[Samba] kerberos + winbind + AD authentication for samba 4 domain member

Kacper Wirski kacper.wirski at gmail.com
Tue Oct 31 21:46:53 UTC 2017


Hello,

I'm setting up AD user logins for a CentOS 7.4 box. I've almost managed to
do everything the way I want and the way I think it should be, but I'm
missing the last piece:

For ssh access I read parts of
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on

Most docs recommend using the following setting in smb.conf:
winbind use default domain = no

That means that all domain users have the DOMAIN\ prefix attached. As per
the aforementioned wiki document I made the workaround for authentication
in krb5.conf, and it works OK.

What isn't working is "kinit" as-is for a logged-in AD user. To be more
precise: it works if I explicitly specify the username
kinit myusername
or
kinit myusername@MY.DOMAIN.COM
It works as expected (asks for password and grants a ticket).

Otherwise plain "kinit" uses by default the posix username, which in this
case is DOMAIN\myusername, so it looks for:
DOMAIN\myusername@MY.DOMAIN.COM and fails with "no principal found in
database" (and rightly so), because obviously it should use
myusername@MY.DOMAIN.COM.

I know it's not strictly samba related, and I could simply change it to
winbind use default domain = yes
as a workaround; this way everything works as expected, except that in
all docs it's described as a not recommended setup, because of possible
confusion about which user is from DOMAIN and which is local, and of course
when multiple domains come into play.

So maybe someone knows of a valid workaround, how to force kinit to
automatically remove/strip the DOMAIN prefix from e.g.
DOMAIN\myusername@MY.DOMAIN.COM and change it into
myusername@MY.DOMAIN.COM? My understanding is that the krb5.conf
"auth_to_local" works the other way around, so it takes a valid principal
and rewrites it so that it matches the posix user, and won't work in this
case, as it's the other way round (the posix user has to be translated into
a valid principal).

My environment is:
CentOS 7.4 OS
samba 4.5.x is the AD DC
samba 4.6.9 is the domain member server, and all tests are done on this machine.

As I said, kerberos overall works fine, and it's not strictly a samba
issue, but the issue arises because of the samba configuration and the added DOMAIN
prefix.

Any help/input/comments are appreciated.

Regards, Kacper
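One way to script the translation the post asks for, as an added example that is not from this thread or from the Samba project: a POSIX sh helper that strips the winbind prefix (the smb.conf `winbind separator`, `\` by default) from the login name and hands kinit an explicit principal, so plain "kinit" is never left to guess it. The realm argument and the `adkinit` wrapper name are assumptions.

```shell
#!/bin/sh
# Added example (not from the Samba thread): build the principal that kinit
# needs from a winbind-style login name such as DOMAIN\myusername.
# Assumptions: the prefix separator is the smb.conf 'winbind separator'
# (default '\'), and the caller supplies the Kerberos realm explicitly.

# ad_principal NAME REALM [SEP] -> prints user@REALM
ad_principal() {
    name=$1
    realm=$2
    sep=${3:-\\}
    case $name in
        *@*)                # already a full principal: leave it alone
            printf '%s\n' "$name"
            return 0 ;;
        *"$sep"*)           # strip the DOMAIN<sep> prefix winbind added
            name=${name#*"$sep"} ;;
    esac
    printf '%s@%s\n' "$name" "$realm"
}

# adkinit REALM [SEP] (hypothetical wrapper name): run kinit for the current
# login name with the rewritten principal instead of the posix name.
adkinit() {
    login=${LOGNAME:-$(id -un)}
    principal=$(ad_principal "$login" "$1" "${2-}")
    kinit "$principal"
}

# usage: sh adkinit.sh --login MY.DOMAIN.COM
if [ "${1-}" = "--login" ]; then
    adkinit "$2"
fi
```

With `winbind use default domain = no` left in place, `id -un` still shows DOMAIN\myusername, while the ticket is requested for myusername@MY.DOMAIN.COM.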

