[Samba] kerberos + winbind + AD authentication for samba 4 domain member
L.P.H. van Belle
belle at bazuin.nl
Wed Nov 1 13:30:09 UTC 2017
Hai,
Now, I'll start with this: I know (almost) nothing about CentOS and I compared your debug with my debug.
Now, I'll give some pointers to check.
Is ssh going through pam? Then check if you have things like this.
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
( and remember these configs are from Debian Stretch )
The server in question, does it have delegate rights ( set in ADUC )?
Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
is missing a \
If you go through your logs, you see: DOMAIN\\kacper_wirski at AD.MYDOMAIN.COM (see the putty logs part)
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
> > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in
> > Kerberos database while getting initial credentials
This shows that the separator is your problem.
You can try it again with setting the separator to "/" and not "\"
And maybe you should try this one first.
[realms]
SAMDOM.EXAMPLE.COM = {
auth_to_local = RULE:[1:SAMDOM\\$1]
#or auth_to_local = RULE:[1:SAMDOM/$1]
}
PS: / is replaced with \ in most config setups, even in Windows, but again I don't know about CentOS.
That's the best I can say about your setup.
I hope it helps you a bit more in the right direction.
I say, check the above and try it out and report back.
Greetz,
Louis
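The two mechanisms this thread turns on, the backslash that goes missing when a bare kinit builds a principal from the POSIX name, and the direction in which the auth_to_local rule maps, modelled in Python as an added example; this is not code from the thread, from Samba or from MIT Kerberos. It assumes MIT's documented principal escape rules (\n, \t, \b, \0; any other escaped character is kept literally) and plain $0/$1 substitution in the rule's format string; the realm and user names are the ones from the thread.

```python
# Escapes recognised in MIT Kerberos principal strings (assumed from MIT's
# documented syntax); any other character after a backslash is kept
# literally, so "\k" becomes "k" and DOMAIN\kacper becomes DOMAINkacper.
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def parse_principal(text, default_realm):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    components, cur, in_realm = [], [], False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):  # escape: keep next char literally
            i += 1
            cur.append(_ESCAPES.get(text[i], text[i]))
        elif c == "/" and not in_realm:      # unescaped component separator
            components.append("".join(cur))
            cur = []
        elif c == "@" and not in_realm:      # unescaped realm separator
            components.append("".join(cur))
            cur, in_realm = [], True
        else:
            cur.append(c)
        i += 1
    if in_realm:
        return components, "".join(cur)
    components.append("".join(cur))
    return components, default_realm  # no realm given: fall back to default


def unparse(components, realm):
    """Render (components, realm) in the form kinit prints."""
    return "/".join(components) + "@" + realm


def auth_to_local_rule1(principal, default_realm, fmt):
    """Apply RULE:[1:<fmt>]: principal -> local name, $0 = realm, $1 = first
    component. The leading 1 means only one-component principals match; the
    format string is assumed (not verified) to be substituted literally."""
    comps, realm = parse_principal(principal, default_realm)
    if len(comps) != 1:
        return None
    return fmt.replace("$0", realm).replace("$1", comps[0])


if __name__ == "__main__":
    realm = "AD.MYDOMAIN.COM"
    print(unparse(*parse_principal("DOMAIN\\kacper_wirski", realm)))
    print(auth_to_local_rule1("kacper_wirski@" + realm, realm, "MYDOMAIN\\$1"))
```

Feeding "DOMAIN/kacper_wirski" to parse_principal yields the two-component name DOMAIN/kacper_wirski@AD.MYDOMAIN.COM, so changing the winbind separator changes which principal kinit asks the KDC for rather than dropping the prefix.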
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Kacper Wirski via samba
> Sent: Wednesday 1 November 2017 13:17
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] kerberos + winbind + AD authentication
> for samba 4 domain member
>
> Also I rushed my response:
>
> Behaviour is not strange, default principal was taken from cache.
>
> So if I run:
>
> [DOMAIN\kacper_wirski at vs-files ~]$ kdestroy
>
> Error returns (kinit uses DOMAINkacper_wirski at AD.MYDOMAIN.COM as
> kerberos principal).
>
>
>
> On 2017-11-01 at 13:11, Kacper Wirski wrote:
> >
> > Hello,
> >
> > Thank You for fast response. I'm glad that it's a mistake
> somewhere on
> > my side, it means it will work when I fix it :)
> >
> > Ok, first of all:
> >
> >
> > Everything is on centos 7.4
> >
> > All config files will be below, but to start off: behaviour is
> > stranger than I thought, but there is a pattern:
> >
> > when doing
> >
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
> > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in
> > Kerberos database while getting initial credentials
> >
> >
> > but then when I do:
> >
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: kacper_wirski at AD.MYDOMAIN.COM
> > Password for kacper_wirski at AD.MYDOMAIN.COM:
> > Warning: Your password will expire in 15 days on Thu 16 Nov 2017
> > 01:50:48 PM CET
> > Authenticated to Kerberos v5
> >
> >
> > and after this, user DOMAIN\kacper_wirski can do "kinit", and it
> > correctly defaults to principal "kacper_wirski at AD.MYDOMAIN.COM":
> >
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> > Using principal: kacper_wirski at AD.MYDOMAIN.COM
> > Password for kacper_wirski at AD.MYDOMAIN.COM:
> >
> >
> > I don't know what gives. After full reboot it still works
> for "this"
> > user. When I log as DOMAIN\someotheruser it behaves exactly
> the same
> > (first adds DOMAIN prefix, then when once ticket is obtained
> > correctly, it seems to work...)
> >
> > kerberos ssh authentication (windows via putty to centos
> with samba 4)
> > works perfectly:
> >
> > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to
> > DOMAIN\\kacper_wirski, krb5 principal kacper_wirski at AD.MYDOMAIN.COM
> > (ssh_gssapi_krb5_cmdok)
> > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]:
> > pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski'
> granted access
> > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted
> > gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32
> port 55825 ssh
> >
> > All file shares hosted by samba are correctly available to windows
> > clients.
> >
> > First of all:
> >
> > On test box I'm using samba 4.6.9 compiled from source.
> >
> > configure was run with simple --with-systemd --without-ad-dc
> >
> > /etc/resolv.conf:
> >
> > # Generated by NetworkManager
> > search ad.mydomain.com
> > nameserver 192.168.1.5
> > nameserver 192.168.1.6
> > nameserver 192.168.1.7
> >
> > all three IPs are DCs with DNS; all work correctly
> >
> > /etc/hostname
> > vs-files.ad.mydomain.com
> >
> > /etc/hosts
> > 192.168.1.13 vs-files.ad.mydomain.com vs-files
> > 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> >
> > /etc/krb5.conf
> > [libdefaults]
> >  default_realm = AD.MYDOMAIN.COM
> >  dns_lookup_realm = true
> >  dns_lookup_kdc = true
> >
> > [realms]
> >  AD.MYDOMAIN.COM = {
> >   auth_to_local = RULE:[1:MYDOMAIN\$1]
> >  }
> >
> > The above rule is taken directly from the linked samba wiki
> guide, and
> > it really works (without it I won't log in with a kerberos
> ticket, unless
> > I drop the "DOMAIN\" part using "winbind use default domain = yes").
> >
> > samba also auto-created its own krb5.conf.DOMAIN file during net ads
> > join (in /usr/local/samba/var/lock/smb_krb5/):
> > [libdefaults]
> >  default_realm = AD.MYDOMAIN.COM
> >  default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >  dns_lookup_realm = false
> >
> > [realms]
> >  AD.MYDOMAIN.COM = {
> >   kdc = 192.168.1.5
> >   kdc = 192.168.1.6
> >   kdc = 192.168.1.7
> >  }
> >
> >
> > /etc/nsswitch.conf
> > passwd: files winbind
> > shadow: files
> > group: files winbind
> >
> > And last but not least:
> >
> > /usr/local/samba/etc/smb.conf (I compiled from source, so all samba
> > files reside in /usr/local/samba/...)
> > [global]
> >  security = ADS
> >  netbios name = VS-FILES
> >  workgroup = DOMAIN
> >  realm = AD.MYDOMAIN.COM
> >  log file = /var/log/samba/%m.log
> >  log level = 5
> >
> >  idmap config *:backend = tdb
> >  idmap config * : range = 1000-2000
> >  idmap config DOMAIN:backend = rid
> >  idmap config DOMAIN:range = 100000-110000
> >
> >  vfs objects = acl_xattr
> >  map acl inherit = yes
> >  store dos attributes = yes
> >  template homedir = /home/%U@%D
> >  template shell = /bin/bash
> >  winbind enum groups = no
> >  winbind enum users = no
> >  kerberos method = secrets and keytab
> >  winbind refresh tickets = yes
> >  winbind use default domain = no
> >  winbind offline logon = yes
> >
> > Example output, when being logged as DOMAIN\kacper_wirski
> (login was
> > using kerberos, as shown in log, no password was required):
> > [DOMAIN\kacper_wirski at vs-files ~]$ whoami
> > DOMAIN\kacper_wirski
> > [DOMAIN\kacper_wirski at vs-files ~]$ id
> > uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users)
> > groups=100513(DOMAIN\domain users)... and some other groups
> from domain
> >
> > but then:
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
> > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in
> > Kerberos database while getting initial credentials
> >
> > if I do:
> >
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: kacper_wirski at AD.MYDOMAIN.COM
> > Password for kacper_wirski at AD.MYDOMAIN.COM:
> > Warning: Your password will expire in 15 days on Thu 16 Nov 2017
> > 01:50:48 PM CET
> > Authenticated to Kerberos v5
> >
> > then:
> > [DOMAIN\kacper_wirski at vs-files ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_101003
> > Default principal: kacper_wirski at AD.MYDOMAIN.COM
> >
> > Valid starting Expires Service principal
> > 11/01/2017 12:32:36 11/01/2017 22:32:36
> > krbtgt/AD.MYDOMAIN.COM at AD.MYDOMAIN.COM
> > renew until 11/02/2017 12:32:31
> >
> > commands like:
> > wbinfo -u etc. everything works, except for the "default principal"
> > used when doing kinit.
> >
> >
> >
> >
> > Please help me understand, where else to look?
> >
> > Could the RULE in krb5.conf be causing all this? I removed it,
> > restarted whole machine, but it didn't change much.
> >
> > On 2017-10-31 at 23:20, Rowland Penny wrote:
> >> On Tue, 31 Oct 2017 22:46:53 +0100
> >> Kacper Wirski via samba <samba at lists.samba.org> wrote:
> >>
> >>> Hello,
> >>>
> >>> I'm setting up AD user logins for a centos 7.4 box. I've
> almost managed
> >>> to do everything the way I want and the way I think it
> should be, but
> >>> I'm missing last piece:
> >>>
> >>> For ssh access I read parts of the
> >>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> >>>
> >>> Most docs recommend using setting in smb.conf:
> >>> winbind use default domain = no
> >>>
> >>> that means that all domain users have DOMAIN\ prefix
> attached. As per
> >>> the aforementioned wiki document I made the workaround for
> >>> authentication to krb5.conf, and it works OK.
> >>>
> >>> What isn't working is "kinit" as-is for logged in AD
> user. To be more
> >>> precise: it works if I specify explicitly username
> >>> kinit myusername
> >>> or
> >>> kinit myusername at MY.DOMAIN.COM
> >>> It works as expected (asks for password and grants ticket)
> >>>
> >>> otherwise plain "kinit" uses by default posix
> username, which in
> >>> this case is DOMAIN\myusername, so it looks for:
> >>> DOMAINmyusername at MY.DOMAIN.COM and fails with no
> principal found in
> >>> database (and rightly so), because obviously it should use
> >>> myusername at MY.DOMAIN.COM.
> >>>
> >>> I know it's not strictly samba related, and I could simply change
> >>> winbind use default domain = yes
> >>> as a workaround, this way everything works as expected,
> except that
> >>> in all docs it's described as not recommended setup, because of
> >>> possible confusion which user is from DOMAIN and which is
> local, and
> >>> of course when multiple domains come into play.
> >>>
> >>> So maybe someone knows of a valid workaround, how to
> force kinit to
> >>> automatically remove/strip DOMAIN prefix from e.g.
> >>> DOMAINmyusername at MY.DOMAIN.COM and change it into
> >>> myusername at MY.DOMAIN.COM? My understanding is that krb5.conf
> >>> "auth_to_local" works the other way around, so it takes valid
> >>> principal, and rewrites it so that it matches posix user and won't
> >>> work in this case, as it's the other way round (posix user
> has to be
> >>> translated into valid principal).
> >>>
> >>> My environment is:
> >>> centos 7.4 OS
> >>> samba 4.5.x is the AD DC
> >>> samba 4.6.9 is domain member server and all tests are done on this
> >>> machine.
> >>>
> >>> As i said, kerberos overall works fine, and it's not
> strictly samba
> >>> issue, but the issue is because of samba configuration and added
> >>> DOMAIN prefix.
> >>>
> >>> Any help/input/comments are appreciated.
> >>>
> >>> Regards, Kacper
> >>>
> >>>
> >> You have something set up incorrectly, if I log into a Unix domain
> >> member and run 'kinit', it works:
> >>
> >> rowland at devstation:~$ whoami
> >> SAMDOM\rowland
> >> rowland at devstation:~$ kinit
> >> Password for rowland at SAMDOM.EXAMPLE.COM:
> >> rowland at devstation:~$
> >>
> >> It also works on a DC.
> >>
> >> Can you post the following files:
> >> /etc/resolv.conf
> >> /etc/hosts
> >> /etc/hostname
> >> /etc/krb5.conf
> >> /etc/samba/smb.conf
> >>
> >> Rowland
> >>
> >