42677, effective(65534, 65534), real(65534, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2020/11/11 09:23:53.283212,  5, pid=42677, effective(65534, 65534), real(65534, 0)] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token: (NULL)
[2020/11/11 09:23:53.283224,  5, pid=42677, effective(65534, 65534), real(65534, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/11/11 09:23:53.283893,  4, pid=42677, effective(65534, 65534), real(65534, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 1
[2020/11/11 09:23:53.283909, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2020/11/11 09:23:53.283927, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:249(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind had nothing to say
[2020/11/11 09:23:53.283936,  5, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:258(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [idmuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
[2020/11/11 09:23:53.283948,  2, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [idmuser] -> [idmuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0

abbra commented 3 years ago

I submitted https://gitlab.com/samba-team/samba/-/merge_requests/1677 to fix it.

abbra commented 3 years ago

With the fix from Samba merge request 1677, I see all methods passing the test:

# python3 ~/testwinrm.py
------------------------------
Trying "IPA\idmuser"
Return code: 0
Output:ipa.test\idmuser

Error channel:

------------------------------
Trying "IPA.TEST\idmuser"
Return code: 0
Output:ipa.test\idmuser

Error channel:

------------------------------
Trying "idmuser@ipa.test"
Return code: 0
Output:ipa.test\idmuser

Error channel:

abbra commented 3 years ago

I updated COPR repo

wladich commented 3 years ago

Test results with last updates (same results on AD controller and client):

| username | Success |
|---|---|
| user@ipa.test | + |
| user@IPA.TEST | + |
| user@Ipa.Test | + |
| user@ipa | - |
| user@IPA | - |
| user@Ipa | - |
| ipa.test\user | + |
| IPA.TEST\user | + |
| Ipa.Test\user | + |
| ipa\user | + |
| IPA\user | + |
| Ipa\user | + |
| USER@ipa.test | + |
| User@ipa.test | + |
| IPA.TEST\USER | + |
| IPA.TEST\User | + |

abbra commented 3 years ago
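The pattern in the table above (UPN forms need the full realm, down-level forms accept either the NetBIOS name or, after the Samba fix, the realm name, all case-insensitively) can be modelled as a small classifier. This is an added example, not Samba's or FreeIPA's code; the realm `IPA.TEST` and NetBIOS name `IPA` are taken from the thread, and the `realm_alias_fixed` switch is an assumption that stands in for the Samba change being present or absent.

```python
import re

# Constructed model (added example, not Samba's or FreeIPA's code) of the
# "is this domain ours?" check an IPA domain controller makes for an NTLM
# logon. Realm and NetBIOS names are the ones used in the thread.
REALM = "IPA.TEST"
NETBIOS = "IPA"

def split_login(name):
    """Return (form, domain, user) for a down-level or UPN login name."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return "downlevel", domain, user
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return "upn", domain, user
    return "bare", "", name

def domain_is_ours(domain, realm_alias_fixed=True):
    """Match the NetBIOS name case-insensitively; with the Samba fix from the
    thread, the Kerberos realm name in the down-level form matches too."""
    d = domain.upper()
    return d == NETBIOS or (realm_alias_fixed and d == REALM)

def login_accepted(name, realm_alias_fixed=True):
    """True when the logon name resolves to this DC's domain."""
    form, domain, user = split_login(name)
    if not user:
        return False
    if form == "upn":
        # A UPN suffix must be the full realm; 'user@IPA' needs realm
        # aliasing, which the thread says is not in place yet.
        return domain.upper() == REALM
    if form == "downlevel":
        return domain_is_ours(domain, realm_alias_fixed)
    return False

# Level-3 winbind line quoted in the thread, used by the log check below.
SAMPLE_LOG = "  Authentication for domain [IPA.TEST] refused as it is not a trusted domain\n"
REFUSED = re.compile(r"Authentication for domain \[([^\]]+)\] refused as it is not a trusted domain")

def refused_domains(log_text):
    """Domains winbindd refused, pulled from winbind log lines."""
    return REFUSED.findall(log_text)

if __name__ == "__main__":
    for n in ("IPA\\idmuser", "IPA.TEST\\idmuser", "idmuser@ipa.test", "user@ipa"):
        print(n, "before fix:", login_accepted(n, False), "after fix:", login_accepted(n))
    print("refused:", refused_domains(SAMPLE_LOG))
```

Running the three names from abbra's test script through the model with `realm_alias_fixed=False` reproduces the pre-fix result (only `IPA.TEST\idmuser` rejected), and the table rows above all match with the default.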

Great. The unqualified NetBIOS domain name variants aren't going to work until we get Kerberos realm aliasing in place. I'll close this issue when https://gitlab.com/samba-team/samba/-/merge_requests/1677 is merged to Samba upstream.

abbra commented 3 years ago

The Samba MR was merged.