[Samba] kerberos + winbind + AD authentication for samba 4 domain member

Kacper Wirski kacper.wirski at gmail.com
Thu Nov 2 08:37:54 UTC 2017


I'm using this rule, it works, but it's used the other way round. It 
means that principal "kacper_wirski at MYDOMAIN.COM" will match local user 
DOMAIN\kacper_wirski at MYDOMAIN.COM BUT it doesn't work the other way 
round, so local user DOMAIN\kacper_wirski at MYDOMAIN.COM will not match 
"kacper_wirski at MYDOMAIN.COM".

I know that SSSD has a setting that allows matching kerberos principals 
to local users via pattern, and it works both ways - maybe one day 
winbind will have similar option:)

I am actually thinking of trying SSSD instead of winbind auth, as both 
methods are equally supported on rhel/centos, except that it might cause 
issues on the DC, since it's best to use either/or. Does anyone have 
experience and might shed some light, is running SSSD for user domain 
authorization on samba 4 DC problematic?

Also after some thought, I realized that there is a workaround to have 
"everything" working with "winbind use default domain = no", and short 
answer is "use credential delegation"

scenario:
in smb.conf i set "winbind use default domain = no"

kinit by default uses:
a) principal from cached ticket (if there is one)
b) unix username (if there is no ticket)

So, if I turn on credential delegation:

When I log into a Windows machine, I automatically get my ticket, then I 
SSH with putty to the centos machine as DOMAIN\kacper_wirski.
I log in passwordless (kerberos is used). THEN, because of credential 
delegation, I have my ticket simply forwarded, and kinit works 
perfectly, because it will by default use the principal from cache, rather 
than the posix username. Once I run "kdestroy", to obtain a new ticket on the 
centos box I will still have to type my full username, rather than just "kinit".

Without delegation, there is no ticket in cache (nothing was forwarded), 
and centos can't obtain one automatically, because of the issue already 
explained before.

So there's that at least.


On 2017-11-01 at 23:24, L.P.H. van Belle via samba wrote:
> Maybe try something like this, don't know if it's right, I can't test it atm, and I never used it, so..
> But in krb5.conf try to match the faulty one with a rule.
>
> auth_to_local = RULE:[1:SAMDOM:$1]
> Maybe it works, maybe not, but imo, try-able ;-) , just an idea..
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Kacper Wirski via samba
>> Sent: Wednesday 1 November 2017 22:01
>> To: Rowland Penny
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] kerberos + winbind + AD authentication
>> for samba 4 domain member
>>
>> Ok, at least I know that it's not the fault of my configuration.
>>
>> I was hoping that there may be some kerberos/kinit option to modify
>> systemwide default principal pattern, or maybe something
>> could be done with
>> how winbind presents AD users to local OS while still.. Can't have
>> everything it seems.
>>
>> In this case here is my follow-up question:
>> - how will this work on DC's? I know that winbind is
>> integrated into the main
>> "samba" process. I don't have a test-dc right now and I can't
>> test it, but is it
>> at all possible to set "use default domain = yes" on a samba DC and not
>> impair anything? On the DC's it's not as important to me, as only a few
>> actual domain users will ever actually log in there (only
>> admins), but still
>> I'd rather have as much consistency across all systems as possible.
>>
>> Regards,
>> Kacper
>>
>> 2017-11-01 21:21 GMT+01:00 Rowland Penny via samba
>> <samba at lists.samba.org>:
>>
>>> On Wed, 1 Nov 2017 19:49:32 +0000
>>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>
>>>> On Wed, 1 Nov 2017 20:28:05 +0100
>>>> Kacper Wirski <kacper.wirski at gmail.com> wrote:
>>>>
>>>>> I'm going to start with a clean centos install, so I
>> might as well use
>>>>> some additional guidelines, thank You.
>>>>>
>>>>> When You run kinit, does Your user have a ticket already? What I
>>>>> noticed is that when the user has a ticket already, kinit
>> works fine,
>>>>> and uses as default principal the one from the ticket.
>>>>> Can you do kdestroy - then kinit?
>>>>>
>>>>> Also, on Fedora, did You install samba from source or
>> from repo's
>>>>> RPM?
>>>>>
>>>>> And last question - for PAM did You manually edit
>> system-auth, or
>>>>> with authconfig?
>>>>> After I do some tests later on, I will update with
>> whatever I manage
>>>>> to find/debug.
>>>>>
>>>> I realised I had a Centos 7 VM, so I started this,
>> updated it to 7.4,
>>>> set 'winbind use default domain = no', then logged in and ran
>>>> 'kinit', I finally get your problem!!!
>>>>
>>>> Let me get back to you
>>>>
>>>> Rowland
>>>>
>>> OK, I am back ;-)
>>>
>>> I understand it now, sigh
>>> This is what I think is happening:
>>> When you kinit as the user, it uses whatever is returned by
>> nsswitch,
>>> but, as a single '\' is treated as an escape character and is
>>> removed, you get DOMAINusername. If you use something else as the
>>> winbind separator e.g. ':' you will get DOMAIN:username, but this
>>> still will not get you anywhere. You will get this:
>>>
>>> kinit: Client 'SAMDOM:rowland at SAMDOM.EXAMPLE.COM' not found in
>>> Kerberos database while getting initial credentials
>>>
>>> It was this that pointed me in the right direction.
>>> If you check the user's object in AD, you will find the
>>> userPrincipalName attribute; this will contain something like:
>>>
>>> rowland at samdom.example.com
>>>
>>> This is what kinit is looking for and if you run 'kinit
>> rowland', this
>>> will work and if you run 'klist' you will find that the 'Default
>>> principal' is rowland at SAMDOM.EXAMPLE.COM
>>>
>>> Net result, you will have to use 'winbind use default domain = yes'
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>
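The auth_to_local RULE mapping Louis suggests and the kinit default-principal behaviour Kacper describes, as an added Python example that is not part of this thread or of any Samba/MIT code: the realm MYDOMAIN.COM, the workgroup DOMAIN and the ':' winbind separator are assumed values, and the parser follows the MIT krb5 RULE:[n:string](regexp)s/pat/rep/ syntax plus DEFAULT.

```python
import re

# Constructed example values, not taken from anyone's real configuration.
DEFAULT_REALM = "MYDOMAIN.COM"
WORKGROUP = "DOMAIN"
WINBIND_SEPARATOR = ":"          # the alternative separator Rowland mentions

_RULE = re.compile(r"^\[(\d+):([^\]]*)\](?:\(([^)]*)\))?((?:s/[^/]*/[^/]*/g?)*)$")

def auth_to_local(principal, rules):
    """Map a Kerberos principal to a local user name using krb5.conf
    auth_to_local rules (RULE:[n:string](regexp)s/pat/rep/g and DEFAULT).
    Returns None when no rule applies, i.e. the login would be refused."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm
            if realm == DEFAULT_REALM and len(comps) == 1:
                return comps[0]
            continue
        m = _RULE.match(rule[len("RULE:"):]) if rule.startswith("RULE:") else None
        if not m:
            raise ValueError(f"malformed auth_to_local rule: {rule}")
        n, fmt, regexp, subs = m.groups()
        if len(comps) != int(n):
            continue                      # component count must match exactly
        s = fmt.replace("$0", realm)      # $0 is the realm, $i the i-th component
        for i, comp in reversed(list(enumerate(comps, 1))):
            s = s.replace(f"${i}", comp)
        if regexp and not re.fullmatch(regexp, s):
            continue                      # selector regexp must match the whole string
        for pat, rep, g in re.findall(r"s/([^/]*)/([^/]*)/(g?)", subs):
            s = re.sub(pat, rep, s, count=0 if g else 1)
        return s
    return None

def kinit_default_principal(unix_user, cached_principal=None):
    """What kinit does with no principal argument: reuse the principal of a
    cached (e.g. forwarded) ticket, else Unix user name + default realm."""
    return cached_principal or f"{unix_user}@{DEFAULT_REALM}"

RULES = [f"RULE:[1:{WORKGROUP}{WINBIND_SEPARATOR}$1]", "DEFAULT"]

if __name__ == "__main__":
    # principal -> local user works, the direction the rule is written for
    print(auth_to_local("kacper_wirski@MYDOMAIN.COM", RULES))
    # local user -> principal is kinit's job and it never consults the rule
    print(kinit_default_principal("DOMAIN:kacper_wirski"))
    # with a delegated ticket in the cache, kinit takes its principal instead
    print(kinit_default_principal("DOMAIN:kacper_wirski", "kacper_wirski@MYDOMAIN.COM"))
```

The second print shows why the KDC answers "Client ... not found" for a winbind-style user name, and the third why credential delegation sidesteps it.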

