Users and groups on member server without ssh

Samba - General mailing list
Hello,

I've a member server that is working fine as shared folder server (all
shares work and their permissions). My problem is that when I add the
nsswitch winbind entries then the server uses the DC to authenticate even
when I use ssh, so if the Samba DC server fails I have problems logging into
the member server.

My nsswitch:
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


And my smb.conf:
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
server role = member server
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999

winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes

Is there any way to avoid that authentication method and use only the local
one? (I use tools like setfacl to change permissions so I need access to
domain users/groups).

Thanks and greetings!!

--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Users and groups on member server without ssh

On Wed, 27 Sep 2017 15:46:42 +0200
Daniel Carrasco via samba <[hidden email]> wrote:
Try adding 'winbind offline logon = yes', this will allow
authentication even when the DC cannot be reached.

I would also remove the 'winbind enum' lines, you do not need them,
they only really allow the printing of all the users and groups.

Rowland


Re: Users and groups on member server without ssh

It's all what you want.. You have a ton of options to do this.
But every server has a "first" user and by default unix accounts are allowed through pam.
The first user also has sudo rights, so let's call him linuxadmin.

In debian install ssh-krb5, that enables kerberos authorisation. ( ssh is reloaded automatically )
And install : libpam-krb5 to make it all work, if not installed.

I've added this to my sshd_config.
# Allow groups ( linux and windows groups )
AllowGroups sshgroup servers-ssh

Now 2 groups.
Sshgroup is a full linux group.
addgroup sshgroup
adduser linuxadmin sshgroup

The servers-ssh is a windows group used on all servers.
That allows my windows (group member) users to login.
Any member of one of these groups is allowed.

If all DCs are down, I login with the linuxadmin. ( but I have 2 DCs and, if you can, set up a second one too. )
And if, as Rowland suggested, you added:
'winbind offline logon = yes'

You can also use the winbind Pam.
Which looks like this.

cat /usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
        optional                        pam_winbind.so

If you add the above to the location it's coming from.
Now if you run: pam-auth-update
Just select what you want to enable. ( keeping all on is advised )
What you see here results in the following.

1) try SSO auth kerberos
2) if fail, try winbind
3) if fail, use linuxadmin

Now you can always login.
Except... When you down your server ;-)


Greetz,

Louis





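A small offline check of the setup Rowland and Louis describe above (a local break-glass admin in an sshd AllowGroups group, plus 'winbind offline logon = yes'). This is an added example, not code from either reply; the file contents, the linuxadmin user and the sshgroup/servers-ssh groups are constructed samples mirroring the thread.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a member server keeps a
# local "break-glass" ssh path when the DC is unreachable. All file names
# and the user/group names below are constructed samples, not a real host.

# Print the AllowGroups list from an sshd_config (last directive wins).
allow_groups() {
    awk 'tolower($1)=="allowgroups" {$1=""; g=$0} END {sub(/^ +/,"",g); print g}' "$1"
}

# 0 if user $2 is a supplementary member of group $3 in group file $1.
in_group() {
    awk -F: -v u="$2" -v g="$3" \
        '$1==g {n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]==u) found=1}
         END {exit !found}' "$1"
}

# 0 if user $2 exists in the local passwd file $1 (survives a DC outage).
local_user() {
    awk -F: -v u="$2" '$1==u {found=1} END {exit !found}' "$1"
}

# 0 if smb.conf $1 sets "winbind offline logon = yes" (Rowland's advice).
offline_logon_enabled() {
    grep -Eiq '^[[:space:]]*winbind[[:space:]]+offline[[:space:]]+logon[[:space:]]*=[[:space:]]*yes' "$1"
}

# 0 if local user $4 is in at least one AllowGroups group, i.e. can still
# reach the box over ssh when winbind cannot answer (Louis's linuxadmin).
breakglass_ok() {
    passwd_f=$1; group_f=$2; sshd_f=$3; user=$4
    local_user "$passwd_f" "$user" || return 1
    for g in $(allow_groups "$sshd_f"); do
        in_group "$group_f" "$user" "$g" && return 0
    done
    return 1
}

# Constructed sample files mirroring the thread's setup.
TMP=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nlinuxadmin:x:1000:1000::/home/linuxadmin:/bin/bash\n' >"$TMP/passwd"
printf 'sudo:x:27:linuxadmin\nsshgroup:x:1001:linuxadmin\n' >"$TMP/group"
printf '# Allow groups ( linux and windows groups )\nAllowGroups sshgroup servers-ssh\n' >"$TMP/sshd_config"
printf '[global]\nworkgroup = DOMAIN\nsecurity = ADS\nwinbind offline logon = yes\n' >"$TMP/smb.conf"

breakglass_ok "$TMP/passwd" "$TMP/group" "$TMP/sshd_config" linuxadmin && echo "linuxadmin: ssh ok without DC"
offline_logon_enabled "$TMP/smb.conf" && echo "winbind offline logon enabled"
```

Point the functions at /etc/passwd, /etc/group, /etc/ssh/sshd_config and /etc/samba/smb.conf to check a real member server; primary group membership from passwd is deliberately not considered.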