[Samba] kerberos + winbind + AD authentication for samba 4 domain member

Rowland Penny rpenny at samba.org
Wed Nov 1 20:21:31 UTC 2017


On Wed, 1 Nov 2017 19:49:32 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 1 Nov 2017 20:28:05 +0100
> Kacper Wirski <kacper.wirski at gmail.com> wrote:
> 
> > I'm going to start with clean centos install, so I might as well use
> > some additional guidelines, thank You.
> > 
> > When You run kinit, does Your user have ticket already? What I
> > noticed is that when user has a ticket already, kinit works fine,
> > uses as default principal the one from ticket.
> > Can you do kdestroy - then kinit?
> > 
> > Also, on Fedora, did You install samba from source or from repo's
> > RPM?
> > 
> > And last question - for PAM did You manually edit system-auth, or
> > with authconfig?
> > After I do some tests later on, I will update with whatever I manage
> > to find/debug.
> > 
> 
> I realised I had a Centos 7 VM, so I started this, updated it to 7.4
> set 'winbind use default domain = no' then logged in and ran
> 'kinit', I finally get your problem!!!
> 
> Let me get back to you
> 
> Rowland
> 

OK, I am back ;-)

I understand it now, sigh.
This is what I think is happening:
When you kinit as the user, it uses whatever is returned by nsswitch,
but, as a single '\' is treated as an escape character and is
removed, you get DOMAINusername. If you use something else as the
winbind separator e.g. ':' you will get DOMAIN:username, but this
still will not get you anywhere. You will get this:

kinit: Client 'SAMDOM:rowland@SAMDOM.EXAMPLE.COM' not found in
Kerberos database while getting initial credentials

It was this that pointed me in the right direction.
If you check the user's object in AD, you will find the
userPrincipalName attribute; this will contain something like:

rowland@samdom.example.com

This is what kinit is looking for, and if you run 'kinit rowland', this
will work; if you then run 'klist' you will find that the 'Default
principal' is rowland@SAMDOM.EXAMPLE.COM

Net result, you will have to use 'winbind use default domain = yes'

Rowland
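The following script is an added illustration of the behaviour described in this message; it is not part of the original post or of Samba. It models what a bare 'kinit' asks the KDC for, given the login name nsswitch returns (a single '\' dropped as an escape, as described above, then '@REALM' appended), and compares that with the account's userPrincipalName. The realm SAMDOM.EXAMPLE.COM and the UPN rowland@samdom.example.com are taken from the post; the function names, the default_principal/matches_upn/needed_setting helpers and the live_check wrapper are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba.
# Models the principal that 'kinit' (no argument) derives from the
# nsswitch login name and checks it against the AD userPrincipalName.

# Realm taken from the post (assumption: same realm on the reader's domain).
REALM="SAMDOM.EXAMPLE.COM"

# Principal a bare 'kinit' ends up requesting for a given login name.
# A single backslash is treated as an escape and removed, so the
# winbind-style name 'SAMDOM\rowland' turns into 'SAMDOMrowland@REALM'.
default_principal() {
    name=$1
    # drop one backslash escape, as the post describes
    stripped=$(printf '%s' "$name" | sed 's/\\//')
    printf '%s@%s' "$stripped" "$REALM"
}

# Compare a derived principal with the UPN stored in AD.  The user part
# must match exactly; the realm part is compared case-insensitively,
# because the KDC realm is upper-case while UPNs are usually lower-case.
matches_upn() {
    principal=$1
    upn=$2
    p_user=${principal%@*}
    p_realm=$(printf '%s' "${principal#*@}" | tr '[:lower:]' '[:upper:]')
    u_user=${upn%@*}
    u_realm=$(printf '%s' "${upn#*@}" | tr '[:lower:]' '[:upper:]')
    if [ "$p_user" = "$u_user" ] && [ "$p_realm" = "$u_realm" ]; then
        return 0
    else
        return 1
    fi
}

# Report which smb.conf setting a login name implies.  A domain prefix
# with the default '\' separator or the ':' separator mentioned in the
# post means 'winbind use default domain = no' is in effect and a bare
# 'kinit' cannot match the UPN.
needed_setting() {
    case $1 in
        *\\*|*:*) echo "set 'winbind use default domain = yes'" ;;
        *)        echo "ok: login name matches the UPN user part" ;;
    esac
}

# On a real domain member (needs winbind in nsswitch; not part of the
# offline checks): look at the name winbind hands out for the current
# user and report the needed setting.  Verify afterwards with
# 'kdestroy; kinit; klist' and compare 'Default principal' with the UPN.
live_check() {
    needed_setting "$(id -un)"
}

# Constructed walk-through of the two cases from the post.
for login in 'SAMDOM\rowland' 'rowland'; do
    p=$(default_principal "$login")
    printf 'login %-16s -> kinit asks for %s (%s)\n' "$login" "$p" \
        "$(needed_setting "$login")"
done
```

Run it on a domain member as the AD user and it shows the requested principal for both forms of the login name; the second form (login name without a domain prefix, i.e. 'winbind use default domain = yes') is the only one whose derived principal equals the UPN.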


