[Samba] Authentication with trusted credentials

Yakov Revyakin yrevyakin at gmail.com
Mon Jul 13 19:01:59 UTC 2020


Louis, could you take a look at my case again?
I am not sure that the problem is incorrect groups.
Only trusted credentials don't work. Do you have any idea what the reason is?

On Mon, 13 Jul 2020 at 19:50, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> Some more details. Below is what I have while joining Linux (Ubuntu
> 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is
> trusted.
> SVITLA3 has *administrator* and *test01* users, APEX has *administrator* and
> *jake* users.
> test01 - 20000:20000 (uidNumber:gidNumber)
> jake - 10000:10000
>
> You can see some delay in some places - I marked them bold. It looks like
> DNS timeouts.
> The svitla3.room smb config includes a DNS forwarder pointing at the apex.corp
> DNS.
> apex.corp DNS has conditional forwarding to the svitla3.room domain.
>
> d@uc-smlbox20:~$ host -t A apex.corp
> apex.corp has address 10.0.1.2
> d@uc-smlbox20:~$ host -t A svitla3.room
> svitla3.room has address 10.0.0.6
> d@uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
> _ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
> d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
> _kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
> d@uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
> _ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
> d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
> _kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.
>
>
> d@uc-smlbox20:~$ sudo net ads join -U administrator@SVITLA3.ROOM
> Enter administrator@SVITLA3.ROOM's password:
> Using short domain name -- SVITLA3
> Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
> *No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.*
> *DNS update failed: NT_STATUS_INVALID_PARAMETER*
>
> ## After that I added A and PTR records manually for the uc-smlbox20.svitla3.room Linux box
> ## nslookup recognises the computer in forward and reverse lookups
>
>
> d@uc-smlbox20:~$ sudo net ads testjoin
> Join is OK
>
> d@uc-smlbox20:~$ wbinfo --online-status
> BUILTIN : active connection
> UC-SMLBOX20 : active connection
> SVITLA3 : active connection
> *APEX : no active connection*
>
> d@uc-smlbox20:~$ sudo net rpc trustdom list -U administrator@SVITLA3.ROOM
> *-- The first time there is a delay of about 10s*
> Enter administrator@SVITLA3.ROOM's password:
> Trusted domains list:
>
> APEX                S-1-5-21-4020559381-3467740180-2426716988
>
> Trusting domains list:
>
> *none*
>
> d@uc-smlbox20:~$ kinit administrator@SVITLA3.ROOM
> Password for administrator@SVITLA3.ROOM:
> Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50 AM UTC
> d@uc-smlbox20:~$ kinit test01@SVITLA3.ROOM
> Password for test01@SVITLA3.ROOM:
> d@uc-smlbox20:~$ kinit administrator@APEX.CORP
> Password for administrator@APEX.CORP:
> d@uc-smlbox20:~$ kinit jake@APEX.CORP
> Password for jake@APEX.CORP:
>
>
> d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
> Enter SVITLA3\administrator's password:
> plaintext password authentication succeeded
> Enter SVITLA3\administrator's password:
> challenge/response password authentication succeeded
> d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
> Enter SVITLA3\test01's password:
> plaintext password authentication succeeded
> Enter SVITLA3\test01's password:
> challenge/response password authentication succeeded
> d@uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
> Enter APEX\administrator's password:
> plaintext password authentication succeeded
> Enter APEX\administrator's password:
> challenge/response password authentication succeeded
> d@uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
> Enter APEX\jake's password:
> plaintext password authentication succeeded
> Enter APEX\jake's password:
> challenge/response password authentication succeeded
>
>
> d@uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
> S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
> d@uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
> S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
> d@uc-smlbox20:~$ wbinfo -n APEX\\administrator
> S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
> d@uc-smlbox20:~$ wbinfo -n APEX\\jake
> S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)
>
>
> d@uc-smlbox20:~$ getent passwd SVITLA3\\test01
> test01:*:20000:20000:test01:/home/test01:/bin/bash
> d@uc-smlbox20:~$ getent passwd APEX\\jake
> *-- DELAY of about 10s, no result*
> d@uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
> domain users:x:20000:
> d@uc-smlbox20:~$ getent group "APEX\\Domain Users"
> *-- DELAY of about 10s, no result*
>
>
> d@uc-smlbox20:~$ cat /etc/nsswitch.conf
> # passwd:         files systemd
> # group:          files systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>
> passwd: compat winbind
