[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Rowland Penny
rpenny at samba.org
Wed Nov 1 13:52:04 UTC 2017
As luck would have it, I installed a Samba Unix domain member on Fedora
26 yesterday, so I started it again and it works on that as well, so
it should work on CentOS.
See comments below:
On Wed, 1 Nov 2017 13:11:29 +0100
Kacper Wirski <kacper.wirski at gmail.com> wrote:
> Hello,
>
> Thank you for fast response. I'm glad that it's a mistake somewhere
> on my side, it means it will work when I fix it :)
>
> Ok, first of all:
>
>
> Everything is on CentOS 7.4
>
> All config files will be below, but to start off: behaviour is
> stranger than I thought, but there is a pattern:
>
> when doing
>
> [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: DOMAINkacper_wirski@AD.MYDOMAIN.COM
> kinit: Client 'DOMAINkacper_wirski@AD.MYDOMAIN.COM' not found in
> Kerberos database while getting initial credentials
>
>
> but then when I do:
>
> [DOMAIN\kacper_wirski@vs-files ~]$ kinit kacper_wirski -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: kacper_wirski@AD.MYDOMAIN.COM
> Password for kacper_wirski@AD.MYDOMAIN.COM:
> Warning: Your password will expire in 15 days on Thu 16 Nov 2017
> 01:50:48 PM CET
> Authenticated to Kerberos v5
>
>
> and after this, user DOMAIN\kacper_wirski can do "kinit", and it
> correctly defaults to principal "kacper_wirski@AD.MYDOMAIN.COM":
>
> [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> Using principal: kacper_wirski@AD.MYDOMAIN.COM
> Password for kacper_wirski@AD.MYDOMAIN.COM:
>
>
> I don't know what gives. After full reboot it still works for "this"
> user. When I log in as DOMAIN\someotheruser it behaves exactly the same
> (first it adds the DOMAIN prefix, then once a ticket is obtained
> correctly, it seems to work...)
No idea why this is happening, all I can say is, it doesn't work like
that on Devuan, it just works ;-)
> /etc/hostname
> vs-files.ad.mydomain.com
The FQDN is not the hostname, why does Red Hat do this?
I would change this to:
vs-files
>
> /etc/hosts
> 192.168.1.13 vs-files.ad.mydomain.com vs-files
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
There is no such thing as 'localdomain', I would change this to:
127.0.0.1 localhost
::1 localhost
192.168.1.13 vs-files.ad.mydomain.com vs-files
>
> /etc/krb5.conf
> [libdefaults]
>   default_realm = AD.MYDOMAIN.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>
> [realms]
>   AD.MYDOMAIN.COM = {
>     auth_to_local = RULE:[1:MYDOMAIN\$1]
>   }
>
> The above rule is taken directly from the linked samba wiki guide,
> and it really works (without it I can't log in with a kerberos ticket,
> unless I drop the "DOMAIN\" part using "winbind use default domain = yes").
It should be 'dns_lookup_realm = false'
>
> samba also auto-created its own krb5.conf.DOMAIN file during net ads
> join (in /usr/local/samba/var/lock/smb_krb5/):
> [libdefaults]
>   default_realm = AD.MYDOMAIN.COM
>   default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>   dns_lookup_realm = false
>
> [realms]
>   AD.MYDOMAIN.COM = {
>     kdc = 192.168.1.5
>     kdc = 192.168.1.6
>     kdc = 192.168.1.7
>   }
>
I have never seen a Samba created krb5.conf like that
>
> /usr/local/samba/etc/smb.conf (I compiled from source, so all samba
> files reside in /usr/local/samba/...)
> [global]
>   security = ADS
>   netbios name = VS-FILES
>   workgroup = DOMAIN
>   realm = AD.MYDOMAIN.COM
>   log file = /var/log/samba/%m.log
>   log level = 5
>
>   idmap config *:backend = tdb
>   idmap config * : range = 1000-2000
>   idmap config DOMAIN:backend = rid
>   idmap config DOMAIN:range = 100000-110000
>
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>   template homedir = /home/%U@%D
I would have used '/home/%D/%U'
I changed the files on my Fedora 26 machine to match the Samba wikipage
you referred to and it still works, I can login as a domain user and
run 'kinit' and it works:
[SAMDOM\rowland@f26 ~]$ kinit
Password for rowland@SAMDOM.EXAMPLE.COM:
[SAMDOM\rowland@f26 ~]$
Rowland
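The three settings Rowland picks out above (short hostname, no "localdomain" entries in /etc/hosts, dns_lookup_realm = false) can be checked before re-running the join. The script below is an added example, not code from the thread or from the Samba project; the check functions and the constructed sample files are my own, and the paths are parameters so the checks can be pointed at real files or at copies.

```shell
#!/bin/sh
# Added example: sanity checks for the settings discussed in the thread.
# Paths are parameters so the checks can run against constructed copies.

# 0 if the hostname file holds a short name, 1 if it holds an FQDN or is empty.
check_short_hostname() {
    name=$(head -n1 "$1" | tr -d '[:space:]')
    case "$name" in
        ""|*.*) return 1 ;;
        *)      return 0 ;;
    esac
}
# 0 if the hosts file maps $2 (ip) to "$3 $4" (FQDN first, then short name).
check_hosts_entry() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]+$4([[:space:]]|$)" "$1"
}
# 0 if no line in the hosts file carries the bogus "localdomain" suffix.
check_no_localdomain() {
    ! grep -q 'localdomain' "$1"
}
# 0 if [libdefaults] in the krb5.conf sets dns_lookup_realm = false.
check_dns_lookup_realm() {
    awk '{ gsub(/=/, " ") }                            # "k=v" and "k = v" alike
         /^[ \t]*\[/ { insec = ($1 == "[libdefaults]") }
         insec && $1 == "dns_lookup_realm" { found = 1; val = tolower($2) }
         END { exit !(found && val == "false") }' "$1"
}
# Runs every check; problems go to stderr, the number of failed checks to stdout.
# Args: hostname file, hosts file, krb5.conf, ip, fqdn, short name.
audit_member() {
    fails=0
    check_short_hostname "$1" || { echo "hostname should be the short name, not the FQDN" >&2; fails=$((fails+1)); }
    check_hosts_entry "$2" "$4" "$5" "$6" || { echo "hosts is missing: $4 $5 $6" >&2; fails=$((fails+1)); }
    check_no_localdomain "$2" || { echo "hosts: drop the localdomain entries" >&2; fails=$((fails+1)); }
    check_dns_lookup_realm "$3" || { echo "krb5.conf: set dns_lookup_realm = false" >&2; fails=$((fails+1)); }
    echo "$fails"
}
# Constructed sample files mirroring the thread; not the poster's real files.
SAMPLE=$(mktemp -d)
printf 'vs-files.ad.mydomain.com\n' > "$SAMPLE/hostname.bad"
printf 'vs-files\n' > "$SAMPLE/hostname.good"
printf '192.168.1.13 vs-files.ad.mydomain.com vs-files\n127.0.0.1 localhost localhost.localdomain\n' > "$SAMPLE/hosts.bad"
printf '127.0.0.1 localhost\n::1 localhost\n192.168.1.13 vs-files.ad.mydomain.com vs-files\n' > "$SAMPLE/hosts.good"
printf '[libdefaults]\n default_realm = AD.MYDOMAIN.COM\n dns_lookup_realm = true\n[realms]\n' > "$SAMPLE/krb5.bad"
printf '[libdefaults]\n default_realm = AD.MYDOMAIN.COM\n dns_lookup_realm = false\n' > "$SAMPLE/krb5.good"

echo "failed checks (as posted): $(audit_member "$SAMPLE/hostname.bad" "$SAMPLE/hosts.bad" "$SAMPLE/krb5.bad" 192.168.1.13 vs-files.ad.mydomain.com vs-files)"
echo "failed checks (as advised): $(audit_member "$SAMPLE/hostname.good" "$SAMPLE/hosts.good" "$SAMPLE/krb5.good" 192.168.1.13 vs-files.ad.mydomain.com vs-files)"
```

On a real member, point audit_member at /etc/hostname, /etc/hosts and /etc/krb5.conf with the machine's own IP and names.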