[Samba] Authentication with trusted credentials

Yakov Revyakin yrevyakin at gmail.com
Thu Jul 16 13:50:46 UTC 2020


In this configuration with a trusted domain I am missing something important.
I need your help to understand.
One more time:
- I have a validated trust. Trusted (AD "apex.corp") authentication works
with Windows PC joined to the trusting (Samba - svitla5.room) domain. So, I
have trusted authentication enabled and working properly. For this I set
Samba DNS IP and joined that Windows PC to the Samba domain - nothing more.
Also I added "APEX\\Domain Users" to the appropriate group to enable RDP
for trusted credentials (using GP Management).
- I have a Linux PC (Samba, winbind) joined to the Samba trusting domain
and ssh login works for trusting credentials.
- I have a Linux PC (sssd) joined to the Samba trusting domain and ssh
login works for trusting credentials.
- For both Linux PCs authentication with trusted credentials doesn't work.
Error messages are similar for both winbind and sssd:

d@uc-sssdlbox20:~$ sudo grep 'sshd' /var/log/auth.log

## trusting credentials work

Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1
user=SVITLA5.ROOM\test01
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: Accepted password for
SVITLA5.ROOM\\test01 from 10.0.0.1 port 62969 ssh2
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session
opened for user SVITLA5.ROOM\test01 by (uid=0)
Jul 16 11:23:51 uc-sssdlbox20 sshd[2144]: Received disconnect from 10.0.0.1
port 62969:11: disconnected by user
Jul 16 11:23:51 uc-sssdlbox20 sshd[2144]: Disconnected from user
SVITLA5.ROOM\\test01 10.0.0.1 port 62969
Jul 16 11:23:51 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session
closed for user SVITLA5.ROOM\test01


## trusted credentials don't work

Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): check pass;
user unknown
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1
Jul 16 11:24:06 uc-sssdlbox20 sshd[2157]: Failed password for invalid user
APEX.CORP\\jake from 10.0.0.1 port 62970 ssh2
Jul 16 11:24:09 uc-sssdlbox20 sshd[2157]: Connection closed by invalid user
APEX.CORP\\\\jake 10.0.0.1 port 62970 [preauth]

- kinit works for users from both realms from the Linux PCs' side.

What doesn't work after creating trust as described in the guide is:

d@us-smdc5:~$ sudo /usr/local/samba/bin/net rpc trustdom list -U SVITLA5\\administrator
[sudo] password for d:
Enter SVITLA5\administrator's password:
Trusted domains list:
APEX                S-1-5-21-4020559381-3467740180-2426716988
Trusting domains list:
Unable to find a suitable server for domain APEX
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
APEX                couldn't get domain's sid
But as I said I can login to Windows PC without any problems.

I didn't change resolv.conf and krb5.conf after making the trust, neither on the
Samba DC nor on the client side. So the clients still know only about the
trusting domain. I think they also learn all they need about the trusted domain
indirectly, via the Samba DC and its DNS forwarder pointing to the trusted
domain.

## /etc/resolv.conf
nameserver 10.0.0.10
search svitla5.room

## /etc/krb5.conf
[libdefaults]
        default_realm = SVITLA5.ROOM
        dns_lookup_realm = false
        dns_lookup_kdc = true

What can I diagnose to take the next step? Please help!


On Tue, 14 Jul 2020 at 10:12, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> Hai,
>
> Sorry for the late(r) reply but we all need to sleep also sometimes.  ;-)
> Note, I saw it's fixed, but I'll comment a bit through your replies.
>
>
> Mainly because of this part (sent: Monday 13 July 2020 18:51):
> > net ads join -U administrator@SVITLA3.ROOM
> > Enter administrator@SVITLA3.ROOM's password:
> > Using short domain name -- SVITLA3
> > Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
> > No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
> > DNS update failed: NT_STATUS_INVALID_PARAMETER
>
>
>
>
> ## After that I added A and PTR records manually for
> uc-smlbox20.svitla3.room Linux box
>
> ## nslookup recognises the computer in forward and reverse lookups
>
>
>
> This often points to an incorrect resolving setup.
> I advise to look up and verify /etc/hosts and /etc/resolv.conf.
>
>
>
> Make sure the first resolver in resolv.conf is pointing to the AD-DC.
>
> The other checks you did look good, but do verify it.
>
> Change /etc/nsswitch.conf to (optionally switch the order of winbind and systemd):
>
> passwd: compat winbind systemd
> group:  compat winbind systemd
>
>
>
> Why I say you can switch the order here: it depends on how you use the
> server.
>
> Just test this, time running processes and see what fits your needs
> best.
>
>
>
> Sent: Tuesday 14 July 2020 1:16
> > but users from trusted domain were able to authenticate only after I
> changed it from the default value (IIRC 'secrets') to 'secrets and keytab'.
>
> Yes, for the ssh login: how does SSHD know the UPN/SPN when it's in
> secrets.tdb?
> I'm not a Kerberos expert, I leave that to one of the Samba devs, but as
> far as I know, if you have any service that uses UPNs/SPNs we need
> /etc/krb5.keytab
>
> I hope this explains it a bit; if not, maybe Rowland knows more here, or we can
> ask @Alexander if you want.
>
>
> Greetz,
>
> Louis
>
>
>
>
> From: Yakov Revyakin [mailto:yrevyakin at gmail.com]
> Sent: Monday 13 July 2020 18:51
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Authentication with trusted credentials
>
>
>
> Some more details. Below is what I have while joining Linux (Ubuntu
> 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is
> trusted.
> SVITLA3 has administrator and test01 users, APEX has administrator and
> jake users.
>
> test01 - 20000:20000 (uidNumber:gidNumber)
> jake - 10000:10000
>
>
> You can see some delay in some places - I marked them bold. It looks like
> DNS timeouts.
> The svitla3.room smb config includes a DNS forwarder pointing to the apex.corp
> DNS.
> The apex.corp DNS has conditional forwarding to the svitla3.room domain.
>
>
> d@uc-smlbox20:~$ host -t A apex.corp
> apex.corp has address 10.0.1.2
>
> d@uc-smlbox20:~$ host -t A svitla3.room
> svitla3.room has address 10.0.0.6
>
> d@uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
> _ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
>
> d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
> _kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
>
> d@uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
> _ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
>
> d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
> _kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.
>
>
>
>
>
>
>
> d@uc-smlbox20:~$ sudo net ads join -U administrator@SVITLA3.ROOM
> Enter administrator@SVITLA3.ROOM's password:
> Using short domain name -- SVITLA3
> Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
> No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER
>
>
>
>
> ## After that I added A and PTR records manually for
> uc-smlbox20.svitla3.room Linux box
>
> ## nslookup recognises the computer in forward and reverse lookups
>
>
>
>
> d@uc-smlbox20:~$ sudo net ads testjoin
> Join is OK
>
> d@uc-smlbox20:~$ wbinfo --online-status
> BUILTIN : active connection
> UC-SMLBOX20 : active connection
> SVITLA3 : active connection
> APEX : no active connection
>
>
>
> d@uc-smlbox20:~$ sudo net rpc trustdom list -U administrator@SVITLA3.ROOM
> -- The first time there is a delay of about 10s
> Enter administrator@SVITLA3.ROOM's password:
> Trusted domains list:
> APEX                S-1-5-21-4020559381-3467740180-2426716988
> Trusting domains list:
> none
>
>
> d@uc-smlbox20:~$ kinit administrator@SVITLA3.ROOM
> Password for administrator@SVITLA3.ROOM:
> Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50 AM UTC
> d@uc-smlbox20:~$ kinit test01@SVITLA3.ROOM
> Password for test01@SVITLA3.ROOM:
> d@uc-smlbox20:~$ kinit administrator@APEX.CORP
> Password for administrator@APEX.CORP:
> d@uc-smlbox20:~$ kinit jake@APEX.CORP
> Password for jake@APEX.CORP:
>
>
> d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
> Enter SVITLA3\administrator's password:
> plaintext password authentication succeeded
> Enter SVITLA3\administrator's password:
> challenge/response password authentication succeeded
> d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
> Enter SVITLA3\test01's password:
> plaintext password authentication succeeded
> Enter SVITLA3\test01's password:
> challenge/response password authentication succeeded
> d@uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
> Enter APEX\administrator's password:
> plaintext password authentication succeeded
> Enter APEX\administrator's password:
> challenge/response password authentication succeeded
> d@uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
> Enter APEX\jake's password:
> plaintext password authentication succeeded
> Enter APEX\jake's password:
> challenge/response password authentication succeeded
>
>
> d@uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
> S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
> d@uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
> S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
> d@uc-smlbox20:~$ wbinfo -n APEX\\administrator
> S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
> d@uc-smlbox20:~$ wbinfo -n APEX\\jake
> S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)
>
>
> d@uc-smlbox20:~$ getent passwd SVITLA3\\test01
> test01:*:20000:20000:test01:/home/test01:/bin/bash
> d@uc-smlbox20:~$ getent passwd APEX\\jake
> -- DELAY of about 10s, no result
> d@uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
> domain users:x:20000:
> d@uc-smlbox20:~$ getent group "APEX\\Domain Users"
> -- DELAY of about 10s, no result
>
>
> d@uc-smlbox20:~$ cat /etc/nsswitch.conf
> # passwd:         files systemd
> # group:          files systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> passwd: compat winbind
> group:  compat winbind
>
>
>
>
> #passwd: files winbind
> #group:  files winbind
>
>
>
>
>
>
>
>
> If I use default sshd_config
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
>
>
> I have:
>
>
> d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
> SVITLA3\test01@uc-smlbox20.svitla3.room's password:
> Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
>
> d@uc-smlbox20:~$ ssh APEX\\jake@uc-smlbox20.svitla3.room
> APEX\jake@uc-smlbox20.svitla3.room's password:
> Permission denied, please try again.
>
>
> If I modify sshd_config
>
> # GSSAPI options
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
> AllowGroups "SVITLA3\\Domain Users"
>
>
> I even can't log in with trusting credentials:
>
>
> d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
> SVITLA3\test01@uc-smlbox20.svitla3.room's password:
> Permission denied, please try again.
>
>
>
>
>
>
>
>
>
> On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
>
> What you need is to add the Windows group in ssh to AllowGroups
> and give that Windows group a GID.
>
> You "can't" add a Linux user into the Windows group, but you can add a
> Windows user (if it has a UID/GID) into the Linux group.
> I separated that, so there is always ssh access available.
>
> I use the following :
> AllowGroups lin-allow-ssh win-allow-ssh
>
> Windows users in win-allow-ssh
> Linux users lin-allow-ssh ( in my case only Linux admins )
>
> The Windows group: every Windows user you want to give access to the server.
>
> And did you enable Kerberos auth in sshd?
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
>
> Should be sufficient.
> Now, if you followed Stephan's guide, and if I would make a guess:
>
> Is nsswitch configured? /etc/nsswitch.conf ?
>
> I'm also assuming you're using Ubuntu or Debian; if so,
> running this gives us all we need.
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Anonymize where needed.
> Don't send attachments to the list, they will be stripped off.
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Yakov Revyakin via samba
> > Sent: Monday 13 July 2020 16:04
> > To: samba at lists.samba.org
> > Subject: [Samba] Authentication with trusted credentials
> >
> > Hi friends,
> > I have a one way outgoing trust between a SAMBA trusting domain and an AD
> > trusted domain.
> > SSH authentication of a user belonging to the SAMBA domain works properly
> > on a Linux computer which is a member of the SAMBA domain.
> > I would like to authenticate a trusted user from the AD domain on the same
> > Linux computer with SSH. Currently it doesn't work.
> > I am able to authenticate trusted accounts with wbinfo and kinit. I
> > followed these guides:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
> > What did I miss? What additional diagnostics can I do? How do I make a step
> > forward?
> >
> > Samba 4.11
> >
> > DC:
> > d@us-smdc3:~$ cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >         dns forwarder = 10.0.1.2 # trusted ad dc
> >         netbios name = US-SMDC3
> >         realm = SVITLA3.ROOM
> >         server role = active directory domain controller
> >         workgroup = SVITLA3
> >         idmap_ldb:use rfc2307 = yes
> >         log level = 1
> >         ldap server require strong auth = no
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/svitla3.room/scripts
> >         read only = No
> >
> > Member:
> > d@uc-smlbox20:~$ cat /etc/samba/smb.conf
> > [global]
> >    workgroup = SVITLA3
> >    security = ADS
> >    realm = SVITLA3.ROOM
> >
> >    winbind refresh tickets = Yes
> >    vfs objects = acl_xattr
> >    map acl inherit = Yes
> >    store dos attributes = Yes
> >
> >    dedicated keytab file = /etc/krb5.keytab
> >    kerberos method = secrets and keytab
> >
> >    winbind use default domain = yes
> >
> >    winbind enum users = yes
> >    winbind enum groups = yes
> >
> >    load printers = no
> >    printing = bsd
> >    printcap name = /dev/null
> >    disable spoolss = yes
> >
> >    log file = /var/log/samba/%m.log
> >    log level = 3
> >
> >    idmap config * : backend = tdb
> >    idmap config * : range = 3000-7999
> >
> >    idmap config SVITLA3:backend = ad
> >    idmap config SVITLA3:schema_mode = rfc2307
> >    idmap config SVITLA3:range = 20000-29999
> >    idmap config SVITLA3:unix_nss_info = yes
> >
> >    idmap config APEX:backend = ad
> >    idmap config APEX:schema_mode = rfc2307
> >    idmap config APEX:range = 10000-19999
> >    idmap config APEX:unix_nss_info = yes
> >
> >    vfs objects = acl_xattr
> >    map acl inherit = yes
> >
> > Thanks,
> > Jake R
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
>
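The auth.log excerpt at the top of this message is the most useful evidence in the thread: for the trusted-domain user sshd logs "Invalid user APEX.CORP\\jake" and pam_unix logs "user unknown", which means sshd's getpwnam() lookup (NSS via winbind or sssd) failed before any password was checked, exactly as the earlier "getent passwd APEX\\jake" with no result shows. The Samba-domain user, by contrast, reaches PAM and is accepted. The following Python script is an added example, not code from the thread or from Samba or SSSD; it classifies sshd lines and reports, per DOMAIN\user, whether a login stopped at the NSS stage, at PAM, or succeeded. The sample lines are constructed from the excerpt quoted above (same hostname, PIDs and 10.0.0.1 client address), and the event names ("nss_unknown", "failed_unknown", ...) are this example's own labels.

```python
import re
from collections import defaultdict

# Sample sshd lines, constructed for this example from the auth.log excerpt quoted
# in the thread (the hostname, PIDs and the 10.0.0.1 client address are as shown
# there; nothing here was captured from a live system).
SAMPLE_LOG = r"""
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: Accepted password for SVITLA5.ROOM\\test01 from 10.0.0.1 port 62969 ssh2
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session opened for user SVITLA5.ROOM\test01 by (uid=0)
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
Jul 16 11:24:06 uc-sssdlbox20 sshd[2157]: Failed password for invalid user APEX.CORP\\jake from 10.0.0.1 port 62970 ssh2
""".strip().splitlines()

# The sshd messages we care about. "Invalid user ..." is logged when getpwnam()
# fails, i.e. NSS (winbind/sssd) could not map the name to a POSIX account; the
# password is never checked in that case. Order matters: the "invalid user" form
# of "Failed password" must be tried before the generic one.
PATTERNS = [
    ("nss_unknown",
     re.compile(r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<rhost>\S+)")),
    ("accepted",
     re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<rhost>\S+)")),
    ("failed_unknown",
     re.compile(r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\w+) for invalid user (?P<user>\S+) from (?P<rhost>\S+)")),
    ("failed",
     re.compile(r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\w+) for (?P<user>\S+) from (?P<rhost>\S+)")),
]


def split_principal(raw):
    """Split 'DOMAIN\\user' into (domain, user). sshd doubles the backslash in
    its log lines, so any run of backslashes is collapsed to one first."""
    name = re.sub(r"\\+", lambda m: "\\", raw)
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return domain, user
    return None, name


def classify_line(line):
    """Return (event, fields) for a tracked sshd line, or None otherwise."""
    for event, rx in PATTERNS:
        m = rx.search(line)
        if m:
            fields = m.groupdict()
            fields["domain"], fields["account"] = split_principal(fields["user"])
            return event, fields
    return None


def diagnose(lines):
    """Per (domain, account), report at which stage the login stopped:
    'nss' - the name never resolved to a POSIX account (on the host, compare
            `getent passwd 'DOMAIN\\user'` and `wbinfo -i 'DOMAIN\\user'`),
    'pam' - the name resolved but PAM rejected the credentials,
    'ok'  - at least one accepted login."""
    events = defaultdict(list)
    for line in lines:
        hit = classify_line(line)
        if hit:
            event, f = hit
            events[(f["domain"], f["account"])].append(event)
    verdict = {}
    for key, evs in events.items():
        if "accepted" in evs:
            verdict[key] = "ok"
        elif all(e in ("nss_unknown", "failed_unknown") for e in evs):
            verdict[key] = "nss"
        else:
            verdict[key] = "pam"
    return verdict


if __name__ == "__main__":
    for (domain, account), stage in diagnose(SAMPLE_LOG).items():
        print(f"{domain}\\{account}: stopped at {stage}")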

