[Samba] SSH SSO without keytab file
rpenny at samba.org
Fri Jan 18 10:29:22 UTC 2019
On Fri, 18 Jan 2019 09:45:05 +0000
Harpoon <harp00n at protonmail.com> wrote:
> > > > ............
> > > >
> > > > > You can, provided you have a user.map in smb.conf
> > > >
> > > > Oops, ah yes, forgot that, because he was testing on the DC.
> > > > And DCs don't use the user mapping.
> > > > Thanks for the correction.
> > >
> > > With regard to tdb ipmap, I set this parameter on domain member.
> > > Domain controller has no such parameter set.
> > Yes, but just setting this isn't a supported method, you need to
> > also set an 'idmap config' block for the domain, this isn't
> > optional. The actual winbind backend you use is up to you, but the
> > two most popular are the 'ad' and the 'rid'. The former requires
> > adding uidNumber & gidNumber attributes to AD, but would give you
> > the same IDs everywhere (plus all the other rfc2307 attributes).
> > The latter doesn't require adding anything to AD, but you will only
> > get the same IDs on Unix domain members; the DCs will have totally
> > different ID numbers and they can (and probably will) be different
> > between DCs. You will also have to use template shell & homedir
> > lines in smb.conf.
> I actually spent the entire last day getting 'ad' backend to work.
> Adding 'idmap config SAMDOM : backend = ad' and related lines in the
> client's smb.conf results in `getent passwd` showing only local
> users. When I remove the 'backend = ad' block from smb.conf, the
> `getent passwd` starts showing the AD users as well, and I can also
> su and ssh (with password) using those AD users. On a related note,
> as far as I can remember, I provided the `use-rfc2307` parameter
> samba-tool when I provisioned the domain.
Then you did something wrong or misunderstood something :)
Unless you have 'winbind enum users = yes' in smb.conf, 'getent passwd'
will only show local users, but you should only have the line for
testing purposes. Without the line, you will need to use 'getent
Does Domain Users have a gidNumber attribute and if so, is the number
inside the range you set in smb.conf ?
Do all your normal AD users have a uidNumber containing a unique
number inside the same range ?
Did you use the correct set up for your version of Samba ?
> On the DC, I tried adding multiple groups with different --gid-number
> and also tried adding users with various --uid-number and
> --gid-number. I followed the instructions at  to add unix users
> and groups, but still the domain members were unable to enumerate the
> domain users using `getent passwd`. After spending the entire last
> day trying to troubleshoot/resolve the 'backend = ad' issue, I
> settled on removing the 'ad' block from clients. Without the 'ad'
> block, things are looking better, with the only issue being that I am
> unable to ssh using kerberos ticket; hence this mail.
Until you get Samba working correctly, nothing else is going to work
correctly. I can assure you that if everything is set up correctly, the
'ad' backend works.
I think you need to post the smb.conf you tried to get working.
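As an added example (not code from the Samba project or from either poster), here is a small Python check that applies the rules stated in this thread to a domain member's smb.conf: the per-domain 'idmap config' block with a backend and a range is not optional, the 'rid' backend needs template shell/homedir lines, and the ID ranges must not overlap. The sample smb.conf text and the SAMDOM domain name are constructed placeholders.

```python
import re
# Constructed sample smb.conf for a Samba domain member; SAMDOM is a placeholder domain name.
SAMPLE_SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # the per-domain block, which is not optional
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""
IDMAP_RE = re.compile(r"^idmap config ([^\s:]+)\s*:\s*(\S+)$")

def parse_global(text):
    # Tiny smb.conf reader: return the [global] parameters as {normalised key: value}.
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_idmap(text, domain):
    # Return a list of idmap problems for `domain`; an empty list means the checks pass.
    params, idmap, problems = parse_global(text), {}, []
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    dom = idmap.setdefault(domain.lower(), {})
    if "backend" not in dom:
        problems.append(f"no 'idmap config {domain} : backend' line; the domain block is not optional")
    elif dom["backend"].lower() == "rid":  # rid cannot take shell/home from AD attributes
        for t in ("template shell", "template homedir"):
            if t not in params:
                problems.append(f"'rid' backend needs '{t}' in smb.conf")
    ranges = {}
    for name, opts in idmap.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m:
            ranges[name] = (int(m.group(1)), int(m.group(2)))
        else:
            problems.append(f"'idmap config {name} : range' missing or malformed")
    spans = sorted((lo, hi, name) for name, (lo, hi) in ranges.items())
    for (lo1, hi1, a), (lo2, hi2, b) in zip(spans, spans[1:]):  # ranges must be disjoint
        if lo2 <= hi1:
            problems.append(f"ranges for '{a}' and '{b}' overlap")
    return problems
```

Run `check_idmap(open("/etc/samba/smb.conf").read(), "SAMDOM")` on the member's real file; it only reads the text, so it is safe to run on a live system.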