[Samba] Authentication with trusted credentials

Yakov Revyakin yrevyakin at gmail.com
Mon Jul 13 16:50:48 UTC 2020


Some more details. Below is what I have while joining Linux (Ubuntu 20.04)
to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is trusted.
SVITLA3 has *administrator* and *test01* users, APEX has *administrator* and
*jake* users.
test01 - 20000:20000 (uidNumber:gidNumber)
jake - 10000:10000

You can see some delay in some places - I marked them bold. It looks like
DNS timeouts.
The svitla3.room smb config includes a DNS forwarder pointing to the apex.corp
DNS.
The apex.corp DNS has conditional forwarding to the svitla3.room domain.

d@uc-smlbox20:~$ host -t A apex.corp
apex.corp has address 10.0.1.2
d@uc-smlbox20:~$ host -t A svitla3.room
svitla3.room has address 10.0.0.6
d@uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
_ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
_kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
d@uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
_ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
_kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.



d@uc-smlbox20:~$ sudo net ads join -U administrator@SVITLA3.ROOM
Enter administrator@SVITLA3.ROOM's password:
Using short domain name -- SVITLA3
Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
*No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.*
*DNS update failed: NT_STATUS_INVALID_PARAMETER*


*## After that I added A and PTR records manually for the uc-smlbox20.svitla3.room Linux box*
*## nslookup recognises the computer in forward and reverse lookups*


d@uc-smlbox20:~$ sudo net ads testjoin
Join is OK

d@uc-smlbox20:~$ wbinfo --online-status
BUILTIN : active connection
UC-SMLBOX20 : active connection
SVITLA3 : active connection
*APEX : no active connection*

d@uc-smlbox20:~$ sudo net rpc trustdom list -U administrator@SVITLA3.ROOM
*-- For the first time there is a delay of about 10s*
Enter administrator@SVITLA3.ROOM's password:
Trusted domains list:

APEX                S-1-5-21-4020559381-3467740180-2426716988

Trusting domains list:

*none*

d@uc-smlbox20:~$ kinit administrator@SVITLA3.ROOM
Password for administrator@SVITLA3.ROOM:
Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50 AM UTC
d@uc-smlbox20:~$ kinit test01@SVITLA3.ROOM
Password for test01@SVITLA3.ROOM:
d@uc-smlbox20:~$ kinit administrator@APEX.CORP
Password for administrator@APEX.CORP:
d@uc-smlbox20:~$ kinit jake@APEX.CORP
Password for jake@APEX.CORP:


d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
Enter SVITLA3\administrator's password:
plaintext password authentication succeeded
Enter SVITLA3\administrator's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
Enter SVITLA3\test01's password:
plaintext password authentication succeeded
Enter SVITLA3\test01's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
Enter APEX\administrator's password:
plaintext password authentication succeeded
Enter APEX\administrator's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
Enter APEX\jake's password:
plaintext password authentication succeeded
Enter APEX\jake's password:
challenge/response password authentication succeeded


d@uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n APEX\\administrator
S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n APEX\\jake
S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)


d@uc-smlbox20:~$ getent passwd SVITLA3\\test01
test01:*:20000:20000:test01:/home/test01:/bin/bash
d@uc-smlbox20:~$ getent passwd APEX\\jake
*-- DELAY about 10s, no result*
d@uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
domain users:x:20000:
d@uc-smlbox20:~$ getent group "APEX\\Domain Users"
*-- DELAY about 10s, no result*


d@uc-smlbox20:~$ cat /etc/nsswitch.conf
# passwd:         files systemd
# group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

*passwd: compat winbind*
*group:  compat winbind*

*#passwd: files winbind*
*#group:  files winbind*


If I use default sshd_config

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

I have:

d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
SVITLA3\test01@uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

d@uc-smlbox20:~$ ssh APEX\\jake@uc-smlbox20.svitla3.room
APEX\jake@uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

If I modify sshd_config

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
AllowGroups "SVITLA3\\Domain Users"

I can't even log in with trusting credentials:

d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
SVITLA3\test01@uc-smlbox20.svitla3.room's password:
Permission denied, please try again.
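Two of the settings in this message can be checked offline against what the transcripts show. The script below is an added example, not code from the thread or from the Samba or OpenSSH projects. It parses the idmap ranges posted for the member server and confirms that test01's uidNumber 20000 and jake's 10000 land in the SVITLA3 and APEX ranges with no overlap, and it applies sshd's AllowGroups matching to the group name NSS actually returned above (`domain users`, with no domain prefix because of `winbind use default domain = yes`) against the quoted pattern `SVITLA3\\Domain Users`. The argument splitter is a simplified re-implementation of sshd's, an assumption here; the sample config texts are constructed from the lines in this thread.

```python
"""Offline checks for two settings in this thread: the idmap ranges in the
member's smb.conf and the AllowGroups pattern list in sshd_config."""
import re
from itertools import combinations

# Constructed sample: the idmap lines from the member server's smb.conf as posted.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SVITLA3:backend = ad
   idmap config SVITLA3:range = 20000-29999
   idmap config APEX:backend = ad
   idmap config APEX:range = 10000-19999
"""

# Constructed sample: the modified sshd_config block from the thread.
SSHD_CONFIG = r"""
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
AllowGroups "SVITLA3\\Domain Users"
"""

_RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Map each idmap domain ('*' is the default backend) to its (low, high) range."""
    ranges = {}
    for line in conf.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of domains whose ranges intersect; winbind needs every range disjoint."""
    return [(a, b) for a, b in combinations(sorted(ranges), 2)
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def domain_for_id(ranges, unix_id):
    """Range an rfc2307 uidNumber/gidNumber falls into, or None (with the ad
    backend an ID outside its domain's range is not mapped at all)."""
    for dom, (lo, hi) in ranges.items():
        if lo <= unix_id <= hi:
            return dom
    return None

def split_sshd_args(rest):
    """Quote-aware, whitespace-separated split; a backslash before a quote or
    backslash yields that character. Simplified stand-in for OpenSSH's
    argv_split (an assumption here, not the project's code)."""
    args, cur, quote, i = [], "", "", 0
    while i < len(rest):
        c = rest[i]
        if c == "\\" and i + 1 < len(rest) and rest[i + 1] in "\\\"'":
            cur, i = cur + rest[i + 1], i + 2
            continue
        if quote:
            if c == quote: quote = ""
            else: cur += c
        elif c in "\"'": quote = c
        elif c.isspace():
            if cur: args.append(cur); cur = ""
        else: cur += c
        i += 1
    return args + [cur] if cur else args

def parse_allow_groups(sshd_config):
    """All AllowGroups patterns (repeated lines accumulate); None when absent,
    which sshd treats as 'no group restriction'."""
    patterns = None
    for line in sshd_config.splitlines():
        m = re.match(r"^\s*AllowGroups\s+(.+?)\s*$", line, re.I)
        if m:
            patterns = (patterns or []) + split_sshd_args(m.group(1))
    return patterns

def _match(pattern, name):
    """sshd-style pattern: '*' and '?' wildcards, the rest literal and
    case-sensitive, so 'Domain Users' never matches 'domain users'."""
    rx = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(rx, name) is not None

def user_allowed(patterns, groups):
    """AllowGroups as sshd applies it to the group names NSS returns: a matching
    '!' pattern denies outright, otherwise some group must match a pattern."""
    if patterns is None:
        return True
    found = False
    for g in groups:
        for p in patterns:
            if p.startswith("!"):
                if _match(p[1:], g):
                    return False
            elif _match(p, g):
                found = True
    return found

def explain_thread():
    """Run both checks over the samples; the verdicts line up with the transcripts."""
    ranges = parse_idmap_ranges(SMB_CONF)
    patterns = parse_allow_groups(SSHD_CONFIG)
    return {
        "overlaps": overlapping_ranges(ranges),         # []
        "test01_domain": domain_for_id(ranges, 20000),  # 'SVITLA3'
        "jake_domain": domain_for_id(ranges, 10000),    # 'APEX'
        "allow_patterns": patterns,                     # ['SVITLA3\\Domain Users']
        # getent listed the primary-domain group as plain 'domain users'
        "test01_allowed": user_allowed(patterns, ["domain users"]),  # False
        # getent returned nothing for APEX\jake, so sshd would see no groups
        "jake_allowed": user_allowed(patterns, []),     # False
    }

if __name__ == "__main__":
    for key, value in explain_thread().items():
        print(f"{key}: {value}")
```

The idmap side comes out clean: the three ranges are disjoint and each posted uidNumber sits in its own domain's range. The sshd side shows why the modified config locks out test01 as well: AllowGroups is matched case-sensitively against the names NSS returns, and a pattern carrying a `SVITLA3\` prefix and capital letters cannot match `domain users`; jake is denied earlier still, because `getent passwd` returns no account for him, so sshd has no groups to match at all.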




On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

>
> What you need is to add the windows group in ssh to allowedgroups
> And give that windows group a GID.
>
> You "can't" add a linux user into the windows group, but you can add a
> windows user (if it has UID/GID) into the linux group.
> I separated that, so there is always ssh access available.
>
> I use the following :
> AllowGroups lin-allow-ssh win-allow-ssh
>
> Windows users in win-allow-ssh
> Linux users lin-allow-ssh ( in my case only Linux admins )
>
> The windows group is for every windows user you want to give access to the server.
>
> And did you enable kerberos auth in sshd.
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
>
> Should be sufficient.
> Now, if you followed Stephan's guide, and if I would make a guess.
>
> Is nsswitch configured? /etc/nsswitch.conf ?
>
> I'm also assuming you're using ubuntu or debian; if so,
> running this gives us all we need.
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Anonymize where needed.
> Don't send the attachments to the list, they will be stripped off.
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Yakov Revyakin via samba
> > Sent: Monday 13 July 2020 16:04
> > To: samba at lists.samba.org
> > Subject: [Samba] Authentication with trusted credentials
> >
> > Hi friends,
> > I have a one way outgoing trust between SAMBA trusting domain and AD
> > trusted domain.
> > SSH Authentication of a user belonging to the SAMBA domain works properly
> > on a Linux computer which is a member of SAMBA domain.
> > I would like to authenticate a trusted user from the AD domain on the same
> > Linux computer with SSH. Currently it doesn't work.
> > I am able to authenticate trusted accounts with wbinfo and kinit. I
> > followed guides:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
> > What did I miss? What additional diagnostics can I make? How can I make
> > a step forward?
> >
> > Samba 4.11
> >
> > DC:
> > d@us-smdc3:~$ cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >         dns forwarder = 10.0.1.2 # trusted ad dc
> >         netbios name = US-SMDC3
> >         realm = SVITLA3.ROOM
> >         server role = active directory domain controller
> >         workgroup = SVITLA3
> >         idmap_ldb:use rfc2307 = yes
> >         log level = 1
> >         ldap server require strong auth = no
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/svitla3.room/scripts
> >         read only = No
> >
> > Member:
> > d@uc-smlbox20:~$ cat /etc/samba/smb.conf
> > [global]
> >    workgroup = SVITLA3
> >    security = ADS
> >    realm = SVITLA3.ROOM
> >
> >    winbind refresh tickets = Yes
> >    vfs objects = acl_xattr
> >    map acl inherit = Yes
> >    store dos attributes = Yes
> >
> >    dedicated keytab file = /etc/krb5.keytab
> >    kerberos method = secrets and keytab
> >
> >    winbind use default domain = yes
> >
> >    winbind enum users = yes
> >    winbind enum groups = yes
> >
> >    load printers = no
> >    printing = bsd
> >    printcap name = /dev/null
> >    disable spoolss = yes
> >
> >    log file = /var/log/samba/%m.log
> >    log level = 3
> >
> >    idmap config * : backend = tdb
> >    idmap config * : range = 3000-7999
> >
> >    idmap config SVITLA3:backend = ad
> >    idmap config SVITLA3:schema_mode = rfc2307
> >    idmap config SVITLA3:range = 20000-29999
> >    idmap config SVITLA3:unix_nss_info = yes
> >
> >    idmap config APEX:backend = ad
> >    idmap config APEX:schema_mode = rfc2307
> >    idmap config APEX:range = 10000-19999
> >    idmap config APEX:unix_nss_info = yes
> >
> >    vfs objects = acl_xattr
> >    map acl inherit = yes
> >
> > Thanks,
> > Jake R
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>