[Samba] Samba & Active Directory w/ Kerberos Trust
jrafferty at tamu.edu
Mon Nov 5 12:58:51 MST 2012
Hi Andrew, thanks for the reply.
Presently, my configuration (as shown) works great for user accounts with known passwords within the active directory domain (very few of these - mostly admin, service, & test accounts). The issue lies when trying to use UPN-mapped user accounts. Active directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masquerade as that AD user with a valid TGT from the trusted realm.
Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE
Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.
On Nov 4, 2012, at 9:39 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2012-11-01 at 15:00 +0000, Rafferty, Joseph wrote:
>> I'm having some difficulty understanding the best approach to setting up a samba fileserver in our environment. We have an active directory domain (2008) that has account "stubs" that we use for security and authorization (the passwords are unknown/random). This domain has a one-way Kerberos trust to an MIT Kerberos realm that we use for authentication. The user accounts are name-mapped to the corresponding principal name in the kerberos/authentication realm. I had planned to net join the server to the active directory realm for user and group resolution, but configure PAM to use pam_krb5 for authentication instead of winbind. However, it appears to me that, by design, Samba is not able to authenticate and authorize in two different realms this way for the following reason:
>> "Samba always ignores PAM for authentication in the case of encrypt passwords = yes<http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS>"
>> Setting "encrypt passwords = no" results in the following testparm error:
>> ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always be set to 'true'.
>> Anyone successfully authenticating this way?
>> Thanks for the help!
>> log file = /var/log/samba/log.%m
>> log level = auth:3
>> max log size = 50
>> security = ads
>> netbios name = SERVERNAME
>> realm = AD.DOMAIN.EDU
>> password server = dc.ad.domain.edu
>> workgroup = AD
>> idmap uid = 10000-5000000
>> idmap gid = 10000-5000000
>> winbind separator = +
>> winbind enum users = no
>> winbind enum groups = no
>> winbind use default domain = yes
>> obey pam restrictions = yes
> What error do you get when you use *just* what you have above?
> You should run winbind, and accept kerberos logins from your clients.
> We need to be joined to the AD domain.
> As long as the tickets contain a PAC, we really don't mind where they
> came from.
> Don't try and involve PAM or turn off encrypted passwords, because we
> never get a plaintext password from modern clients anyway.
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
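The testparm error quoted earlier in the thread is a fixed rule in Samba's parameter checking: with security = domain or security = ads, encrypt passwords cannot be turned off. The following is an added example, not part of the original post and not Samba's own testparm code, that reads an smb.conf [global] section and applies that rule, plus one extra check (an ads server needs realm set) which is an assumption of this example rather than something the thread states. The two configurations inside it are constructed from the settings posted above; the [global] header was added because the posted fragment omits it.

```python
"""Lint an smb.conf [global] section for the testparm rule quoted in the thread.

Example code added for illustration; it is not Samba's testparm and does not
replace it. Run testparm on a real server to get the authoritative result.
"""
import re

# Constructed from the configuration posted in the thread ([global] added).
POSTED_CONF = """
[global]
    log file = /var/log/samba/log.%m
    log level = auth:3
    max log size = 50
    security = ads
    netbios name = SERVERNAME
    realm = AD.DOMAIN.EDU
    password server = dc.ad.domain.edu
    workgroup = AD
    idmap uid = 10000-5000000
    idmap gid = 10000-5000000
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    obey pam restrictions = yes
"""

# Constructed: the variant the poster tried, which testparm rejects.
BROKEN_CONF = POSTED_CONF + "    encrypt passwords = no\n"


def norm(name):
    """Samba matches parameter names case-insensitively and ignores spaces."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}} for an smb.conf body.

    Lines whose first non-blank character is '#' or ';' are comments, as in
    smb.conf. Parameters before any section header are treated as [global].
    """
    sections = {}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[norm(key)] = value.strip()
    return sections


def to_bool(value, default=True):
    """Interpret a Samba boolean (yes/true/1 or no/false/0)."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a boolean: %r" % value)


def lint(sections):
    """Return a list of error strings; an empty list means the checks passed."""
    g = sections.get("global", {})
    security = g.get(norm("security"), "user").lower()
    # encrypt passwords defaults to yes in Samba; only an explicit 'no' trips the rule.
    encrypt = to_bool(g.get(norm("encrypt passwords")), default=True)
    errors = []
    if security in ("domain", "ads") and not encrypt:
        errors.append(
            "in 'security=%s' mode the 'encrypt passwords' parameter must "
            "always be set to 'true'." % security
        )
    # Assumed extra check for this example: an ads member needs a Kerberos realm.
    if security == "ads" and not g.get(norm("realm")):
        errors.append("'security=ads' requires 'realm' to be set.")
    return errors


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("broken", BROKEN_CONF)):
        print(label, lint(parse_smb_conf(conf)) or "ok")
```

Running it prints "ok" for the posted configuration and the testparm-style error for the variant with encrypt passwords = no, which is the outcome the thread describes: the way to use Kerberos tickets from the trusted realm is to keep security = ads with winbind, not to route authentication through PAM.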