[Samba] Missing domain user tickets with winbind
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 1 11:20:39 UTC 2020
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Shyam Prasad N via samba
> Sent: Wednesday, 1 April 2020 13:10
> To: samba-technical at lists.samba.org; samba at lists.samba.org
> CC: sribhat.msa at outlook.com
> Subject: [Samba] Missing domain user tickets with winbind
>
> Hi,
>
> My name is Shyam Prasad. I work at Microsoft in the Azure Files team.
> For the past few days, I've been working on getting the Azure Linux VMs to
> join the AD domain in Azure, login as domain users, and mount Azure file
> shares over SMB3.
>
> Most things work fine. Except that I need to perform a few Kerberos related
> tasks manually, for the SMB3 mount to work with domain user credentials.
For that to work, you need to add the CIFS/hostname.fqdn at REALM to the host you're logging in to.
The COMPUTER$ should hold it.
Allow the computer to delegate the cifs service (or all).
Try that.
> I did some debugging of the issue, and it looks like cifs.upcall (the
> userspace helper program for cifs.ko) is unable to find the krb5 TGT for
> the domain user in the cred-cache. If the cred-cache is missing, it looks
> for it in the system krb5.keytab.
>
> Since winbind is configured with kerberos method "secrets and keytab", I
> would expect either the secrets.tdb or the krb5.keytab to have an entry for
> the domain user lxsmbadmin. Even with the domain user already logged in
> through ssh, I'm unable to find it in either of those places. The cred-cache
> file is not created in the first place.
>
> With the domain user already logged in through ssh, I expected that the
> kerberos TGT would already have been retrieved and stored locally.
> Where does winbind store its Kerberos tickets, so that I can point
> cifs.upcall to look there for tickets instead?
>
> The mount only works when I use kinit to populate the cred-cache with the
> domain user.
>
> Any help in troubleshooting this issue is appreciated.
>
> Also, I'm interested to know how I can enable the debug logs in the
> libkrb5 shared libraries that are built from the samba source code. I don't
> see the debug logs in that code being logged, even if log level is set to
> maximum in smb.conf.
>
> Regards,
> Shyam
>
> =======================================================
> Details of my setup:
> I'm using an Ubuntu 19.10 server VM.
> I'm mounting as the local root user; however, I'm using a domain user's
> credentials for the mount, using sec=krb5.
> Below are my mount options:
> vers=3.0,sec=krb5,credentials=/home/localadmin/.smb3credentials,serverino,noperm,nosharesock,mfsymlinks,uid=lxsmbadmin,gid='domain users'
>
> The VM is already joined to the AD domain aaddomain.example.com using
> winbind.
> This is what my smb.conf looks like for winbind:
> localadmin at lxsmb-canvm13:~$ cat /etc/samba/smb.conf
> [global]
> workgroup = AADDOMAIN
> security = ADS
> realm = AADDOMAIN.EXAMPLE.COM
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = Yes
>
> load printers = No
> printing = bsd
> printcap name = /dev/null
> disable spoolss = Yes
>
> log file = /var/log/samba/log.%m
> log level = 10
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config AADDOMAIN : backend = rid
> idmap config AADDOMAIN : range = 10000-999999
>
> template shell = /bin/bash
> template homedir = /home/%U
>
> localadmin at lxsmb-canvm13:~$ cat /etc/krb5.conf
> [libdefaults]
> default_realm = AADDOMAIN.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> Initially, I tried to use the ubuntu apt packages to install winbind and
> related packages.
> After going through a bit of code, I wanted to be able to print the debug
> logs.
> So I decided to install winbind from the latest source:
> master branch on git://git.samba.org/samba.git
>
> Here is the configure I used to build it:
> ./configure --with-systemd --bindir=/usr/bin --sbindir=/usr/sbin
> --libdir=/usr/lib/x86_64-linux-gnu/samba --sysconfdir=/etc/samba
> --localstatedir=/run/samba --includedir=/usr/include/
> --datadir=/usr/share/samba --mandir /usr/share/man --enable-debug
> --enable-developer --systemd-install-services
> --with-systemddir=/usr/lib/systemd/system
> --with-privatedir=/var/lib/samba/private --with-systemd --with-pam
>
> After tweaking a few config files here and there, I've now reached the same
> state as when I was running winbind from Ubuntu packages.
> I'm now able to ssh/su as the domain user to this system.
>
> However, I do not see the cred-cache populated.
> localadmin at lxsmb-canvm13:~/samba$ sudo klist
> klist: No ticket file: /tmp/krb5cc_0
> localadmin at lxsmb-canvm13:~/samba$ ls /tmp/krb*
> ls: cannot access '/tmp/krb*': No such file or directory
>
> After a bit of code reading of cifs.upcall, it looks to me like the
> expectation is that the cred-cache would be populated for the domain user.
> If the cred-cache is missing, then it creates a new cred-cache from
> the keytab at /etc/krb5.keytab.
>
> So clearly, the expectation is that at least the keytab is already
> populated.
>
> The kerberos method that I've chosen in smb.conf is "secrets and keytab".
> So I expect either the secrets.tdb or the krb5.keytab to have an entry for
> the domain user lxsmbadmin.
> However, I do not see those entries in either of them:
>
> localadmin at lxsmb-canvm13:~$ sudo tdbdump /var/lib/samba/private/secrets.tdb|grep -i lxsmbadmin
> localadmin at lxsmb-canvm13:~$
>
> localadmin at lxsmb-canvm13:~$ sudo ktutil list|grep -i lxsmbadmin
> localadmin at lxsmb-canvm13:~$
>
> With the domain user already logged in through ssh, I expected that the
> kerberos TGT would already have been retrieved and stored locally.
> Where would I find that?
>
> Do note that if I populate the cred-cache manually with the kinit utility
> like so:
> localadmin at lxsmb-canvm13:~$ sudo kinit lxsmbadmin at aaddomain.example.com
> lxsmbadmin at aaddomain.example.com's Password:
> localadmin at lxsmb-canvm13:~$
>
> The cred-cache does get populated and I'm then able to mount the file share
> successfully.
>
> With the log level set to 10 in smb.conf, the logging in /var/log/samba/ is
> pretty verbose. I can share those if needed for further debugging.
>
> =======================================================
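The thread above turns on two things cifs.upcall needs before a sec=krb5 mount works without a manual kinit: a cifs/ service principal for the host in /etc/krb5.keytab (the point L.P.H. van Belle raises) and a credential cache that already holds a TGT for the right uid (the poster checked root's cache, /tmp/krb5cc_0, because the mount is run as root). The script below is an added diagnostic written for this page; it is not code from the thread or from Samba. It parses constructed sample listings so it can run offline, and its check_live function applies the same two checks to the real keytab and cache. Assumptions: MIT-style klist flags (-k for a keytab, -c for a cache); a FILE cache at /tmp/krb5cc_<uid>, which matches the /tmp/krb5cc_0 path klist printed in the post but can be overridden by KRB5CCNAME; and that cifs.upcall consults the cache of the uid named by the cruid= mount option, falling back to the mounting process's uid. The hostname and realm used in the samples are the ones from the post.

```sh
#!/bin/sh
# Added diagnostic helper, not part of the thread above. The listings
# below are constructed for offline use; check_live runs the real klist.

# Constructed `klist -k` output: host/ and machine-account entries are
# present, but there is no cifs/ entry for this host.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/lxsmb-canvm13.aaddomain.example.com@AADDOMAIN.EXAMPLE.COM
   3 LXSMB-CANVM13$@AADDOMAIN.EXAMPLE.COM'

# Constructed `klist -c` output for a cache that does hold a TGT.
SAMPLE_CCACHE_LISTING='Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: lxsmbadmin@AADDOMAIN.EXAMPLE.COM

Valid starting       Expires              Service principal
04/01/2020 13:00:00  04/01/2020 23:00:00  krbtgt/AADDOMAIN.EXAMPLE.COM@AADDOMAIN.EXAMPLE.COM'

# keytab_has_spn LISTING SERVICE HOST_FQDN
# Exit 0 if the listing contains SERVICE/HOST_FQDN@<realm>; the service
# name is compared case-insensitively (cifs vs CIFS), exit 1 otherwise.
keytab_has_spn() {
    printf '%s\n' "$1" | grep -qiF -- "$2/$3@"
}

# ccache_has_tgt LISTING REALM
# Exit 0 if the cache listing holds a krbtgt/REALM@REALM entry.
ccache_has_tgt() {
    printf '%s\n' "$1" | grep -qF -- "krbtgt/$2@$2"
}

# ccache_for_uid UID
# Default FILE cache path (assumption: /tmp/krb5cc_<uid>, as seen in the
# post for uid 0; KRB5CCNAME can redirect this).
ccache_for_uid() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# expected_ccache MOUNT_UID [CRUID]
# Cache cifs.upcall is expected to consult: the cruid= uid when the mount
# gives one, otherwise the uid of the process running mount (root here).
expected_ccache() {
    if [ -n "$2" ]; then ccache_for_uid "$2"; else ccache_for_uid "$1"; fi
}

# check_live HOST_FQDN REALM MOUNT_UID [CRUID]
# Runs both checks against the real keytab and cache. Needs klist with
# MIT-style flags and read access to /etc/krb5.keytab (run as root).
check_live() {
    command -v klist >/dev/null 2>&1 || { echo "klist not found"; return 2; }
    rc=0
    if keytab_has_spn "$(klist -k /etc/krb5.keytab 2>/dev/null)" cifs "$1"; then
        echo "OK: keytab has cifs/$1@$2"
    else
        echo "MISSING: no cifs/$1 entry in /etc/krb5.keytab"; rc=1
    fi
    cc=$(expected_ccache "$3" "$4")
    if [ -r "$cc" ] && ccache_has_tgt "$(klist -c "$cc" 2>/dev/null)" "$2"; then
        echo "OK: $cc holds a TGT for $2"
    else
        echo "MISSING: no usable TGT in $cc (the cache cifs.upcall consults)"; rc=1
    fi
    return $rc
}
```

Run it as `check_live lxsmb-canvm13.aaddomain.example.com AADDOMAIN.EXAMPLE.COM 0` for the setup in the post (mount run by root, no cruid=); add the domain user's uid as a fourth argument to see which cache a cruid= option would make cifs.upcall use instead. Against the constructed samples, keytab_has_spn reports the cifs/ entry as missing while ccache_has_tgt finds the TGT, which is the combination the thread describes. Separately from these checks, winbind only writes a per-user cache at login when pam_winbind is configured with krb5_auth and a krb5_ccache_type (settings in pam_winbind.conf), so that is worth verifying as well when the cache never appears after an ssh login.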