[Samba] Authentication with trusted credentials

L.P.H. van Belle belle at bazuin.nl
Thu Jul 16 15:11:07 UTC 2020


Hai, 

I don't use trusts myself; this is what I see.
Let's take small steps here.

First of all, why does the DOMAIN contain/show a dot in it?
(I think it's a wrong setting in sssd, but I don't know sssd.)
I know this is one of your REALMs and not the domain.
 
I refer to:
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
Go to: NetBIOS domain names, and I quote:
Names can contain a period, but names cannot start with a period. 
However, periods should not be used in Active Directory domains. 
If you are upgrading a domain whose NetBIOS name contains a period, change the name
by migrating the domain to a new domain structure. 
Do not use periods in new NetBIOS domain names.
 
But again, I don't know sssd; that "might" be normal.


For example, my kerberized output of auth.log:
Jul 16 15:57:24 member1 sshd[110373]: Authorized to username, krb5 principal username@MY.REALM.TLD (krb5_kuserok)
Jul 16 15:57:24 member1 sshd[110373]: Accepted gssapi-with-mic for username from 192.168.0.1 port 53254 ssh2: username@MY.REALM.TLD
Jul 16 15:57:24 member1 sshd[110373]: pam_unix(sshd:session): session opened for user username by (uid=0)
Jul 16 15:57:24 member1 systemd-logind[726]: New session 3450 of user username.
And I'm in my automounted home dir over kerberized NFSv4.
What's used here: samba, winbind, libnss-pam, libpam-winbind, krb5-user (for the packages), that's all you need.


Now your lines:
Works Yes: Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01 
Works Not: Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
And I noticed this:
OK:    sshd[2048]: pam_sss(sshd:auth) 
Wrong: sshd[2157]: pam_unix(sshd:auth)

I would gamble on these:
/etc/sssd ? Somewhere in there, I really don't know, never used it.
/etc/nsswitch.conf
/etc/idmapd.conf (if it exists)

Also /etc/krb5.conf.
I "think" you need to add the trusted domains here also and point to the DCs
(enough examples in that file of how).
Might help, but "should" in my opinion not be needed.

But this is good: kinit works for users from both realms from the Linux PCs' side.
Is this that you cross-checked that both users authenticate with kinit on the server on both sides?
If yes, then my advice: drop sssd, or ask the sssd mailing list.

Install/set up winbind and set it up as it should be.
The key here is: don't touch anything in pam.
Use: pam-auth-update

Test again. 

So, what did you change in /etc/pam.d/, any files?

That's the best I can come up with for now.

This is what I use to set up a Domain Member:
(it's a part of the new setup I'm writing)

! And beware if you copy-paste: I sent this with Outlook, which might have changed a letter into CAPS at the front of a line.

apt-get install -y samba winbind krb5-user libnss-winbind libpam-winbind ldb-tools bind9utils acl attr 
# disable NMBD, I don't like netbios browsing and I use in smb.conf proxy dns = yes
# now you can use \\servername or \\servername.fqdn without seeing the computers.
systemctl stop nmbd
systemctl mask nmbd
systemctl disable nmbd
systemctl stop smbd winbind

# the base folder i use for my new samba data.
SAMBA_BASE_PATH=/srv/samba

VAR_HOSTNAME_DEFAULT="$(hostname -s)"
VAR_HOSTNAME_LOWCASE="${VAR_HOSTNAME_DEFAULT,,}"
VAR_HOSTNAME_UPCASE="${VAR_HOSTNAME_DEFAULT^^}"

VAR_DOMAINNAME_DEFAULT="$(hostname -d)"
VAR_DOMAINNAME_LOWCASE="${VAR_DOMAINNAME_DEFAULT,,}"
VAR_DOMAINNAME_UPCASE="${VAR_DOMAINNAME_DEFAULT^^}"

VAR_REALM_DEFAULT="$(grep default_realm /etc/krb5.conf |awk '{ print $NF }')"
VAR_REALM_LOWCASE="${VAR_REALM_DEFAULT,,}"
VAR_REALM_UPCASE="${VAR_REALM_DEFAULT^^}"

if [ "${VAR_REALM_DEFAULT}" != "${VAR_REALM_UPCASE}" ]
then
    sed -i "s/$VAR_REALM_DEFAULT/$VAR_REALM_UPCASE/g" /etc/krb5.conf
    echo "Adjusted /etc/krb5.conf its default REALM to UPPERCASE"
else
    echo "Detected UPPERCASE REALM, how we like and want it."
fi

if [ "${VAR_REALM_UPCASE}" != "${VAR_DOMAINNAME_UPCASE}" ]
then
    echo "Warning, realm and primary search domain are not the same"
    echo "This can work but this setup does not cover that part."
    echo
else
    echo "Detected same REALM and DNS Domain, this is great"
    echo
fi

# Here we assume the domain name is the same as the FIRST part of the primary search domain.
# For example: office.domain.tld -> OFFICE will be the WORKGROUP name in smb.conf.
# Change this when your WORKGROUP name is different or you want to use a different one,
# then use the values as set on the AD-DC servers.

VAR_SMB_WORKGROUP="$(echo "${VAR_DOMAINNAME_UPCASE}" | cut -d. -f1)"
VAR_SMB_NETBIOSNAME="${VAR_HOSTNAME_UPCASE}"
VAR_SMB_REALM="${VAR_REALM_UPCASE}"

# VAR_IP / VAR_IP_MULTIPLE: the first and all addresses of this host
# (assumes `hostname -I` is available, as on Debian/Ubuntu).
VAR_IP_MULTIPLE="$(hostname -I)"
VAR_IP="$(echo "${VAR_IP_MULTIPLE}" | awk '{ print $1 }')"

echo "Samba Workgroupname = $VAR_SMB_WORKGROUP"
echo "Samba Netbiosname   = $VAR_SMB_NETBIOSNAME"
echo "Samba defined REALM = $VAR_SMB_REALM"
echo "Samba ip            = $VAR_IP"
echo "Detected IP's       = $VAR_IP_MULTIPLE"
echo

echo "Writing new smb.conf, please verify it."
echo "The ranges set in this AD-BACKEND mode, need to be adjusted to your ranges."
echo "[global]

    log level = 0 auth_audit:1

    workgroup = ${VAR_SMB_WORKGROUP}
    security = ADS
    realm = ${VAR_SMB_REALM}
    netbios name = ${VAR_SMB_NETBIOSNAME}

    preferred master = no
    domain master = no
    host msdfs = no

    #interfaces = 127.0.0.1 $VAR_IP
    #bind interfaces only = yes

    # Add and Update TLS Key
    tls enabled = yes
	
    ## Map ids outside the domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 2000-7999

    ## Mapped ids from the domain SAMDOM and (*) the range may not overlap !
    idmap config ${VAR_SMB_WORKGROUP} : backend = ad
    idmap config ${VAR_SMB_WORKGROUP} : schema_mode = rfc2307
    idmap config ${VAR_SMB_WORKGROUP} : range = 10000-3999999

    # Only samba 4.6+ ( get primary group from AD )
    idmap config ${VAR_SMB_WORKGROUP} : unix_nss_info = yes
    # Only samba 4.6+ ( get primary group from unix primary group )
    idmap config ${VAR_SMB_WORKGROUP} : unix_primary_group = yes

    # How you can use kerberos (man smb.conf search : kerberos method ) 
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # Renew the kerberos ticket or your member's \"computer password\" will expire.
    winbind refresh tickets = yes

    # We strip the domain NTDOM\\username to username
    # ! Normally not advised, but I like it.
    # winbind use default domain = yes
    # Don't enable this if you use domain trusts

    # Use: `getent passwd username` to check if users/groups resolve (wbinfo -u -g)
    # But enabled (yes) slows down your samba! default = no
    winbind enum users  = no
    winbind enum groups = no

    # Enable offline logins
    winbind offline logon = yes

    # Check the depth of nested groups, too much slows down your samba
    #winbind expand groups = 3

    # User Administrator workaround, without it you are unable to set privileges/rights
    # A must for samba Domain members
    # Format in the file : !root = ${VAR_SMB_WORKGROUP}\Administrator ${VAR_SMB_WORKGROUP}\administrator
    username map = /etc/samba/samba_usermapping

    # disable the ability of users to create shares and save you from errors in your logs.
    usershare path =

    # Disable printing completely, and save yourself errors in your logs.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # ACL support on member servers with shares is obligatory. ( these are the defaults )
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share settings globally, I hide the following for Windows users
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/lost+found/
    hide unreadable = yes

######## SHARE DEFINITIONS ################
[samba\$]
    path = ${SAMBA_BASE_PATH}
    browseable = yes
    read only = no

" > /etc/samba/smb.conf.new

echo "NOTE !!! The ranges set in this AD-BACKEND mode, need to be adjusted to your ranges.!! "

mkdir -p "$SAMBA_BASE_PATH"
chmod 4775 "$SAMBA_BASE_PATH"

echo "!root = ${VAR_SMB_WORKGROUP}\Administrator ${VAR_SMB_WORKGROUP}\administrator" > /etc/samba/samba_usermapping

# Cleanup before we start samba with the new smb.conf
rm /var/lib/samba/*.tdb
rm /var/lib/samba/private/*


# Fix : fix-double-color-in-spool
# see commit a17cb9ee09419f3ae8e0541aee83df55c4777bd0
if [ -d /var/lib/samba/printers/COLOR ]
then
 if [ ! -d /var/lib/samba/printers/color ]
 then
   mv /var/lib/samba/printers/COLOR /var/lib/samba/printers/color
 else
   cp -r /var/lib/samba/printers/COLOR/* /var/lib/samba/printers/color/
   rm -rf /var/lib/samba/printers/COLOR
 fi
fi

# backup old config.
mv /etc/samba/smb.conf{,.original}
mv /etc/samba/smb.conf.new /etc/samba/smb.conf

# just an empty file since I don't like unneeded messages in the logs.
touch /etc/samba/lmhosts

# Time to join..  
kinit Administrator
net ads join -k

# (tip: example adding nfs to keytab: net ads keytab add_update_ads nfs/$(hostname -f)) 

# Adjusting nsswitch.
sed -i 's/passwd:         files systemd/passwd:         files systemd winbind/g' /etc/nsswitch.conf
sed -i 's/group:          files systemd/group:          files systemd winbind/g' /etc/nsswitch.conf

pam-auth-update

###  And I enabled this part in sshd_config, not automated yet, do this manually.
###  (kept as comments so the script still runs; copy them into /etc/ssh/sshd_config)
# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIKeyExchange yes              # If your version supports this
#GSSAPIStoreCredentialsOnRekey yes  # If your version supports this
#
# Remember with UseDNS no, you can't use kerberos auth
#UseDNS yes

reboot

And done, I can log in with PuTTY, with Kerberos SSO from a Windows PC
(after setting PuTTY correctly, of course).

See if the above helps you; at least I think it will and I hope so.


So far, 

Greetz, 

Louis
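Two checks that follow from the comparison above (pam_sss answering the working login, pam_unix the failing one) and from the member smb.conf quoted lower in the thread, written here as an added Python example that is not Louis's, Yakov's or Samba's code. The first groups sshd lines from auth.log by PID and reports, per login attempt, whether sshd rejected the name as unknown to NSS ("Invalid user", logged when the account cannot be resolved through nsswitch, i.e. winbind or sssd) or which PAM module answered the auth phase, and flags a dotted domain part the way this message does. The second parses every `idmap config <DOM> : range` from an smb.conf text and lists ranges that overlap, which the script's comment says they may not. The log lines and smb.conf fragments are constructed to mirror the thread's excerpts; the function names are my own.

```python
"""Triage helpers for a Samba/AD trust login problem (added example, not from the thread)."""
import re
from collections import OrderedDict

# Constructed sample, modelled on the auth.log excerpt posted in the thread.
# sshd doubles the backslash in its own messages ("\\"); pam_sss does not.
SAMPLE_AUTH_LOG = r"""Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: Accepted password for SVITLA5.ROOM\\test01 from 10.0.0.1 port 62969 ssh2
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session opened for user SVITLA5.ROOM\test01 by (uid=0)
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
Jul 16 11:24:06 uc-sssdlbox20 sshd[2157]: Failed password for invalid user APEX.CORP\\jake from 10.0.0.1 port 62970 ssh2
"""

SSHD_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_AUTH_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:auth\)")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from ")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from ")


def _unescape(name):
    """Fold sshd's doubled backslashes back to DOMAIN\\user."""
    return name.replace("\\\\", "\\")


def triage_sshd_log(text):
    """Group sshd lines by PID (one PID per login attempt) and record, per attempt,
    the user name, whether sshd rejected it as unknown to NSS, whether it was
    accepted, and the first PAM module that handled the auth phase."""
    attempts = OrderedDict()
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        a = attempts.setdefault(m.group("pid"), {
            "user": None, "nss_unknown": False, "accepted": False, "pam_module": None})
        msg = m.group("msg")
        im, am, pm = INVALID_RE.match(msg), ACCEPTED_RE.match(msg), PAM_AUTH_RE.match(msg)
        if im:
            a["user"], a["nss_unknown"] = _unescape(im.group("user")), True
        elif am:
            a["user"], a["accepted"] = _unescape(am.group("user")), True
        elif pm and a["pam_module"] is None:
            a["pam_module"] = pm.group("module")
    return attempts


def explain(attempt):
    """Turn one triaged attempt into the diagnostic a practitioner wants."""
    user = attempt["user"] or "?"
    if attempt["nss_unknown"]:
        domain = user.split("\\", 1)[0] if "\\" in user else ""
        hint = ("%s: marked invalid before PAM because NSS could not resolve the account; "
                "check nsswitch.conf and the winbind/sssd lookup of that domain" % user)
        if "." in domain:
            hint += " (the domain part %r is dotted, i.e. realm-style, not a NetBIOS name)" % domain
        return hint
    state = "accepted" if attempt["accepted"] else "not accepted"
    return "%s: %s, auth phase answered by %s" % (user, state, attempt["pam_module"])


# Constructed member smb.conf fragment in the shape of the one in the first post.
SAMPLE_MEMBER_SMB_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SVITLA3:backend = ad
   idmap config SVITLA3:range = 20000-29999
   idmap config APEX:backend = ad
   idmap config APEX:range = 10000-19999
"""
# Same fragment with a deliberately broken APEX range that collides with SVITLA3.
BAD_MEMBER_SMB_CONF = SAMPLE_MEMBER_SMB_CONF.replace("10000-19999", "15000-25000")

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>[^\s:]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)", re.I)


def idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for every idmap range in an smb.conf text;
    accepts both the `DOM : range` and the `DOM:range` spellings seen in the thread."""
    ranges = OrderedDict()
    for line in smb_conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group("dom")] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def overlapping_ranges(ranges):
    """List every pair of domains whose idmap ranges intersect."""
    names = list(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo1, hi1), (lo2, hi2) = ranges[a], ranges[b]
            if lo1 <= hi2 and lo2 <= hi1:
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    for pid, attempt in triage_sshd_log(SAMPLE_AUTH_LOG).items():
        print("sshd[%s] %s" % (pid, explain(attempt)))
    for label, conf in (("posted", SAMPLE_MEMBER_SMB_CONF), ("broken", BAD_MEMBER_SMB_CONF)):
        print("%s smb.conf idmap overlaps: %s" % (label, overlapping_ranges(idmap_ranges(conf))))
```

Run against a real auth.log with `triage_sshd_log(open("/var/log/auth.log").read())`: an attempt whose `nss_unknown` flag is set never reached a password check, so the place to look is name resolution (nsswitch.conf, `getent passwd 'DOM\user'`, winbind or sssd connectivity to the trusted domain), not PAM. The range check is deliberately strict about the `*` range too, since the default backend's range must not overlap any domain range either.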



________________________________

	From: Yakov Revyakin [mailto:yrevyakin at gmail.com]
	Sent: Thursday 16 July 2020 15:51
	To: L.P.H. van Belle
	CC: samba at lists.samba.org
	Subject: Re: [Samba] Authentication with trusted credentials
	
	
	In this configuration with a trusted domain I miss something important. I need your help to understand.
	One more time:
	- I have a validated trust. Trusted (AD "apex.corp") authentication works with a Windows PC joined to the trusting (Samba - svitla5.room) domain. So, I have trusted authentication enabled and working properly. For this I set the Samba DNS IP and joined that Windows PC to the Samba domain - nothing more. Also I added "APEX\\Domain Users" to the appropriate group to enable RDP for trusted credentials (using GP Management).
	- I have a Linux PC (Samba, winbind) joined to the Samba trusting domain, and ssh login works for trusting credentials.
	- I have a Linux PC (sssd) joined to the Samba trusting domain, and ssh login works for trusting credentials.
	- For both Linux PCs authentication with trusted credentials doesn't work. Error messages are similar for both winbind and sssd:

	d@uc-sssdlbox20:~$ sudo grep 'sshd' /var/log/auth.log

	## trusting credentials work

	Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
	Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: Accepted password for SVITLA5.ROOM\\test01 from 10.0.0.1 port 62969 ssh2
	Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session opened for user SVITLA5.ROOM\test01 by (uid=0)
	Jul 16 11:23:51 uc-sssdlbox20 sshd[2144]: Received disconnect from 10.0.0.1 port 62969:11: disconnected by user
	Jul 16 11:23:51 uc-sssdlbox20 sshd[2144]: Disconnected from user SVITLA5.ROOM\\test01 10.0.0.1 port 62969
	Jul 16 11:23:51 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session closed for user SVITLA5.ROOM\test01

	
	

	## trusted credentials don't work
	Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
	Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
	Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1
	Jul 16 11:24:06 uc-sssdlbox20 sshd[2157]: Failed password for invalid user APEX.CORP\\jake from 10.0.0.1 port 62970 ssh2
	Jul 16 11:24:09 uc-sssdlbox20 sshd[2157]: Connection closed by invalid user APEX.CORP\\\\jake 10.0.0.1 port 62970 [preauth]

		

		- kinit works for users from both realms from Linux PCs sides.

	What doesn't work after creating trust as described in the guide is:
	
	
	
	d@us-smdc5:~$ sudo /usr/local/samba/bin/net rpc trustdom list -U SVITLA5\\administrator
	[sudo] password for d:
	Enter SVITLA5\administrator's password:
	Trusted domains list:
	APEX                S-1-5-21-4020559381-3467740180-2426716988
	Trusting domains list:
	Unable to find a suitable server for domain APEX
	domain controller is not responding: NT_STATUS_UNSUCCESSFUL
	APEX                couldn't get domain's sid

		
	But as I said I can login to Windows PC without any problems.
	
	
	I didn't change resolv.conf and krb5.conf after making the trust on the Samba DC and client sides. So the clients still know only about the trusting domain. I think they also know all they need about the trusted domain through indirect communication via the Samba DC and its DNS forwarder pointing to the trusted domain.

	## /etc/resolv.conf
	nameserver 10.0.0.10
	search svitla5.room

		
		
	
	## /etc/krb5.conf
	[libdefaults]
	        default_realm = SVITLA5.ROOM
	        dns_lookup_realm = false
	        dns_lookup_kdc = true

		

	What can I diagnose to make the next step? Please help!
	
	
	

	On Tue, 14 Jul 2020 at 10:12, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
	

		Hai, 
		 
		Sorry for the late(r) reply, but we all need to sleep sometimes too.  ;-)
		Note, I saw it's fixed, but I'll comment a bit through your replies.
		 
		 
		mainly because of this part
		(Sent: Monday 13 July 2020 18:51)
		> net ads join -U administrator@SVITLA3.ROOM
		> Enter administrator@SVITLA3.ROOM's password:
		> Using short domain name -- SVITLA3
		> Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
		> No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
		> DNS update failed: NT_STATUS_INVALID_PARAMETER
		
		
		
		
		## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box
		
		## nslookup recognises the computer in forward and reverse lookups
		
		 
		
		This often points to an incorrect resolving setup.
		I advise to look up and verify /etc/hosts and /etc/resolv.conf.
		
		 
		
		Make sure the first resolver in resolv.conf is pointing to the AD-DC.

		The other checks you did look good, but do verify it.

		Change /etc/nsswitch.conf to (optionally switch the order of winbind and systemd):

		passwd: compat winbind systemd
		group:  compat winbind systemd

		Why I say you can switch the order here: it depends on how you use the server,
		just test this, time running processes and see what fits your needs best.
		
		 
		
		Sent: Tuesday 14 July 2020 1:16
		> but users from trusted domain were able to authenticate only after I changed it from the default value (IIRC 'secrets') to 'secrets and keytab'.

		Yes, for the ssh login: how does SSHD know the UPN/SPN when it's in secrets.tdb?
		I'm not a Kerberos expert, I leave that to one of the Samba devs, but as far as I know, if you have any service that uses UPNs/SPNs we need /etc/krb5.keytab.

		I hope this explains it a bit; if not, maybe Rowland knows more here, or we can ask Alexander if you want.
		
		
		Greetz, 
		
		Louis
		
		 
		
		
		From: Yakov Revyakin [mailto:yrevyakin at gmail.com]
		Sent: Monday 13 July 2020 18:51
		To: L.P.H. van Belle
		CC: samba at lists.samba.org
		Subject: Re: [Samba] Authentication with trusted credentials
		
		
		
		Some more details. Below is what I have during joining Linux (Ubuntu 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is trusted.
		SVITLA3 has administrator and test01 users, APEX has administrator and jake users.

		test01 - 20000:20000 (uidNumber:gidNumber)
		jake - 10000:10000

		You can see some delay in some places - I marked them bold. It looks like DNS timeouts.
		The svitla3.room smb config includes a DNS forwarder pointing to the apex.corp DNS.
		apex.corp DNS has conditional forwarding to the svitla3.room domain.
		
		
		d@uc-smlbox20:~$ host -t A apex.corp
		apex.corp has address 10.0.1.2
		d@uc-smlbox20:~$ host -t A svitla3.room
		svitla3.room has address 10.0.0.6
		d@uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
		_ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
		d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
		_kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
		d@uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
		_ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
		d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
		_kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.

		d@uc-smlbox20:~$ sudo net ads join -U administrator@SVITLA3.ROOM
		Enter administrator@SVITLA3.ROOM's password:
		Using short domain name -- SVITLA3
		Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
		No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
		DNS update failed: NT_STATUS_INVALID_PARAMETER
		
		
		
		
		## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box
		
		## nslookup recognises the computer in forward and reverse lookups
		
		
		
		
		d@uc-smlbox20:~$ sudo net ads testjoin
		Join is OK

		d@uc-smlbox20:~$ wbinfo --online-status
		BUILTIN : active connection
		UC-SMLBOX20 : active connection
		SVITLA3 : active connection
		APEX : no active connection
		
		
		
		d@uc-smlbox20:~$ sudo net rpc trustdom list -U administrator@SVITLA3.ROOM
		-- For the first time there is a delay of about 10s
		Enter administrator@SVITLA3.ROOM's password:
		Trusted domains list:
		APEX                S-1-5-21-4020559381-3467740180-2426716988
		Trusting domains list:
		none
		
		
		d@uc-smlbox20:~$ kinit administrator@SVITLA3.ROOM
		Password for administrator@SVITLA3.ROOM:
		Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50 AM UTC
		d@uc-smlbox20:~$ kinit test01@SVITLA3.ROOM
		Password for test01@SVITLA3.ROOM:
		d@uc-smlbox20:~$ kinit administrator@APEX.CORP
		Password for administrator@APEX.CORP:
		d@uc-smlbox20:~$ kinit jake@APEX.CORP
		Password for jake@APEX.CORP:
		
		
		d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
		Enter SVITLA3\administrator's password:
		plaintext password authentication succeeded
		Enter SVITLA3\administrator's password:
		challenge/response password authentication succeeded
		d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
		Enter SVITLA3\test01's password:
		plaintext password authentication succeeded
		Enter SVITLA3\test01's password:
		challenge/response password authentication succeeded
		d@uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
		Enter APEX\administrator's password:
		plaintext password authentication succeeded
		Enter APEX\administrator's password:
		challenge/response password authentication succeeded
		d@uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
		Enter APEX\jake's password:
		plaintext password authentication succeeded
		Enter APEX\jake's password:
		challenge/response password authentication succeeded

		d@uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
		S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
		d@uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
		S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
		d@uc-smlbox20:~$ wbinfo -n APEX\\administrator
		S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
		d@uc-smlbox20:~$ wbinfo -n APEX\\jake
		S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)

		d@uc-smlbox20:~$ getent passwd SVITLA3\\test01
		test01:*:20000:20000:test01:/home/test01:/bin/bash
		d@uc-smlbox20:~$ getent passwd APEX\\jake
		-- DELAY about 10s, No result
		d@uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
		domain users:x:20000:
		d@uc-smlbox20:~$ getent group "APEX\\Domain Users"
		-- DELAY about 10s, No result
		
		
		d@uc-smlbox20:~$ cat /etc/nsswitch.conf
		# passwd:         files systemd
		# group:          files systemd
		shadow:         files
		gshadow:        files
		
		hosts:          files dns
		networks:       files
		
		protocols:      db files
		services:       db files
		ethers:         db files
		rpc:            db files
		
		netgroup:       nis
		
		passwd: compat winbind
		group:  compat winbind
		
		
		
		
		#passwd: files winbind
		#group:  files winbind
		
		
		
		
		
		
		
		
		If I use the default sshd_config

		# GSSAPI options
		#GSSAPIAuthentication no
		#GSSAPICleanupCredentials yes
		#GSSAPIStrictAcceptorCheck yes
		#GSSAPIKeyExchange no

		I have:

		d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
		SVITLA3\test01@uc-smlbox20.svitla3.room's password:
		Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

		d@uc-smlbox20:~$ ssh APEX\\jake@uc-smlbox20.svitla3.room
		APEX\jake@uc-smlbox20.svitla3.room's password:
		Permission denied, please try again.

		If I modify sshd_config

		# GSSAPI options
		GSSAPIAuthentication yes
		#GSSAPICleanupCredentials yes
		#GSSAPIStrictAcceptorCheck yes
		GSSAPIKeyExchange yes
		AllowGroups "SVITLA3\\Domain Users"

		I even can't log in with trusting credentials:

		d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
		SVITLA3\test01@uc-smlbox20.svitla3.room's password:
		Permission denied, please try again.
		
		
		
		
		
		
		
		
		
		On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
		
		
		What you need is to add the Windows group in ssh to AllowGroups
		and give that Windows group a GID.

		You "can't" add a Linux user into the Windows group, but you can add a Windows user (if it has a UID/GID) into the Linux group.
		I separated that, so there is always ssh access available.

		I use the following:
		AllowGroups lin-allow-ssh win-allow-ssh

		Windows users in win-allow-ssh
		Linux users in lin-allow-ssh (in my case only Linux admins)

		The Windows group: every Windows user you want to give access to the server.

		And did you enable Kerberos auth in sshd?
		# GSSAPI options
		GSSAPIAuthentication yes
		GSSAPIKeyExchange yes

		Should be sufficient.
		Now, if you followed Stephan's guide, and if I would make a guess:

		Is nsswitch configured? /etc/nsswitch.conf?

		I'm also assuming you're using Ubuntu or Debian; if so,
		running this gives us all we need.
		https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

		Anonymize where needed.
		Don't send the attachments to the list, they will be stripped off.
		
		
		Greetz, 
		
		Louis
		
		
		> -----Original Message-----
		> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
		> Yakov Revyakin via samba
		> Sent: Monday 13 July 2020 16:04
		> To: samba at lists.samba.org
		> Subject: [Samba] Authentication with trusted credentials
		> 
		> Hi friends,
		> I have a one-way outgoing trust between a SAMBA trusting domain and an AD
		> trusted domain.
		> SSH authentication of a user belonging to the SAMBA domain works properly
		> on a Linux computer which is a member of the SAMBA domain.
		> I would like to authenticate a trusted user from the AD domain on the same
		> Linux computer with SSH. Currently it doesn't work.
		> I am able to authenticate trusted accounts with wbinfo and kinit. I
		> followed these guides:
		> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
		> https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
		> What did I miss? What additional diagnostics can I make? How do I make a step
		> forward?
		> 
		> Samba 4.11
		> 
		> DC:
		> d@us-smdc3:~$ cat /etc/samba/smb.conf
		> # Global parameters
		> [global]
		>         dns forwarder = 10.0.1.2 # trusted ad dc
		>         netbios name = US-SMDC3
		>         realm = SVITLA3.ROOM
		>         server role = active directory domain controller
		>         workgroup = SVITLA3
		>         idmap_ldb:use rfc2307 = yes
		>         log level = 1
		>         ldap server require strong auth = no
		> 
		> [sysvol]
		>         path = /var/lib/samba/sysvol
		>         read only = No
		> 
		> [netlogon]
		>         path = /var/lib/samba/sysvol/svitla3.room/scripts
		>         read only = No
		> 
		> Member:
		> d@uc-smlbox20:~$ cat /etc/samba/smb.conf
		> [global]
		>    workgroup = SVITLA3
		>    security = ADS
		>    realm = SVITLA3.ROOM
		> 
		>    winbind refresh tickets = Yes
		>    vfs objects = acl_xattr
		>    map acl inherit = Yes
		>    store dos attributes = Yes
		> 
		>    dedicated keytab file = /etc/krb5.keytab
		>    kerberos method = secrets and keytab
		> 
		>    winbind use default domain = yes
		> 
		>    winbind enum users = yes
		>    winbind enum groups = yes
		> 
		>    load printers = no
		>    printing = bsd
		>    printcap name = /dev/null
		>    disable spoolss = yes
		> 
		>    log file = /var/log/samba/%m.log
		>    log level = 3
		> 
		>    idmap config * : backend = tdb
		>    idmap config * : range = 3000-7999
		> 
		>    idmap config SVITLA3:backend = ad
		>    idmap config SVITLA3:schema_mode = rfc2307
		>    idmap config SVITLA3:range = 20000-29999
		>    idmap config SVITLA3:unix_nss_info = yes
		> 
		>    idmap config APEX:backend = ad
		>    idmap config APEX:schema_mode = rfc2307
		>    idmap config APEX:range = 10000-19999
		>    idmap config APEX:unix_nss_info = yes
		> 
		>    vfs objects = acl_xattr
		>    map acl inherit = yes
		> 
		> Thanks,
		> Jake R
		> -- 
		> To unsubscribe from this list go to the following URL and read the
		> instructions:  https://lists.samba.org/mailman/options/samba
		> 
		> 
		
		




