[Samba] Winbind messes up Kerberos tickets when renewing them

L. van Belle belle at samba.org
Wed Dec 22 08:41:23 UTC 2021


Good morning Edwin, 

I personally don't see anything wrong here. 

Read this one. A bit older, but it explains it sufficiently. 
https://adsecurity.org/?p=483 

So I wonder why you can't use SSO. The default is still user@REALM. 
Anything in the SSH (auth) logs? 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Edwin Mackenzie-Owen via samba
> Sent: Tuesday, 21 December 2021 21:19
> To: samba at lists.samba.org
> Subject: [Samba] Winbind messes up Kerberos tickets when 
> renewing them
> 
> Hi,
> 
> Winbind often messes up my Kerberos ticket when renewing it.
> This is the valid ticket:
> 
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_1234567
> Default principal: exampleuser@SAMDOM.EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 12/20/21 21:40:12  12/21/21 07:40:12  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         renew until 12/21/21 21:40:07
> 
> Winbind then creates a ticket with a weird principal that I can't use
> for SSO (sorry, I have only saved it in German):
> 
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_1234567
> Default principal: exampleuser\@SAMDOM@SAMDOM.EXAMPLE.COM
> 
> Valid starting       Expires              Service principal
> 17.12.2021 20:05:24  18.12.2021 06:05:24  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         for client exampleuser@SAMDOM.EXAMPLE.COM, renew until 24.12.2021 15:05:24
> 
> My krb5.conf (auth_to_local is for SSH SSO):
> 
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>         forwardable = true
> [realms]
>         SAMDOM.EXAMPLE.COM = {
>                 auth_to_local = RULE:[1:SAMDOM\$1]
>                 auth_to_local = DEFAULT
>         }
> [domain_realm]
>         .samdom.example.com = SAMDOM.EXAMPLE.COM
> 
> 
> smb.conf:
> 
> [global]
> apply group policies = yes
> client use kerberos = required
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> netbios name = DHYANA
> realm = SAMDOM.EXAMPLE.COM
> security = ADS
> server role = member server
> template homedir = /home/%D/%U
> template shell = /usr/bin/zsh
> usershare allow guests = Yes
> usershare max shares = 100
> usershare owner only = Yes
> usershare path = /var/lib/samba/usershares
> winbind enum groups = yes
> winbind enum users = yes
> winbind expand groups = 20
> winbind nss info = rfc2307
> winbind offline logon = yes
> winbind refresh tickets = yes
> workgroup = SAMDOM
> idmap config * : backend = autorid
> idmap config * : range = 1000000-1999999
> map acl inherit = yes
> store dos attributes = yes
> vfs objects = acl_xattr
> winbind use default domain = no
> 
> Distribution and Samba version (both workstation and DC): Arch Linux /
> Arch Linux / Arch Linux ARM; Samba 4.15.3.
> 
> Best regards,
> Edwin Mackenzie-Owen
> 
> 
> 
> 
> 
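Added example, not part of either message above and not Samba code: a small check that tells the two credential caches in the thread apart. It parses the klist default principal with MIT-style escaping (a backslash protects the next character, so the second cache's `exampleuser\@SAMDOM@SAMDOM.EXAMPLE.COM` is one name component `exampleuser@SAMDOM` in realm `SAMDOM.EXAMPLE.COM`) and reports when the cache is not in the plain user@REALM form that SSO expects. The two klist texts are constructed from the post (with the archive's `(at)` restored to `@`); the `check_ccache` and `parse_principal` helpers are mine, and the German labels are accepted only because that is what the post shows.

```python
"""Flag a Kerberos ccache whose default principal is not plain user@REALM.

Added example (not from the thread). Principal parsing follows MIT escaping
rules as assumed here: unescaped '/' separates components, the first unescaped
'@' starts the realm, and '\\x' yields the literal character x.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Principal:
    components: list = field(default_factory=list)
    realm: str = ""

    def __str__(self):
        # Re-escape so that an embedded '@' or '/' survives a round trip.
        return "/".join(_escape(c) for c in self.components) + "@" + self.realm


def _escape(component):
    return re.sub(r"([\\/@])", r"\\\1", component)


def parse_principal(text):
    """Split a principal string into its name components and realm."""
    components, current, realm, in_realm = [], [], "", False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])   # escaped character, taken literally
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(current))
            current = []
        elif not in_realm and ch == "@":
            components.append("".join(current))
            current = []
            in_realm = True               # everything after this is the realm
        else:
            current.append(ch)
        i += 1
    if in_realm:
        realm = "".join(current)
    else:
        components.append("".join(current))
    return Principal(components, realm)


# klist prints its labels in the session locale; the post shows English and German.
_DEFAULT_PRINCIPAL = re.compile(r"^(?:Default principal|Standard-Principal):\s*(\S+)", re.M)
_FOR_CLIENT = re.compile(r"(?:for client|für Client)\s+(\S+?),", re.M)


def check_ccache(klist_output, expected_realm):
    """Return (ok, detail).

    ok is True only when the default principal is a single plain component in
    expected_realm, i.e. the user@REALM form that auth_to_local/SSO expects.
    """
    m = _DEFAULT_PRINCIPAL.search(klist_output)
    if not m:
        return False, "no default principal line found"
    p = parse_principal(m.group(1))
    if p.realm != expected_realm:
        return False, f"realm {p.realm!r} != {expected_realm!r}"
    if len(p.components) != 1:
        return False, f"unexpected component count: {p.components}"
    if "@" in p.components[0]:
        # The renewed TGT still names the real client; surface it as a hint.
        client = _FOR_CLIENT.search(klist_output)
        hint = f"; ticket was issued to {client.group(1)}" if client else ""
        return False, f"name component {p.components[0]!r} embeds '@'{hint}"
    return True, str(p)


# Constructed sample input, transcribed from the two klist outputs in the post.
GOOD_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1234567
Default principal: exampleuser@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
12/20/21 21:40:12  12/21/21 07:40:12  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 12/21/21 21:40:07
"""

BAD_KLIST = """Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234567
Standard-Principal: exampleuser\\@SAMDOM@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
17.12.2021 20:05:24  18.12.2021 06:05:24  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        für Client exampleuser@SAMDOM.EXAMPLE.COM, erneuern bis 24.12.2021 15:05:24
"""

if __name__ == "__main__":
    for label, text in (("before refresh", GOOD_KLIST), ("after refresh", BAD_KLIST)):
        print(label, check_ccache(text, "SAMDOM.EXAMPLE.COM"))
```

Run it against `klist` output from a live workstation (for example `subprocess.run(["klist"], capture_output=True, text=True).stdout`) from a cron job or a PAM session hook to catch the renamed cache before an SSH SSO attempt fails; the `detail` string names the real client principal from the ticket's "for client" line when one is present.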
