kerberos + winbind + AD authentication for samba 4 domain member


kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
Hello,

I'm setting up AD user logins for a centos 7.4 box. I've almost managed to
do everything the way I want and the way I think it should be, but I'm
missing the last piece:

   For ssh access I read parts of the
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on

Most docs recommend using the setting in smb.conf:
winbind use default domain = no

That means that all domain users have the DOMAIN\ prefix attached. As per
the aforementioned wiki document I made the workaround for authentication
in krb5.conf, and it works OK.

What isn't working is "kinit" as-is for a logged in AD user. To be more
precise: it works if I explicitly specify the username
kinit myusername
or
kinit [hidden email]
It works as expected (asks for password and grants ticket).

Otherwise plain "kinit" by default uses the posix username, which in this
case is DOMAIN\myusername, so it looks for:
[hidden email] and fails with no principal found in
database (and rightly so), because obviously it should use
[hidden email].

I know it's not strictly samba related, and I could simply change
winbind use default domain = yes
as a workaround; this way everything works as expected, except that in
all docs it's described as a not recommended setup, because of possible
confusion about which user is from DOMAIN and which is local, and of course
when multiple domains come into play.

So maybe someone knows of a valid workaround, how to force kinit to
automatically remove/strip the DOMAIN prefix from e.g.
[hidden email] and change it into
[hidden email]? My understanding is that krb5.conf
"auth_to_local" works the other way around: it takes a valid principal
and rewrites it so that it matches the posix user, and won't work in this
case, as it's the other way round (the posix user has to be translated into
a valid principal).

My environment is:
centos 7.4 OS
samba 4.5.x is the AD DC
samba 4.6.9 is domain member server and all tests are done on this machine.

As I said, kerberos overall works fine, and it's not strictly a samba
issue, but the issue is because of the samba configuration and the added
DOMAIN prefix.

Any help/input/comments are appreciated.

Regards, Kacper


---
This message has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
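The two name mappings the original post describes, as an added example that is not code from the thread, from Samba or from MIT krb5: a bare `kinit` derives its principal from the credential cache or, failing that, from the POSIX login name (so `DOMAIN\user` becomes `DOMAIN\user@REALM`), while `auth_to_local` only maps in the opposite direction (principal to local name). The RULE parser is a small subset of MIT krb5's `RULE:[n:string](regexp)s/pattern/replacement/` syntax; the realm, user name, rules and the assumption that `winbind separator` is the default backslash are made up for the example.

```python
r"""
Added example (not thread, Samba or MIT krb5 code): simulate what a bare
`kinit` uses as principal and what an auth_to_local rule does with a
principal, to show why no auth_to_local rule can fix a bare `kinit`.

Simplifications: the RULE parser supports RULE:[n:string](regexp)s/pat/repl/
with $0 = realm and $1..$n = principal components only, and real libkrb5 also
treats '\' as an escape character when parsing principal names, which is
ignored here. Realm, user and rules are assumptions for the example.
"""
import re
from typing import List, Optional, Tuple

DEFAULT_REALM = "AD.MYDOMAIN.COM"   # assumed realm, as in the thread
WINBIND_SEPARATOR = "\\"            # assumed: Samba's default 'winbind separator'


def kinit_default_principal(ccache_principal: Optional[str], login_name: str,
                            realm: str = DEFAULT_REALM) -> str:
    """Principal a bare `kinit` tries: the default principal of the existing
    credential cache (None if empty or kdestroy'ed), else the POSIX login
    name with the default realm appended."""
    if ccache_principal:
        return ccache_principal      # the 'it works after one explicit kinit' effect
    if "@" in login_name:
        return login_name
    return f"{login_name}@{realm}"   # DOMAIN\user -> DOMAIN\user@REALM, unknown to the KDC


def login_to_principal(login_name: str, realm: str = DEFAULT_REALM,
                       sep: str = WINBIND_SEPARATOR) -> str:
    """POSIX name -> principal: strip the winbind DOMAIN prefix. This is the
    direction the poster wants; it has to be done by the caller (passing the
    stripped name to kinit), not by auth_to_local."""
    domain, found, user = login_name.partition(sep)
    return f"{user if found else domain}@{realm}"


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'a/b@REALM' -> (['a', 'b'], 'REALM')"""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/([gG]?))?$")


def auth_to_local(principal: str, rules: List[str],
                  realm: str = DEFAULT_REALM) -> Optional[str]:
    """Principal -> local account name. Rules are tried in order and the first
    one that applies wins; None when no rule applies."""
    comps, prealm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":        # single-component principal of the default realm
            if prealm == realm and len(comps) == 1:
                return comps[0]
            continue
        m = _RULE_RE.match(rule)
        if not m:
            raise ValueError(f"unsupported rule: {rule}")
        ncomp, fmt, selector, pattern, repl, flag = m.groups()
        if len(comps) != int(ncomp):
            continue                 # rule is for a different component count
        name = fmt.replace("$0", prealm)
        for i, comp in enumerate(comps, start=1):
            name = name.replace(f"${i}", comp)
        if selector and not re.fullmatch(selector, name):
            continue                 # selector regexp must match the whole string
        if pattern:
            name = re.sub(pattern, repl, name, count=0 if flag else 1)
        return name
    return None


if __name__ == "__main__":
    login = "DOMAIN\\kacper_wirski"
    print("bare kinit, empty cache :", kinit_default_principal(None, login))
    print("bare kinit, after kinit :",
          kinit_default_principal("kacper_wirski@AD.MYDOMAIN.COM", login))
    print("what kinit should use   :", login_to_principal(login))
    print("auth_to_local           :",
          auth_to_local("kacper_wirski@AD.MYDOMAIN.COM", ["RULE:[1:DOMAIN\\$1]"]))
```

The point of the two directions: `auth_to_local` is consulted when a ticket arrives (sshd's GSSAPI login), which is why the rule makes ticket-based ssh work, while a bare `kinit` never consults it.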

Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
On Tue, 31 Oct 2017 22:46:53 +0100
Kacper Wirski via samba <[hidden email]> wrote:


You have something set up incorrectly, if I log into a Unix domain
member and run 'kinit', it works:

rowland@devstation:~$ whoami
SAMDOM\rowland
rowland@devstation:~$ kinit
Password for [hidden email]:
rowland@devstation:~$

It also works on a DC.

Can you post the following files:
/etc/resolv.conf
/etc/hosts
/etc/hostname
/etc/krb5.conf
/etc/samba/smb.conf

Rowland



Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
Hello,

Thank you for the fast response. I'm glad that it's a mistake somewhere on
my side; it means it will work when I fix it :)

Ok, first of all:


Everything is on centos 7.4

All config files will be below, but to start off: the behaviour is stranger
than I thought, but there is a pattern:

when doing

[DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
Using default cache: /tmp/krb5cc_101003
Using principal: [hidden email]
kinit: Client '[hidden email]' not found in
Kerberos database while getting initial credentials


but then when I do:

[DOMAIN\kacper_wirski@vs-files ~]$ kinit kacper_wirski -V
Using default cache: /tmp/krb5cc_101003
Using principal: [hidden email]
Password for [hidden email]:
Warning: Your password will expire in 15 days on Thu 16 Nov 2017
01:50:48 PM CET
Authenticated to Kerberos v5


and after this, user DOMAIN\kacper_wirski can do "kinit", and it
correctly defaults to principal "[hidden email]":

[DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
Using principal: [hidden email]
Password for [hidden email]:


I don't know what gives. After a full reboot it still works for "this"
user. When I log in as DOMAIN\someotheruser it behaves exactly the same
(first it adds the DOMAIN prefix, then once a ticket is obtained correctly,
it seems to work...)

kerberos ssh authentication (windows via putty to centos with samba 4)
works perfectly:

Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to
DOMAIN\\kacper_wirski, krb5 principal [hidden email]
(ssh_gssapi_krb5_cmdok)
Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]:
pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski' granted access
Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted
gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32 port 55825 ssh

All file shares hosted by samba are correctly available to windows clients.

First of all:

On the test box I'm using samba 4.6.9 compiled from source.

configure was run with simple --with-systemd --without-ad-dc

/etc/resolv.conf:

# Generated by NetworkManager
search ad.mydomain.com
nameserver 192.168.1.5
nameserver 192.168.1.6
nameserver 192.168.1.7

all three IPs are DCs with DNS; all work correctly

/etc/hostname
vs-files.ad.mydomain.com

/etc/hosts
192.168.1.13 vs-files.ad.mydomain.com vs-files
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

/etc/krb5.conf
[libdefaults]
    default_realm = AD.MYDOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    AD.MYDOMAIN.COM = {
        auth_to_local = RULE:[1:MYDOMAIN\$1]
        }

The above rule is taken directly from the linked samba wiki guide, and
it really works (without it I can't log in with a kerberos ticket, unless I
drop the "DOMAIN\" part using "winbind use default domain = yes").

samba also auto-created its own krb5.conf.DOMAIN file during net ads
join (in /usr/local/samba/var/lock/smb_krb5/):
[libdefaults]
        default_realm = AD.MYDOMAIN.COM
        default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        dns_lookup_realm = false

[realms]
        AD.MYDOMAIN.COM = {
                kdc = 192.168.1.5
                kdc = 192.168.1.6
                kdc = 192.168.1.7
        }


/etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind

And last but not least:

/usr/local/samba/etc/smb.conf (I compiled from source, so all samba
files reside in /usr/local/samba/...)
[global]
        security = ADS
        netbios name = VS-FILES
        workgroup = DOMAIN
        realm = AD.MYDOMAIN.COM
        log file = /var/log/samba/%m.log
        log level = 5

   idmap config *:backend = tdb
   idmap config * : range = 1000-2000
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 100000-110000

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        template homedir = /home/%U@%D
        template shell = /bin/bash
        winbind enum groups = no
        winbind enum users = no
        kerberos method = secrets and keytab
        winbind refresh tickets = yes
        winbind use default domain = no
        winbind offline logon = yes

Example output, when being logged as DOMAIN\kacper_wirski (login was
using kerberos, as shown in log, no password was required):
[DOMAIN\kacper_wirski@vs-files ~]$ whoami
DOMAIN\kacper_wirski
[DOMAIN\kacper_wirski@vs-files ~]$ id
uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users)
groups=100513(DOMAIN\domain users)... and some other groups from domain

but then:
[DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
Using default cache: /tmp/krb5cc_101003
Using principal: [hidden email]
kinit: Client '[hidden email]' not found in
Kerberos database while getting initial credentials

if I do:

[DOMAIN\kacper_wirski@vs-files ~]$ kinit kacper_wirski -V
Using default cache: /tmp/krb5cc_101003
Using principal: [hidden email]
Password for [hidden email]:
Warning: Your password will expire in 15 days on Thu 16 Nov 2017
01:50:48 PM CET
Authenticated to Kerberos v5

then:
[DOMAIN\kacper_wirski@vs-files ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_101003
Default principal: [hidden email]

Valid starting       Expires              Service principal
11/01/2017 12:32:36  11/01/2017 22:32:36
krbtgt/[hidden email]
         renew until 11/02/2017 12:32:31

commands like:
wbinfo -u etc. everything works, except for the "default principal" used
when doing kinit.




Please help me understand, where else to look?

Could the RULE in krb5.conf be causing all this? I removed it, restarted
whole machine, but it didn't change much.

On 2017-10-31 at 23:20, Rowland Penny wrote:





Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
Also, I rushed my response:

The behaviour is not strange; the default principal was taken from the cache.

So if I run:

[DOMAIN\kacper_wirski@vs-files ~]$ kdestroy

the error returns (kinit uses [hidden email] as
the kerberos principal).



On 2017-11-01 at 13:11, Kacper Wirski wrote:





Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
Hi,

Now, I'll start with: I know (almost) nothing about centos, and I compared your debug output with my debug output.
Now, I'll give some pointers to check.

If ssh is going through PAM, then check whether you have things like this:

password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
(and remember these configs are from Debian Stretch)

The server in question, does it have delegate rights (set in ADUC)?

Using principal: [hidden email]
is missing a \
If you go through your logs, you see: DOMAIN\\[hidden email] (see the putty log part)

> > [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: [hidden email]
> > kinit: Client '[hidden email]' not found in
> > Kerberos database while getting initial credentials

This shows that the separator is your problem.
You can try it again with setting the separator to "/" and not "\"
And maybe you should try this one first.

[realms]
    SAMDOM.EXAMPLE.COM = {
        auth_to_local = RULE:[1:SAMDOM\\$1]
#or  auth_to_local = RULE:[1:SAMDOM/$1]
    }

PS: / is replaced by \ in most config setups, even in Windows, but again, I don't know about centos.

That's the best I can say about your setup.
I hope it helps you a bit more in the right direction.
I'd say, check the above, try it out and report back.


Greetz,

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:[hidden email]] Namens
> Kacper Wirski via samba
> Verzonden: woensdag 1 november 2017 13:17
> Aan: Rowland Penny; [hidden email]
> Onderwerp: Re: [Samba] kerberos + winbind + AD authentication
> for samba 4 domain member
>
> Also I rushed my response:
>
> Behaviour is not strange, default principal was taken from cache.
>
> So if run:
>
> [DOMAIN\kacper_wirski@vs-files ~]$ kdestroy
>
> Error returns (kinit uses [hidden email] as
> kerberos principal).
>
>
>
> W dniu 2017-11-01 o 13:11, Kacper Wirski pisze:
> >
> > Hello,
> >
> > Thank You for fast response. I'm glad that it's a mistake
> somewhere on
> > my side, it means it will work when I fix it :)
> >
> > Ok, first of all:
> >
> >
> > Everything is on centos 7.4
> >
> > All config files will be below, but to start off: behaviour is
> > stranger than I thought, but there is a pattern:
> >
> > when doing
> >
> > [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: [hidden email]
> > kinit: Client '[hidden email]' not found in
> > Kerberos database while getting initial credentials
> >
> >
> > but then when I do:
> >
> > [DOMAIN\kacper_wirski@vs-files ~]$ kinit kacper_wirski -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: [hidden email]
> > Password for [hidden email]:
> > Warning: Your password will expire in 15 days on Thu 16 Nov 2017
> > 01:50:48 PM CET
> > Authenticated to Kerberos v5
> >
> >
> > and after this, user DOMAIN\kacper_wirski can do "kinit", and it
> > correctly defaults to principal "[hidden email]":
> >
> > [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> > Using principal: [hidden email]
> > Password for [hidden email]:
> >
> >
> > I don't know what gives. After full reboot it still works
> for "this"
> > user. When I log as DOMAIN\someotheruser it behaves exactly
> the same
> > (first adds DOMAIN prefix, then when once ticket is obtained
> > correctly, it seems to work...)
> >
> > kerberos ssh authentication (windows via putty to centos
> with samba 4)
> > works perfectly:
> >
> > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to
> > DOMAIN\\kacper_wirski, krb5 principal [hidden email]
> > (ssh_gssapi_krb5_cmdok)
> > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]:
> > pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski'
> granted access
> > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted
> > gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32
> port 55825 ssh
> >
> > All file shares hosted by samba are correctly available to windows
> > clients.
> >
> > First of all:
> >
> > On test box I'm using samba 4.6.9 compiled from source.
> >
> > configure was run with simple --with-systemd --without-ad-dc
> >
> > //etc/resolv.conf:/
> >
> > //
> >
> > /# Generated by NetworkManager//
> > //search ad.mydomain.com//
> > //nameserver 192.168.1.5//
> > //nameserver 192.168.1.6//
> > //nameserver 192.168.1.7/
> >
> > all three IP's are DC's with DNS all work correctly
> >
> > //etc/hostname//
> > //vs-files.ad.mydomain.com/
> >
> > //etc/hosts//
> > //192.168.1.13 vs-files.ad.mydomain.com vs-files//
> > //127.0.0.1   localhost localhost.localdomain localhost4
> > localhost4.localdomain4//
> > //::1         localhost localhost.localdomain localhost6
> > localhost6.localdomain6/
> >
> > //etc/krb5.conf//
> > //[libdefaults]//
> > //    default_realm = AD.MYDOMAIN.COM//
> > //    dns_lookup_realm = true//
> > //    dns_lookup_kdc = true//
> > ////
> > //[realms]//
> > //    AD.MYDOMAIN.COM = {//
> > //        auth_to_local = RULE:[1:MYDOMAIN\$1]//
> > //        }/
> >
> > The above rule is taken directly from the linked samba wiki
> guide, and
> > it really works (without it I won't login with kerberos
> ticket, unless
> > I drop "DOMAIN\" part using "winbind use default domain = yes".
> >
> > samba also auto-created it's own krb5.conf.DOMAIN file
> during net ads
> > join (in /usr/local/samba/var/lock/smb_krb5/
> > /[libdefaults]//
> > //        default_realm = AD.MYDOMAIN.COM//
> > //        default_etypes = aes256-cts-hmac-sha1-96
> > aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5//
> > //        dns_lookup_realm = false//
> > //
> > //[realms]//
> > //        AD.MYDOMAIN.COM = {//
> > //                kdc = 192.168.1.5//
> > //                kdc = 192.168.1.6//
> > //                kdc = 192.168.1.7//
> > //        }/
> >
> >
> > /etc/nsswitch.conf
> > /passwd: files winbind//
> > //shadow: files//
> > //group: files winbind/
> >
> > And last but not least:
> >
> > /usr/local/samba/etc/smb.conf (I compiled from source, so all samba
> > files reside in /usr/local/samba/...)
> > [global]
> >         security = ADS
> >         netbios name = VS-FILES
> >         workgroup = DOMAIN
> >         realm = AD.MYDOMAIN.COM
> >         log file = /var/log/samba/%m.log
> >         log level = 5
> >
> >    idmap config *:backend = tdb
> >    idmap config * : range = 1000-2000
> >    idmap config DOMAIN:backend = rid
> >    idmap config DOMAIN:range = 100000-110000
> >
> >         vfs objects = acl_xattr
> >         map acl inherit = yes
> >         store dos attributes = yes
> >         template homedir = /home/%U@%D
> >         template shell = /bin/bash
> >         winbind enum groups = no
> >         winbind enum users = no
> >         kerberos method = secrets and keytab
> >         winbind refresh tickets = yes
> >         winbind use default domain = no
> >         winbind offline logon = yes
> >
> > Example output, when logged in as DOMAIN\kacper_wirski (login was
> > using kerberos, as shown in log, no password was required):
> > [DOMAIN\kacper_wirski@vs-files ~]$ whoami
> > DOMAIN\kacper_wirski
> > [DOMAIN\kacper_wirski@vs-files ~]$ id
> > uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users)
> > groups=100513(DOMAIN\domain users)... and some other groups from domain
> >
> > but then:
> > [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: [hidden email]
> > kinit: Client '[hidden email]' not found in
> > Kerberos database while getting initial credentials
> >
> > if I do:
> >
> > [DOMAIN\kacper_wirski@vs-files ~]$ kinit kacper_wirski -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: [hidden email]
> > Password for [hidden email]:
> > Warning: Your password will expire in 15 days on Thu 16 Nov 2017
> > 01:50:48 PM CET
> > Authenticated to Kerberos v5
> >
> > then:
> > [DOMAIN\kacper_wirski@vs-files ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_101003
> > Default principal: [hidden email]
> >
> > Valid starting       Expires              Service principal
> > 11/01/2017 12:32:36  11/01/2017 22:32:36
> > krbtgt/[hidden email]
> >         renew until 11/02/2017 12:32:31
> >
> > Commands like wbinfo -u etc. all work, except for the "default principal"
> > used when doing kinit.
> >
> > Please help me understand, where else to look?
> >
> > Could the RULE in krb5.conf be causing all this? I removed it,
> > restarted whole machine, but it didn't change much.
> >
> > On 2017-10-31 at 23:20, Rowland Penny wrote:
> >> On Tue, 31 Oct 2017 22:46:53 +0100
> >> Kacper Wirski via samba<[hidden email]>  wrote:
> >>
> >>> Hello,
> >>>
> >>> I'm setting up AD user logins for a centos 7.4 box. I've almost managed
> >>> to do everything the way I want and the way I think it should be, but
> >>> I'm missing the last piece:
> >>>
> >>>     For ssh access I read parts of the
> >>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> >>>
> >>> Most docs recommend using setting in smb.conf:
> >>> winbind use default domain = no
> >>>
> >>> that means that all domain users have DOMAIN\ prefix attached. As per
> >>> the aforementioned wiki document I made the workaround for
> >>> authentication to krb5.conf, and it works OK.
> >>>
> >>> What isn't working is "kinit" as-is for logged in AD user. To be more
> >>> precise: it works if I specify explicitly username
> >>> kinit myusername
> >>> or
> >>> [hidden email]
> >>> It works as expected (asks for password and grants ticket)
> >>>
> >>>    otherwise plain "kinit" uses by default posix username, which in
> >>> this case is DOMAIN\myusername, so it looks for:
> >>> [hidden email] and fails with no principal found in
> >>> database (and rightly so), because obviously it should use
> >>> [hidden email].
> >>>
> >>> I know it's not strictly samba related, and I could simply change
> >>> winbind use default domain = yes
> >>> as a workaround, this way everything works as expected, except that
> >>> in all docs it's described as not recommended setup, because of
> >>> possible confusion which user is from DOMAIN and which is local, and
> >>> of course when multiple domains come into play.
> >>>
> >>> So maybe someone knows of a valid workaround, how to force kinit to
> >>> automatically remove/strip DOMAIN prefix from e.g.
> >>> [hidden email] and change it into
> >>> [hidden email]? My understanding is that krb5.conf
> >>> "auth_to_local" works the other way around, so it takes valid
> >>> principal, and rewrites it so that it matches posix user and won't
> >>> work in this case, as it's the other way round (posix user has to be
> >>> translated into valid principal).
> >>>
> >>> My environment is:
> >>> centos 7.4 OS
> >>> samba 4.5.x is the AD DC
> >>> samba 4.6.9 is domain member server and all tests are done on this
> >>> machine.
> >>>
> >>> As I said, kerberos overall works fine, and it's not strictly a samba
> >>> issue, but the issue is caused by the samba configuration and the added
> >>> DOMAIN prefix.
> >>>
> >>> Any help/input/comments are appreciated.
> >>>
> >>> Regards, Kacper
> >>>
> >>>
> >> You have something set up incorrectly; if I log into a Unix domain
> >> member and run 'kinit', it works:
> >>
> >> rowland@devstation:~$ whoami
> >> SAMDOM\rowland
> >> rowland@devstation:~$ kinit
> >> Password [hidden email]:
> >> rowland@devstation:~$
> >>
> >> It also works on a DC.
> >>
> >> Can you post the following files:
> >> /etc/resolv.conf
> >> /etc/hosts
> >> /etc/hostname
> >> /etc/krb5.conf
> >> /etc/samba/smb.conf
> >>
> >> Rowland
> >>
> >
> >
> >
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list


As luck would have it, I installed a Samba Unix domain member on Fedora
26 yesterday, so I started it again and it works on that as well, so
it should work on Centos.

See comments below:

On Wed, 1 Nov 2017 13:11:29 +0100
Kacper Wirski <[hidden email]> wrote:

> Hello,
>
> Thank You for fast response. I'm glad that it's a mistake somewhere
> on my side, it means it will work when I fix it :)
>
> Ok, first of all:
>
>
> Everything is on centos 7.4
>
> All config files will be below, but to start off: behaviour is
> stranger than I thought, but there is a pattern:
>
> when doing
>
> [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: [hidden email]
> kinit: Client '[hidden email]' not found in
> Kerberos database while getting initial credentials
>
>
> but then when I do:
>
> [DOMAIN\kacper_wirski@vs-files ~]$ kinit kacper_wirski -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: [hidden email]
> Password for [hidden email]:
> Warning: Your password will expire in 15 days on Thu 16 Nov 2017
> 01:50:48 PM CET
> Authenticated to Kerberos v5
>
>
> and after this, user DOMAIN\kacper_wirski can do "kinit", and it
> correctly defaults to principal "[hidden email]":
>
> [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> Using principal: [hidden email]
> Password for [hidden email]:
>
>
> I don't know what gives. After full reboot it still works for "this"
> user. When I log as DOMAIN\someotheruser it behaves exactly the same
> (first adds DOMAIN prefix, then when once ticket is obtained
> correctly, it seems to work...)

No idea why this is happening, all I can say is, it doesn't work like
that on Devuan, it just works ;-)

> /etc/hostname
> vs-files.ad.mydomain.com

The FQDN is not the hostname, why does Red Hat do this?
I would change this to:

vs-files

>
> /etc/hosts
> 192.168.1.13 vs-files.ad.mydomain.com vs-files
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

There is no such thing as 'localdomain', I would change this to:

127.0.0.1 localhost
::1 localhost
192.168.1.13 vs-files.ad.mydomain.com vs-files

>
> /etc/krb5.conf
> [libdefaults]
>     default_realm = AD.MYDOMAIN.COM
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>
> [realms]
>     AD.MYDOMAIN.COM = {
>         auth_to_local = RULE:[1:MYDOMAIN\$1]
>         }
>
> The above rule is taken directly from the linked samba wiki guide,
> and it really works (without it I can't log in with a kerberos ticket,
> unless I drop the "DOMAIN\" part using "winbind use default domain = yes").

It should be 'dns_lookup_realm = false'

>
> samba also auto-created its own krb5.conf.DOMAIN file during net ads
> join (in /usr/local/samba/var/lock/smb_krb5/):
> [libdefaults]
>         default_realm = AD.MYDOMAIN.COM
>         default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>         dns_lookup_realm = false
>
> [realms]
>         AD.MYDOMAIN.COM = {
>                 kdc = 192.168.1.5
>                 kdc = 192.168.1.6
>                 kdc = 192.168.1.7
>         }
>

I have never seen a Samba created krb5.conf like that

>
> /usr/local/samba/etc/smb.conf (I compiled from source, so all samba
> files reside in /usr/local/samba/...)
> [global]
>         security = ADS
>         netbios name = VS-FILES
>         workgroup = DOMAIN
>         realm = AD.MYDOMAIN.COM
>         log file = /var/log/samba/%m.log
>         log level = 5
>
>    idmap config *:backend = tdb
>    idmap config * : range = 1000-2000
>    idmap config DOMAIN:backend = rid
>    idmap config DOMAIN:range = 100000-110000
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         template homedir = /home/%U@%D

I would have used '/home/%D/%U'

I changed the files on my Fedora 26 machine to match the Samba wikipage
you referred to and it still works, I can login as a domain user and
run 'kinit' and it works:

[SAMDOM\rowland@f26 ~]$ kinit
Password for [hidden email]:
[SAMDOM\rowland@f26 ~]$

Rowland


Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
On Wed, 1 Nov 2017 17:41:14 +0100 (CET)
"k.wirski babkamedica.pl" <[hidden email]> wrote:

> Thank You,
>
> /etc/hostname I set it myself, never seen an issue with FQDN, I'll
> change it
>
> localdomain in /etc/hosts is from the default config
>
> this auto krb5.conf.DOMAIN - could it be, that by default samba
> builds with Heimdal, and centos (as RHEL) uses MIT krb, and
> something in /etc/krb5.conf was not ok during join, for whatever
> reason? The "auth_to_local" is MIT kerberos specific.
>
> Also auth_to_local is used when logging to machine, and my issue with
> kinit is when mapping is done from local to UPN.
>
>
> I removed whole /usr/local/samba dir, installed from scratch,
> re-added to domain, recreated krb5.keytab, and issue is 100% the same.
>
>
> I tried changing winbind separator from default to + and changed
> krb5.conf rule accordingly, it changed nothing. Issue is not with
> kerberos for login, it works a-ok. The issue is that for whatever
> reason POSIX user is used with full name as principal.
>
> When I changed winbind separator, my posix user was
> "DOMAIN+kacper_wirski", and "kinit" used
>
> [hidden email] as principal.
>
>
> I consider setting up new machine from scratch from centos minimal
> and go from there or I'll take my risks and set "use default domain =
> yes", then everything works perfectly.
>
>
> Can this issue be caused by something outside this machine, and
> something wrong with the domain overall? I don't believe it, since it
> seems very local OS specific, but maybe it is?
>

All I can say is that when I set up Fedora 26 yesterday in the way I
would set up a Devuan computer, 'kinit' works in the way you want.

You are correct in that Samba uses Heimdal rather than MIT, but this is
supplied with Samba and is only used if you compile for a DC, you
haven't.

Whilst it isn't recommended to use 'use default domain = yes' it is
used rather a lot. The only time it definitely shouldn't be used is if
you have more than one DOMAIN set in smb.conf

If it helps, I can send you the notes I made whilst setting up Fedora 26

Rowland


Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
I'm going to start with clean centos install, so I might as well use some
additional guidelines, thank You.

When You run kinit, does Your user have ticket already? What I noticed is
that when user has a ticket already, kinit works fine, uses as default
principal the one from ticket.
Can you do kdestroy - then kinit?

Also, on Fedora, did You install samba from source or from repo's RPM?

And last question - for PAM did You manually edit system-auth, or with
authconfig?
After I do some tests later on, I will update with whatever I manage to
find/debug.

Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
On Wed, 1 Nov 2017 20:28:05 +0100
Kacper Wirski <[hidden email]> wrote:

> I'm going to start with clean centos install, so I might as well use
> some additional guidelines, thank You.
>
> When You run kinit, does Your user have ticket already? What I
> noticed is that when user has a ticket already, kinit works fine,
> uses as default principal the one from ticket.
> Can you do kdestroy - then kinit?
>
> Also, on Fedora, did You install samba from source or from repo's RPM?
>
> And last question - for PAM did You manually edit system-auth, or with
> authconfig?
> After I do some tests later on, I will update with whatever I manage
> to find/debug.
>

I realised I had a Centos 7 VM, so I started this, updated it to 7.4,
set 'winbind use default domain = no', then logged in and ran
'kinit'. I finally get your problem!!!

Let me get back to you

Rowland


Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
OK, I am back ;-)

I understand it now, sigh
This is what I think is happening:
When you kinit as the user, it uses whatever is returned by nsswitch,
but, as a single '\' is treated as an escape character and is
removed, you get DOMAINusername. If you use something else as the
winbind separator e.g. ':' you will get DOMAIN:username, but this
still will not get you anywhere. You will get this:

kinit: Client 'SAMDOM:[hidden email]' not found in
Kerberos database while getting initial credentials

It was this that pointed me in the right direction.
If you check the user's object in AD, you will find the
userPrincipalName attribute; this will contain something like:

[hidden email]

This is what kinit is looking for and if you run 'kinit rowland', this
will work and if you run 'klist' you will find that the 'Default
principal' is [hidden email]

Net result, you will have to use 'winbind use default domain = yes'

Rowland
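
To make the one-way nature of the mapping concrete, here is an added Python model (written for this page; it is not code from the thread, from Samba or from MIT krb5) of the two steps the thread keeps running into: how kinit derives a default client principal when no name is given (the principal of an existing ticket cache if there is one, otherwise the login name passed through the backslash handling of MIT krb5_parse_name, here simplified), and how an MIT auth_to_local RULE maps a principal to a local name. It assumes the thread's realm AD.MYDOMAIN.COM and writes the wiki rule with the workgroup DOMAIN rather than the MYDOMAIN shown in the posted krb5.conf, so that the result agrees with the whoami output DOMAIN\kacper_wirski; the RULE parser only covers the [n:string](regexp)s/pattern/replacement/ form and the DEFAULT rule. It also covers the cached-ticket case from the later post about credential delegation.

```python
import re
from typing import List, Optional, Tuple

DEFAULT_REALM = "AD.MYDOMAIN.COM"   # realm from the thread's krb5.conf
# Wiki-style rule written with the thread's workgroup name (assumption: the
# posted krb5.conf says MYDOMAIN, but whoami shows DOMAIN\kacper_wirski).
WIKI_RULE = r"RULE:[1:DOMAIN\$1]"

# Model of the escape handling in MIT krb5_parse_name(): a backslash escapes
# the next character; \n \t \b \0 become control characters, any other
# escaped character is kept and the backslash itself is dropped.
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def krb5_unescape(name: str) -> str:
    out, i = [], 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):
            out.append(_ESCAPES.get(name[i + 1], name[i + 1]))
            i += 2
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into its name components and realm."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


# RULE:[n:string](regexp)s/pattern/replacement/  (regexp and s/// optional)
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?$")


def apply_auth_to_local(rule: str, principal: str,
                        default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Map a Kerberos principal to a local user name, or None if the rule
    does not apply. This direction (principal -> POSIX name) is the only one
    auth_to_local performs."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: single-component principals in the default realm map to
        # their first component, everything else is rejected.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    ncomp, fmt, match_re, sub_pat, sub_rep, gflag = m.groups()
    if len(comps) != int(ncomp):
        return None                      # rule only fires for n components
    out = fmt.replace("$0", realm)       # $0 is the realm, $1..$n components
    for i, comp in enumerate(comps, start=1):
        out = out.replace(f"${i}", comp)
    if match_re is not None and re.search(match_re, out) is None:
        return None
    if sub_pat is not None:
        out = re.sub(sub_pat, sub_rep, out, count=0 if gflag else 1)
    return out


def kinit_default_principal(posix_user: str,
                            cache_principal: Optional[str] = None,
                            realm: str = DEFAULT_REALM) -> str:
    """Model of the client principal kinit uses when none is given: the
    principal of an existing ticket cache wins, otherwise the login name
    becomes a single-component principal in the default realm."""
    if cache_principal:
        return cache_principal
    return f"{krb5_unescape(posix_user)}@{realm}"


def round_trips(rule: str, posix_user: str) -> bool:
    """True if the principal kinit guesses from the POSIX name maps back to
    that same POSIX name under the given auth_to_local rule."""
    return apply_auth_to_local(rule, kinit_default_principal(posix_user)) == posix_user


if __name__ == "__main__":
    for user in ("DOMAIN\\kacper_wirski", "DOMAIN+kacper_wirski", "kacper_wirski"):
        print(f"{user:22} -> kinit would try {kinit_default_principal(user)}")
    print("login mapping:", apply_auth_to_local(WIKI_RULE, "kacper_wirski@AD.MYDOMAIN.COM"))
    print("round trip, use default domain = no :", round_trips(WIKI_RULE, "DOMAIN\\kacper_wirski"))
    print("round trip, use default domain = yes:", round_trips("DEFAULT", "kacper_wirski"))
    print("forwarded ticket in cache:",
          kinit_default_principal("DOMAIN\\kacper_wirski", "kacper_wirski@AD.MYDOMAIN.COM"))
```

The model shows why neither separator helps: with `\` the login name reaches the KDC as DOMAINkacper_wirski, with `+` or `:` the separator survives, and in every case the rule can only turn kacper_wirski@AD.MYDOMAIN.COM into DOMAIN\kacper_wirski, never the reverse. With 'winbind use default domain = yes' the POSIX name is the bare user name and the DEFAULT rule round-trips; with a forwarded ticket already in the cache, kinit never consults the POSIX name at all.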


Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
Ok, at least I know that it's not the fault of my configuration.

I was hoping that there may be some kerberos/kinit option to modify
systemwide default principal pattern, or maybe something could be done with
how winbind presents AD users to local OS while still.. Can't have
everything it seems.

In this case here is my follow-up question:
- how will this work on DC's? I know that winbind is integrated into main
"samba" process. I don't have test-dc right now and I can't test it, but is
it at all possible to set "use default domain = yes" on samba DC and not
impair anything? On the DC's it's not as important to me, as only few
actual domain users will ever actually log there (only admins), but still
I'd rather have as much consistency across all systems, as possible.

Regards,
Kacper

Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
On Wed, 1 Nov 2017 22:00:59 +0100
Kacper Wirski <[hidden email]> wrote:

> Ok, at least I know that it's not the fault of my configuration.
>
> I was hoping that there may be some kerberos/kinit option to modify
> systemwide default principal pattern, or maybe something could be
> done with how winbind presents AD users to local OS while still..
> Can't have everything it seems.
>
> In this case here is my follow-up question:
> - how will this work on DC's? I know that winbind is integrated into
> main "samba" process. I don't have test-dc right now and I can't test
> it, but is it at all possible to set "use default domain = yes" on
> samba DC and not impair anything? On the DC's it's not as important
> to me, as only few actual domain users will ever actually log there
> (only admins), but still I'd rather have as much consistency across
> all systems, as possible.
>
> Regards,
> Kacper
>

This is one thing that was throwing me, 'winbind use default domain =
yes' has no effect on a DC.

But:

SAMDOM\rowland@dc3:~$ whoami
SAMDOM\rowland
SAMDOM\rowland@dc3:~$ kinit
Password for [hidden email]:
SAMDOM\rowland@dc3:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_g4wijO
Default principal: [hidden email]

Like a lot of things, it works differently on a DC

Rowland



Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
Maybe try something like this, don't know if it's right, I can't test it atm, and I never used it, so..
But in krb5.conf try to match the faulty one with a rule.

auth_to_local = RULE:[1:SAMDOM:$1]
Maybe it works, maybe not, but imo try-able ;-), just an idea..

Greetz,

Louis


Re: kerberos + winbind + AD authentication for samba 4 domain member

Samba - General mailing list
I'm using this rule, it works, but it's used the other way round. It
means that principal "[hidden email]" will match local user
DOMAIN\[hidden email] BUT it doesn't work the other way
round, so local user DOMAIN\[hidden email] will not match
"[hidden email]".

I know that SSSD has a setting that allows matching kerberos principals
to local users via pattern, and it works both ways - maybe one day
winbind will have similar option:)

I am actually thinking of trying SSSD instead of winbind auth, as both
methods are equally supported on rhel/centos, except that it might cause
issues on the DC, since it's best to use either/or. Does anyone have
experience and might shed some light, is running SSSD for user domain
authorization on samba 4 DC problematic?

Also after some thought, I realized that there is a workaround to have
"everything" working with "winbind use default domain = no", and short
answer is "use credential delegation"

scenario:
in smb.conf i set "winbind use default domain = no"

kinit by default uses:
a) principal from cached ticket (if there  is one)
b) unix username (if there is no ticket)

So, if I turn on credential delegation:

When I log into a windows machine, I automatically get my ticket, then I
SSH with putty to the centos machine as DOMAIN\kacper_wirski.
I log in passwordless (kerberos is used). THEN, because of credential
delegation, I have my ticket simply forwarded, and kinit works
perfectly, because it will use by default the principal from cache, rather
than the posix username. Once I run "kdestroy", to obtain a new ticket on the
centos box I will still have to type my full username, rather than just "kinit".

Without delegation, there is no ticket in cache (nothing was forwarded),
and centos can't obtain one automatically, because of the issue already
explained before.

So there's that at least


On 2017-11-01 at 23:24, L.P.H. van Belle via samba wrote:

> Maybe try something like this, don't know if it's right, I can't test it atm, and I never used it, so..
> But in krb5.conf try to match the faulty one with a rule.
>
> auth_to_local = RULE:[1:SAMDOM:$1]
> Maybe it works, maybe not, but imo try-able ;-), just an idea..
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:[hidden email]] On behalf of
>> Kacper Wirski via samba
>> Sent: Wednesday 1 November 2017 22:01
>> To: Rowland Penny
>> CC: [hidden email]
>> Subject: Re: [Samba] kerberos + winbind + AD authentication
>> for samba 4 domain member
>>
>> Ok, at least I know that it's not the fault of my configuration.
>>
>> I was hoping that there may be some kerberos/kinit option to modify
>> systemwide default principal pattern, or maybe something
>> could be done with
>> how winbind presents AD users to local OS while still.. Can't have
>> everything it seems.
>>
>> In this case here is my follow-up question:
>> - how will this work on DC's? I know that winbind is integrated into main
>> "samba" process. I don't have test-dc right now and I can't test it, but is
>> it at all possible to set "use default domain = yes" on samba DC and not
>> impair anything? On the DC's it's not as important to me, as only few
>> actual domain users will ever actually log there (only admins), but still
>> I'd rather have as much consistency across all systems, as possible.
>>
>> Regards,
>> Kacper
>>
>> 2017-11-01 21:21 GMT+01:00 Rowland Penny via samba <[hidden email]>:
>>
>>> On Wed, 1 Nov 2017 19:49:32 +0000
>>> Rowland Penny via samba <[hidden email]> wrote:
>>>
>>>> On Wed, 1 Nov 2017 20:28:05 +0100
>>>> Kacper Wirski <[hidden email]> wrote:
>>>>
>>>>> I'm going to start with a clean centos install, so I might as well use
>>>>> some additional guidelines, thank You.
>>>>>
>>>>> When You run kinit, does Your user have a ticket already? What I
>>>>> noticed is that when the user has a ticket already, kinit works fine,
>>>>> and uses as default principal the one from the ticket.
>>>>> Can you do kdestroy - then kinit?
>>>>>
>>>>> Also, on Fedora, did You install samba from source or from the repos'
>>>>> RPM?
>>>>>
>>>>> And last question - for PAM did You manually edit system-auth, or
>>>>> with authconfig?
>>>>> After I do some tests later on, I will update with whatever I manage
>>>>> to find/debug.
>>>>>
>>>> I realised I had a Centos 7 VM, so I started this, updated it to 7.4,
>>>> set 'winbind use default domain = no' then logged in and ran
>>>> 'kinit', I finally get your problem!!!
>>>>
>>>> Let me get back to you
>>>>
>>>> Rowland
>>>>
>>> OK, I am back ;-)
>>>
>>> I understand it now, sigh
>>> This is what I think is happening;
>>> When you kinit as the user, it uses whatever is returned by nsswitch,
>>> but, as a single '\' is treated as an escape character and is
>>> removed, you get DOMAINusername. If you use something else as the
>>> winbind separator e.g. ':' you will get DOMAIN:username, but this
>>> still will not get you anywhere. You will get this:
>>>
>>> kinit: Client 'SAMDOM:[hidden email]' not found in
>>> Kerberos database while getting initial credentials
>>>
>>> It was this that pointed me in the right direction.
>>> If you check the user's object in AD, you will find the
>>> userPrincipalName attribute, this will contain something like:
>>>
>>> [hidden email]
>>>
>>> This is what kinit is looking for and if you run 'kinit rowland', this
>>> will work and if you run 'klist' you will find that the 'Default
>>> principal' is [hidden email]
>>>
>>> Net result, you will have to use 'winbind use default domain = yes'
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>

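The prefix stripping Kacper asks for can be done outside Kerberos, as a small wrapper that turns the POSIX name winbind hands out ('SAMDOM\kacper' with 'winbind use default domain = no') into the bare account name and passes that to kinit, which sidesteps the escaped-backslash problem Rowland describes. This is an added example, not code from this thread or from Samba. The function names, the sample realm SAMDOM.EXAMPLE.COM, and the assumption that the account name after the separator is a valid principal in the realm (the form 'kinit rowland' above uses) are mine; it does not consult the userPrincipalName attribute.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: a kinit wrapper that
# strips the winbind DOMAIN prefix from the POSIX user name before asking
# for a ticket, so 'winbind use default domain = no' can stay in smb.conf.
#
# Assumptions (not from the thread): the function names, the sample realm
# SAMDOM.EXAMPLE.COM, and that the name after the separator is the account
# name kinit accepts, as Rowland's 'kinit rowland' test showed.

# winbind_user NAME [SEP]
# Print the part of NAME after the winbind separator (default '\').
# 'SAMDOM\kacper' -> 'kacper'; 'SAMDOM:kacper' ':' -> 'kacper'; a name
# without a separator (local user, or 'use default domain = yes') is
# printed unchanged.
winbind_user() (
    name=$1
    sep=$2
    [ -n "$sep" ] || sep='\'
    # Field-split on the separator inside this subshell so the IFS change
    # does not leak; 'set -f' keeps a stray '*' in NAME from globbing.
    set -f
    IFS=$sep
    # shellcheck disable=SC2086
    set -- $name
    if [ $# -ge 2 ]; then
        shift
        # "$*" rejoins any further fields with the separator, so a user
        # name that itself contains SEP survives.
        printf '%s\n' "$*"
    else
        printf '%s\n' "$1"
    fi
)

# winbind_principal NAME REALM [SEP]
# Build the principal kinit should be given, e.g.
# 'SAMDOM\kacper' SAMDOM.EXAMPLE.COM -> 'kacper@SAMDOM.EXAMPLE.COM'
winbind_principal() {
    printf '%s@%s\n' "$(winbind_user "$1" "$3")" "$2"
}

# kinit_ad [REALM] [SEP]
# Obtain a TGT for the logged-in AD user without typing the name.
# With no REALM, kinit falls back to default_realm from krb5.conf.
kinit_ad() {
    # 'id -un' returns what winbind presents, e.g. 'SAMDOM\kacper'
    _user=$(winbind_user "$(id -un)" "$2")
    if [ -n "$1" ]; then
        kinit "$_user@$1"
    else
        kinit "$_user"
    fi
}

# Offline demonstration (no KDC needed); kinit_ad is only run by hand.
winbind_principal 'SAMDOM\kacper' SAMDOM.EXAMPLE.COM
winbind_principal 'SAMDOM:kacper' SAMDOM.EXAMPLE.COM ':'
```

Source the file from the user's shell profile and run `kinit_ad` after `kdestroy` to get the no-argument behaviour the thread is after; the winbind separator is passed explicitly because the wrapper does not read smb.conf.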