[Samba] SSH SSO without keytab file

Rowland Penny rpenny at samba.org
Fri Jan 18 10:29:22 UTC 2019

On Fri, 18 Jan 2019 09:45:05 +0000
Harpoon <harp00n at protonmail.com> wrote:

> > > > ............
> > > >
> > > > > You can, provided you have a user.map in smb.conf
> > > >
> > > > Oops, ah yes, forgot that, because he was testing on the DC.
> > > > And DCs don't use the user.mapping.
> > > > Thanks for the correction.
> > >
> > > With regard to tdb idmap, I set this parameter on the domain member.
> > > The domain controller has no such parameter set.
> >
> > Yes, but just setting this isn't a supported method, you need to
> > also set an 'idmap config' block for the domain, this isn't
> > optional. The actual winbind backend you use is up to you, but the
> > two most popular are the 'ad' and the 'rid'. The former requires
> > adding uidNumber & gidNumber attributes to AD, but would give you
> > the same IDs everywhere (plus all the other rfc2307 attributes).
> > The latter doesn't require anything adding to AD, but you will only
> > get the same IDs on Unix domain members, the DCs will have totally
> > different ID numbers and they can (and probably will) be different
> > between DCs, you will also have to use template shell & homedir
> > lines in smb.conf
> I actually spent the entire last day getting 'ad' backend to work.
> Adding 'idmap config SAMDOM : backend = ad' and related lines in the
> client's smb.conf results in `getent passwd` showing only local
> users. When I remove the 'backend = ad' block from smb.conf, the
> `getent passwd` starts showing the AD users as well, and I can also
> su and ssh (with password) using those AD users. On a related note,
> as far as I can remember, I provided the `use-rfc2307` parameter
> samba-tool when I provisioned the domain.

Then you did something wrong or misunderstood something :)

Unless you have 'winbind enum users = yes' in smb.conf, 'getent passwd'
will only show local users, but you should only have the line for
testing purposes. Without the line, you will need to use 'getent
passwd username'.
Does Domain Users have a gidNumber attribute and if so, is the number
inside the range you set in smb.conf ?
Do all your normal AD users have a uidNumber containing a unique
number inside the same range ?
Did you use the correct set up for your version of Samba ?
> On the DC, I tried adding multiple groups with different --gid-number
> and also tried adding users with various --uid-number and
> --gid-number. I followed the instructions at [1] to add unix users
> and groups, but still the domain members were unable to enumerate the
> domain users using `getent passwd`. After spending the entire last
> day trying to troubleshoot/resolve the 'backend = ad' issue, I
> settled on removing the 'ad' block from clients. Without the 'ad'
> block, things are looking better, with the only issue being that I am
> unable to ssh using kerberos ticket; hence this mail.

Until you get Samba working correctly, nothing else is going to work
correctly. I can assure you that if everything is set up correctly, the
'ad' backend works.

I think you need to post the smb.conf you tried to get working.
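The questions above (is there an 'idmap config' block with a range for the domain, does Domain Users have a gidNumber inside that range, does every user have a unique in-range uidNumber, and is 'winbind enum users' the reason plain 'getent passwd' shows nothing) can be checked mechanically before posting an smb.conf. The script below is an added example, not code from the thread or from the Samba project: it parses the 'idmap config' lines of an smb.conf fragment and validates a set of user and group records against the configured range. The smb.conf fragment, the realm, the ranges and the AD records are all constructed for the example (SAMDOM is the domain name used in the thread); on a real member you would fill the records from ldbsearch or wbinfo output.

```python
"""Sanity-check the 'idmap config' blocks of a domain member's smb.conf and the
uidNumber/gidNumber attributes of its AD users against the configured range."""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment for a domain member using the 'ad' backend.
# SAMDOM is the domain name used in the thread; realm and ranges are assumed.
SMB_CONF = """
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS

   # Default block for BUILTIN and any domain without its own block
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # 'ad' reads uidNumber/gidNumber from AD; the range line is not optional
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999

   # Used when a user has no loginShell/unixHomeDirectory in AD
   template shell = /bin/bash
   template homedir = /home/%U
"""

# Constructed AD records, shaped like what ldbsearch/wbinfo would return.
# None means the attribute is missing on the object.
AD_USERS = [
    {"name": "alice", "uidNumber": 10001},
    {"name": "bob",   "uidNumber": 10001},   # duplicate of alice
    {"name": "carol", "uidNumber": None},    # attribute never set
    {"name": "dave",  "uidNumber": 5000},    # outside the SAMDOM range
]
AD_GROUPS = [{"name": "Domain Users", "gidNumber": 10000}]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*([\w ]+?)\s*=\s*(.+?)\s*$")


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    blocks: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            blocks.setdefault(dom, {})[opt] = val
    return blocks


def parse_range(spec: str) -> Tuple[int, int]:
    """'10000-999999' -> (10000, 999999); reject empty or inverted ranges."""
    lo, hi = (int(x) for x in spec.split("-", 1))
    if lo >= hi:
        raise ValueError(f"bad idmap range {spec!r}")
    return lo, hi


def enumeration_enabled(conf: str) -> bool:
    """True only if 'winbind enum users = yes' is present; otherwise a plain
    'getent passwd' lists local users only and you must query by name."""
    for line in conf.splitlines():
        m = PARAM_RE.match(line)
        if m and m.group(1).lower() == "winbind enum users":
            return m.group(2).lower() in ("yes", "true", "1")
    return False


def check_domain(blocks, domain, users, groups) -> List[str]:
    """List everything that would stop the 'ad' backend mapping this domain."""
    problems: List[str] = []
    block = blocks.get(domain.upper())
    if not block or "backend" not in block:
        return [f"no 'idmap config {domain} : backend' line"]
    if "range" not in block:
        return [f"'idmap config {domain} : range' is missing (mandatory)"]
    lo, hi = parse_range(block["range"])
    # Ranges of different idmap blocks must not overlap
    for other, ob in blocks.items():
        if other != domain.upper() and "range" in ob:
            olo, ohi = parse_range(ob["range"])
            if lo <= ohi and olo <= hi:
                problems.append(f"range {lo}-{hi} overlaps '{other}' range {olo}-{ohi}")
    if block["backend"].lower() != "ad":
        return problems  # rid/autorid do not read uidNumber/gidNumber from AD
    # Domain Users is every user's primary group: it needs an in-range gidNumber
    du = next((g for g in groups if g["name"].lower() == "domain users"), None)
    if du is None or du["gidNumber"] is None:
        problems.append("Domain Users has no gidNumber attribute")
    elif not lo <= du["gidNumber"] <= hi:
        problems.append(f"Domain Users gidNumber {du['gidNumber']} outside {lo}-{hi}")
    seen: Dict[int, str] = {}
    for u in users:
        uid = u["uidNumber"]
        if uid is None:
            problems.append(f"{u['name']}: no uidNumber attribute")
        elif not lo <= uid <= hi:
            problems.append(f"{u['name']}: uidNumber {uid} outside {lo}-{hi}")
        elif uid in seen:
            problems.append(f"{u['name']}: uidNumber {uid} duplicates {seen[uid]}")
        else:
            seen[uid] = u["name"]
    return problems


def run_checks(conf: str = SMB_CONF, users=AD_USERS, groups=AD_GROUPS) -> List[str]:
    """Run the checks for SAMDOM and return the list of problems found."""
    return check_domain(parse_idmap(conf), "SAMDOM", users, groups)


if __name__ == "__main__":
    print("winbind enum users:", enumeration_enabled(SMB_CONF))
    for p in run_checks():
        print("PROBLEM:", p)
```

With the constructed records the script reports bob's duplicate uidNumber, carol's missing attribute and dave's out-of-range ID; any one of those is enough for winbind to leave that user out of 'getent passwd username', which is the symptom described in the thread.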
