[Samba] kerberos + winbind + AD authentication for samba 4 domain member

Rowland Penny rpenny at samba.org
Wed Nov 1 13:52:04 UTC 2017



As luck would have it, I installed a Samba Unix domain member on Fedora
26 yesterday, so I started it again and it works on that as well, so
it should work on Centos.

See comments below:

On Wed, 1 Nov 2017 13:11:29 +0100
Kacper Wirski <kacper.wirski at gmail.com> wrote:

> Hello,
> 
> Thank you for the fast response. I'm glad that it's a mistake somewhere
> on my side, it means it will work when I fix it :)
> 
> Ok, first of all:
> 
> 
> Everything is on centos 7.4
> 
> All config files will be below, but to start off: behaviour is
> stranger than I thought, but there is a pattern:
> 
> when doing
> 
> [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: DOMAINkacper_wirski@AD.MYDOMAIN.COM
> kinit: Client 'DOMAINkacper_wirski@AD.MYDOMAIN.COM' not found in Kerberos database while getting initial credentials
> 
> 
> but then when I do:
> 
> [DOMAIN\kacper_wirski@vs-files ~]$ kinit kacper_wirski -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: kacper_wirski@AD.MYDOMAIN.COM
> Password for kacper_wirski@AD.MYDOMAIN.COM:
> Warning: Your password will expire in 15 days on Thu 16 Nov 2017 01:50:48 PM CET
> Authenticated to Kerberos v5
> 
> 
> and after this, user DOMAIN\kacper_wirski can do "kinit", and it
> correctly defaults to principal "kacper_wirski@AD.MYDOMAIN.COM":
> 
> [DOMAIN\kacper_wirski@vs-files ~]$ kinit -V
> Using principal: kacper_wirski@AD.MYDOMAIN.COM
> Password for kacper_wirski@AD.MYDOMAIN.COM:
> 
> 
> I don't know what gives. After full reboot it still works for "this" 
> user. When I log as DOMAIN\someotheruser it behaves exactly the same 
> (first adds DOMAIN prefix, then when once ticket is obtained
> correctly, it seems to work...)

No idea why this is happening, all I can say is, it doesn't work like
that on Devuan, it just works ;-)

> /etc/hostname
> vs-files.ad.mydomain.com

The FQDN is not the hostname, why does Red Hat do this?
I would change this to:

vs-files

> 
> /etc/hosts
> 192.168.1.13 vs-files.ad.mydomain.com vs-files
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

There is no such thing as 'localdomain', I would change this to:

127.0.0.1 localhost
::1 localhost
192.168.1.13 vs-files.ad.mydomain.com vs-files

> 
> /etc/krb5.conf
> [libdefaults]
>     default_realm = AD.MYDOMAIN.COM
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
> 
> [realms]
>     AD.MYDOMAIN.COM = {
>         auth_to_local = RULE:[1:MYDOMAIN\$1]
>         }
> 
> The above rule is taken directly from the linked Samba wiki guide,
> and it really works (without it I can't log in with a Kerberos ticket,
> unless I drop the "DOMAIN\" part using "winbind use default domain = yes").

It should be 'dns_lookup_realm = false'

> 
> Samba also auto-created its own krb5.conf.DOMAIN file during net ads
> join (in /usr/local/samba/var/lock/smb_krb5/):
> [libdefaults]
>         default_realm = AD.MYDOMAIN.COM
>         default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>         dns_lookup_realm = false
> 
> [realms]
>         AD.MYDOMAIN.COM = {
>                 kdc = 192.168.1.5
>                 kdc = 192.168.1.6
>                 kdc = 192.168.1.7
>         }
> 

I have never seen a Samba-created krb5.conf like that

> 
> /usr/local/samba/etc/smb.conf (I compiled from source, so all Samba
> files reside in /usr/local/samba/...)
> [global]
>         security = ADS
>         netbios name = VS-FILES
>         workgroup = DOMAIN
>         realm = AD.MYDOMAIN.COM
>         log file = /var/log/samba/%m.log
>         log level = 5
> 
>    idmap config *:backend = tdb
>    idmap config * : range = 1000-2000
>    idmap config DOMAIN:backend = rid
>    idmap config DOMAIN:range = 100000-110000
> 
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         template homedir = /home/%U@%D

I would have used '/home/%D/%U'

I changed the files on my Fedora 26 machine to match the Samba wikipage
you referred to and it still works, I can login as a domain user and
run 'kinit' and it works:

[SAMDOM\rowland@f26 ~]$ kinit
Password for rowland@SAMDOM.EXAMPLE.COM:
[SAMDOM\rowland@f26 ~]$

Rowland
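As an added example, not code from the thread, from Samba or from MIT krb5: a small Python model of how MIT Kerberos evaluates auth_to_local rules such as the RULE:[1:MYDOMAIN\$1] quoted above, plus a check that the mapped name has the WORKGROUP\user shape winbind resolves when "winbind use default domain" is off. The embedded krb5.conf is constructed to mirror the one in the thread, the parser handles only that file's constructs, and the rule engine is a simplification of the library's (rules are read from the principal's realm block, DEFAULT applies when none are configured, sed-style substitutions are passed straight to re.sub).

```python
import re
KRB5_CONF = r"""
[libdefaults]
    default_realm = AD.MYDOMAIN.COM
[realms]
    AD.MYDOMAIN.COM = {
        auth_to_local = RULE:[1:MYDOMAIN\$1]
    }
"""  # constructed krb5.conf modelled on the thread's, not the poster's actual file
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def parse_krb5(text):
    """Tiny krb5.conf reader: {section: {key: [values]}}, realm-block keys prefixed 'REALM.'."""
    conf, section, block = {}, None, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf[section] = {}
        elif line.endswith("{"):
            block = line.split("=")[0].strip()
        elif line == "}":
            block = None
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            conf[section].setdefault(f"{block}.{key}" if block else key, []).append(val)
    return conf

def auth_to_local(principal, conf):
    """MIT-style mapping: rules come from the principal's realm block; none configured
    means DEFAULT (one-component principal in the default realm -> that component)."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    for rule in conf.get("realms", {}).get(f"{realm}.auth_to_local") or ["DEFAULT"]:
        if rule == "DEFAULT":
            if realm == conf["libdefaults"]["default_realm"][0] and len(comps) == 1:
                return comps[0]
            continue
        n, fmt, sel, pat, repl, flag = RULE_RE.match(rule).groups()
        # $0 is the realm, $1..$n the name components
        out = re.sub(r"\$(\d+)", lambda m: ([realm] + comps)[int(m.group(1))], fmt)
        if int(n) != len(comps) or (sel and not re.fullmatch(sel, out)):
            continue  # wrong component count, or the selector regexp rejects it
        if pat:
            out = re.sub(pat, repl, out, count=0 if flag else 1)
        return out
    return None  # no rule accepted the principal: the login path gets no local name

def matches_winbind_name(local_name, workgroup, separator="\\"):
    # Shape winbind resolves when 'winbind use default domain' is off: WORKGROUP<separator>user
    return local_name is not None and local_name.split(separator, 1)[0].upper() == workgroup.upper()
```

The prefix in the rule has to be the NetBIOS workgroup name and the separator the configured "winbind separator", otherwise the mapped name is one winbind cannot resolve even though Kerberos itself succeeded.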


