[Samba] kerberos + winbind + AD authentication for samba 4 domain member

L.P.H. van Belle belle at bazuin.nl
Wed Nov 1 22:24:22 UTC 2017


Maybe try something like this, I don't know if it's right, I can't test it at the moment, and I never used it, so..
But in krb5.conf try to match the faulty one with a rule.

auth_to_local = RULE:[1:SAMDOM:$1]
Maybe it works, maybe not, but imo it's try-able ;-), just an idea..

Greetz, 

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Kacper Wirski via samba
> Sent: Wednesday, 1 November 2017 22:01
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] kerberos + winbind + AD authentication
> for samba 4 domain member
> 
> Ok, at least I know that it's not the fault of my configuration.
> 
> I was hoping that there may be some kerberos/kinit option to modify the
> systemwide default principal pattern, or maybe something could be done with
> how winbind presents AD users to the local OS while still.. Can't have
> everything, it seems.
> 
> In this case, here is my follow-up question:
> - how will this work on DCs? I know that winbind is integrated into the main
> "samba" process. I don't have a test DC right now and I can't test it, but is
> it at all possible to set "winbind use default domain = yes" on a samba DC and not
> impair anything? On the DCs it's not as important to me, as only a few
> actual domain users will ever actually log in there (only admins), but still
> I'd rather have as much consistency across all systems as possible.
> 
> Regards,
> Kacper
> 
> 2017-11-01 21:21 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:
> 
> > On Wed, 1 Nov 2017 19:49:32 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Wed, 1 Nov 2017 20:28:05 +0100
> > > Kacper Wirski <kacper.wirski at gmail.com> wrote:
> > >
> > > > I'm going to start with a clean centos install, so I might as well use
> > > > some additional guidelines, thank You.
> > > >
> > > > When You run kinit, does Your user have a ticket already? What I
> > > > noticed is that when the user has a ticket already, kinit works fine,
> > > > and uses as default principal the one from the ticket.
> > > > Can you do kdestroy - then kinit?
> > > >
> > > > Also, on Fedora, did You install samba from source or from the repo's
> > > > RPM?
> > > >
> > > > And last question - for PAM did You manually edit system-auth, or
> > > > with authconfig?
> > > > After I do some tests later on, I will update with whatever I manage
> > > > to find/debug.
> > > >
> > >
> > > I realised I had a Centos 7 VM, so I started this, updated it to 7.4,
> > > set 'winbind use default domain = no', then logged in and ran
> > > 'kinit'. I finally get your problem!!!
> > >
> > > Let me get back to you
> > >
> > > Rowland
> > >
> >
> > OK, I am back ;-)
> >
> > I understand it now, sigh
> > This is what I think is happening:
> > When you kinit as the user, it uses whatever is returned by nsswitch,
> > but, as a single '\' is treated as an escape character and is
> > removed, you get DOMAINusername. If you use something else as the
> > winbind separator, e.g. ':', you will get DOMAIN:username, but this
> > still will not get you anywhere. You will get this:
> >
> > kinit: Client 'SAMDOM:rowland at SAMDOM.EXAMPLE.COM' not found in
> > Kerberos database while getting initial credentials
> >
> > It was this that pointed me in the right direction.
> > If you check the user's object in AD, you will find the
> > userPrincipalName attribute; this will contain something like:
> >
> > rowland at samdom.example.com
> >
> > This is what kinit is looking for, and if you run 'kinit rowland', this
> > will work, and if you run 'klist' you will find that the 'Default
> > principal' is rowland at SAMDOM.EXAMPLE.COM
> >
> > Net result, you will have to use 'winbind use default domain = yes'
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >

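For readers who want the concrete settings Rowland's explanation boils down to, here is an added example of a domain-member smb.conf and krb5.conf (editor's example, not configuration posted in this thread). It uses the SAMDOM / SAMDOM.EXAMPLE.COM names from Rowland's reply; the idmap backend and ranges, the home directory template and the paths are assumptions you must adapt to your own domain.

```ini
; /etc/samba/smb.conf on the Samba 4 AD domain member (assumed values,
; except workgroup/realm which follow the thread).
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    kerberos method = secrets and keytab

    ; assumed idmap setup: RID mapping for the domain, tdb for everything else
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    ; The setting that matters for 'kinit' without arguments.
    ;   no  -> getent passwd returns SAMDOM\rowland; kinit strips the single
    ;          backslash and asks the KDC for SAMDOMrowland@SAMDOM.EXAMPLE.COM,
    ;          which does not exist.
    ;   yes -> the login name is rowland, which matches the userPrincipalName
    ;          rowland@samdom.example.com, and kinit succeeds.
    winbind use default domain = yes

    ; Changing the separator does not help: with "winbind separator = :" the
    ; principal becomes SAMDOM:rowland@SAMDOM.EXAMPLE.COM, equally unknown.
    ; winbind separator = :

    template shell = /bin/bash
    template homedir = /home/%U

; /etc/krb5.conf on the same member (assumed minimal contents)
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
```

After restarting winbind with this configuration, run `kdestroy`, then `kinit` with no arguments, then `klist`; the "Default principal" line should read rowland@SAMDOM.EXAMPLE.COM rather than a SAMDOMrowland or SAMDOM:rowland variant. One caveat on the auth_to_local idea above: that krb5.conf option maps an authenticated principal to a local account name (it is consulted by services such as sshd when they authorise a GSSAPI login), not the other way round, so it does not change which principal kinit derives from the login name.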