[Samba] SSH SSO without keytab file

L.P.H. van Belle belle at bazuin.nl
Fri Jan 18 08:44:27 UTC 2019 

Hai, 

> -----Oorspronkelijk bericht-----
> Van: Harpoon [mailto:harp00n at protonmail.com] 
> Verzonden: vrijdag 18 januari 2019 9:24
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] SSH SSO without keytab file
> 
> Thanks for the prompt reply!
Your welkom. 

> 
> > I did see that you are using Administrator, and thats the problem.
> 
> > Administrator is mapped to root ( most of the time ),
> > if you assigned Administrator UID = 0 then you have a 
> problem, because only root = uid 0.
> >
> > Never ever give Administrator a UID/GID

> I am using tdb backend. It mapped administrator account to 12000:10000.
No no no.. as said, never ever assign administrator a UID/GID. 
Now your administrator != root anymore and you cannt manage the server correctly anymore as user Administrator.
You cant use the TDB backend for a domain member only, you MUST choose to set AD or RID backend.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba 
See: Choose backend for id mapping in winbindd

> 
> > So try again with a normal user, that does have a UID/GID.
> 
> I tried testing with normal users too whose UID/GID was 
> mapped by tdb in ~10000 range. It produced the same problem.
> 
> > If that does not work, please share these, because this 
> should work fine.
> > /etc/samba/smb.conf
> > /etc/krb5.conf
> > /etc/ssh/sshd_config
> 
> Please find these conf files here:
> 
> -----------------------------
> DC's /etc/samba/smb.conf
> -----------------------------
> [global]
>         netbios name = DC1
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         dns forwarder = 10.0.5.200
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         template shell = /bin/bash
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.example.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
Looks good, except, you dont need : 
winbind enum users = yes
winbind enum groups = yes

For testing fine, but when done testing set these 2 to no. 
These only slowdown you server. 


> --------------------------------
> Client's /etc/samba/smb.conf
> --------------------------------
> [global]
>         netbios name = client1
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         security = ADS
>         kerberos method = secrets and keytab
>         winbind trusted domains only = no
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>         winbind nss info = rfc2307
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 10000-200000

This config is incomplete. 
( and same for the winbind enum set these to no. ) 

My suggested change 


	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab

	# Renew the kerberos tickets
	winbind refresh tickets = yes

	# Enable offline logins
	winbind offline logon = yes


	# With default domain set to yes, wbinfo -u shows username only, not SAMBADOM\username.
	winbind use default domain = yes

      idmap config * : backend = tdb
      idmap config * : range =  3000-7999

	# https://wiki.samba.org/index.php/Idmap_config_ad 
	# ( based on >         winbind nss info = rfc2307 in you config. ) 
	idmap config SAMDOM : backend = ad
	idmap config SAMDOM : range = 10000-200000

	# Optional, use these, but since you set AD backend you can set this from cli. 
	# Template settings for login shell and home directory
	#	template shell = /bin/bash
	#	template homedir = /home/%U
	# mk_homedir might be needed, this depends on you needs/setup. 

> 
> -------------------------------
> /etc/ssh/sshd_config (Running on DC)
> -------------------------------
> PubkeyAuthentication no
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> X11Forwarding yes
> PrintMotd no
> AcceptEnv LANG LC_*
> Subsystem       sftp    /usr/lib/openssh/sftp-server
> KerberosAuthentication yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UseDNS yes
> PermitRootLogin yes
> UsePAM no
> 
Looks fine. 

> -------------------------------
> /etc/ssh/ssh_config (Client SSH config)
> -------------------------------
> 
> Host *
>     SendEnv LANG LC_*
>     HashKnownHosts yes
>     GSSAPIAuthentication yes
>     GSSAPIDelegateCredentials yes

Looks fine. 

> 
> --------------------------------------
> /etc/krb5.conf (Same of DC and clients)
> --------------------------------------
> 
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
Looks fine.  



> Thanks for your help!

Greetz, 

Louis

More information about the samba mailing list