[Samba] kerberos + winbind + AD authentication for samba 4 domain member

Kacper Wirski kacper.wirski at gmail.com
Wed Nov 1 21:00:59 UTC 2017


Ok, at least I know that it's not the fault of my configuration.

I was hoping that there may be some kerberos/kinit option to modify the
systemwide default principal pattern, or maybe something could be done with
how winbind presents AD users to the local OS while still... Can't have
everything, it seems.

In this case here is my follow-up question:
- how will this work on DCs? I know that winbind is integrated into the main
"samba" process. I don't have a test DC right now and I can't test it, but is
it at all possible to set "use default domain = yes" on a samba DC and not
impair anything? On the DCs it's not as important to me, as only a few
actual domain users will ever actually log in there (only admins), but still
I'd rather have as much consistency across all systems as possible.

Regards,
Kacper

2017-11-01 21:21 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 1 Nov 2017 19:49:32 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Wed, 1 Nov 2017 20:28:05 +0100
> > Kacper Wirski <kacper.wirski at gmail.com> wrote:
> >
> > > I'm going to start with clean centos install, so I might as well use
> > > some additional guidelines, thank You.
> > >
> > > When You run kinit, does Your user have ticket already? What I
> > > noticed is that when user has a ticket already, kinit works fine,
> > > uses as default principal the one from ticket.
> > > Can you do kdestroy - then kinit?
> > >
> > > Also, on Fedora, did You install samba from source or from repo's
> > > RPM?
> > >
> > > And last question - for PAM did You manually edit system-auth, or
> > > with authconfig?
> > > After I do some tests later on, I will update with whatever I manage
> > > to find/debug.
> > >
> >
> > I realised I had a Centos 7 VM, so I started this, updated it to 7.4
> > set 'winbind use default domain = no' then logged in and ran
> > 'kinit', I finally get your problem!!!
> >
> > Let me get back to you
> >
> > Rowland
> >
>
> OK, I am back ;-)
>
> I understand it now, sigh
> This is what I think is happening;
> When you kinit as the user, it uses whatever is returned by nsswitch,
> but, as a single '\' is treated as an escape character and is
> removed, you get DOMAINusername. If you use something else as the
> winbind separator, e.g. ':', you will get DOMAIN:username, but this
> still will not get you anywhere. You will get this:
>
> kinit: Client 'SAMDOM:rowland at SAMDOM.EXAMPLE.COM' not found in
> Kerberos database while getting initial credentials
>
> It was this that pointed me in the right direction.
> If you check the users object in AD, you will find the
> userPrincipalName attribute, this will contain something like:
>
> rowland at samdom.example.com
>
> This is what kinit is looking for and if you run 'kinit rowland', this
> will work and if you run 'klist' you will find that the 'Default
> principal' is rowland at SAMDOM.EXAMPLE.COM
>
> Net result, you will have to use 'winbind use default domain = yes'
>
> Rowland
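
The mechanism Rowland describes above, worked through as an added shell example (this is editor-supplied code, not from the thread, Samba, or MIT Kerberos): with 'winbind use default domain = no', nsswitch hands back DOMAIN<separator>user, an unquoted single backslash disappears at the shell, and kinit then asks the KDC for a client principal that does not exist; what the KDC knows is the userPrincipalName, i.e. user@REALM. The helper below strips the winbind separator and builds that principal, so a user can kinit explicitly without flipping the smb.conf setting. SAMDOM, samdom.example.com and the user name rowland are the placeholder values from the thread; the separator and realm arguments are assumptions you must set for your own site.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Samba.
#
# Background (from the thread): with
#     winbind use default domain = no
#     winbind separator = \          (the default)
# `id -un` / getent return 'SAMDOM\rowland'; typed unquoted that becomes
# 'SAMDOMrowland', and even with a ':' separator 'SAMDOM:rowland' is not a
# principal the KDC knows. AD stores userPrincipalName = rowland@samdom.example.com,
# and klist shows the default principal as rowland@SAMDOM.EXAMPLE.COM.

# What happens when the name is typed unquoted at a shell prompt: the single
# backslash is an escape character, so '\r' collapses to 'r'.
typed_unquoted() {
    printf '%s\n' SAMDOM\rowland
}

# kinit_principal NAME SEPARATOR REALM
#   NAME      the user name as returned by nsswitch/winbind, e.g. 'SAMDOM\rowland'
#   SEPARATOR the configured 'winbind separator'; defaults to '\'
#   REALM     the Kerberos realm (assumed here to equal the UPN suffix)
# Prints the principal kinit should be given: user@REALM, realm upper-cased.
kinit_principal() {
    name=$1
    sep=$2
    realm=$3
    [ -n "$sep" ] || sep='\'
    # Parameter expansion with the separator quoted, so no shell escaping of a
    # backslash takes place. If there is no separator (e.g. because
    # 'winbind use default domain = yes' is in effect), the name is unchanged.
    user=${name#*"$sep"}
    # Kerberos realms are conventionally upper case in tickets even when the
    # userPrincipalName attribute in AD carries a lower-case suffix.
    realm_uc=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$user" "$realm_uc"
}

# kinit_as_current_user SEPARATOR REALM
# Obtains a TGT for the logged-in AD user without changing smb.conf.
# Assumes an MIT or Heimdal kinit is installed; defined only, not run here.
kinit_as_current_user() {
    kinit "$(kinit_principal "$(id -un)" "$1" "$2")"
}

# Constructed demonstration values from the thread:
kinit_principal 'SAMDOM\rowland' '\' samdom.example.com   # rowland@SAMDOM.EXAMPLE.COM
kinit_principal 'SAMDOM:rowland' ':' samdom.example.com   # rowland@SAMDOM.EXAMPLE.COM
```

To confirm the derived principal matches what AD holds for the account, compare it (case-insensitively) with the userPrincipalName attribute, for example via `net ads search '(sAMAccountName=rowland)' userPrincipalName` on a joined member; if the UPN suffix differs from the Kerberos realm, pass the UPN suffix as the REALM argument instead of assuming they are equal.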
