[Samba] Authentication with trusted credentials
L.P.H. van Belle
belle at bazuin.nl
Mon Jul 13 14:22:51 UTC 2020
What you need is to add the Windows group in ssh to AllowGroups
and give that Windows group a GID.
You "can't" add a Linux user into the Windows group, but you can add a Windows user (if it has a UID/GID) into the Linux group.
I separated that, so there is always ssh access available.
I use the following:
AllowGroups lin-allow-ssh win-allow-ssh
Windows users in win-allow-ssh
Linux users in lin-allow-ssh (in my case only Linux admins)
The Windows group holds every Windows user you want to give access to the server.
And did you enable Kerberos auth in sshd?
# GSSAPI options
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
Should be sufficient.
Now, if you followed Stephan's guide, and if I would make a guess:
Is nsswitch configured? /etc/nsswitch.conf?
I'm also assuming you're using Ubuntu or Debian; if so,
running this gives us all we need:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Anonymize where needed.
Don't send the attachments to the list, they will be stripped off.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Yakov Revyakin via samba
> Sent: Monday, July 13, 2020 16:04
> To: samba at lists.samba.org
> Subject: [Samba] Authentication with trusted credentials
>
> Hi friends,
> I have a one-way outgoing trust between a SAMBA trusting domain and an AD
> trusted domain.
> SSH authentication of a user belonging to the SAMBA domain works properly
> on a Linux computer which is a member of the SAMBA domain.
> I would like to authenticate a trusted user from the AD domain on the same
> Linux computer with SSH. Currently it doesn't work.
> I am able to authenticate trusted accounts with wbinfo and kinit. I
> followed these guides:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> https://www.kania-online.de/wp-content/uploads/2019/06/trusts-
> tutorial.pdf
> What did I miss? What additional diagnostics can I make? How do I
> make a step forward?
>
> Samba 4.11
>
> DC:
> d@*us-smdc3*:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
> # trusted ad dc (smb.conf only accepts comments on their own line)
> dns forwarder = 10.0.1.2
> netbios name = US-SMDC3
> realm = SVITLA3.ROOM
> server role = active directory domain controller
> workgroup = SVITLA3
> idmap_ldb:use rfc2307 = yes
> log level = 1
> ldap server require strong auth = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/svitla3.room/scripts
> read only = No
>
> Member:
> d@*uc-smlbox20*:~$ cat /etc/samba/smb.conf
> [global]
> workgroup = SVITLA3
> security = ADS
> realm = SVITLA3.ROOM
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> log file = /var/log/samba/%m.log
> log level = 3
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config SVITLA3:backend = ad
> idmap config SVITLA3:schema_mode = rfc2307
> idmap config SVITLA3:range = 20000-29999
> idmap config SVITLA3:unix_nss_info = yes
>
> idmap config APEX:backend = ad
> idmap config APEX:schema_mode = rfc2307
> idmap config APEX:range = 10000-19999
> idmap config APEX:unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
> Thanks,
> Jake R
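As an added example (not part of the thread and not the samba-collect-debug-info.sh script Louis links to), the following POSIX sh script checks the three things the reply points at, offline and read-only: that the Windows group is listed in sshd's AllowGroups, that GSSAPIAuthentication and GSSAPIKeyExchange are enabled, and that winbind is a source for passwd and group in nsswitch.conf. The group name win-allow-ssh is taken from the reply; the sample sshd_config and nsswitch.conf contents are constructed here to stand in for the real /etc/ssh/sshd_config and /etc/nsswitch.conf.

```sh
#!/bin/sh
# Added example (not from the thread): read-only sanity checks for SSH logins
# of AD (winbind) users. File contents below are constructed samples.

# Print the effective value of an sshd_config keyword (first match wins, as in
# sshd; parsing stops at the first Match block; assumes "Keyword value" form).
sshd_option_value() {
    # $1 = sshd_config path, $2 = keyword (case-insensitive, like sshd)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 if group $2 is one of the AllowGroups tokens in sshd_config $1.
sshd_allowgroups_has() {
    for g in $(sshd_option_value "$1" AllowGroups); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if nsswitch.conf $1 lists source $3 for database $2 (e.g. group winbind).
nss_db_has_source() {
    awk -v db="$2" -v src="$3" '
        /^[ \t]*#/ { next }
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Run every check, print one line per check, return the number of failures.
check_ssh_ad_login() {
    # $1 = sshd_config, $2 = nsswitch.conf, $3 = Windows group that gets SSH access
    fails=0
    if sshd_allowgroups_has "$1" "$3"; then echo "ok   AllowGroups contains $3"
    else echo "FAIL AllowGroups does not contain $3"; fails=$((fails+1)); fi
    for opt in GSSAPIAuthentication GSSAPIKeyExchange; do
        v=$(sshd_option_value "$1" "$opt")
        if [ "$v" = "yes" ]; then echo "ok   $opt yes"
        else echo "FAIL $opt is '${v:-unset}' (sshd uses the first occurrence)"; fails=$((fails+1)); fi
    done
    for db in passwd group; do
        if nss_db_has_source "$2" "$db" winbind; then echo "ok   nsswitch $db uses winbind"
        else echo "FAIL nsswitch $db lacks winbind"; fails=$((fails+1)); fi
    done
    return $fails
}

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/nsswitch.conf.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SSHD_CFG="$TMPD/sshd_config"
NSS_CFG="$TMPD/nsswitch.conf"
cat > "$SSHD_CFG" <<'EOF'
# constructed sample mirroring the settings quoted in the reply
AllowGroups lin-allow-ssh win-allow-ssh
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIAuthentication no
Match User nobody
    AllowGroups nogroup
EOF
cat > "$NSS_CFG" <<'EOF'
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
EOF

check_ssh_ad_login "$SSHD_CFG" "$NSS_CFG" win-allow-ssh
```

On a real member server, call check_ssh_ad_login /etc/ssh/sshd_config /etc/nsswitch.conf win-allow-ssh; the duplicate GSSAPIAuthentication line in the sample shows why the checker reads the first occurrence only. This does not replace `sshd -T`, which prints the configuration sshd actually loaded, nor `getent group win-allow-ssh`, which confirms the Windows group resolves through winbind with a GID, the other requirement Louis names.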