Samba authentication using non-AD Kerberos?


Re: Samba AD DC authenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

On Thu, 2017-04-20 at 10:42 -0600, S P Arif Sahari Wibowo via samba
wrote:

> On 2017-04-20, 07:46, Rowland Penny via samba wrote:
> > I don't think you can.
>
> It will be very sad if that's the case, since it means Samba is
> not an adequate tool for this purpose. If we need to manage a
> separate password database anyway, there is no difference from
> just having the Windows support person set up a Windows box to do
> the file sharing.
>
> I was hoping to convince the decision maker to use Samba with the
> real advantage of integrating with the main LDAP/Kerberos ID
> management infrastructure. It will be sad to see that this is
> something that cannot be done by the FOSS community.

Please avoid the 'moral blackmail' implication.  Perhaps it was not
your intention, but occasionally we get folks who come here with a
sense that somehow Samba or the Free Software world is poorer if their
use case isn't addressed.  That is, it feels like we are being goaded
into providing an answer or fix, and that isn't nice.

Please do use Samba where it works well for your use case, where it fits
how you like to run your network, whether practically, ethically or
financially.

> > just what do you need to get to work with AD,
>
> The LDAP/Kerberos is already established - extensively used and
> secured - so it won't go anywhere. I want to use Samba but it
> has to be integrated into the existing authentication mechanism.

This wasn't at all clear in your original message.  It does help to
have the full context.  It isn't nearly as common as pure AD, but you
can run Samba as I described, for clients that have a Kerberos ticket.

Environments such as you describe should already have established
procedures for extracting a keytab for a new service, so follow those
for that part, and configure Samba as I instructed, with
'security=user' and 'use kerberos keytab = system keytab'.

However, this won't kerberise Windows or MacOS clients that were not
already kerberised by some other means.  Windows clients are the
hardest in this context.

I don't think the IO_TIMEOUT message you mentioned is the last word on
this.  You should first get Samba working with a local passdb file (eg
set a password for the users with smbpasswd -a), then move to Kerberos
once you get that working.

I hope this helps clarify things.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba authentication using non-AD Kerberos?

On Thu, 2017-04-20 at 07:25 -0600, S P Arif Sahari Wibowo via samba
wrote:

> On 2017-04-16, 19:06, S P Arif Sahari Wibowo via samba wrote:
> > I was looking into the samba wiki pages and cannot find
> > documentation for this. Generally most of the documentation pages
> > discuss samba either as an AD member or standalone.
>
> So still looking at this.
>
> So this is the state currently: the kerberos setup (krb5.conf and
> keytab) is working on the server, I can do kinit properly. But
> the Samba setup is still not working. Here is what I have in
> /etc/smb.conf:
>
> [global]
>          workgroup = MYREALM
>          server string = UATest Samba Server Version %v
>          netbios name = myserver
>          log file = /var/log/samba/log.%m
>          max log size = 50
>          security = ads

As I mentioned first up, please set
security=user

>          realm = MYREALM.CA
>          password server = mykerberos.myrealm.ca

Don't set this.  Samba won't be contacting the KDC, in Kerberos that is
the client's job.  

>          kerberos method = system keytab
>          log level = 3 passdb:5 auth:10
>
>          load printers = no
>          cups options = raw
>          printing = bsd
> [tmp]
>          comment = Temporary Stuff
>          path = /tmp
>          public = yes
>          writable = yes
>          printable = no

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

On 2017-04-22, 02:12, Andrew Bartlett via samba wrote:
> To be clear, this would be an 'MIT Trust'.  This isn't
> currently supported, but would allow you to authenticate with
> the username and password via krb5 from the trusted domain,
> but use the ticket to log in to the Windows desktop and the
> Samba file server.

Actually no. I forked this thread to specifically ask a question
about setting up Samba AD DC / ADS with an external Kerberos
server. Sorry the title is a bit confusing, I fixed it a little bit.
So presumably the client can log in as if logging in to a normal AD DC /
ADS.

Thank you!

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba authentication using non-AD Kerberos?

On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> Not windows clients without much pain.  In theory Windows can
> join a non-AD KDC, but it is incredibly rarely done.

Would you mind giving a clearer picture of how much pain we are
talking about here? Any link to somebody who did it? I need to
compare it to the pain of the other alternatives I have on the
table, like letting clients mount files using sshfs.

On 2017-04-22, 02:27, Andrew Bartlett via samba wrote:
> As I mentioned first up, please set
> security=user
...
>>          password server = mykerberos.myrealm.ca
>
> Don't set this.  Samba won't be contacting the KDC, in
> Kerberos that is the client's job.

Turns out when I managed to get it working, neither option mattered,
I can set it up either way and it still works. This is the
configuration that works:

[global]
         workgroup = MYREALM.CA
         server string = MyTest Samba Server Version %v
         netbios name = myserver
         dns proxy = no
         log file = /var/log/samba/log.%m
         max log size = 50
         realm = MYREALM.CA
         kerberos method = dedicated keytab
         dedicated keytab file = /etc/krb5.keytab
         log level = 3 passdb:5 auth:10
         obey pam restrictions = no
         load printers = no
         cups options = raw
         printing = bsd
[tmp]
         comment = Temporary Stuff
         path = /tmp
         public = yes
         writable = yes
         printable = no

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/
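An added check, not code from the thread or from the Samba project, for the two points Andrew made and the config that ended up working: security=user with a keytab-backed 'kerberos method' and no 'password server', plus a look for the cifs/ service principal in the keytab that clients will request a ticket for. The two [global] sections and the klist listing inside are constructed from the fragments posted in this thread; the /etc/krb5.keytab fallback for 'system keytab' is an assumption.

```python
import configparser
import re

# Constructed [global] sections modelled on the two smb.conf fragments in the
# thread: the "security = ads" attempt and the one reported as working.
SMBCONF_BROKEN = """
[global]
         netbios name = myserver
         security = ads
         realm = MYREALM.CA
         password server = mykerberos.myrealm.ca
         kerberos method = system keytab
"""

SMBCONF_WORKING = """
[global]
         netbios name = myserver
         realm = MYREALM.CA
         kerberos method = dedicated keytab
         dedicated keytab file = /etc/krb5.keytab
"""

# Constructed text in the shape of `klist -k /etc/krb5.keytab` output; on a
# real server feed that command's stdout to keytab_has_cifs_principal().
KLIST_SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/myserver.myrealm.ca@MYREALM.CA
   3 cifs/myserver.myrealm.ca@MYREALM.CA
"""

SYSTEM_KEYTAB = "/etc/krb5.keytab"  # assumed MIT default for 'system keytab'


def parse_smbconf(text):
    # smb.conf is INI-like; interpolation is off because of %v / %m macros.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp["global"]


def audit_global(text):
    """Return (option, message) findings for a standalone Kerberos file server."""
    g = parse_smbconf(text)
    findings = []
    # A missing 'security' is accepted: the working config in the thread omits it.
    security = g.get("security", "user").strip().lower()
    if security != "user":
        findings.append(("security", f"is {security}; use security = user"))
    if "password server" in g:
        findings.append(("password server", "drop it: the client contacts the KDC"))
    method = g.get("kerberos method", "default").strip().lower()
    if method not in ("system keytab", "dedicated keytab"):
        findings.append(("kerberos method", f"is {method}; point Samba at a keytab"))
    elif method == "dedicated keytab" and "dedicated keytab file" not in g:
        findings.append(("dedicated keytab file", "required with dedicated keytab"))
    if "realm" not in g:
        findings.append(("realm", "must name the realm the keytab belongs to"))
    return findings


def keytab_path(text):
    """Keytab Samba will read: the dedicated file, else the system keytab."""
    return parse_smbconf(text).get("dedicated keytab file", SYSTEM_KEYTAB).strip()


def keytab_has_cifs_principal(klist_output, host, realm):
    """True if a klist -k listing holds cifs/<host>@<REALM>, the SPN SMB clients ask for."""
    pat = re.compile(r"^\s*\d+\s+cifs/%s@%s\s*$" % (re.escape(host), re.escape(realm)), re.M)
    return pat.search(klist_output) is not None
```

Run audit_global() over the real smb.conf and keytab_has_cifs_principal() over the real `klist -k` output before chasing IO_TIMEOUT-style errors in the Samba logs.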

Re: Samba authentication using non-AD Kerberos?

On Tue, 2017-04-25 at 15:23 -0600, S P Arif Sahari Wibowo via samba
wrote:
> On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> > Not windows clients without much pain.  In theory Windows can 
> > join a non-AD KDC, but it is incredibly rarely done.
>
> Would you mind to give clearer picture how much pain we are 
> talking about here? Any link to somebody who did it? I need to 
> compare it to the pain of another alternatives I have in the 
> table, like let clients mount files using sshfs.

This looks like the instructions:

https://social.technet.microsoft.com/wiki/contents/articles/2751.kerberos-interoperability-step-by-step-guide-for-windows-server-2003.aspx#Using_an_MIT_KDC_with_a_Stand-alone_Windows_Server_TwentyOhThree_Client

In terms of pain, let me put it this way:  You are the first person I
can remember asking about this on the Samba lists.  

Also, you still have to create all the user accounts on each Windows
client, you just get to share the passwords.  

All in all, you start to see why we built Samba's AD DC.  You might not
be able to use it, but we didn't think the alternative was practical
either.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Samba authentication using non-AD Kerberos?

On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
>  Not windows clients without much pain.  In theory Windows
>  can join a non-AD KDC, but it is incredibly rarely done.

Would you mind giving a clearer picture of how much pain we are
talking about here? Any link to somebody who did it? I need to
compare it to the pain of the other alternatives I have on the
table, like letting clients mount shares using sshfs.

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

On 04/25/17 17:04, S P Arif Sahari Wibowo via samba wrote:

> On 2017-04-22, 02:12, Andrew Bartlett via samba wrote:
>> To be clear, this would be an 'MIT Trust'.  This isn't currently
>> supported, but would allow you to authenticate with the username and
>> password via krb5 from the trusted domain, but use the ticket to log
>> in to the Windows desktop and the Samba file server.
>
> Actually no. I forked this thread to specifically ask a question about
> setting up Samba AD DC / ADS with an external Kerberos server. Sorry the
> title is a bit confusing, I fixed it a little bit. So presumably the
> client can log in as if logging in to a normal AD DC / ADS.
>
> Thank you!
>

A Samba AD directory server (domain controller) is its own kerberos
server.  I don't see how you could configure it to use another
KDC.  Depending on how many computers are in your environment, it may be
easier to have the non-AD Kerberos clients use the Samba DC as the KDC.


Re: Samba authentication using non-AD Kerberos?

On 2017-04-25, 15:40, Andrew Bartlett via samba wrote:
> This looks like the instructions:
> https://social.technet.microsoft.com/wiki/contents/articles/2751.kerberos-interoperability-step-by-step-guide-for-windows-server-2003.aspx#Using_an_MIT_KDC_with_a_Stand-alone_Windows_Server_TwentyOhThree_Client

Thanks Andrew! This is quite useful info.

> Also, you still have to create all the user accounts on each
> Windows client, you just get to share the passwords.

Noted.

> All in all, you start to see why we built Samba's AD DC.  You
> might not be able to use it, but we didn't think the
> alternative was practical either.

I brought up the question about using that in a forked thread,
it seems like Rowland Penny thinks it will be impossible as well.

My requirement is simple, we have an existing OpenLDAP and Kerberos
authentication system, and I want MS Windows to be able to mount
shares from my server using credentials from that authentication
system. In the old days (Samba 3), it could use LDAP for login but
did that by storing the password in an LDAP field using insecure
encryption, and I cannot do that now. I thought now with Samba 4
it would be possible to do with Kerberos.

Thank you.

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

On 2017-04-27, 07:13, Gaiseric Vandal via samba wrote:
> A Samba AD directory server (domain controller) is its own
> kerberos server. I don't see how you could configure it to use
> another KDC.

I don't know Kerberos much, so I am wondering can something like
this be "delegated"?

> Depending on how many computers in your environment, it may be
> easier to have the non-AD Kerberos clients use the Samba DC
> as the KDC.

Definitely not easier in my case. The current OpenLDAP &
Kerberos server will definitely stay and most services will
still use it. I need to get a way for MS Windows to mount shares
from my server using credentials from existing OpenLDAP &
Kerberos authentication system.

Thank you.

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba authentication using non-AD Kerberos?

On Thu, 27 Apr 2017 07:17:22 -0600 (MDT)
S P Arif Sahari Wibowo via samba <[hidden email]> wrote:

>
> My requirement is simple, we have existing OpenLDAP and Kerberos
> authentication system, and I want MS Windows to be able to mount
> shares from my server using credentials from that authentication
> system. In the old days (Samba 3), it could use LDAP for login but
> did that by storing the password in an LDAP field using insecure
> encryption, and I cannot do that now. I thought now with Samba 4
> it would be possible to do with Kerberos.

You probably could use Samba 4 in the same way as you used Samba 3,
but then it wouldn't be AD.

What you are trying to do isn't easy, if it was, Microsoft wouldn't
have gone to all the trouble of creating AD.

You are not the first to try and get AD to work with your setup,
rather than getting your setup to work with AD. Believe me, it will be
easier to do the latter rather than the former.

Rowland
 


Re: Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

I currently have the following configuration:


  * My "authentication" servers are Samba 4 "classic" domain controllers.
  * Samba uses an LDAP backend (specifically Oracle Directory Server).
    The user accounts have both unix and samba attributes.
  * The authentication servers are also configured as Oracle Solaris
    kerberos KDCs. The kerberos principal and password data is
    also stored in LDAP.


Active directory doesn't play a role.

The result is that one user account can be used to authenticate windows
clients (joined to the domain) and unix clients (using kerberos) and
internal web sites that use LDAP authentication. The catch is that each
user actually has 3 passwords (one for kerberos, one for windows, one
for ldap.) The work around is to have the samba password sync script
change ldap and kerberos passwords at the same time a user changes his
or her windows password. Unix users will use the smbpasswd command
to change passwords.


Since I have Oracle KDC with Oracle LDAP server on Oracle Solaris OS,
integrating kerberos and LDAP is not that difficult. You still use
kadmin to manage kerberos principals. Having kerberos data in LDAP
makes replicating data between multi-master KDCs much easier.

On 04/27/17 09:22, S P Arif Sahari Wibowo via samba wrote:

> On 2017-04-27, 07:13, Gaiseric Vandal via samba wrote:
>> A Samba AD directory server (domain controller) is its own kerberos
>> server. I don't see how you could configure it to use another KDC.
>
> I don't know Kerberos much, so I am wondering can something like this
> be "delegated"?
>
>> Depending on how many computers in your environment, it may be easier
>> to have the non-AD Kerberos clients use the Samba DC as the KDC.
>
> Definitely not easier in my case. The current OpenLDAP & Kerberos
> server will definitely stay and most services will still use it. I
> need to get a way for MS Windows to mount shares from my server using
> credentials from existing OpenLDAP & Kerberos authentication system.
>
> Thank you.
>


Re: Samba authentication using non-AD Kerberos?

On 2017-04-27, 07:41, Rowland Penny via samba wrote:
> You probably could use Samba 4 in the same way as you used
> Samba 3,

For security and maintainability reasons, it is not an option.

> You are not the first to try and get AD to work with your
> setup, rather than getting your setup to work with AD. Believe
> me, it will be easier to do the later rather than the former.

As I said before, the latter is not an option, and I don't
control that.

--
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___      http://www.arifsaha.com/
  ____/ /     /   / ____/


Re: Samba authentication using non-AD Kerberos?

On Thu, 2017-04-27 at 07:17 -0600, S P Arif Sahari Wibowo via samba
wrote:
> In the old days (Samba 3), it could use LDAP for login but
> did that by storing the password in an LDAP field using insecure
> encryption, and I cannot do that now.

To be clear, as I think Rowland has already mentioned, (almost)
everything that Samba could do previously with 'Samba 3', it can still
do.

If your LDAP/Kerberos system has dropped storing the sambaNTPassword
however, then that change on your end is not something we can do
anything about.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

On Thu, 2017-04-27 at 07:22 -0600, S P Arif Sahari Wibowo via samba
wrote:
> On 2017-04-27, 07:13, Gaiseric Vandal via samba wrote:
> > A Samba AD directory server (domain controller) is its own 
> > kerberos server. I don't see how you could configure it to use 
> > another KDC.
>
> I don't know Kerberos much, so I am wondering can something like
> this be "delegated"?

This is the (unimplemented) 'MIT Trust' I described earlier.

> > Depending on how many computers in your environment, it may be
> > easier to have the non-AD Kerberos clients use the Samba DC
> > as the KDC.
>
> Definitely not easier in my case. The current OpenLDAP & 
> Kerberos server will definitely stay and most services will 
> still use it. I need to get a way for MS Windows to mount shares 
> from my server using credentials from existing OpenLDAP & 
> Kerberos authentication system.

Then I don't really see a practical way out.  I'm surprised you lasted
so long into 2017 with the Windows clients unconnected to this system
(this isn't really a Samba issue at this point), but the infinite
variety in IT systems in this world never ceases to amaze me.

I wish you the very best with your deployment, however you choose to
handle it.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