> group:  compat winbind
>
> #passwd: files winbind
> #group:  files winbind
>
>
> If I use the default sshd_config
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> I have:
>
> d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
> SVITLA3\test01@uc-smlbox20.svitla3.room's password:
> Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
>
> d@uc-smlbox20:~$ ssh APEX\\jake@uc-smlbox20.svitla3.room
> APEX\jake@uc-smlbox20.svitla3.room's password:
> Permission denied, please try again.
>
> If I modify sshd_config
>
> # GSSAPI options
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
> AllowGroups "SVITLA3\\Domain Users"
>
> I can't even log in with trusting credentials:
>
> d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
> SVITLA3\test01@uc-smlbox20.svitla3.room's password:
> Permission denied, please try again.
>
>
>
>
> On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
>>
>> What you need is to add the Windows group in ssh to AllowGroups
>> and give that Windows group a GID.
>>
>> You "can't" add a Linux user into the Windows group, but you can add a
>> Windows user (if it has a UID/GID) into the Linux group.
>> I separated that, so there is always ssh access available.
>>
>> I use the following:
>> AllowGroups lin-allow-ssh win-allow-ssh
>>
>> Windows users in win-allow-ssh
>> Linux users in lin-allow-ssh (in my case only Linux admins)
>>
>> The Windows group is for every Windows user you want to give access to the server.
>>
>> And did you enable Kerberos auth in sshd?
>> # GSSAPI options
>> GSSAPIAuthentication yes
>> GSSAPIKeyExchange yes
>>
>> Should be sufficient.
>> Now, if you followed Stephan's guide, and if I would make a guess:
>>
>> Is nsswitch configured? /etc/nsswitch.conf?
>>
>> I'm also assuming you're using Ubuntu or Debian; if so,
>> running this gives us all we need.
>>
>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>>
>> Anonymize where needed.
>> Don't send the attachments to the list, they will be stripped off.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> > Yakov Revyakin via samba
>> > Sent: Monday 13 July 2020 16:04
>> > To: samba at lists.samba.org
>> > Subject: [Samba] Authentication with trusted credentials
>> >
>> > Hi friends,
>> > I have a one-way outgoing trust between a SAMBA trusting domain and an AD
>> > trusted domain.
>> > SSH authentication of a user belonging to the SAMBA domain works properly
>> > on a Linux computer which is a member of the SAMBA domain.
>> > I would like to authenticate a trusted user from the AD domain on the same
>> > Linux computer with SSH. Currently it doesn't work.
>> > I am able to authenticate trusted accounts with wbinfo and kinit. I
>> > followed these guides:
>> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> > https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
>> > What did I miss? What additional diagnostics can I run? How do I make a
>> > step forward?
>> >
>> > Samba 4.11
>> >
>> > DC:
>> > d@us-smdc3:~$ cat /etc/samba/smb.conf
>> > # Global parameters
>> > [global]
>> >         dns forwarder = 10.0.1.2 # trusted ad dc
>> >         netbios name = US-SMDC3
>> >         realm = SVITLA3.ROOM
>> >         server role = active directory domain controller
>> >         workgroup = SVITLA3
>> >         idmap_ldb:use rfc2307 = yes
>> >         log level = 1
>> >         ldap server require strong auth = no
>> >
>> > [sysvol]
>> >         path = /var/lib/samba/sysvol
>> >         read only = No
>> >
>> > [netlogon]
>> >         path = /var/lib/samba/sysvol/svitla3.room/scripts
>> >         read only = No
>> >
>> > Member:
>> > d@uc-smlbox20:~$ cat /etc/samba/smb.conf
>> > [global]
>> >    workgroup = SVITLA3
>> >    security = ADS
>> >    realm = SVITLA3.ROOM
>> >
>> >    winbind refresh tickets = Yes
>> >    vfs objects = acl_xattr
>> >    map acl inherit = Yes
>> >    store dos attributes = Yes
>> >
>> >    dedicated keytab file = /etc/krb5.keytab
>> >    kerberos method = secrets and keytab
>> >
>> >    winbind use default domain = yes
>> >
>> >    winbind enum users = yes
>> >    winbind enum groups = yes
>> >
>> >    load printers = no
>> >    printing = bsd
>> >    printcap name = /dev/null
>> >    disable spoolss = yes
>> >
>> >    log file = /var/log/samba/%m.log
>> >    log level = 3
>> >
>> >    idmap config * : backend = tdb
>> >    idmap config * : range = 3000-7999
>> >
>> >    idmap config SVITLA3:backend = ad
>> >    idmap config SVITLA3:schema_mode = rfc2307
>> >    idmap config SVITLA3:range = 20000-29999
>> >    idmap config SVITLA3:unix_nss_info = yes
>> >
>> >    idmap config APEX:backend = ad
>> >    idmap config APEX:schema_mode = rfc2307
>> >    idmap config APEX:range = 10000-19999
>> >    idmap config APEX:unix_nss_info = yes
>> >
>> >    vfs objects = acl_xattr
>> >    map acl inherit = yes
>> >
>> > Thanks,
>> > Jake R
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>

