[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Rowland Penny
rpenny at samba.org
Tue Oct 31 22:20:14 UTC 2017
On Tue, 31 Oct 2017 22:46:53 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I'm setting up AD user logins for centos 7.4 box. I've almost managed
> to do everything the way I want and the way I think it should be, but
> I'm missing last piece:
>
> For ssh access I read parts of the
> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
>
> Most docs recommend using the setting in smb.conf:
> winbind use default domain = no
>
> That means that all domain users have the DOMAIN\ prefix attached. As per
> the aforementioned wiki document I made the workaround for
> authentication in krb5.conf, and it works OK.
>
> What isn't working is "kinit" as-is for the logged-in AD user. To be more
> precise: it works if I specify the username explicitly:
> kinit myusername
> or
> kinit myusername@MY.DOMAIN.COM
> It works as expected (asks for password and grants a ticket).
>
> Otherwise plain "kinit" uses by default the posix username, which in
> this case is DOMAIN\myusername, so it looks for
> DOMAINmyusername@MY.DOMAIN.COM and fails with "no principal found in
> database" (and rightly so), because obviously it should use
> myusername@MY.DOMAIN.COM.
>
> I know it's not strictly samba related, and I could simply change
> winbind use default domain = yes
> as a workaround, this way everything works as expected, except that
> in all docs it's described as not recommended setup, because of
> possible confusion which user is from DOMAIN and which is local, and
> of course when multiple domains come into play.
>
> So maybe someone knows of a valid workaround, how to force kinit to
> automatically remove/strip the DOMAIN prefix from e.g.
> DOMAINmyusername@MY.DOMAIN.COM and change it into
> myusername@MY.DOMAIN.COM? My understanding is that krb5.conf
> "auth_to_local" works the other way around, so it takes a valid
> principal and rewrites it so that it matches the posix user, and won't
> work in this case, as it's the other way round (the posix user has to be
> translated into a valid principal).
>
> My environment is:
> centos 7.4 OS
> samba 4.5.x is the AD DC
> samba 4.6.9 is domain member server and all tests are done on this
> machine.
>
> As I said, kerberos overall works fine, and it's not strictly a samba
> issue, but the issue is because of the samba configuration and the added
> DOMAIN prefix.
>
> Any help/input/comments are appreciated.
>
> Regards, Kacper
>
>
You have something set up incorrectly; if I log into a Unix domain
member and run 'kinit', it works:
rowland@devstation:~$ whoami
SAMDOM\rowland
rowland@devstation:~$ kinit
Password for rowland@SAMDOM.EXAMPLE.COM:
rowland@devstation:~$
It also works on a DC.
Can you post the following files:
/etc/resolv.conf
/etc/hosts
/etc/hostname
/etc/krb5.conf
/etc/samba/smb.conf
Rowland
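The two name mappings Kacper describes, as an added example that is not part of this thread: the posix-name-to-principal direction that a plain "kinit" needs on a member server with "winbind use default domain = no", and the principal-to-posix direction that krb5.conf auth_to_local performs. The SAMDOM/SAMDOM.EXAMPLE.COM tables and the function names are constructed assumptions; a real member server learns its domains and realms from winbind (wbinfo).

```shell
# Added example (not from the thread): the two name mappings discussed above.
# The NetBIOS-domain <-> realm tables are constructed assumptions for one
# domain; a real member server learns them from winbind (wbinfo).
WINBIND_SEPARATOR='\'   # must match "winbind separator" in smb.conf

# NetBIOS domain (left of the separator) -> Kerberos realm
realm_for_domain() {
    case "$1" in
        SAMDOM) echo "SAMDOM.EXAMPLE.COM" ;;
        *)      return 1 ;;
    esac
}

# Kerberos realm -> NetBIOS domain
domain_for_realm() {
    case "$1" in
        SAMDOM.EXAMPLE.COM) echo "SAMDOM" ;;
        *)                  return 1 ;;
    esac
}

# The direction kinit needs: winbind posix name -> principal.
# 'SAMDOM\rowland' -> rowland@SAMDOM.EXAMPLE.COM
# A name without a separator is handed to the default realm, as kinit does.
posix_to_principal() {
    name=$1
    default_realm=${2:-SAMDOM.EXAMPLE.COM}
    case "$name" in
        *"$WINBIND_SEPARATOR"*)
            dom=${name%%"$WINBIND_SEPARATOR"*}
            user=${name#*"$WINBIND_SEPARATOR"}
            realm=$(realm_for_domain "$dom") || return 1   # unknown domain
            ;;
        *)
            user=$name
            realm=$default_realm
            ;;
    esac
    printf '%s@%s\n' "$user" "$realm"
}

# The direction krb5.conf auth_to_local performs: principal -> posix name.
# rowland@SAMDOM.EXAMPLE.COM -> 'SAMDOM\rowland'
principal_to_posix() {
    user=${1%@*}
    realm=${1##*@}
    dom=$(domain_for_realm "$realm") || return 1   # unknown realm
    printf '%s%s%s\n' "$dom" "$WINBIND_SEPARATOR" "$user"
}

# Usage on the member server: kinit "$(posix_to_principal "$(whoami)")"
```

A user from a domain that is not in the table makes posix_to_principal fail rather than guess a realm, which is the case the prefix-stripping approach must not silently get wrong.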