[Samba] Authentication with trusted credentials

L.P.H. van Belle belle at bazuin.nl
Tue Jul 14 07:11:33 UTC 2020


Hi,

Sorry for the late(r) reply, but we all need to sleep sometimes too. ;-)
Note, I saw it's fixed, but I'll comment a bit on your replies,

mainly because of this part (sent: Monday 13 July 2020 18:51):
> net ads join -U administrator at SVITLA3.ROOM
> Enter administrator at SVITLA3.ROOM's password:
> Using short domain name -- SVITLA3
> Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
> No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER
>
> ## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box
> ## nslookup recognises the computer in forward and reverse lookups

This often points to an incorrect resolving setup.
I advise you to look up and verify /etc/hosts and /etc/resolv.conf.

Make sure the first resolver in resolv.conf is pointing to the AD DC.

The other checks you did look good, but do verify it.

Change /etc/nsswitch.conf to (optionally switch the order of winbind and systemd):

passwd: compat winbind systemd
group:  compat winbind systemd

Why I say you can switch the order here: it depends on how you use the server.
Just test this, time running processes and see what fits your needs best.


Sent: Tuesday 14 July 2020 1:16
> but users from trusted domain were able to authenticate only after I changed it from the default value (IIRC 'secrets') to 'secrets and keytab'.

Yes, for the SSH login: how does SSHD know the UPN/SPN when it's in secrets.tdb?
I'm not a Kerberos expert, I leave that to one of the Samba devs, but as far as I know, if you have any service that uses UPNs/SPNs we need /etc/krb5.keytab.

I hope this explains it a bit; if not, maybe Rowland knows more here, or we can ask @Alexander if you want.


Greetz, 

Louis
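Added example, not from this thread or from Samba: a small POSIX shell script that performs the checks Louis recommends above (first resolver is the AD DC, winbind present on the passwd and group lines of /etc/nsswitch.conf) and times a getent lookup so the roughly 10 s "no result" Yakov saw for APEX users is reported as a timeout rather than a missing user. The default DC address 10.0.0.6 and the 5 s threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: checks that the first resolver is the AD DC
# and that winbind is on the passwd/group lines of nsswitch.conf, then times an
# NSS lookup so a slow "no result" is reported as a timeout, not a missing user.
# Default DC address 10.0.0.6 and the 5 s threshold are assumptions.

# 0 if the first "nameserver" line in the given resolv.conf is the expected DC.
first_resolver_is_dc() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1" 2>/dev/null)
    [ -n "$first" ] && [ "$first" = "$2" ]
}

# 0 if both the passwd and group lines of the given nsswitch.conf list winbind.
# Commented-out lines ("# passwd: ...") have "#" as $1, so they never match.
nsswitch_has_winbind() {
    awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
         $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
         END { exit !(p && g) }' "$1" 2>/dev/null
}

# Run a command, print its wall-clock seconds on stdout, keep its exit status.
timed_lookup() {
    start=$(date +%s)
    if "$@" >/dev/null 2>&1; then status=0; else status=$?; fi
    echo $(( $(date +%s) - start ))
    return $status
}

# Classify one NSS user lookup as found, missing, or timeout (slow and missing,
# like the APEX lookups in the thread, which points at DNS/trust, not idmap).
classify_user_lookup() {
    if secs=$(timed_lookup getent passwd "$1"); then echo "found (${secs}s)"; return 0; fi
    if [ "$secs" -ge 5 ]; then echo "timeout (${secs}s, check DNS/trust)"; else echo "missing (${secs}s)"; fi
}
main() {
    dc=${1:-10.0.0.6}
    if first_resolver_is_dc /etc/resolv.conf "$dc"; then
        echo "resolv.conf: first nameserver is the DC ($dc)"
    else
        echo "resolv.conf: first nameserver is NOT $dc, fix this first"
    fi
    if nsswitch_has_winbind /etc/nsswitch.conf; then
        echo "nsswitch.conf: passwd and group use winbind"
    else
        echo "nsswitch.conf: winbind missing from passwd and/or group"
    fi
    if [ -n "$2" ]; then echo "lookup $2: $(classify_user_lookup "$2")"; fi
}
main "$@"
```

Run it as `sh check-member.sh 10.0.0.6 'APEX\jake'` on the member; the lookup argument is optional.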

 


From: Yakov Revyakin [mailto:yrevyakin at gmail.com]
Sent: Monday 13 July 2020 18:51
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Authentication with trusted credentials



Some more details. Below is what I have while joining Linux (Ubuntu 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is trusted.
SVITLA3 has administrator and test01 users, APEX has administrator and jake users.

test01 - 20000:20000 (uidNumber:gidNumber)
jake - 10000:10000

You can see some delay in some places - I marked them bold. It looks like DNS timeouts.
The svitla3.room smb config includes a DNS forwarder pointing to the apex.corp DNS.
apex.corp DNS has conditional forwarding to the svitla3.room domain.


d at uc-smlbox20:~$ host -t A apex.corp
apex.corp has address 10.0.1.2
d at uc-smlbox20:~$ host -t A svitla3.room
svitla3.room has address 10.0.0.6
d at uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
_ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
d at uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
_kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
d at uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
_ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
d at uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
_kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.

d at uc-smlbox20:~$ sudo net ads join -U administrator at SVITLA3.ROOM
Enter administrator at SVITLA3.ROOM's password:
Using short domain name -- SVITLA3
Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box
## nslookup recognises the computer in forward and reverse lookups

d at uc-smlbox20:~$ sudo net ads testjoin
Join is OK

d at uc-smlbox20:~$ wbinfo --online-status
BUILTIN : active connection
UC-SMLBOX20 : active connection
SVITLA3 : active connection
APEX : no active connection

d at uc-smlbox20:~$ sudo net rpc trustdom list -U administrator at SVITLA3.ROOM
-- For first time there is delay about 10s
Enter administrator at SVITLA3.ROOM's password:
Trusted domains list:

APEX                S-1-5-21-4020559381-3467740180-2426716988

Trusting domains list:

none

d at uc-smlbox20:~$ kinit administrator at SVITLA3.ROOM
Password for administrator at SVITLA3.ROOM:
Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50 AM UTC
d at uc-smlbox20:~$ kinit test01 at SVITLA3.ROOM
Password for test01 at SVITLA3.ROOM:
d at uc-smlbox20:~$ kinit administrator at APEX.CORP
Password for administrator at APEX.CORP:
d at uc-smlbox20:~$ kinit jake at APEX.CORP
Password for jake at APEX.CORP:


d at uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
Enter SVITLA3\administrator's password:
plaintext password authentication succeeded
Enter SVITLA3\administrator's password:
challenge/response password authentication succeeded
d at uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
Enter SVITLA3\test01's password:
plaintext password authentication succeeded
Enter SVITLA3\test01's password:
challenge/response password authentication succeeded
d at uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
Enter APEX\administrator's password:
plaintext password authentication succeeded
Enter APEX\administrator's password:
challenge/response password authentication succeeded
d at uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
Enter APEX\jake's password:
plaintext password authentication succeeded
Enter APEX\jake's password:
challenge/response password authentication succeeded


d at uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
d at uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
d at uc-smlbox20:~$ wbinfo -n APEX\\administrator
S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
d at uc-smlbox20:~$ wbinfo -n APEX\\jake
S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)


d at uc-smlbox20:~$ getent passwd SVITLA3\\test01
test01:*:20000:20000:test01:/home/test01:/bin/bash
d at uc-smlbox20:~$ getent passwd APEX\\jake
-- DELAY about 10s, No result
d at uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
domain users:x:20000:
d at uc-smlbox20:~$ getent group "APEX\\Domain Users"
-- DELAY about 10s, No result


d at uc-smlbox20:~$ cat /etc/nsswitch.conf
# passwd:         files systemd
# group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

passwd: compat winbind
group:  compat winbind

#passwd: files winbind
#group:  files winbind

If I use default sshd_config

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

I have:

d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox20.svitla3.room
APEX\jake at uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

If I modify sshd_config

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
AllowGroups "SVITLA3\\Domain Users"


I even can't log in with trusting credentials:

d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:


What you need is to add the Windows group in SSH to AllowGroups,
and give that Windows group a GID.

You "can't" add a Linux user into the Windows group, but you can add a Windows user (if it has a UID/GID) into the Linux group.
I separated that, so there is always SSH access available.

I use the following:
AllowGroups lin-allow-ssh win-allow-ssh

Windows users in win-allow-ssh
Linux users in lin-allow-ssh (in my case only Linux admins)

The Windows group is for every Windows user you want to give access to the server.

And did you enable Kerberos auth in sshd?
# GSSAPI options
GSSAPIAuthentication yes
GSSAPIKeyExchange yes

Should be sufficient.
Now, if you followed Stephan's guide, and if I would make a guess:

Is nsswitch configured? /etc/nsswitch.conf?

I'm also assuming you're using Ubuntu or Debian; if so,
running this gives us all we need.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Anonymize where needed.
Don't send the attachments to the list, they will be stripped off.


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Yakov Revyakin via samba
> Sent: Monday 13 July 2020 16:04
> To: samba at lists.samba.org
> Subject: [Samba] Authentication with trusted credentials
> 
> Hi friends,
> I have a one-way outgoing trust between a SAMBA trusting domain and an AD
> trusted domain.
> SSH authentication of a user belonging to the SAMBA domain works properly
> on a Linux computer which is a member of the SAMBA domain.
> I would like to authenticate a trusted user from the AD domain on the same
> Linux computer with SSH. Currently it doesn't work.
> I am able to authenticate trusted accounts with wbinfo and kinit. I
> followed these guides:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
> What did I miss? What additional diagnostics can I run? How do I make a step
> forward?
> 
> Samba 4.11
> 
> DC:
> d@*us-smdc3*:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         # trusted ad dc (smb.conf has no trailing comments; a "# ..." after a value becomes part of the value)
>         dns forwarder = 10.0.1.2
>         netbios name = US-SMDC3
>         realm = SVITLA3.ROOM
>         server role = active directory domain controller
>         workgroup = SVITLA3
>         idmap_ldb:use rfc2307 = yes
>         log level = 1
>         ldap server require strong auth = no
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/svitla3.room/scripts
>         read only = No
> 
> Member:
> d@*uc-smlbox20*:~$ cat /etc/samba/smb.conf
> [global]
>    workgroup = SVITLA3
>    security = ADS
>    realm = SVITLA3.ROOM
> 
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
> 
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
> 
>    winbind use default domain = yes
> 
>    winbind enum users = yes
>    winbind enum groups = yes
> 
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
> 
>    log file = /var/log/samba/%m.log
>    log level = 3
> 
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
> 
>    idmap config SVITLA3:backend = ad
>    idmap config SVITLA3:schema_mode = rfc2307
>    idmap config SVITLA3:range = 20000-29999
>    idmap config SVITLA3:unix_nss_info = yes
> 
>    idmap config APEX:backend = ad
>    idmap config APEX:schema_mode = rfc2307
>    idmap config APEX:range = 10000-19999
>    idmap config APEX:unix_nss_info = yes
> 
>    vfs objects = acl_xattr
>    map acl inherit = yes
> 
> Thanks,
> Jake R
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

