Missing domain user tickets with winbind

Alexander Bokovoy ab at samba.org
Wed Apr 1 13:01:14 UTC 2020


On Wed, 01 Apr 2020, Shyam Prasad N via samba-technical wrote:
> Thanks. That worked. :)
> 
> However, I see the krb5cc file only if I login to ssh using the password.
> If I use ssh private keys to login, I do not see this file being generated.
> I guess this is because it doesn't use krb5 authentication with the AD
> server in that case. This is not a major bottleneck, but wanted to
> understand the scenario.

That's expected, yes. You are authenticating to ssh daemon only,
winbindd is not involved in this process.

> 
> Regards,
> Shyam
> 
> On Wed, Apr 1, 2020 at 5:05 PM Alexander Bokovoy <ab at samba.org> wrote:
> 
> > On Wed, 01 Apr 2020, Shyam Prasad N via samba-technical wrote:
> > > Hi,
> > >
> > > My name is Shyam Prasad. I work at Microsoft in the Azure Files team.
> > > For the past few days, I've been working on getting the Azure Linux VMs to
> > > join the AD domain in Azure, login as domain users, and mount Azure file
> > > shares over SMB3.
> > >
> > > Most things work fine. Except that I need to perform a few Kerberos related
> > > tasks manually, for the SMB3 mount to work with domain user credentials.
> > > I did some debugging of the issue, and looks like cifs.upcall (the
> > > userspace helper program for cifs.ko) is unable to find the krb5 TGT for
> > > the domain user in the cred-cache. If the cred-cache is missing, it looks
> > > for it in the system krb5.keytab.
> > >
> > > Since winbind is configured with kerberos method "secrets and keytab", I
> > > would expect either the secrets.tdb or the krb5.keytab to have an entry for
> > > the domain user lxsmbadmin. Even with the domain user already logged in
> > > through ssh, I'm unable to get those in both those places. cred-cache file
> > > is not created in the first place.
> > >
> > > With the domain user already logged in through ssh, I expected that the
> > > kerberos TGT would already have been retrieved and stored locally.
> > > Where does winbind store its Kerberos tickets, so that I can point
> > > cifs.upcall to look there for tickets instead?
> >
> > It all depends how you configured pam_winbind. Please see pam_winbind
> > man page for Kerberos-related options (this output is from 4.11.7,
> > newer versions have more ccache type variants):
> >
> >        krb5_auth
> >            pam_winbind can authenticate using Kerberos when winbindd is
> >            talking to an Active Directory domain controller. Kerberos
> >            authentication must be enabled with this parameter. When
> >            Kerberos authentication can not succeed (e.g. due to clock
> >            skew), winbindd will fallback to samlogon authentication over
> >            MSRPC. When this parameter is used in conjunction with
> >            winbind refresh tickets, winbind will keep your Ticket
> >            Granting Ticket (TGT) uptodate by refreshing it whenever
> >            necessary.
> >
> >        krb5_ccache_type=[type]
> >            When pam_winbind is configured to try kerberos authentication
> >            by enabling the krb5_auth option, it can store the retrieved
> >            Ticket Granting Ticket (TGT) in a credential cache. The type
> >            of credential cache can be set with this option.  Currently
> >            the only supported value is: FILE. In that case a credential
> >            cache in the form of /tmp/krb5cc_UID will be created, where
> >            UID is replaced with the numeric user id. Leave empty to just
> >            do kerberos authentication without having a
> >            ticket cache after the logon has succeeded.
> >
> >
> > >
> > > The mount only works when I use kinit to populate the cred-cache with the
> > > domain user.
> > >
> > > Any help in troubleshooting this issue is appreciated.
> > >
> > > Also, I'm interested to know, how can I enable the debug logs in the
> > > libkrb5 shared libraries that are built from the samba source code? I don't
> > > see the debug logs in that code being logged, even if log level is set to
> > > maximum in smb.conf.
> > >
> > > Regards,
> > > Shyam
> > >
> > > =======================================================
> > > Details of my setup:
> > > I'm using an Ubuntu 19.10 server VM.
> > > I'm mounting as the local root user, however, I'm using a domain user's
> > > credentials for mounting using sec=krb5.
> > > Below are my mount options:
> > >
> > > vers=3.0,sec=krb5,credentials=/home/localadmin/.smb3credentials,serverino,noperm,nosharesock,mfsymlinks,uid=lxsmbadmin,gid='domain users'
> > >
> > > The VM is already joined to the AD domain aaddomain.example.com using
> > > winbind.
> > > This is what my smb.conf looks like for winbind:
> > > localadmin at lxsmb-canvm13:~$ cat /etc/samba/smb.conf
> > > [global]
> > >    workgroup = AADDOMAIN
> > >    security = ADS
> > >    realm = AADDOMAIN.EXAMPLE.COM
> > >
> > >    winbind refresh tickets = Yes
> > >    vfs objects = acl_xattr
> > >    map acl inherit = Yes
> > >    store dos attributes = Yes
> > >
> > >    dedicated keytab file = /etc/krb5.keytab
> > >    kerberos method = secrets and keytab
> > >
> > >    winbind use default domain = Yes
> > >
> > >    load printers = No
> > >    printing = bsd
> > >    printcap name = /dev/null
> > >    disable spoolss = Yes
> > >
> > >    log file = /var/log/samba/log.%m
> > >    log level = 10
> > >
> > >    idmap config * : backend = tdb
> > >    idmap config * : range = 3000-7999
> > >
> > >    idmap config AADDOMAIN : backend = rid
> > >    idmap config AADDOMAIN : range = 10000-999999
> > >
> > >    template shell = /bin/bash
> > >    template homedir = /home/%U
> > >
> > > localadmin at lxsmb-canvm13:~$ cat /etc/krb5.conf
> > > [libdefaults]
> > >         default_realm = AADDOMAIN.EXAMPLE.COM
> > >         dns_lookup_realm = false
> > >         dns_lookup_kdc = true
> > >
> > > Initially, I tried to use the ubuntu apt packages to install winbind and
> > > related packages.
> > > After going through a bit of code, I wanted to be able to print the debug
> > > logs.
> > > So I decided to install winbind from the latest source:
> > > master branch on git://git.samba.org/samba.git
> > >
> > > Here is the configure I used to build it:
> > > ./configure --with-systemd --bindir=/usr/bin --sbindir=/usr/sbin
> > > --libdir=/usr/lib/x86_64-linux-gnu/samba --sysconfdir=/etc/samba
> > > --localstatedir=/run/samba --includedir=/usr/include/
> > > --datadir=/usr/share/samba --mandir /usr/share/man --enable-debug
> > > --enable-developer --systemd-install-services
> > > --with-systemddir=/usr/lib/systemd/system
> > > --with-privatedir=/var/lib/samba/private --with-systemd --with-pam
> > >
> > > After tweaking a few config files here and there, I've now reached the same
> > > state as when I was running winbind from Ubuntu packages.
> > > I'm now able to ssh/su as the domain user to this system.
> > >
> > > However, I do not see the cred-cache populated.
> > > localadmin at lxsmb-canvm13:~/samba$ sudo klist
> > > klist: No ticket file: /tmp/krb5cc_0
> > > localadmin at lxsmb-canvm13:~/samba$ ls /tmp/krb*
> > > ls: cannot access '/tmp/krb*': No such file or directory
> > >
> > > After a bit of code reading of cifs.upcall, it looks to me like the
> > > expectation is that cred-cache would be populated for the domain user.
> > > If the cred-cache is missing, then it creates a new cred-cache from
> > > the keytab at /etc/krb5.keytab
> > >
> > > So clearly, the expectation is that at least the keytab is already
> > > populated.
> > >
> > > The kerberos method that I've chosen in smb.conf is "secrets and keytab".
> > > So I expect either the secrets.tdb or the krb5.keytab to have an entry for
> > > the domain user lxsmbadmin.
> > > However, I do not see those entries in either of them:
> > >
> > > localadmin at lxsmb-canvm13:~$ sudo tdbdump
> > > /var/lib/samba/private/secrets.tdb|grep -i lxsmbadmin
> > > localadmin at lxsmb-canvm13:~$
> > >
> > > localadmin at lxsmb-canvm13:~$ sudo ktutil list|grep -i lxsmbadmin
> > > localadmin at lxsmb-canvm13:~$
> > >
> > > With the domain user already logged in through ssh, I expected that the
> > > kerberos TGT would already have been retrieved and stored locally.
> > > Where would I find that?
> > >
> > > Do note that if I populate the cred-cache manually with the kinit utility
> > > like so:
> > > localadmin at lxsmb-canvm13:~$ sudo kinit lxsmbadmin at aaddomain.example.com
> > > lxsmbadmin at aaddomain.example.com's Password:
> > > localadmin at lxsmb-canvm13:~$
> > >
> > > The cred-cache does get populated and I'm then able to mount the file share
> > > successfully.
> > >
> > > With the log level set to 10 in smb.conf, the logging in /var/log/samba/ is
> > > pretty verbose. I can share those if needed for further debugging.
> > >
> > > =======================================================
> >
> > --
> > / Alexander Bokovoy
> >
> 
> 
> -- 
> -Shyam

-- 
/ Alexander Bokovoy
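As an added illustration of the point made in this thread (this is example code, not part of Samba, cifs-utils or either poster's mail): when pam_winbind runs with krb5_auth and krb5_ccache_type=FILE, a password login through PAM leaves the user's TGT in /tmp/krb5cc_UID, which is where cifs.upcall looks before falling back to /etc/krb5.keytab; an ssh public-key login never passes through winbindd, so that file is simply never written. The helper below derives the expected cache path for a user, reports which of the two situations applies, and prints the cache with klist when one exists. The CCACHE_DIR override and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Example diagnostic helper (not from Samba, cifs-utils or the thread).
# Assumes the PAM stack carries something like
#   auth  sufficient  pam_winbind.so krb5_auth krb5_ccache_type=FILE
# so that a successful password login stores the TGT in /tmp/krb5cc_<UID>,
# as described in the pam_winbind man page text quoted above.
# CCACHE_DIR is an override (assumption for this example) so the checks can
# be exercised against a scratch directory.

CCACHE_DIR="${CCACHE_DIR:-/tmp}"

# Path pam_winbind uses for the FILE credential cache of a numeric UID.
ccache_path() {
    printf '%s/krb5cc_%s\n' "$CCACHE_DIR" "$1"
}

# Classify a UID's situation:
#   ccache  - a non-empty FILE cache exists (a PAM/password login went through winbindd)
#   missing - no cache; the session did not involve pam_winbind (e.g. ssh key login)
ccache_state() {
    path=$(ccache_path "$1")
    if [ -s "$path" ]; then
        echo ccache
    else
        echo missing
    fi
}

# Resolve a user name with id(1) and explain what cifs.upcall will find.
report_user() {
    user="$1"
    uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user: $user" >&2; return 1; }
    path=$(ccache_path "$uid")
    case "$(ccache_state "$uid")" in
        ccache)
            echo "$user (uid $uid): TGT cache present at $path"
            # Show the cached tickets; klist is optional here, so never fail on it.
            KRB5CCNAME="FILE:$path" klist 2>/dev/null || true
            ;;
        missing)
            echo "$user (uid $uid): no $path; cifs.upcall will fall back to /etc/krb5.keytab"
            echo "  only a password (PAM) login via pam_winbind krb5_auth creates the cache;"
            echo "  an ssh public-key login bypasses winbindd, so run kinit as that user instead"
            ;;
    esac
}

# Usage: ./check_ccache.sh <username>
if [ -n "${1:-}" ]; then
    report_user "$1"
fi
```

Run it as the domain user after an ssh login to see which branch applies; the "missing" branch is exactly the state Shyam saw after a key-based login, and the "ccache" branch is what a password login through pam_winbind produces.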


