[Samba] Samba & Active Directory w/ Kerberos Trust

Rafferty, Joseph jrafferty at tamu.edu
Mon Nov 5 14:39:42 MST 2012


For the user "continuum\jrafferty" (continuum is the AD realm):

	http://pastebin.com/DJ3xShTr

Using the user principal name, "jrafferty at TAMU.EDU"

	http://pastebin.com/34VXJuAc

Using just "jrafferty"

	http://pastebin.com/ZF7EE2n7

Interestingly, I emailed our AD admins on the status of that AD trust, and was told that it is in place and in production (realm is AUTH). If I try a different user, "auth\jrafferty":

	http://pastebin.com/aZX6zxGY


---------------


So, it seems now I just need to research how to modify smb.conf to make AUTH my primary domain, since it seems 'winbind use default domain' isn't working correctly, even for CONTINUUM (see [MYGROUP]\ in the above examples).

-Joseph

On Nov 5, 2012, at 2:09 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2012-11-05 at 19:58 +0000, Rafferty, Joseph wrote:
>> Hi Andrew, thanks for the reply.
>> 
>> Presently, my configuration (as shown) works great for user accounts with known passwords within the active directory domain (very few of these - mostly admin, service, & test accounts). The issue lies when trying to use upn-mapped user accounts. Active directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masq as that AD user with a valid TGT from the trusted realm.
>> 
>> Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE
>> 
>> Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.
> 
> I *think* the idea with this kind of trust/mapping thing is that 'AD'
> servers (like Samba) get a ticket that includes the PAC, even if the
> initial user came from MIT. 
> 
> That's pretty much the only way we can work, if we are to get the
> windows groups etc.  You will need to dig in further into why we return
> LOGON_FAILURE with a higher log level and our debug logs.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> 
> 
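As an added illustration that is not from the thread or from Samba's own documentation, here is a minimal member-server smb.conf fragment with the parameters the discussion touches; CONTINUUM (joined domain) and AUTH (trusted realm) are taken from the thread, and the realm value is a placeholder. One thing worth checking from the pasted output is that the `MYGROUP\` prefix is exactly what Samba's shipped example smb.conf sets as `workgroup`.

```ini
[global]
    # NetBIOS name of the domain this host is joined to. winbind prefixes
    # user names with this value, so a MYGROUP\ prefix in `id`/`wbinfo`
    # output suggests the example-file default was never changed.
    workgroup = CONTINUUM

    # Kerberos realm of the joined AD domain (placeholder value).
    realm = CONTINUUM.EXAMPLE.EDU
    security = ads

    # Drops the DOMAIN\ prefix, but only for the joined (primary) domain.
    # Users from a trusted realm are still reported as AUTH\user, so this
    # parameter alone cannot make AUTH the "default" domain of a host
    # that is joined to CONTINUUM.
    winbind use default domain = yes
    winbind separator = \

    # While chasing NT_STATUS_LOGON_FAILURE, raise the auth and winbind
    # debug classes without flooding the rest of the log.
    log level = 1 auth:10 winbind:5
    log file = /var/log/samba/log.%m
```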