[Samba] Missing domain user tickets with winbind

L. van Belle belle at samba.org
Wed Apr 1 12:41:07 UTC 2020

I would say, in addition to Alexander's comment:

And Alexander or Rowland, anyone... ;-) correct me if I'm wrong. These are
the days to learn, guys.
Make good use of your "@ home" time.

Read on..

SSH works because it uses the "default" of Ubuntu, and like Debian these just
work for Kerberos, if all resolving works as it should.
These also don't need an SPN/UPN; just plain Kerberos auth is sufficient.
(* Or use hostname@SPN, but that I don't know.)

The Debian and Ubuntu defaults for winbind "should" be sufficient.
(Run: pam-auth-update, and see if you have winbind as an option.)
But I don't know if that also works with self-compiled packages;
I think you need to make that pam-config file first.
Which is:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_winbind.so try_authtok
Password-Initial:
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
        optional                        pam_winbind.so


Which is in /etc/pam.d/samba,
pointing to /etc/pam.d/common-auth (and the others: -account, -password,
-session..)
Containing:

account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so

auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

password        [success=1 default=ignore]      pam_winbind.so try_authtok

session optional                        pam_winbind.so

It works the same for my NFSv4, Kerberos automounted home dirs.
Basically, your "computer" needs to have the rights to do the automount for
the user.
And then it "just works"..

With:
root/hostname.fqdn@REALM

COMPUTER$/hostname.fqdn@REALM

cifs/hostname.fqdn@REALM

(Note: some need obligatory uppercase SPNs; I'm not sure for cifs.)

And NFS:
nfs/hostname.fqdn@REALM

There is a search order for the above, but I lost the link where it shows it.
It's in a manual somewhere.

Now, then..
Add on the computer object "allow delegation to the service" (or all) and
you're almost done.

If your user home dirs are not accessible by user root (what I have here),
you need to add: ignore_k5login = true in krb5.conf

And then I use this for the mount service.
Change Type to cifs and correct the 'Where' and 'What'.

Your smb.conf looks fine, no need to change anything there. 

Also, the below is based on systemd and its service files because it's just
easy to set up.

! Note:
if you are mounting into /home/user, your service MUST BE..
It reflects the "Where" path and is always PATH-FOLDER-SOMETHING.mount the

Description=users folder



# Default = 0755
# Directories of mount points (and any parent directories) are automatically created if needed
# This option specifies the file system access mode used when creating these

# Default = disable = 0


And file: 

# home-users.automount
Description=Automount Home-users



The above is well tested, as it has now run for about 3 years without problems.
There were a few (problems) in Debian wheezy and stretch, but now with buster
it's a breeze to make this work.

Check what you have now for SPNs/UPNs:
kinit Administrator
net ads setspn list $(hostname -s)
Should show:
Registered SPNs for hostname

Where I have nfs you should have cifs, or add root, which allows both,
but also more, so I prefer to set it per SPN.

On the Samba client: man net
and search for keytab in it.

The above has all the info to make it work.
If one has improvements, I'm all ears.. :-)




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Wednesday 1 April 2020 13:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Missing domain user tickets with winbind
> On 01/04/2020 12:20, L.P.H. van Belle via samba wrote:
> > For that to work, you need to add the CIFS/hostname.fqdn@REALM to the
> > host you're logging in to.
> > The COMPUTER$ should hold it.
> > Allow the computer to delegate the cifs service. (or all)
> Thing is, the OP is trying to use a user's ticket to mount, but seems to
> be doing it as root, which isn't going to work, mainly because 'root'
> will use the root ticket /tmp/krb5cc_0. He needs to use the user's
> ticket, typically /tmp/krb5cc_{user_id}
> He is also setting a credentials file in his mount command; this should
> be removed. Also, are libnss-winbind, libpam-winbind and libpam-krb5
> installed?
> I would also point him to your repo: http://apt.van-belle.nl/

Yeah, but he runs Ubuntu 19.x; I've not compiled these, I'm waiting for the
next LTS for that.
And if it's not too much work to make these python3.8 compliant.

> This would save him having to compile Samba himself.
> Finally, I would suggest he installs libpam-mount, this will do all the
> heavy lifting for him.
> Rowland
> >
> >
> >>
> >> =======================================================
> >> Details of my setup:
> >> I'm using an Ubuntu 19.10 server VM.
> >> I'm mounting as the local root user, however, I'm using a domain user's
> >> credentials for mounting using sec=krb5.
> >> Below are my mount options:
> >> vers=3.0,sec=krb5,credentials=/home/localadmin/.smb3credentials,serverino,noperm,nosharesock,mfsymlinks,uid=lxsmbadmin,gid='domain
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

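The following is an added example, not code from the thread or from the Samba project. It ties together the two points the replies make about a root-performed sec=krb5 mount on a domain user's behalf (the mount must use the user's ticket cache, not root's /tmp/krb5cc_0, and a credentials= password file does not belong in a Kerberos mount) and the systemd .mount/.automount naming rule from the post: it checks a cifs option string for those mistakes, builds a correct one, derives the unit file name from the Where= path, and renders the two unit files. The server name //fileserver.example.com/homes, the mount point /home/users, the uids/gids and the option string modelled on the OP's are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Samba.
# With sec=krb5, cifs.upcall fetches the service ticket from a credential
# cache; by default that is the cache of the uid performing the mount, so a
# mount run by root uses root's cache (/tmp/krb5cc_0). mount.cifs's "cruid="
# names the uid whose cache to use instead; "credentials=" (a username and
# password file) is a password-auth option with no place in a Kerberos mount.
# Hosts, shares, paths, uids and gids below are illustrative assumptions.

# check_krb5_opts OPTIONS
# Prints one line per problem; returns 0 when the option string is sane.
check_krb5_opts() {
    opts=",$1,"
    rc=0
    case "$opts" in
        *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) ;;
        *) echo "missing sec=krb5 (or krb5i/krb5p)"; rc=1 ;;
    esac
    case "$opts" in
        *,credentials=*|*,username=*|*,password=*)
            echo "password-style option present: remove credentials=/username=/password="
            rc=1 ;;
    esac
    case "$opts" in
        *,cruid=*|*,multiuser,*) ;;
        *) echo "no cruid= (or multiuser): cifs.upcall will use the mounting uid's cache"; rc=1 ;;
    esac
    return $rc
}

# build_krb5_opts UID GID
# Option string for a root-performed mount that uses the ticket cache of UID.
build_krb5_opts() {
    printf 'vers=3.0,sec=krb5,cruid=%s,uid=%s,gid=%s,serverino,nosharesock,mfsymlinks' "$1" "$1" "$2"
}

# unit_name_for PATH SUFFIX
# systemd derives the unit name from the Where= path: the leading "/" is
# dropped, "/" becomes "-", and a literal "-" becomes "\x2d" (the same
# result as "systemd-escape -p" for paths made of letters, digits and "-").
unit_name_for() {
    p=${1#/}
    p=$(printf '%s' "$p" | sed -e 's/-/\\x2d/g' -e 's,/,-,g')
    printf '%s.%s' "$p" "$2"
}

# render_mount_unit WHAT WHERE OPTIONS  (no [Install]: the automount pulls it in)
render_mount_unit() {
    cat <<EOF
[Unit]
Description=users folder

[Mount]
What=$1
Where=$2
Type=cifs
Options=$3
EOF
}

# render_automount_unit WHERE
render_automount_unit() {
    cat <<EOF
[Unit]
Description=Automount $1

[Automount]
Where=$1
TimeoutIdleSec=600

[Install]
WantedBy=multi-user.target
EOF
}

# Stand-alone demo; the "bad" string is a constructed copy of the OP's options.
if [ "${1:-}" = "demo" ]; then
    bad='vers=3.0,sec=krb5,credentials=/home/localadmin/.smb3credentials,serverino,noperm,nosharesock,mfsymlinks,uid=lxsmbadmin'
    check_krb5_opts "$bad" || echo "rejected: $bad"
    good=$(build_krb5_opts 10001 10000)
    check_krb5_opts "$good" && echo "ok: $good"
    where=/home/users
    echo "write: /etc/systemd/system/$(unit_name_for "$where" mount)"
    render_mount_unit //fileserver.example.com/homes "$where" "$good"
    echo "write: /etc/systemd/system/$(unit_name_for "$where" automount)"
    render_automount_unit "$where"
fi
```

Run it with `sh script.sh demo`. cruid= ties the mount to one user's cache, which fits a per-user mount (as pam_mount would do); for a share used by several users, mount.cifs's `multiuser` option lets each accessing uid be authenticated with its own ticket, which is why the check accepts it as an alternative. On a real host, derive the unit name with `systemd-escape -p --suffix=mount /home/users` rather than the simplified helper here, and remember to `systemctl enable --now` the .automount, not the .mount.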