[Samba] Authentication with trusted credentials

Yakov Revyakin yrevyakin at gmail.com
Tue Jul 21 14:38:12 UTC 2020


Hi Rowland,
Thank you for effort

My output as you requested:
## Samba DC
d at us-smdc3:~$ wbinfo --online-status
BUILTIN : active connection
SVITLA3 : active connection
APEX : active connection

## Linux Client
d at uc-sm18:~$ wbinfo --online-status
BUILTIN : online
UC-SM18 : online
SVITLA3 : online
APEX : online

# UC-SM18 is a Linux member of SVITLA3.

You decided to demonstrate too difficult case. I only want to prove that I
can ssh to UC-SM18 at SVITLA3.ROOM with trusted account from trusted APEX.CORP
domain using trust capabilities of Samba DC. It is very often case when
someone with account in main organization wants to login on-premise of
another one which is in trusting relationships with main.

One time more:
I interpret that authentication of APEX user to UC-SMB18 works:

# samba log - trusted user

Kerberos: TGS-REQ jake at APEX.CORP from ipv4:10.0.0.12:52437 for
UC-SM18$@SVITLA3.ROOM
Kerberos: Client not found in database: no such entry found in hdb
*Kerberos: cross-realm APEX.CORP -> SVITLA3.ROOM*

Kerberos: TGS-REQ authtime: 2020-07-17T18:07:28 starttime:
2020-07-17T18:07:28 endtime: 2020-07-18T04:07:28 renew till: unset

d at uc-sm18:~$ id APEX\\jake
uid=3000(APEX\jake) gid=3004(APEX\domain users) *groups=3004(APEX\domain
users)*
d at uc-sm18:~$ getent passwd  APEX\\jake
APEX\jake:*:3000:3004:jake:/home/APEX/jake:/bin/bash

"Kerberos: Client not found in database: no such entry found in hdb"
demonstrates that the user wasn't find in Samba db.
After that, as Samaba domain has trust with another domain, there was a try
to get the user from the trusted (apex.corp) domain
"Kerberos: cross-realm APEX.CORP -> SVITLA3.ROOM"
The try was successfully:
"Kerberos: TGS-REQ authtime: 2020-07-17T18:07:28 starttime:
2020-07-17T18:07:28 endtime: 2020-07-18T04:07:28 renew till: unset"

After that I can ssh with trusted account but get IDs according to default
idmap.
*APEX\rock at uc-sm18*:/$ id
uid=3001(APEX\rock) gid=3004(*APEX\domain users*) groups=3004(*APEX\domain
users*)

I provided credentials from trusted domain, know that authentication was
successful with those credentials so that authentication happened in
trusted DC.
This authentication process happened involving Samba DC - samba log proves
this fact.
I can access a file share located on trusted side by authenticated trusted
account.

I don't understand about this default mapping. How does it work in my case?

As I understood mapping configuration in smb.conf it is based on realm
names in krb5.conf. My krb5.conf includes only SVITLA5.ROOM realm. If I add
appropriate mapping for APEX.CORP authentication doesn't work because
krb5.conf doesn't know about APEX.CORP. If I add APEX.CORP to krb5.conf
authentication process happens by different way without involving Samba DC.

Probably I could configure krb5.conf in specific way getting in result
interaction for authentication via Samba DC. But I don't know how. If you
have idea let me know.

Also, could you run
net rpc trustdom list -U administrator
in your configuration?

This command provides output different from what in
https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
 shown.

d at uc-sm18:~$ net rpc trustdom list -U administrator
Enter administrator's password:
Trusted domains list:
APEX                S-1-5-21-4020559381-3467740180-2426716988
Trusting domains list:
Unable to find a suitable server for domain APEX
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
APEX                couldn't get domain's sid


























On Tue, 21 Jul 2020 at 13:40, Rowland penny via samba <samba at lists.samba.org>
wrote:

> On 20/07/2020 12:09, Yakov Revyakin wrote:
> > OK, trying to define the environment more clearly.
> >
> OK, I 'think' I know what is going on here, haven't got a fix though :-(
>
> Can you run this command on the Linux DC's and a Linux client:
>
> wbinfo --online-status
>
> On DC's, I get this:
>
> BUILTIN : active connection
> EXAMPLE : active connection
> SAMDOM : active connection
>
> But on Linux domain members, I get this:
>
> BUILTIN : active connection
> DEVSTATION : active connection
> SAMDOM : active connection
> EXAMPLE : no active connection
>
> This is in the 'SAMDOM' domain on the computer called devstation, if I
> run it on a client in the 'EXAMPLE' domain, the AD domains are switched,
> 'EXAMPLE' is active and 'SAMDOM' isn't.
>
> If I try to ssh into the 'EXAMPLE' client from a 'SAMDOM' client using a
> 'SAMDOM' user, I get:
>
> Jul 21 11:13:08 linux-client sshd[5506]: pam_krb5(sshd:auth):
> authentication failure; logname=SAMDOM\rowland uid=0 euid=0 tty=ssh
> ruser= rhost=192.168.0.49
> Jul 21 11:13:08 linux-client sshd[5506]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.0.49  user=SAMDOM\rowland
> Jul 21 11:13:08 linux-client sshd[5506]: pam_winbind(sshd:auth): getting
> password (0x00000388)
> Jul 21 11:13:08 linux-client sshd[5506]: pam_winbind(sshd:auth):
> pam_get_item returned a password
> Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): request
> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL
> (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon
> servers are currently available to service the logon request.
> Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth):
> internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user =
> 'SAMDOM\rowland')
> Jul 21 11:13:12 linux-client sshd[5506]: Failed password for
> SAMDOM\\rowland from 192.168.0.49 port 51962 ssh2
>
> I can create directories on a client in the 'EXAMPLE' domain and chown
> to user:group from the 'SAMDOM' domain.
>
> I 'think' that the domain that is offline on clients needs to be brought
> online, but I do not know how to do this :-(
>
> I based my testing around a pdf created by Stefan Kania, available here:
>
> www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list