[Samba] SSH SSO without keytab file

Harpoon harp00n at protonmail.com
Fri Jan 18 09:45:05 UTC 2019

> > > ............
> > >
> > > > You can, provided you have a user.map in smb.conf
> > >
> > > Oops, ah yes, forgot that, because he was testing on the DC.
> > > And DCs don't use the user.mapping.
> > > Thanks for the correction.
> >
> > With regard to tdb idmap, I set this parameter on the domain member.
> > Domain controller has no such parameter set.
> Yes, but just setting this isn't a supported method, you need to also
> set an 'idmap config' block for the domain, this isn't optional.
> The actual winbind backend you use is up to you, but the two most
> popular are the 'ad' and the 'rid'. The former requires adding
> uidNumber & gidNumber attributes to AD, but would give you the same IDs
> everywhere (plus all the other rfc2307 attributes). The latter doesn't
> require anything to be added to AD, but you will only get the same IDs on
> Unix domain members, the DCs will have totally different ID numbers and
> they can (and probably will) be different between DCs, you will also
> have to use template shell & homedir lines in smb.conf

I actually spent the entire last day getting the 'ad' backend to work. Adding 'idmap config SAMDOM : backend = ad' and related lines in the client's smb.conf results in `getent passwd` showing only local users. When I remove the 'backend = ad' block from smb.conf, `getent passwd` starts showing the AD users as well, and I can also su and ssh (with password) using those AD users. On a related note, as far as I can remember, I provided the `use-rfc2307` parameter to samba-tool when I provisioned the domain.

On the DC, I tried adding multiple groups with different --gid-number and also tried adding users with various --uid-number and --gid-number. I followed the instructions at [1] to add unix users and groups, but still the domain members were unable to enumerate the domain users using `getent passwd`. After spending the entire last day trying to troubleshoot/resolve the 'backend = ad' issue, I settled on removing the 'ad' block from clients. Without the 'ad' block, things are looking better, with the only issue being that I am unable to ssh using kerberos ticket; hence this mail.

[1] https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools#Creating_a_Unix_user_with_samba-tool
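The reply above says a domain member needs an 'idmap config' block for the domain in addition to the default '*' block, and that the 'ad' backend reads uidNumber/gidNumber from AD while 'rid' computes IDs and needs template shell/homedir lines. The following smb.conf fragment is an added example written for this thread, not configuration from the original poster or from the Samba project; the domain name SAMDOM, the realm SAMDOM.EXAMPLE.COM and the ID ranges are assumptions chosen for illustration.

```ini
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS

   ; Default block: covers BUILTIN and any domain without its own block.
   ; Required even when a per-domain block is present.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; --- Option A: 'ad' backend (uidNumber/gidNumber stored in AD) ---
   ; A user is only mapped if its uidNumber AND its primary group's gidNumber
   ; exist in AD and fall inside this range; anything outside is silently
   ; dropped from getent/NSS, which looks like "only local users".
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   ; Read loginShell/unixHomeDirectory from AD instead of the templates.
   idmap config SAMDOM : unix_nss_info = yes

   ; --- Option B: 'rid' backend (no AD attributes needed) ---
   ; Comment out Option A and uncomment this block to use it. IDs are derived
   ; from the SID RID, so they match on Unix members but not on the DCs.
   ;idmap config SAMDOM : backend = rid
   ;idmap config SAMDOM : range = 10000-999999
   ;template shell = /bin/bash
   ;template homedir = /home/%U

   ; Enumeration is off by default; getent passwd only lists domain users
   ; when these are set (getent passwd <user> works either way).
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind refresh tickets = yes
```

The two ranges must not overlap, and the 'ad' range must actually contain the uidNumber/gidNumber values assigned on the DC, otherwise the member cannot resolve those accounts. After changing the idmap blocks, restart winbind and check a single account with `getent passwd SAMDOM\\username` before relying on full enumeration; `testparm -s` reports syntax errors in the file.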

