Samba authentication using non-AD Kerberos?
Samba authentication using non-AD Kerberos?

Samba - General mailing list
Hi!

Do you know of any example Samba configuration that authenticates to a
plain (non-AD, e.g. MIT KDC) Kerberos server? Would you mind
pointing me to that configuration? What will be the issues with this
kind of configuration?

Thank you.

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On Wed, 2017-04-12 at 19:17 -0600, S P Arif Sahari Wibowo via samba
wrote:
> Hi!
>
> Do you know of any example Samba configuration that authenticates to
> a plain (non-AD, e.g. MIT KDC) Kerberos server?

This is a normal and fully supported configuration.  It maps to normal
unix users.

> Would you mind
> pointing me to that configuration? What will be the issues with this
> kind of configuration?

From memory:

security=user

use kerberos keytab = system keytab

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On 2017-04-13, 01:58, Andrew Bartlett via samba wrote:
> On Wed, 2017-04-12 at 19:17 -0600, S P Arif Sahari Wibowo via
> samba wrote:
>> Do you know of any example Samba configuration that authenticates
>> to a plain (non-AD, e.g. MIT KDC) Kerberos server?
>
> This is a normal and fully supported configuration.  It maps to
> normal unix users.

Thanks! Does that mean the OS (Linux) has to be set up for login
using Kerberos as well?

I was looking into the Samba wiki pages and cannot find
documentation for this. Generally most of the documentation pages
discuss Samba either as an AD member or standalone.

> From memory:
>
> security=user
>
> use kerberos keytab = system keytab

Thanks! Obviously there is no "net ads join" command, so is there
anything to be done instead of that?

Thank you.

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On Sun, 2017-04-16 at 19:06 -0600, S P Arif Sahari Wibowo via samba
wrote:

> On 2017-04-13, 01:58, Andrew Bartlett via samba wrote:
> > On Wed, 2017-04-12 at 19:17 -0600, S P Arif Sahari Wibowo via samba
> > wrote:
> > > Do you know of any example Samba configuration that
> > > authenticates to a plain (non-AD, e.g. MIT KDC) Kerberos
> > > server?
> >
> > This is a normal and fully supported configuration.  It maps to
> > normal unix users.
>
> Thanks! Does that mean the OS (Linux) has to be set up for login
> using Kerberos as well?

No, but your clients will need to get a ticket somehow.  That is
presumably already happening otherwise you wouldn't be asking for this.

> I was looking into the Samba wiki pages and cannot find
> documentation for this. Generally most of the documentation pages
> discuss Samba either as an AD member or standalone.
>
> > From memory:
> >
> > security=user
> >
> > use kerberos keytab = system keytab
>
> Thanks! Obviously there is no "net ads join" command, so is there
> anything to be done instead of that?

You need a keytab for cifs/hostname just as you would for IMAP or some
other kerberised service.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
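Andrew's point is that the Samba host needs a cifs/<hostname> entry in its keytab, exactly as an IMAP server would. As an added example (not code from this thread or from the Samba project), the Python below reads an MIT-format keytab offline, lists its principals without exposing key material, and checks that cifs/<host>@<REALM> is present with a non-legacy enctype; the hostname, realm and keytab bytes are constructed placeholders, not values from the thread.

```python
import struct
from collections import namedtuple

# Constructed placeholders, not values from the thread.
SAMPLE_HOST = "myserver.myrealm.ca"
SAMPLE_REALM = "MYREALM.CA"

# RFC 3961/3962 enctype numbers; DES and RC4 are the legacy ones a keytab should not carry.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype")

def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string at off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format (version 0x0502) keytab. Key material is skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # components, realm not counted
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno overrides the 8-bit field when non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def check_cifs_keytab(entries, host, realm):
    """Return (ok, problems): ok when cifs/<host>@<REALM> exists with a non-legacy enctype."""
    want = f"cifs/{host}@{realm}"
    matches = [e for e in entries if e.principal == want]
    problems = [] if matches else [f"missing service principal {want}"]
    for e in matches:
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"{want} kvno {e.kvno} has weak enctype {ENCTYPES[e.enctype]}")
    ok = any(e.enctype not in WEAK_ENCTYPES for e in matches)
    return ok, problems

def _entry(principal, realm, kvno, enctype, key):
    """Serialise one keytab entry; used only to build the constructed sample below."""
    cstr = lambda b: struct.pack(">H", len(b)) + b
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + cstr(realm.encode())
    body += b"".join(cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">H", enctype) + cstr(key)
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def sample_keytab():
    """Constructed keytab: host/ and cifs/ principals, the cifs/ one also with a legacy RC4 key."""
    return (b"\x05\x02"
            + _entry("host/" + SAMPLE_HOST, SAMPLE_REALM, 2, 18, b"\x11" * 32)
            + _entry("cifs/" + SAMPLE_HOST, SAMPLE_REALM, 3, 18, b"\x22" * 32)
            + _entry("cifs/" + SAMPLE_HOST, SAMPLE_REALM, 3, 23, b"\x33" * 16))
```

On a real host, pass the bytes of /etc/krb5.keytab to parse_keytab and the server's FQDN and realm to check_cifs_keytab; the keytab must be readable by the smbd process and by nothing else.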



Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On 2017-04-17, 15:23, Andrew Bartlett via samba wrote:
> No, but your clients will need to get a ticket somehow.  That
> is presumably already happening otherwise you wouldn't be
> asking for this.

No, the situation is that currently I only have a Kerberos server,
but no ADS. I would like to set up a Samba server so that MS Windows
and macOS clients (at various IP addresses) can log in to it, but I
would like to use the existing Kerberos server as the authentication
source.

Will this be possible?

Can this be done without the MS Windows and macOS clients having
direct access to the Kerberos server?

> You need a keytab for cifs/hostname just as you would for IMAP
> or some other kerberised service.

Do you know how this works in MS Windows / macOS?

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list


On 18.04.2017 at 20:36, S P Arif Sahari Wibowo via samba wrote:

> On 2017-04-17, 15:23, Andrew Bartlett via samba wrote:
>> No, but your clients will need to get a ticket somehow.  That is
>> presumably already happening otherwise you wouldn't be asking for this.
>
> No, the situation is that currently I only have a Kerberos server, but no
> ADS. I would like to set up a Samba server so that MS Windows and macOS
> clients (at various IP addresses) can log in to it, but I would like to
> use the existing Kerberos server as the authentication source.
>
> Will this be possible?
>
> Can this be done without the MS Windows and macOS clients having direct
> access to the Kerberos server?
>
>> You need a keytab for cifs/hostname just as you would for IMAP or some
>> other kerberised service.
>
> Do you know how this works in MS Windows / macOS?
>


There is a tutorial on how to make a Kerberos server be a Samba server too.

It is available at:
http://www.danbishop.org/2015/01/30/ubuntu-14-04-ultimate-server-guide/8/


Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On Wed, 19 Apr 2017 09:22:47 +0200
Stefan Just via samba <[hidden email]> wrote:

>
> There is a tutorial on how to make a Kerberos server be a Samba
> server too.
>
> It is available at:
> http://www.danbishop.org/2015/01/30/ubuntu-14-04-ultimate-server-guide/8/
>

There is a big problem with that tutorial: one of the first things
it tells you to do is to install libpam-smbpass. This has been
removed from Samba. If you do follow the instructions, a subsequent
update may upgrade Samba, and you may find it suddenly stops working.

Rowland


Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list


On 19.04.2017 at 14:37, Rowland Penny via samba wrote:

> On Wed, 19 Apr 2017 09:22:47 +0200
> Stefan Just via samba <[hidden email]> wrote:
>
>>
>> There is a tutorial on how to make a Kerberos server be a Samba
>> server too.
>>
>> It is available at:
>> http://www.danbishop.org/2015/01/30/ubuntu-14-04-ultimate-server-guide/8/
>>
>
> There is a big problem with that tutorial: one of the first things
> it tells you to do is to install libpam-smbpass. This has been
> removed from Samba. If you do follow the instructions, a subsequent
> update may upgrade Samba, and you may find it suddenly stops working.
>
> Rowland
>
libpam-smbpass was dropped with Samba 4.4. So you have to use samba 4.3.


Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On 2017-04-19, 01:22, Stefan Just via samba wrote:
> There is a tutorial on how to make a Kerberos server be a
> Samba server too.

I don't have the option to make changes on the Kerberos server, at
least not now. Is that the only way to have Samba authenticate
against a non-AD Kerberos server and be connectable from MS Windows
and macOS clients?

On 2017-04-19, 08:10, Stefan Just via samba wrote:
> libpam-smbpass was dropped with Samba 4.4. So you have to use
> samba 4.3.

Is there any other solution that is not yet obsolete?

Thank you!

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On Wed, 2017-04-19 at 10:09 -0600, S P Arif Sahari Wibowo via samba
wrote:
> On 2017-04-19, 01:22, Stefan Just via samba wrote:
> > There is a tutorial on how to make a Kerberos server be a
> > Samba server too.
>
> I don't have the option to make changes on the Kerberos server, at
> least not now. Is that the only way to have Samba authenticate
> against a non-AD Kerberos server and be connectable from MS Windows
> and macOS clients?

Not windows clients without much pain.  In theory Windows can join a
non-AD KDC, but it is incredibly rarely done.  MacOS should be able to
kinit.

I think you really want to move to Samba as an AD DC.  Everything else
will just be painful in the long run.

I hope this helps,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On 2017-04-16, 19:06, S P Arif Sahari Wibowo via samba wrote:
> I was looking into the Samba wiki pages and cannot find
> documentation for this. Generally most of the documentation pages
> discuss Samba either as an AD member or standalone.

So, still looking at this.

This is the current state: the Kerberos setup (krb5.conf and
keytab) is working on the server, and I can kinit properly. But the
Samba setup is still not working. Here is what I have in
/etc/smb.conf:

[global]
         workgroup = MYREALM
         server string = UATest Samba Server Version %v
         netbios name = myserver
         log file = /var/log/samba/log.%m
         max log size = 50
         security = ads
         realm = MYREALM.CA
         password server = mykerberos.myrealm.ca
         kerberos method = system keytab
         log level = 3 passdb:5 auth:10

         load printers = no
         cups options = raw
         printing = bsd
[tmp]
         comment = Temporary Stuff
         path = /tmp
         public = yes
         writable = yes
         printable = no


When I try to connect locally:

# kinit mykerbuser
Password for [hidden email]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [hidden email]

Valid starting     Expires            Service principal
20/04/17 07:24:13  21/04/17 08:24:10  krbtgt/[hidden email]
# smbclient -k -U mykerbuser -L localhost
session setup failed: NT_STATUS_IO_TIMEOUT


If I do tcpdump on the Kerberos server, I see this output
repeated:

07:18:55.708609 mykerberos.myrealm.ca > 172.1.1.111: icmp: mykerberos.myrealm.ca udp port netbios-ns unreachable
07:18:56.709751 172.1.1.111.34265 > mykerberos.myrealm.ca.netbios-ns: udp 50 (DF)

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Samba AD DC authenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

Samba - General mailing list
On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> I think you really want to move to Samba as an AD DC.

In that case, how can I set up a Samba AD DC whose
authentication comes from another non-AD Kerberos service?
Preferably on a separate server from the Kerberos service.

I also have an LDAP service synchronized with the Kerberos
service, but I cannot have the old solution where AD user
passwords are stored separately in an LDAP field. In general I
cannot use a solution where AD user passwords are stored
separately from, and need to be synchronized with, LDAP / Kerberos
user passwords.

Thank you!

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba AD DC authenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

Samba - General mailing list
On Thu, 20 Apr 2017 07:32:16 -0600 (MDT)
S P Arif Sahari Wibowo via samba <[hidden email]> wrote:

> On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> > I think you really want to move to Samba as an AD DC.
>
> In that case, how can I set up a Samba AD DC whose
> authentication comes from another non-AD Kerberos service?
> Preferably on a separate server from the Kerberos service.

I don't think you can.

>
> I also have an LDAP service synchronized with the Kerberos
> service, but I cannot have the old solution where AD user
> passwords are stored separately in an LDAP field. In general I
> cannot use a solution where AD user passwords are stored
> separately from, and need to be synchronized with, LDAP / Kerberos
> user passwords.
>

You normally use AD for the users' passwords and get your service to use
AD for authentication. Just what do you need to get working with AD, a
mailserver or squid or something else?

Rowland



Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On Thu, 20 Apr 2017 07:25:14 -0600 (MDT)
S P Arif Sahari Wibowo via samba <[hidden email]> wrote:


> # smbclient -k -U mykerbuser -L localhost
> session setup failed: NT_STATUS_IO_TIMEOUT
>
>

It works against a Samba AD DC from a Unix domain member, provided you
change 'localhost' to the domain member's short hostname.

Rowland




Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On Thu, 20 Apr 2017 07:25:14 -0600 (MDT)
S P Arif Sahari Wibowo via samba <[hidden email]> wrote:

Aha, very funny, cc'ed the OP and got this:

From: S P Arif Sahari Wibowo <[hidden email]>
To: Rowland Penny <[hidden email]>
Subject: Auto Response: Re: [Samba] Samba AD DC authenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
Date: Thu, 20 Apr 2017 13:46:28 +0000 (UTC)

If you know I am expecting the message you sent just now, please disregard this message.
Otherwise, I am not checking this account regularly. You may get a response much later, and on some occasions you may never get one. If you need to get in touch with me in a timely and reliable manner, please start from this web page:
 http://www.arifsaha.com/contact/ 
 Thank you for your understanding.
 69928b34ff78b0c185aa82f72b5407f0

but when you go to 'http://www.arifsaha.com/contact/', you get this:

 Software error:

Can't locate HTML/Template.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at index.cgi line 32.
BEGIN failed--compilation aborted at index.cgi line 32.

Please e-mail the error message above, either directly to [hidden email]
or by first sending an empty e-mail to [hidden email],
then e-mail the error message to the e-mail address provided in the
bounce e-mail (something like
[hidden email]). Thank you!!


Please turn this rubbish off!!!!

Rowland


Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On 2017-04-20, 08:03, Rowland Penny via samba wrote:
> It works against a Samba AD DC from a Unix domain member,

There is no Samba AD DC; as the title says, I am setting up Samba
to authenticate with non-AD Kerberos.

> provided you change 'localhost' to the domain members short
> hostname.

No change:

# smbclient -k -U mykerbuser -L myserver
session setup failed: NT_STATUS_IO_TIMEOUT


I already removed any firewall blocking, BTW.

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba AD DC authenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

Samba - General mailing list
On 2017-04-20, 07:46, Rowland Penny via samba wrote:
> I don't think you can.

It will be very sad if that's the case, since it means Samba is
not an adequate tool for this purpose. If we need to manage a
separate password database anyway, there is no difference from just
having the Windows support person set up a Windows box to do the
file sharing.

I was hoping to convince the decision maker to use Samba with the real
advantage of integrating with the main LDAP/Kerberos ID management
infrastructure. It will be sad to see that this is something
that cannot be done by the FOSS community.

> just what do you need to get to work with AD,

The LDAP/Kerberos is already established, extensively used and
secured, so it won't go anywhere. I want to use Samba, but it
has to be integrated into the existing authentication mechanism.

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba authentication using non-AD Kerberos?

Samba - General mailing list
On Thu, 20 Apr 2017 10:11:49 -0600 (MDT)
S P Arif Sahari Wibowo via samba <[hidden email]> wrote:

> On 2017-04-20, 08:03, Rowland Penny via samba wrote:
> > It works against a Samba AD DC from a Unix domain member,
>
> There is no Samba AD DC; as the title says, I am setting up Samba
> to authenticate with non-AD Kerberos.

What I was trying to point out was that it works on a Unix Samba
domain member against a Samba DC, and if it doesn't work for you against
your KDC, then this is another reason to use an AD DC.

>
> > provided you change 'localhost' to the domain members short
> > hostname.
>
> No change:
>
> # smbclient -k -U mykerbuser -L myserver
> session setup failed: NT_STATUS_IO_TIMEOUT

There you go, it doesn't work against a standalone Kerberos server. You
could try setting up your Samba server as per here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Use the 'rid' backend and start the 'winbind' binary.

If this doesn't work, you will probably have to set up a Samba AD DC.

Rowland
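The config that timed out earlier in the thread runs security = ads with a password server pointing at a plain KDC, while Andrew's suggestion for a non-AD KDC was security = user plus a system keytab. As an added example (not code from this thread or from the Samba project), the Python below parses the [global] section of an smb.conf and flags the settings that only make sense once there is an AD domain to join; both smb.conf snippets are constructed for the example and the hostnames and realm in them are placeholders.

```python
import configparser

# Constructed smb.conf snippets (placeholder realm and hosts), not copied from the thread.
# Shape of the failing setup: AD-style security against a standalone KDC.
ADS_AGAINST_PLAIN_KDC = """
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.TEST
    password server = kdc.example.test
    kerberos method = system keytab
"""

# Shape of the advice given in the thread for a non-AD KDC.
USER_WITH_SYSTEM_KEYTAB = """
[global]
    workgroup = EXAMPLE
    security = user
    realm = EXAMPLE.TEST
    kerberos method = system keytab
"""


def load_global(text):
    """Parse the [global] section of an smb.conf into a dict of lowercased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # smb.conf indents keys freely; strip the indentation so configparser does not
    # mistake an indented key for a continuation of the previous value.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {k: v.strip() for k, v in cp["global"].items()}


def check_non_ad_kerberos(glob):
    """Problems in an smb.conf that is meant to authenticate against a plain (non-AD) KDC."""
    problems = []
    if glob.get("security", "user").lower() == "ads":
        problems.append("security = ads requires joining an AD domain; "
                        "use security = user against a plain KDC")
    if "password server" in glob:
        problems.append("password server is only consulted in domain/ads security modes; "
                        "drop it")
    if "keytab" not in glob.get("kerberos method", "secrets only").lower():
        problems.append("kerberos method must name a keytab holding cifs/<host>; "
                        "without a domain join there is nothing in secrets.tdb")
    return problems
```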




Re: Samba AD DC authenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

Samba - General mailing list
On Thu, 2017-04-20 at 14:46 +0100, Rowland Penny via samba wrote:

> On Thu, 20 Apr 2017 07:32:16 -0600 (MDT)
> S P Arif Sahari Wibowo via samba <[hidden email]> wrote:
>
> > On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> > > I think you really want to move to Samba as an AD DC.
> >
> > In that case, how can I set up a Samba AD DC whose
> > authentication comes from another non-AD Kerberos service?
> > Preferably on a separate server from the Kerberos service.
>
> I don't think you can.

To be clear, this would be an 'MIT Trust'.  This isn't currently
supported, but would allow you to authenticate with the username and
password via krb5 from the trusted domain, but use the ticket to log in
to the Windows desktop and the Samba file server.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

