[Samba] Missing domain user tickets with winbind
L. van Belle
belle at samba.org
Wed Apr 1 12:41:07 UTC 2020
I would say in addition to Alexander's comment
And Alexander or Rowland anyone... ;-) correct me if im wrong.. These are
the days to learn guys.
Make good use of you "@ home" time.
Read on..
Ssh works because it use the "default" of ubuntu and like Debian these just
work for kerberos.
If all resolving works as it should
These also dont need SPN/UPN. Just plain kerberos auth is suffient.
(* or use hostname at SPN but that i dont know ).
The debian and ubuntu defaults for winbind "should" be sufficient.
(run : pam-auto-update see if you have winbind as option )
But i dont know it that also works with selfcompiled packages,
i think you need to make that pam-config file first.
Which is :
/usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
[success=end default=ignore] pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore]
pam_winbind.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_winbind.so try_authtok
try_first_pass
Password-Initial:
[success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
optional pam_winbind.so
And
Which is in /etc/pam.d/samba
Pointing to /etc/pam.d/common-auth ( and the others -account -pasword
-session.. )
Containing :
account [success=1 new_authtok_reqd=done default=ignore]
pam_winbind.so
auth [success=1 default=ignore] pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass
password [success=1 default=ignore] pam_winbind.so try_authtok
try_first_pass
session optional pam_winbind.so
It works the same for my NFSv4, kerberos automounted homedirs.
Basilcy, your "computer" needs to have the rights to do the automount for
the user.
And then it "just works" ..
With :
root/hostname.fqdn at REALM
Or
COMPUTER$/hostname.fqdn at REALM
Or
cifs/hostname.fqdn at REALM
(note, some need obligated uppercased SPN's, im not sure for cifs. )
And nfs
nfs/hostname.fqdn at REALM
There is a search order for above, but i lost the link where it shows it.
Its in a manual somewhere.
Now, then..
Add on the computer object allow delegation to the service (or all ) and
your almost done.
Note:
If your user homedirs are not accessable by user root ( what i have here )
You need to add : ignore_k5login = true in krb5.conf
And then i use this for the mount service.
Change Type to cifs and correct the 'where' and 'what'.
Your smb.conf looks fine, no need to change anything there.
Also, below is based on systemd and its services files because its just easy
to setup.
! Note,
if you mounting in to /home/user your service have MUST BE..
home-users.(auto)mount
It reflexs to the "where" path and is always PATH-FOLDER-SOMETHING.mount the
"Where"
#home-users.mount
[Unit]
Description=users folder
[Mount]
What=server.domain.tld:/users
Where=/home/users
Type=nfs
#SloppyOptions=
#LazyUnmount=
#ForceUnmount=
# Default = 0755
# Directories of mount points (and any parent directories) are automatically
created if needed
# This option specifies the file system access mode used when creating these
directories
#DirectoryMode=
# Default = disable = 0
TimeoutSec=300
[Install]
WantedBy=multi-user.target
And file:
# home-users.automount
[Unit]
Description=Automount Home-users
[Automount]
Where=/home/users
[Install]
WantedBy=multi-user.target
Above is well tested as it runs now about 3 years without problems.
There where a few in debian wheezy and stretch but now with buster
its a brease to make this work.
Check what you have now for SPN/UPN's
kinit Administrator
net ads setspn list $(hostname -s)
Should show:
Registered SPNs for hostname
HOST/hostname
HOST/hostname.internal.dom.tld
nfs/hostname.internal.dom.tld
Where i have nfs you should have cifs or add root that allows both,
but also more so i preffer to set per SPN.
On the samba client : man net
search for keytab in it.
Above has all info to make it work.
If one has improvements, im all ears.. :-)
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Rowland penny via samba
> Verzonden: woensdag 1 april 2020 13:59
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Missing domain user tickets with winbind
>
> On 01/04/2020 12:20, L.P.H. van Belle via samba wrote:
> > For that to work, you need to add the
> CIFS/hostname.fqdn at REALM to the host your logging in.
> > The COMPUTER$ should hold it.
> > Allow the computer to delegate the cifs service. ( or all )
>
> Thing is, the OP is trying to use a users ticket to mount,
> but seems to
> be doing it as root, which isn't going to work, mainly because 'root'
> will use the root ticket /tmp/krb5cc_0. He needs to use the users
> ticket, typically /tmp/krb5cc_{user_id}
>
> He is also setting a credentials file in his mount command,
> this should
> be removed. Also, are libnss-winbind, libpam-winbind and libpam-krb5
> installed ?
>
> I would also point him to your repo: http://apt.van-belle.nl/
Yeah, but he runs ubuntu 19.x i've not compiled these, im waiting for the
next LTS for that.
And if its not to much work to make these python3.8 compliant.
>
> This would save him having to compile Samba himself.
>
> Finally, I would suggest he installs libpam-mount, this will
> do all the
> heavy lifting for him.
>
> Rowland
>
>
> >
> >
> >>
> >> =======================================================
> >> Details of my setup:
> >> I'm using an Ubuntu 19.10 server VM.
> >> I'm mounting as the local root user, however, I'm using a
> domain user
> >> credentials for mounting the using sec=krb5.
> >> Below are my mount options:
> >> vers=3.0,sec=krb5,credentials=/home/localadmin/.smb3credential
> >
> s,serverino,noperm,nosharesock,mfsymlinks,uid=lxsmbadmin,gid='doma> in
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba-technical
mailing list