[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Kacper Wirski
kacper.wirski at gmail.com
Tue Oct 31 21:46:53 UTC 2017
Hello,
I'm setting up AD user logins for a CentOS 7.4 box. I've almost managed to
do everything the way I want and the way I think it should be, but I'm
missing the last piece:
For SSH access I read parts of
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
Most docs recommend using the following setting in smb.conf:
winbind use default domain = no
which means that all domain users have the DOMAIN\ prefix attached. As per
the aforementioned wiki document I made the workaround for authentication
in krb5.conf, and it works OK.
What isn't working is "kinit" as-is for a logged-in AD user. To be more
precise: it works if I specify the username explicitly:
kinit myusername
or
kinit myusername@MY.DOMAIN.COM
It works as expected (asks for the password and grants a ticket).
Otherwise a plain "kinit" uses the POSIX username by default, which in this
case is DOMAIN\myusername, so it looks for
DOMAINmyusername@MY.DOMAIN.COM and fails with "no principal found in
database" (and rightly so), because obviously it should use
myusername@MY.DOMAIN.COM.
I know it's not strictly Samba related, and I could simply change to
winbind use default domain = yes
as a workaround; this way everything works as expected, except that in
all docs it's described as a not recommended setup, because of possible
confusion about which user is from the DOMAIN and which is local, and of
course when multiple domains come into play.
So maybe someone knows of a valid workaround for how to force kinit to
automatically remove/strip the DOMAIN prefix, e.g. turn
DOMAINmyusername@MY.DOMAIN.COM into
myusername@MY.DOMAIN.COM? My understanding is that the krb5.conf
"auth_to_local" setting works the other way around: it takes a valid
principal and rewrites it so that it matches a POSIX user, and so it won't
work in this case, as here it's the other way round (the POSIX user has to
be translated into a valid principal).
My environment is:
CentOS 7.4 OS
Samba 4.5.x is the AD DC
Samba 4.6.9 is the domain member server, and all tests are done on this machine.
As I said, Kerberos overall works fine, and it's not strictly a Samba
issue, but the issue arises because of the Samba configuration and the
added DOMAIN prefix.
Any help/input/comments are appreciated.
Regards, Kacper
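The translation the post asks about (winbind-style POSIX name to Kerberos principal) can be done in a small wrapper around kinit rather than in krb5.conf. The following is an added example, not code from the original post, the Samba wiki or the Samba project. It assumes `id -un` returns the winbind name (`DOMAIN\user` with the default separator; pass another separator, e.g. `+`, if `winbind separator` is changed), that the realm is given as an argument or in a hypothetical `KRB5_REALM` environment variable, and that the short name before the separator is the principal name in that realm. Local accounts with no prefix are refused, so the wrapper never requests a ticket for a user that is not a domain user.

```shell
#!/bin/sh
# Added example: derive "user@REALM" from a winbind POSIX name such as
# "DOMAIN\user" (winbind use default domain = no) and pass it to kinit,
# so a bare "kinit" no longer looks up "DOMAINuser@REALM".
# Assumptions (not from the original post): realm via argument or
# KRB5_REALM, winbind separator "\" unless given, short name == principal.

# principal_from_posix_user USER REALM [SEPARATOR]
# Prints "shortname@REALM" for a prefixed domain user.
# Returns 1 (prints nothing) when USER has no domain prefix, i.e. it is
# a local account, or when the part after the separator is empty.
principal_from_posix_user() {
    u=$1
    realm=$2
    sep=$3
    [ -n "$sep" ] || sep='\'
    case "$u" in
        *"$sep"*) ;;      # carries a DOMAIN<sep> prefix: a winbind user
        *) return 1 ;;    # no prefix: local user, do not request a ticket
    esac
    short=${u##*"$sep"}   # strip everything up to the last separator
    [ -n "$short" ] || return 1
    printf '%s@%s\n' "$short" "$realm"
}

# kinit_ad [REALM]
# Replacement for a plain "kinit" on a domain member: maps the logged-in
# POSIX user to its AD principal and lets kinit prompt for the password.
# WINBIND_SEPARATOR is a hypothetical variable for non-default separators.
kinit_ad() {
    realm=${1:-${KRB5_REALM:?pass the realm or set KRB5_REALM}}
    me=$(id -un)
    if princ=$(principal_from_posix_user "$me" "$realm" "${WINBIND_SEPARATOR:-}"); then
        kinit "$princ"
    else
        echo "kinit_ad: '$me' has no domain prefix, not a winbind user" >&2
        return 1
    fi
}

# Usage (interactive):  . ./kinit-ad.sh && kinit_ad MY.DOMAIN.COM
```

Sourcing the file and running `kinit_ad MY.DOMAIN.COM` as `DOMAIN\myusername` runs `kinit myusername@MY.DOMAIN.COM`, which is exactly the explicit form that already works. Because the mapping is done in the shell and not in krb5.conf, it is independent of `auth_to_local`, which as the post notes only rewrites in the principal-to-POSIX direction.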