Missing domain user tickets with winbind

Alexander Bokovoy ab at samba.org
Wed Apr 1 11:34:59 UTC 2020

On ke, 01 huhti 2020, Shyam Prasad N via samba-technical wrote:
> Hi,
> My name is Shyam Prasad. I work at Microsoft in the Azure Files team.
> For the past few days, I've been working on getting the Azure Linux VMs to
> join the AD domain in Azure, login as domain users, and mount Azure file
> shares over SMB3.
> Most things work fine. Except that I need to perform a few Kerberos related
> tasks manually, for the SMB3 mount to work with domain user credentials.
> I did some debugging of the issue, and looks like cifs.upcall (the
> userspace helper program for cifs.ko) is unable to find the krb5 TGT for
> the domain user in the cred-cache. If the cred-cache is missing, it looks
> for it in the system krb5.keytab.
> Since winbind is configured with kerberos method "secrets and keytab", I
> would expect either the secrets.tdb or the krb5.keytab to have an entry for
> the domain user lxsmbadmin. Even with the domain user already logged in
> through ssh, I'm unable to get those in both those places. cred-cache file
> is not created in the first place.
> With the domain user already logged in through ssh, I expected that the
> kerberos TGT would already have been retrieved and stored locally.
> Where does winbind store its Kerberos tickets, so that I can point
> cifs.upcall to look there for tickets instead?

It all depends how you configured pam_winbind. Please see pam_winbind
man page for Kerberos-related options (this output is from 4.11.7,
newer versions have more ccache type variants):

	   pam_winbind can authenticate using Kerberos when winbindd is
	   talking to an Active Directory domain controller. Kerberos
	   authentication must be enabled with this parameter. When
	   Kerberos authentication can not succeed (e.g. due to clock
	   skew), winbindd will fallback to samlogon authentication over
	   MSRPC. When this parameter is used in conjunction with
	   winbind refresh tickets, winbind will keep your Ticket
	   Granting Ticket (TGT) up to date by refreshing it whenever

	   When pam_winbind is configured to try kerberos authentication
	   by enabling the krb5_auth option, it can store the retrieved
	   Ticket Granting Ticket (TGT) in a credential cache. The type
	   of credential cache can be set with this option.  Currently
	   the only supported value is: FILE. In that case a credential
	   cache in the form of /tmp/krb5cc_UID will be created, where
	   UID is replaced with the numeric user id. Leave empty to just
	   do kerberos authentication without having a
	   ticket cache after the logon has succeeded.

> The mount only works when I use kinit to populate the cred-cache with the
> domain user.
> Any help in troubleshooting this issue is appreciated.
> Also, I'm interested to know, how can I enable the debug logs in the
> libkrb5 shared libraries that are built from the samba source code? I don't
> see the debug logs in that code being logged, even if log level is set to
> maximum in smb.conf.
> Regards,
> Shyam
> =======================================================
> Details of my setup:
> I'm using an Ubuntu 19.10 server VM.
> I'm mounting as the local root user, however, I'm using domain user
> credentials for the mount, using sec=krb5.
> Below are my mount options:
> vers=3.0,sec=krb5,credentials=/home/localadmin/.smb3credentials,serverino,noperm,nosharesock,mfsymlinks,uid=lxsmbadmin,gid='domain
> users'
> The VM is already joined to the AD domain aaddomain.example.com using
> winbind.
> This is what my smb.conf looks like for winbind:
> localadmin at lxsmb-canvm13:~$ cat /etc/samba/smb.conf
> [global]
>    workgroup = AADDOMAIN
>    security = ADS
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    winbind use default domain = Yes
>    load printers = No
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = Yes
>    log file = /var/log/samba/log.%m
>    log level = 10
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>    idmap config AADDOMAIN : backend = rid
>    idmap config AADDOMAIN : range = 10000-999999
>    template shell = /bin/bash
>    template homedir = /home/%U
> localadmin at lxsmb-canvm13:~$ cat /etc/krb5.conf
> [libdefaults]
>         default_realm = AADDOMAIN.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> Initially, I tried to use the ubuntu apt packages to install winbind and
> related packages.
> After going through a bit of code, I wanted to be able to print the debug
> logs.
> So I decided to install winbind from the latest source:
> master branch on git://git.samba.org/samba.git
> Here is the configure I used to build it:
> ./configure --with-systemd --bindir=/usr/bin --sbindir=/usr/sbin
> --libdir=/usr/lib/x86_64-linux-gnu/samba --sysconfdir=/etc/samba
> --localstatedir=/run/samba --includedir=/usr/include/
> --datadir=/usr/share/samba --mandir /usr/share/man --enable-debug
> --enable-developer --systemd-install-services
> --with-systemddir=/usr/lib/systemd/system
> --with-privatedir=/var/lib/samba/private --with-systemd --with-pam
> After tweaking a few config files here and there, I've now reached the same
> state as when I was running winbind from Ubuntu packages.
> I'm now able to ssh/su as the domain user to this system.
> However, I do not see the cred-cache populated.
> localadmin at lxsmb-canvm13:~/samba$ sudo klist
> klist: No ticket file: /tmp/krb5cc_0
> localadmin at lxsmb-canvm13:~/samba$ ls /tmp/krb*
> ls: cannot access '/tmp/krb*': No such file or directory
> After a bit of code reading of cifs.upcall, it looks to me like the
> expectation is that cred-cache would be populated for the domain user.
> If in case the cred-cache is missing, then it creates a new cred-cache from
> the keytab at /etc/krb5.keytab
> So clearly, the expectation is that at least the keytab is already
> populated.
> The kerberos method that I've chosen in smb.conf is "secrets and keytab".
> So I expect either the secrets.tdb or the krb5.keytab to have an entry for
> the domain user lxsmbadmin.
> However, I do not see those entries in either of them:
> localadmin at lxsmb-canvm13:~$ sudo tdbdump
> /var/lib/samba/private/secrets.tdb|grep -i lxsmbadmin
> localadmin at lxsmb-canvm13:~$
> localadmin at lxsmb-canvm13:~$ sudo ktutil list|grep -i lxsmbadmin
> localadmin at lxsmb-canvm13:~$
> With the domain user already logged in through ssh, I expected that the
> kerberos TGT would already have been retrieved and stored locally.
> Where would I find that?
> Do note that if I populate the cred-cache manually with the kinit utility
> like so:
> localadmin at lxsmb-canvm13:~$ sudo kinit lxsmbadmin at aaddomain.example.com
> lxsmbadmin at aaddomain.example.com's Password:
> localadmin at lxsmb-canvm13:~$
> The cred-cache does get populated and I'm then able to mount the file share
> successfully.
> With the log level set to 10 in smb.conf, the logging in /var/log/samba/ is
> pretty verbose. I can share those if needed for further debugging.
> =======================================================

/ Alexander Bokovoy
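For reference, the pam_winbind configuration the reply above refers to, as an added example that is not part of the original thread: the default per-system file is /etc/security/pam_winbind.conf (the same options can also be given as arguments on the pam_winbind.so line in the PAM stack). With only the first block, logins succeed but no ticket cache is written, which matches the empty /tmp/krb* seen in the question; the second block is what produces /tmp/krb5cc_UID for cifs.upcall to find.

```ini
; /etc/security/pam_winbind.conf
; Added example; not from the original mailing-list message.

; --- Setting that leaves no ticket cache behind ---
; Kerberos auth is off, so pam_winbind falls back to samlogon over MSRPC
; and never obtains a TGT for the user.
;[global]
;krb5_auth = no

; --- Setting that stores the TGT in /tmp/krb5cc_UID ---
[global]
; try Kerberos first; winbindd falls back to samlogon on failure (e.g. clock skew)
krb5_auth = yes
; FILE is the only ccache type documented in the 4.11.7 man page quoted above;
; it creates /tmp/krb5cc_UID, where UID is the user's numeric id
krb5_ccache_type = FILE
; allow logins while the DC is unreachable, using cached credentials
cached_login = yes
; pam_winbind debug output goes to syslog; useful while verifying the ccache is created
debug = no
```

Together with `winbind refresh tickets = Yes` already present in the smb.conf from the question, winbindd then keeps that cached TGT renewed for as long as the session lasts.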

