[Samba] Cache auth credentials on Samba domain member

Gionatan Danti g.danti at assyoma.it
Wed Jun 7 05:40:58 UTC 2017


On 06-06-2017 19:34 Uri Simchoni wrote:
> I can confirm that latest (master) smbd cannot, in the general case,
> authenticate users based on the Kerberos ticket, something which *can*
> be done in principle, at least for some id-mapping backends.
> 
> The architecture of AD is such that if a Windows client has a ticket to
> a Windows server cifs service, then the server should generally be able
> to authenticate the client without being connected to a domain
> controller, all based on the information in the ticket.
> 
> The challenges Samba is facing are:
> 1. being a UNIX program, it also must be able to translate the Windows
> security identifier (SID) to a UNIX uid or gid when not connected to AD.
> The feasibility of this depends on the idmap backend (for example, the
> rid backend does this, as it is purely algorithmic and does not require
> any info from AD. OTOH ldap backends need to make a query to a server).
> 2. it has to construct the user UNIX profile (uid/gid/shell/home dir)
> even when not connected to AD. The feasibility of this depends on
> whether or not the account templates contain the primary group name (%G
> or %g appearing in "homedir template" or "shell template"), as this info
> is not conveyed in the Kerberos ticket.
> 3. If share access lists in smb.conf reference names of AD users and
> groups, smbd has to convert those to Windows SIDs in order to check
> access. The workaround is not to do it (use registry-based shares, or
> nested groups, or put the SIDs of the AD users/groups in smb.conf).
> 
> Even if the configuration adheres to all those guidelines, Samba still
> fails because of the way it does things. This can be fixed, but requires
> code fixes.
> 
> Jeremy, here's a recent rebase of the patch set I made to work around
> some issues:
> 
> https://github.com/urisimchoni/samba/commits/offline
> 
> - The first three are small fixes, I think they can be applied.
> - The rest is an effort to avoid having to look up the SID as part of
> sid->unix id mapping. Volker suggested other ways of doing this (partly
> a matter of taste and partly a matter of legitimate concern about a race
> condition that exists in the case of multiple trusted domains), and I
> had no time to drive this home.
> 
> So that's the update....
> 
> Thanks,
> Uri.

Very detailed explanation.
Thank you Uri.

-- 
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
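Uri's points 1 and 2 above hinge on two checks an administrator can make before relying on offline Kerberos authentication: whether the idmap backend can map a SID to a UNIX id purely algorithmically, and whether the home directory or shell templates expand %g/%G (which needs the primary group name that the ticket does not carry). The following is an added example written for this page, not code from the thread or from Samba; it assumes the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID, refused outside the configured range), and the domain SID, range and class names (`Sid`, `RidIdmap`) are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example values (hypothetical domain SID and idmap range);
# they are not taken from the thread.
EXAMPLE_DOMAIN_SID = "S-1-5-21-1111-2222-3333"
EXAMPLE_RANGE = (10000, 19999)

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
TEMPLATE_GROUP_RE = re.compile(r"%[gG]")


@dataclass(frozen=True)
class Sid:
    """A Windows SID split into identifier authority and sub-authorities; the last
    sub-authority is the relative identifier (RID) of the account."""
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    @property
    def domain(self) -> str:
        # Everything except the trailing RID identifies the issuing domain.
        return "S-1-%d-%s" % (self.authority,
                              "-".join(str(s) for s in self.subauthorities[:-1]))

    def __str__(self) -> str:
        return "S-1-%d-%s" % (self.authority,
                              "-".join(str(s) for s in self.subauthorities))


def parse_sid(text: str) -> Sid:
    """Parse 'S-1-<authority>-<sub>-...-<rid>'; reject strings with no domain part."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    subs = tuple(int(x) for x in m.group(2).lstrip("-").split("-"))
    if len(subs) < 2:
        raise ValueError("SID has no domain part: %r" % text)
    return Sid(int(m.group(1)), subs)


@dataclass(frozen=True)
class RidIdmap:
    """Algorithmic SID<->ID mapping in the style of idmap_rid (assumed formula:
    ID = RID - BASE_RID + LOW_RANGE_ID). No directory lookup is needed, which is
    why it keeps working while the domain controller is unreachable."""
    domain_sid: str
    range_low: int
    range_high: int
    base_rid: int = 0

    def sid_to_id(self, sid: Sid) -> Optional[int]:
        if sid.domain != self.domain_sid:  # a foreign/trusted domain needs another backend
            return None
        unix_id = sid.rid - self.base_rid + self.range_low
        if not self.range_low <= unix_id <= self.range_high:
            return None  # outside the configured range: refuse rather than collide
        return unix_id

    def id_to_sid(self, unix_id: int) -> Optional[Sid]:
        if not self.range_low <= unix_id <= self.range_high:
            return None
        rid = unix_id - self.range_low + self.base_rid
        base = parse_sid(self.domain_sid)
        return Sid(base.authority, base.subauthorities + (rid,))


def template_needs_group_name(template: str) -> bool:
    """True if a homedir/shell template expands %g or %G, i.e. needs the primary
    group name, which the Kerberos ticket does not convey (point 2 in the thread)."""
    return TEMPLATE_GROUP_RE.search(template) is not None


def offline_mapping_report(idmap: RidIdmap, sid_strings: List[str],
                           templates: List[str]) -> Dict[str, object]:
    """Summarise which SIDs resolve without AD and which templates would still need it."""
    ids = {s: idmap.sid_to_id(parse_sid(s)) for s in sid_strings}
    return {
        "ids": ids,
        "unmappable_offline": [s for s, i in ids.items() if i is None],
        "templates_need_ad": [t for t in templates if template_needs_group_name(t)],
    }


if __name__ == "__main__":
    idmap = RidIdmap(EXAMPLE_DOMAIN_SID, *EXAMPLE_RANGE)
    report = offline_mapping_report(
        idmap,
        [EXAMPLE_DOMAIN_SID + "-1105", EXAMPLE_DOMAIN_SID + "-20000", "S-1-5-21-9-9-9-1105"],
        ["/home/%D/%U", "/home/%G/%U"],
    )
    for key, value in report.items():
        print(key, value)
```

The report makes the failure modes concrete: a RID past the range top, or a SID from a trusted domain the rid backend is not configured for, cannot be mapped offline, and a template that uses %g/%G will force a directory query even when the SID itself maps algorithmically.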
