Missing domain user tickets with winbind
Alexander Bokovoy
ab at samba.org
Wed Apr 1 13:01:14 UTC 2020
On Wed, 01 Apr 2020, Shyam Prasad N via samba-technical wrote:
> Thanks. That worked. :)
>
> However, I see the krb5cc file only if I login to ssh using the password.
> If I use ssh private keys to login, I do not see this file being generated.
> I guess this is because it doesn't use krb5 authentication with the AD
> server in that case. This is not a major bottleneck, but wanted to
> understand the scenario.
That's expected, yes. You are authenticating to ssh daemon only,
winbindd is not involved in this process.
>
> Regards,
> Shyam
>
> On Wed, Apr 1, 2020 at 5:05 PM Alexander Bokovoy <ab at samba.org> wrote:
>
> > On Wed, 01 Apr 2020, Shyam Prasad N via samba-technical wrote:
> > > Hi,
> > >
> > > My name is Shyam Prasad. I work at Microsoft in the Azure Files team.
> > > For the past few days, I've been working on getting the Azure Linux VMs to
> > > join the AD domain in Azure, login as domain users, and mount Azure file
> > > shares over SMB3.
> > >
> > > Most things work fine. Except that I need to perform a few Kerberos related
> > > tasks manually, for the SMB3 mount to work with domain user credentials.
> > > I did some debugging of the issue, and looks like cifs.upcall (the
> > > userspace helper program for cifs.ko) is unable to find the krb5 TGT for
> > > the domain user in the cred-cache. If the cred-cache is missing, it looks
> > > for it in the system krb5.keytab.
> > >
> > > Since winbind is configured with kerberos method "secrets and keytab", I
> > > would expect either the secrets.tdb or the krb5.keytab to have an entry for
> > > the domain user lxsmbadmin. Even with the domain user already logged in
> > > through ssh, I'm unable to get those in both those places. cred-cache file
> > > is not created in the first place.
> > >
> > > With the domain user already logged in through ssh, I expected that the
> > > kerberos TGT would already have been retrieved and stored locally.
> > > Where does winbind store its Kerberos tickets, so that I can point
> > > cifs.upcall to look there for tickets instead?
> >
> > It all depends on how you configured pam_winbind. Please see the pam_winbind
> > man page for Kerberos-related options (this output is from 4.11.7,
> > newer versions have more ccache type variants):
> >
> > krb5_auth
> > pam_winbind can authenticate using Kerberos when winbindd is
> > talking to an Active Directory domain controller. Kerberos
> > authentication must be enabled with this parameter. When
> > Kerberos authentication can not succeed (e.g. due to clock
> > skew), winbindd will fallback to samlogon authentication over
> > MSRPC. When this parameter is used in conjunction with
> > winbind refresh tickets, winbind will keep your Ticket
> > Granting Ticket (TGT) uptodate by refreshing it whenever
> > necessary.
> >
> > krb5_ccache_type=[type]
> > When pam_winbind is configured to try kerberos authentication
> > by enabling the krb5_auth option, it can store the retrieved
> > Ticket Granting Ticket (TGT) in a credential cache. The type
> > of credential cache can be set with this option. Currently
> > the only supported value is: FILE. In that case a credential
> > cache in the form of /tmp/krb5cc_UID will be created, where
> > UID is replaced with the numeric user id. Leave empty to just
> > do kerberos authentication without having a
> > ticket cache after the logon has succeeded.
> >
> >
> > >
> > > The mount only works when I use kinit to populate the cred-cache with the
> > > domain user.
> > >
> > > Any help in troubleshooting this issue is appreciated.
> > >
> > > Also, I'm interested to know, how can I enable the debug logs in the
> > > libkrb5 shared libraries that are built from the samba source code? I don't
> > > see the debug logs in that code being logged, even if log level is set to
> > > maximum in smb.conf.
> > >
> > > Regards,
> > > Shyam
> > >
> > > =======================================================
> > > Details of my setup:
> > > I'm using an Ubuntu 19.10 server VM.
> > > I'm mounting as the local root user, however, I'm using a domain user's
> > > credentials for mounting using sec=krb5.
> > > Below are my mount options:
> > >
> > > vers=3.0,sec=krb5,credentials=/home/localadmin/.smb3credentials,serverino,noperm,nosharesock,mfsymlinks,uid=lxsmbadmin,gid='domain users'
> > >
> > > The VM is already joined to the AD domain aaddomain.example.com using
> > > winbind.
> > > This is what my smb.conf looks like for winbind:
> > > localadmin at lxsmb-canvm13:~$ cat /etc/samba/smb.conf
> > > [global]
> > > workgroup = AADDOMAIN
> > > security = ADS
> > > realm = AADDOMAIN.EXAMPLE.COM
> > >
> > > winbind refresh tickets = Yes
> > > vfs objects = acl_xattr
> > > map acl inherit = Yes
> > > store dos attributes = Yes
> > >
> > > dedicated keytab file = /etc/krb5.keytab
> > > kerberos method = secrets and keytab
> > >
> > > winbind use default domain = Yes
> > >
> > > load printers = No
> > > printing = bsd
> > > printcap name = /dev/null
> > > disable spoolss = Yes
> > >
> > > log file = /var/log/samba/log.%m
> > > log level = 10
> > >
> > > idmap config * : backend = tdb
> > > idmap config * : range = 3000-7999
> > >
> > > idmap config AADDOMAIN : backend = rid
> > > idmap config AADDOMAIN : range = 10000-999999
> > >
> > > template shell = /bin/bash
> > > template homedir = /home/%U
> > >
> > > localadmin at lxsmb-canvm13:~$ cat /etc/krb5.conf
> > > [libdefaults]
> > > default_realm = AADDOMAIN.EXAMPLE.COM
> > > dns_lookup_realm = false
> > > dns_lookup_kdc = true
> > >
> > > Initially, I tried to use the ubuntu apt packages to install winbind and
> > > related packages.
> > > After going through a bit of code, I wanted to be able to print the debug
> > > logs.
> > > So I decided to install winbind from the latest source:
> > > master branch on git://git.samba.org/samba.git
> > >
> > > Here is the configure I used to build it:
> > > ./configure --with-systemd --bindir=/usr/bin --sbindir=/usr/sbin
> > > --libdir=/usr/lib/x86_64-linux-gnu/samba --sysconfdir=/etc/samba
> > > --localstatedir=/run/samba --includedir=/usr/include/
> > > --datadir=/usr/share/samba --mandir /usr/share/man --enable-debug
> > > --enable-developer --systemd-install-services
> > > --with-systemddir=/usr/lib/systemd/system
> > > --with-privatedir=/var/lib/samba/private --with-systemd --with-pam
> > >
> > > After tweaking a few config files here and there, I've now reached the same
> > > state as when I was running winbind from Ubuntu packages.
> > > I'm now able to ssh/su as the domain user to this system.
> > >
> > > However, I do not see the cred-cache populated.
> > > localadmin at lxsmb-canvm13:~/samba$ sudo klist
> > > klist: No ticket file: /tmp/krb5cc_0
> > > localadmin at lxsmb-canvm13:~/samba$ ls /tmp/krb*
> > > ls: cannot access '/tmp/krb*': No such file or directory
> > >
> > > After a bit of code reading of cifs.upcall, it looks to me like the
> > > expectation is that cred-cache would be populated for the domain user.
> > > If the cred-cache is missing, then it creates a new cred-cache from
> > > the keytab at /etc/krb5.keytab
> > >
> > > So clearly, the expectation is that at least the keytab is already
> > > populated.
> > >
> > > The kerberos method that I've chosen in smb.conf is "secrets and keytab".
> > > So I expect either the secrets.tdb or the krb5.keytab to have an entry for
> > > the domain user lxsmbadmin.
> > > However, I do not see those entries in either of them:
> > >
> > > localadmin at lxsmb-canvm13:~$ sudo tdbdump /var/lib/samba/private/secrets.tdb|grep -i lxsmbadmin
> > > localadmin at lxsmb-canvm13:~$
> > >
> > > localadmin at lxsmb-canvm13:~$ sudo ktutil list|grep -i lxsmbadmin
> > > localadmin at lxsmb-canvm13:~$
> > >
> > > With the domain user already logged in through ssh, I expected that the
> > > kerberos TGT would already have been retrieved and stored locally.
> > > Where would I find that?
> > >
> > > Do note that if I populate the cred-cache manually with the kinit utility
> > > like so:
> > > localadmin at lxsmb-canvm13:~$ sudo kinit lxsmbadmin at aaddomain.example.com
> > > lxsmbadmin at aaddomain.example.com's Password:
> > > localadmin at lxsmb-canvm13:~$
> > >
> > > The cred-cache does get populated and I'm then able to mount the file share
> > > successfully.
> > >
> > > With the log level set to 10 in smb.conf, the logging in /var/log/samba/ is
> > > pretty verbose. I can share those if needed for further debugging.
> > >
> > > =======================================================
> >
> > --
> > / Alexander Bokovoy
> >
>
>
> --
> -Shyam
--
/ Alexander Bokovoy
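Editor's added example, not code from this thread or from Samba: a small POSIX sh audit of the two points the thread turns on. The first function reads a PAM auth line and reports whether pam_winbind is given the krb5_auth and krb5_ccache_type options quoted from the man page above; without krb5_ccache_type the TGT is verified at logon and not kept, which is exactly the "no /tmp/krb5cc_*" symptom described. The second function checks that the /tmp/krb5cc_UID file the FILE cache type produces exists and is private to that uid, since a cache readable by others hands out a usable TGT. Assumptions: one PAM entry per line (the "type control module options" form), GNU stat(1), and the PAM fragments and the fake ccache file are constructed inside the script. It says nothing about the ssh public-key case, where, as the reply above notes, winbindd is never involved.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Assumptions: one PAM
# entry per line, GNU stat(1); all sample input below is constructed.

# Usage: pam_winbind_krb5_status FILE
# Prints no-pam_winbind | no-krb5_auth | no-ccache-type | "ok TYPE"
# and returns 0 only for the last case.
pam_winbind_krb5_status() {
    file="$1"
    # First auth-type line that loads pam_winbind, tabs normalised to spaces.
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$file" \
           | head -n 1 | tr '\t' ' ')
    [ -n "$line" ] || { echo no-pam_winbind; return 1; }
    # krb5_auth enables Kerberos at all (pam_winbind(8), quoted in the thread).
    case " $line " in
        *" krb5_auth "*) ;;
        *) echo no-krb5_auth; return 1 ;;
    esac
    # Without krb5_ccache_type the TGT is checked and then discarded.
    ctype=$(printf '%s\n' "$line" \
            | sed -n 's/.*[[:space:]]krb5_ccache_type=\([^[:space:]]*\).*/\1/p')
    [ -n "$ctype" ] || { echo no-ccache-type; return 1; }
    echo "ok $ctype"
}

# Usage: winbind_ccache_path UID [DIR]   (DIR defaults to /tmp)
# The FILE cache type names the cache /tmp/krb5cc_UID, per pam_winbind(8).
winbind_ccache_path() {
    printf '%s/krb5cc_%s\n' "${2:-/tmp}" "$1"
}

# Usage: ccache_status UID [DIR]
# Prints missing | bad-owner | bad-mode | ok. Anything other than a
# 0600 file owned by UID exposes that user's TGT to other local users.
ccache_status() {
    uid="$1"
    path=$(winbind_ccache_path "$uid" "${2:-/tmp}")
    [ -e "$path" ] || { echo missing; return 1; }
    owner=$(stat -c %u "$path")
    mode=$(stat -c %a "$path")
    [ "$owner" = "$uid" ] || { echo bad-owner; return 1; }
    [ "$mode" = 600 ] || { echo bad-mode; return 1; }
    echo ok
}

# Stand-alone demonstration on constructed PAM fragments and a fake ccache.
demo() {
    dir=$(mktemp -d)
    printf 'auth sufficient pam_winbind.so\n' > "$dir/plain"
    printf 'auth sufficient pam_winbind.so krb5_auth\n' > "$dir/noccache"
    printf 'auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE\n' \
        > "$dir/fixed"
    for f in plain noccache fixed; do
        st=$(pam_winbind_krb5_status "$dir/$f") || true
        printf '%-9s %s\n' "$f" "$st"
    done
    me=$(id -u)
    st=$(ccache_status "$me" "$dir") || true    # missing
    printf 'ccache before logon: %s\n' "$st"
    cc=$(winbind_ccache_path "$me" "$dir")
    : > "$cc"; chmod 600 "$cc"
    st=$(ccache_status "$me" "$dir") || true    # ok
    printf 'ccache after logon:  %s\n' "$st"
    rm -rf "$dir"
}
demo
```

Point pam_winbind_krb5_status at the real auth stack (for example /etc/pam.d/common-auth on Ubuntu) to see which of the three states the host is in; "ok FILE" is the one that produces the file cifs.upcall looks for.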