[Samba] Use of S4U2Self in Winbind in a forest trust - obtaining group list

Oscar Alonso | MailTecK oalonso at mailteck.com
Tue Nov 7 09:17:52 UTC 2023

Hi to all,

First of all, let this message serve as an introduction. Nice to be here.

A while back, we updated a server that still had Samba 4.13.17 on Ubuntu 20.04 LTS. We use this server for Winbind authentication in an Active Directory domain, to retrieve the list of groups from Active Directory, and then, based on those groups, authorize or deny user access via SFTP with OpenSSH. After upgrading Samba to version 4.15.13 (the latest version available on Ubuntu 20.04 LTS as of this writing), we started encountering issues obtaining the list of groups for users connecting via SFTP with SSH key authentication, meaning they do not authenticate via Winbind. I understand that this is because without Winbind authentication against Active Directory, we cannot retrieve the list of groups through the Kerberos ticket PAC.

Previously, even without Kerberos authentication, we obtained the list of groups through that old functionality that allowed us to retrieve the user's group list via LDAP query using the server's computer account. Since the Samba update, this functionality has ceased to work.

As I could see in several slides by Stefan Metzmacher, the correct way to achieve this and what would be implemented is through S4U2Self. In this approach, the server would request a Kerberos ticket from Active Directory, impersonating the user, and thus obtain the group list from the PAC.

The question is, has this functionality already been implemented in Winbind? I've seen references to Samba 4.17 (I believe that was the version) implementing S4U2Self in a Samba AD DC, but I'm not sure if this means that using Winbind against a Windows AD DC allows you to obtain the group list via S4U2Self.

I also seemed to understand that to support S4U2Self, it is a requirement to use MIT Kerberos 1.20, while MIT Kerberos in Ubuntu 20.04 LTS is version 1.17. I was wondering whether I could install an updated version of Samba+ on Ubuntu 20.04 LTS or 22.04 LTS and whether I would then obtain the desired functionality of retrieving the user's group list.

In case it has any relevance, I should also clarify that these are users not directly belonging to the domain to which the machine is joined but belonging to another domain with which the machine's domain has a two-way trust relationship.

I would appreciate any assistance on this matter.

Best regards,
Oscar Alonso
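The following is an added diagnostic script (not part of the original post, and not Samba's or OpenSSH's own code) for the situation described above: it checks what group list sshd would actually see for a trusted-domain user when there is no Winbind logon, which is exactly the SSH-key case where no Kerberos PAC is ever available. It assumes the Winbind separator is "\", a trusted domain called TRUSTED and an SFTP group "TRUSTED\sftp-users"; those names are placeholders, not taken from the post. The sample group lists at the bottom are constructed so the script runs offline; on a joined host, pass a user name to run the live checks.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba/OpenSSH).
# sshd's "Match Group"/AllowGroups evaluates the NSS group list of the user
# (initgroups via nss_winbind). With key-based SSH auth there is no Winbind
# logon and therefore no PAC, so whatever winbind can get WITHOUT a logon
# (LDAP fallback or S4U2Self) is all sshd will ever see.
#
# Assumptions (placeholders, not from the post): winbind separator "\",
# trusted domain TRUSTED, SFTP group "TRUSTED\sftp-users".
SFTP_GROUP='TRUSTED\sftp-users'

# has_group GROUPS WANTED: GROUPS is a newline-separated list of group names;
# exit 0 when WANTED is present (fixed-string, whole-line match, so the
# backslash and spaces in AD group names are not misinterpreted).
has_group() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# sftp_decision GROUPS WANTED: the allow/deny an sshd "Match Group WANTED"
# rule would produce from that group list.
sftp_decision() {
    if has_group "$1" "$2"; then
        echo allow
    else
        echo deny
    fi
}

# nss_groups USER: the group list sshd will see, one name per line. Resolve
# each gid separately instead of splitting `id -Gn` on spaces, because AD
# group names such as "domain users" contain spaces. Run as root with no
# logon, so this exercises exactly the path that lost its LDAP fallback.
nss_groups() {
    for gid in $(id -G "$1"); do
        getent group "$gid" | cut -d: -f1
    done
}

# live_check USER: real diagnostics; only meaningful on a winbind host.
# Comparing winbind's own gid list with what NSS returns tells a winbind
# failure apart from an nss_winbind/nscd caching problem.
live_check() {
    user="$1"
    wbinfo --ping-dc || echo "warning: no DC reachable for the joined domain"
    echo "trusted domains known to winbind:"; wbinfo -m || true
    echo "name -> SID (does the trust resolve the user?):"; wbinfo -n "$user" || true
    echo "gids straight from winbind (wbinfo -r):"; wbinfo -r "$user" || true
    echo "gids via NSS (id -G):"; id -G "$user" | tr ' ' '\n'
    echo "group names via NSS:"; nss_groups "$user"
    echo "sshd decision for $SFTP_GROUP: $(sftp_decision "$(nss_groups "$user")" "$SFTP_GROUP")"
}

# Constructed sample lists (not real data) of what nss_groups might print.
# SAMPLE_OK: the trusted-domain groups resolved. SAMPLE_BROKEN: only the
# primary group is known, so the SFTP group is missing and access is denied.
SAMPLE_OK='domain users
TRUSTED\domain users
TRUSTED\sftp-users'
SAMPLE_BROKEN='TRUSTED\domain users'

if [ $# -gt 0 ] && command -v wbinfo >/dev/null 2>&1; then
    live_check "$1"
else
    echo "sample ok:     $(sftp_decision "$SAMPLE_OK" "$SFTP_GROUP")"
    echo "sample broken: $(sftp_decision "$SAMPLE_BROKEN" "$SFTP_GROUP")"
fi
```

Usage: run it as root on the SFTP host as `sh check-sftp-groups.sh 'TRUSTED\someuser'`. If `wbinfo -n` resolves the user but `wbinfo -r` returns only the primary group, the gap is in winbind's group lookup for the trusted domain (the PAC/LDAP/S4U2Self question raised above); if `wbinfo -r` is complete but `id -G` is not, look at nss_winbind or nscd caching instead. A practitioner should also remember that a deny is the safe failure here: a user is only let in when the required group is positively present in the list.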

