[Samba] Authentication with trusted credentials

Alexey A Nikitin nikitin at amazon.com
Mon Jul 13 23:15:51 UTC 2020


When I was trying to get users from trusted domains to authenticate on the host, I had to change the kerberos method in smb.conf. I don't fully understand why, but users from the trusted domain were able to authenticate only after I changed it from the default value (IIRC 'secrets') to 'secrets and keytab'.


On Monday, 13 July 2020 12:01:59 PDT Yakov Revyakin via samba wrote:
> 
> Louis, could you take a look at my case again?
> I am not sure that the problem is in incorrect groups.
> Only trusted credentials don't work. Have you any idea what the reason is?
> 
> On Mon, 13 Jul 2020 at 19:50, Yakov Revyakin <yrevyakin at gmail.com> wrote:
> 
> > Some more details. Below is what I have during joining Linux (Ubuntu
> > 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is
> > trusted.
> > SVITLA3 has *administrator* and *test01* users, APEX has *administrator* and
> > *jake* users.
> > test01 - 20000:20000 (uidNumber:gidNumber)
> > jake - 10000:10000
> >
> > You can see some delay in some places - I marked them bold. It looks like
> > DNS timeouts.
> > The svitla3.room smb config includes DNS Forwarder pointing on apex.corp
> > DNS.
> > apex.corp DNS has conditional forwarding to svitla3.room domain
> >
> > d at uc-smlbox20:~$ host -t A apex.corp
> >
> > apex.corp has address 10.0.1.2
> >
> > d at uc-smlbox20:~$ host -t A svitla3.room
> >
> > svitla3.room has address 10.0.0.6
> >
> > d at uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
> >
> > _ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
> >
> > d at uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
> >
> > _kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
> >
> > d at uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
> >
> > _ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
> >
> > d at uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
> >
> > _kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.
> >
> >
> >
> > d@*uc-smlbox20*:~$ sudo net ads join -U administrator at SVITLA3.ROOM
> >
> > Enter administrator at SVITLA3.ROOM's password:
> >
> > Using short domain name -- SVITLA3
> >
> > Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
> >
> > *No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.*
> >
> > *DNS update failed: NT_STATUS_INVALID_PARAMETER*
> >
> >
> > *## After that I added A and PTR records manually for
> > uc-smlbox20.svitla3.room **Linux box*
> >
> > *## nslookup recognises the computer in forward and reverse lookups*
> >
> >
> > d at uc-smlbox20:~$ sudo net ads testjoin
> > Join is OK
> >
> > d at uc-smlbox20:~$ wbinfo --online-status
> > BUILTIN : active connection
> > UC-SMLBOX20 : active connection
> > SVITLA3 : active connection
> > *APEX : no active connection*
> >
> > d at uc-smlbox20:~$ sudo net rpc trustdom list -U administrator at SVITLA3.ROOM
> >
> > *-- For first time there is delay about 10s*
> >
> > Enter administrator at SVITLA3.ROOM's password:
> >
> > Trusted domains list:
> >
> >
> > APEX                S-1-5-21-4020559381-3467740180-2426716988
> >
> >
> > Trusting domains list:
> >
> >
> > *none*
> >
> >
> > d at uc-smlbox20:~$ kinit administrator at SVITLA3.ROOM
> > Password for administrator at SVITLA3.ROOM:
> > Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50
> > AM UTC
> > d at uc-smlbox20:~$ kinit test01 at SVITLA3.ROOM
> > Password for test01 at SVITLA3.ROOM:
> > d at uc-smlbox20:~$ kinit administrator at APEX.CORP
> > Password for administrator at APEX.CORP:
> > d at uc-smlbox20:~$ kinit jake at APEX.CORP
> > Password for jake at APEX.CORP:
> >
> >
> > d at uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
> > Enter SVITLA3\administrator's password:
> > plaintext password authentication succeeded
> > Enter SVITLA3\administrator's password:
> > challenge/response password authentication succeeded
> > d at uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
> > Enter SVITLA3\test01's password:
> > plaintext password authentication succeeded
> > Enter SVITLA3\test01's password:
> > challenge/response password authentication succeeded
> > d at uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
> > Enter APEX\administrator's password:
> > plaintext password authentication succeeded
> > Enter APEX\administrator's password:
> > challenge/response password authentication succeeded
> > d at uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
> > Enter APEX\jake's password:
> > plaintext password authentication succeeded
> > Enter APEX\jake's password:
> > challenge/response password authentication succeeded
> >
> >
> > d at uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
> > S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
> > d at uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
> > S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
> > d at uc-smlbox20:~$ wbinfo -n APEX\\administrator
> > S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
> > d at uc-smlbox20:~$ wbinfo -n APEX\\jake
> > S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)
> >
> >
> > d at uc-smlbox20:~$ getent passwd SVITLA3\\test01
> > test01:*:20000:20000:test01:/home/test01:/bin/bash
> > d at uc-smlbox20:~$ getent passwd APEX\\jake
> > *-- DELAY about 10s, No result*
> > d at uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
> > domain users:x:20000:
> > d at uc-smlbox20:~$ getent group "APEX\\Domain Users"
> > *-- DELAY about 10s, No result*
> >
> >
> > d at uc-smlbox20:~$ cat /etc/nsswitch.conf
> > # passwd:         files systemd
> > # group:          files systemd
> > shadow:         files
> > gshadow:        files
> >
> > hosts:          files dns
> > networks:       files
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup:       nis
> >
> >
> > passwd:         compat winbind
> > group:          compat winbind
> >
> > #passwd:        files winbind
> > #group:         files winbind
> >
> >
> > If I use default sshd_config
> >
> > # GSSAPI options
> > #GSSAPIAuthentication no
> > #GSSAPICleanupCredentials yes
> > #GSSAPIStrictAcceptorCheck yes
> > #GSSAPIKeyExchange no
> >
> > I have:
> >
> > d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
> >
> > SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
> >
> > Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
> >
> > d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox20.svitla3.room
> >
> > APEX\jake at uc-smlbox20.svitla3.room's password:
> >
> > Permission denied, please try again.
> >
> > If I modify sshd_config
> >
> > # GSSAPI options
> > GSSAPIAuthentication yes
> > #GSSAPICleanupCredentials yes
> > #GSSAPIStrictAcceptorCheck yes
> > GSSAPIKeyExchange yes
> > AllowGroups "SVITLA3\\Domain Users"
> >
> > I can't even log in with trusting credentials:
> >
> > d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
> >
> > SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
> >
> > Permission denied, please try again.
> >
> >
> >
> >
> > On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <
> > samba at lists.samba.org> wrote:
> >
> >>
> >> What you need is to add the Windows group to AllowGroups in sshd
> >> and give that Windows group a GID.
> >>
> >> You "can't" add a Linux user into the Windows group, but you can add a
> >> Windows user (if it has a UID/GID) into the Linux group.
> >> I separated that, so there is always ssh access available.
> >>
> >> I use the following :
> >> AllowGroups lin-allow-ssh win-allow-ssh
> >>
> >> Windows users in win-allow-ssh
> >> Linux users lin-allow-ssh ( in my case only Linux admins )
> >>
> >> The Windows group contains every Windows user you want to give access to the server.
> >>
> >> And did you enable Kerberos auth in sshd?
> >> # GSSAPI options
> >> GSSAPIAuthentication yes
> >> GSSAPIKeyExchange yes
> >>
> >> Should be sufficient.
> >> Now, if you followed Stephan's guide, and if I would make a guess:
> >>
> >> Is nsswitch configured? /etc/nsswitch.conf ?
> >>
> >> I'm also assuming you're using Ubuntu or Debian; if so,
> >> running this gives us all we need.
> >>
> >> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> >>
> >> Anonymize where needed.
> >> Don't send the attachments to the list, they will be stripped off.
> >>
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >> > -----Original Message-----
> >> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> >> > Yakov Revyakin via samba
> >> > Sent: Monday 13 July 2020 16:04
> >> > To: samba at lists.samba.org
> >> > Subject: [Samba] Authentication with trusted credentials
> >> >
> >> > Hi friends,
> >> > I have a one-way outgoing trust between a SAMBA trusting domain and an AD
> >> > trusted domain.
> >> > SSH authentication of a user belonging to the SAMBA domain works properly
> >> > on a Linux computer which is a member of the SAMBA domain.
> >> > I would like to authenticate a trusted user from the AD domain on the same
> >> > Linux computer with SSH. Currently it doesn't work.
> >> > I am able to authenticate trusted accounts with wbinfo and kinit. I
> >> > followed these guides:
> >> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >> > https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
> >> > What did I miss? What additional diagnostics can I run? How do I make a step
> >> > forward?
> >> >
> >> > Samba 4.11
> >> >
> >> > DC:
> >> > d@*us-smdc3*:~$ cat /etc/samba/smb.conf
> >> > # Global parameters
> >> > [global]
> >> >         dns forwarder = 10.0.1.2 # trusted ad dc
> >> >         netbios name = US-SMDC3
> >> >         realm = SVITLA3.ROOM
> >> >         server role = active directory domain controller
> >> >         workgroup = SVITLA3
> >> >         idmap_ldb:use rfc2307 = yes
> >> >         log level = 1
> >> >         ldap server require strong auth = no
> >> >
> >> > [sysvol]
> >> >         path = /var/lib/samba/sysvol
> >> >         read only = No
> >> >
> >> > [netlogon]
> >> >         path = /var/lib/samba/sysvol/svitla3.room/scripts
> >> >         read only = No
> >> >
> >> > Member:
> >> > d@*uc-smlbox20*:~$ cat /etc/samba/smb.conf
> >> > [global]
> >> >    workgroup = SVITLA3
> >> >    security = ADS
> >> >    realm = SVITLA3.ROOM
> >> >
> >> >    winbind refresh tickets = Yes
> >> >    vfs objects = acl_xattr
> >> >    map acl inherit = Yes
> >> >    store dos attributes = Yes
> >> >
> >> >    dedicated keytab file = /etc/krb5.keytab
> >> >    kerberos method = secrets and keytab
> >> >
> >> >    winbind use default domain = yes
> >> >
> >> >    winbind enum users = yes
> >> >    winbind enum groups = yes
> >> >
> >> >    load printers = no
> >> >    printing = bsd
> >> >    printcap name = /dev/null
> >> >    disable spoolss = yes
> >> >
> >> >    log file = /var/log/samba/%m.log
> >> >    log level = 3
> >> >
> >> >    idmap config * : backend = tdb
> >> >    idmap config * : range = 3000-7999
> >> >
> >> >    idmap config SVITLA3:backend = ad
> >> >    idmap config SVITLA3:schema_mode = rfc2307
> >> >    idmap config SVITLA3:range = 20000-29999
> >> >    idmap config SVITLA3:unix_nss_info = yes
> >> >
> >> >    idmap config APEX:backend = ad
> >> >    idmap config APEX:schema_mode = rfc2307
> >> >    idmap config APEX:range = 10000-19999
> >> >    idmap config APEX:unix_nss_info = yes
> >> >
> >> >    vfs objects = acl_xattr
> >> >    map acl inherit = yes
> >> >
> >> > Thanks,
> >> > Jake R
> >> > --
> >> > To unsubscribe from this list go to the following URL and read the
> >> > instructions:  https://lists.samba.org/mailman/options/samba
> >> >
> >> >
> >>
> >>
> >>
> >
> 
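The symptom in the thread (a trusted-domain user resolves with `wbinfo -n` but `getent passwd APEX\\jake` returns nothing) is usually a configuration problem on the member rather than in the trust itself: winbind only maps an AD uidNumber/gidNumber that falls inside the `idmap config DOMAIN:range` configured for that domain, the ranges of all domains plus the default `*` backend must not overlap, and nsswitch.conf must consult winbind for `passwd` and `group`. The checker below is an added example written for this page, not code from the list or from the Samba project; it parses those lines from the member smb.conf and the nsswitch.conf quoted in the thread (both copied here as constructed sample strings), reports the common mistakes, and tells you which domain would serve a given id, for example test01's 20000 and jake's 10000.

```python
"""Sanity checks for a winbind domain-member configuration.

Added example for this thread, not code from the list or the Samba
project. It parses the 'idmap config <DOMAIN>:...' lines of an smb.conf
and the passwd/group lines of an nsswitch.conf, then reports the
configuration mistakes that most often make a trusted-domain user
resolve in 'wbinfo -n' but not in 'getent passwd': a missing default
range, overlapping ranges, an 'ad' backend without a range, and
nsswitch not consulting winbind. Both sample files are constructed
from the member configuration posted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the idmap-relevant part of the member smb.conf from the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = SVITLA3
   security = ADS
   realm = SVITLA3.ROOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SVITLA3:backend = ad
   idmap config SVITLA3:schema_mode = rfc2307
   idmap config SVITLA3:range = 20000-29999
   idmap config APEX:backend = ad
   idmap config APEX:schema_mode = rfc2307
   idmap config APEX:range = 10000-19999
"""

# Constructed sample: the working passwd/group lines from the thread's nsswitch.conf.
SAMPLE_NSSWITCH = """\
passwd:         compat winbind
group:          compat winbind
shadow:         files
hosts:          files dns
"""

# 'idmap config DOMAIN : option = value'; spacing around ':' and '=' varies between files.
_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            out.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = m["val"]
    return out


def id_ranges(idmap: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Turn each 'lo-hi' range string into an (lo, hi) tuple."""
    rng: Dict[str, Tuple[int, int]] = {}
    for dom, opts in idmap.items():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-", 1))
            rng[dom] = (lo, hi)
    return rng


def overlapping(rng: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges intersect; winbind requires disjoint ranges."""
    doms = sorted(rng)
    return [
        (a, b)
        for i, a in enumerate(doms)
        for b in doms[i + 1:]
        if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]
    ]


def domain_for_id(rng: Dict[str, Tuple[int, int]], xid: int) -> Optional[str]:
    """Which idmap domain serves a given uidNumber/gidNumber ('*' = default backend)."""
    for dom, (lo, hi) in rng.items():
        if dom != "*" and lo <= xid <= hi:
            return dom
    if "*" in rng and rng["*"][0] <= xid <= rng["*"][1]:
        return "*"
    return None  # outside every range: winbind will not map this id at all


def check_idmap(conf: str) -> List[str]:
    """Human-readable list of idmap problems; an empty list means the ranges look sane."""
    idmap = parse_idmap(conf)
    rng = id_ranges(idmap)
    problems: List[str] = []
    if "*" not in rng:
        problems.append("no 'idmap config * : range' for BUILTIN and well-known SIDs")
    for a, b in overlapping(rng):
        problems.append(f"ranges for {a} and {b} overlap")
    for dom, opts in idmap.items():
        if dom != "*" and opts.get("backend", "").lower() == "ad" and dom not in rng:
            problems.append(f"{dom}: 'backend = ad' without a range")
    return problems


def check_nsswitch(conf: str) -> List[str]:
    """Report passwd/group databases that do not list winbind (commented lines are skipped)."""
    problems: List[str] = []
    for db in ("passwd", "group"):
        m = re.search(rf"^\s*{db}\s*:\s*(.*)$", conf, re.MULTILINE)
        sources = m.group(1).split() if m else []
        if "winbind" not in sources:
            problems.append(f"nsswitch.conf: '{db}' does not include winbind")
    return problems


if __name__ == "__main__":
    for p in check_idmap(SAMPLE_SMB_CONF) + check_nsswitch(SAMPLE_NSSWITCH):
        print("PROBLEM:", p)
    rng = id_ranges(parse_idmap(SAMPLE_SMB_CONF))
    for xid in (10000, 20000, 3000, 9999):
        print(xid, "->", domain_for_id(rng, xid))
```

On the thread's own configuration both checks come back clean and both users' ids land in their domain's range, which is why the remaining suspects are the DNS timeouts and the `APEX : no active connection` line from `wbinfo --online-status` rather than the idmap setup. To run it against a real member, read `/etc/samba/smb.conf` and `/etc/nsswitch.conf` into the two `check_*` functions instead of the sample strings.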
