[Samba] Authentication with trusted credentials

L.P.H. van Belle belle at bazuin.nl
Mon Jul 20 07:35:00 UTC 2020 

Point #1: is not correct. 

Why is Jake getting an ID from * Range and not APEX range. ?
That need to be found first


Run: net cache flush

Restart samba. : systemctl restart smbd winbind nmbd (and/or sssd is you use that) 

wbinfo --all-domains -ug

id jake 
getent passwd jake

Any improvement? 

> if you have set: APEX:backend = ad 
Yes, and did you assign an UID/GID after you changed RID to AD backend? 



Greetz,

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Yakov Revyakin via samba
> Verzonden: vrijdag 17 juli 2020 20:38
> Aan: Rowland penny
> CC: sambalist
> Onderwerp: Re: [Samba] Authentication with trusted credentials
> 
> So,
> Point #1:
> Samba DC before trust. Linux member joined domain. SSH 
> authentication works
> for a domain user. Checked with ad and rid backends. getent / 
> id returns
> correct UID:GID.
> 
> Point #2:
> Samba DC after making trust with external AD. With the same 
> Linux PC SSH
> authentication and session still works with the trusting 
> domain user in the
> same right manner.
> Trusted authentication works but it is routed according to the default
> backend. SSH session is created.
> 
> # trusting user - authentication successful
> 
> Kerberos: TGS-REQ test01 at SVITLA3.ROOM from ipv4:10.0.0.12:50510 for
> UC-SM18$@SVITLA3.ROOM
> Kerberos: TGS-REQ authtime: 2020-07-17T16:47:35 starttime:
> 2020-07-17T16:47:35 endtime: 2020-07-18T02:47:35 renew till: unset
> 
> # trusted user - cross-realm authentication successful
> 
> Kerberos: TGS-REQ jake at APEX.CORP from ipv4:10.0.0.12:52437 for
> UC-SM18$@SVITLA3.ROOM
> Kerberos: Client not found in database: no such entry found in hdb
> Kerberos: cross-realm APEX.CORP -> SVITLA3.ROOM
> 
> Kerberos: TGS-REQ authtime: 2020-07-17T18:07:28 starttime:
> 2020-07-17T18:07:28 endtime: 2020-07-18T04:07:28 renew till: unset
> 
> 
> # uid|gid according with backend range
> d at uc-sm18:~$ id test01 at SVITLA3
> uid=20000(SVITLA3\test01) gid=20000(SVITLA3\domain users)
> groups=20000(SVITLA3\domain users),3001(BUILTIN\users)
> d at uc-sm18:~$ getent passwd test01 at SVITLA3.ROOM
> SVITLA3\test01:*:20000:20000:test01:/home/SVITLA3/test01:/bin/bash
> 
> # uid|gid according to the default backend!!!
> d at uc-sm18:~$ id APEX\\jake
> uid=3000(APEX\jake) gid=3004(APEX\domain users) 
> groups=3004(APEX\domain
> users)
> d at uc-sm18:~$ getent passwd  APEX\\jake
> APEX\jake:*:3000:3004:jake:/home/APEX/jake:/bin/bash
> 
> # Linux client - smb.conf extraction
>   idmap config * : backend = tdb
>   idmap config * : range = 3000-7999
> 
>    idmap config SVITLA3:backend = rid
>   idmap config SVITLA3:range = 20000-29999
> 
>    idmap config APEX:backend = rid
>   idmap config APEX:range = 10000-19999
> 
>   template shell = /bin/bash
> 
> If I set APEX:backend = ad I get ssh authentication failed 
> with Permission
> Denied error. Probably authentication process can't extract 
> uid|gid and
> failed. In case of rid there are no such strong restrictions I think.
> 
> By the way, enabling/disabling of GSSAPI and UseDNS properties in
> sshd_config don't influence behaviour.
> 
> What do you think about the correctness of trusted 
> authentication setup? It
> would be nice if there is a way to control uid|gid for 
> trusted accounts. We
> can see that we can exclude backend definition for trusted 
> accounts and it
> will still work. It looks like what I am looking for but what about
> incorrect uid|gid?
> 
> Could you advise me what is the simplest way to check access to a file
> share under trusted domain control with this Linux and 
> trusted credentials?
> 
> 
> On Fri, 17 Jul 2020 at 07:56, Yakov Revyakin 
> <yrevyakin at gmail.com> wrote:
> 
> > Rowland,
> > I only tried sssd looking for the cause of the problem.
> > I use samba, winbind.
> >
> >
> >
> >
> > On Fri, 17 Jul 2020 at 00:19, Rowland penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On 16/07/2020 22:13, Yakov Revyakin wrote:
> >> > Thank you! I have food for tomorrow. Now I only want to 
> voice some of
> >> > my considerations.
> >> >
> >> > Imagine that a domain had no trusts. At this time a PC 
> became a member
> >> > of this domain.
> >> > After some time DC made trust with another domain. In this case
> >> > existing members don't consider any extra configuration 
> like adding
> >> > knowledge about new realm, DNS, etc. Existing 
> configuration already
> >> > provides means of login and session for a user of a 
> trusted domain.
> >> >
> >> > In my case Linux PC was informed about trusting DNS 
> before joining
> >> > the domain. After setting DNS but before joining the 
> domain I could
> >> > authenticate users from both trusting and trusted 
> domains with kinit
> >> > without any modifications in krb5.conf. And it is what I 
> was waiting
> >> for.
> >> >
> >> > So, the PC already has a means to authenticate users from both
> >> > domains.  How to enable that means?
> >> >
> >> Are you using sssd ?
> >>
> >> If you are, then ask on the sssd-users mailing list, 
> because it is sssd
> >> that will be doing the authentication, not Samba. We do not produce
> >> sssd, so know little about it.
> >>
> >> If you are not using sssd, then we can look into your problem.
> >>
> >> Rowland
> >>
> >>
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list