[Samba] Samba & Active Directory w/ Kerberos Trust
Rafferty, Joseph
jrafferty at tamu.edu
Mon Nov 5 14:39:42 MST 2012
For the user "continuum\jrafferty" (continuum is the AD realm):
http://pastebin.com/DJ3xShTr
Using the user principal name, "jrafferty at TAMU.EDU"
http://pastebin.com/34VXJuAc
Using just "jrafferty"
http://pastebin.com/ZF7EE2n7
Interestingly, I emailed our AD admins on the status of that AD trust, and was told that it is in place and in production (realm is AUTH). If I try a different user, "auth\jrafferty":
http://pastebin.com/aZX6zxGY
---------------
So, it seems now I just need to research how to modify smb.conf to make AUTH my primary domain, since it seems 'winbind use default domain' isn't working correctly, even for CONTINUUM (see [MYGROUP]\ in the above examples).
-Joseph
On Nov 5, 2012, at 2:09 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2012-11-05 at 19:58 +0000, Rafferty, Joseph wrote:
>> Hi Andrew, thanks for the reply.
>>
>> Presently, my configuration (as shown) works great for user accounts with known passwords within the Active Directory domain (very few of these - mostly admin, service, & test accounts). The issue lies when trying to use UPN-mapped user accounts. Active Directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masq as that AD user with a valid TGT from the trusted realm.
>>
>> Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE
>>
>> Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.
>
> I *think* the idea with this kind of trust/mapping thing is that 'AD'
> servers (like Samba) get a ticket that includes the PAC, even if the
> initial user came from MIT.
>
> That's pretty much the only way we can work, if we are to get the
> windows groups etc. You will need to dig in further into why we return
> LOGON_FAILURE with a higher log level and our debug logs.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>
>