[Samba] Logging into Linux from Domain-joined Win10 desktop works for hostnames, not VIPs

vincent at cojot.name vincent at cojot.name
Sun Jun 6 14:41:18 UTC 2021


On Sun, 6 Jun 2021, Andrew Bartlett wrote:

> If you are using a name that 'floats' around the multiple servers,
> either avoid using Kerberos/SSH to contact those servers by those
> names, or create a shared account and distribute the keytab entries to
> all servers.
>
> The shared account would have the SPN for the shared name.
>
> Otherwise, you can only put the SPN on one of the target servers, it
> won't work if the floating name floats to the other server.
>
> This is why CTDB manages one 'join' to the domain for an entire file
> server cluster, as an example.

Hi Andrew,

Yes, I was talking about names that 'float' between servers. It seems I 
need to read up on CTDB, thank you for correcting me.

With respectful regards,

Vincent

> Andrew Bartlett
>
> On Sat, 2021-06-05 at 21:27 -0400, Vincent S. Cojot via samba wrote:
>> I think I figured it out and in fact the solution was on the samba AD DC.
>>
>> Here's my setup:
>> - dc00/dc01 (two small VMs running RHEL7.9 + samba AD/DC custom rpms)
>> - hypervisor1/2/3 : machines running RHEL8.4 with the RH-provided samba rpms
>> - a few Win10 endpoints (laptops), a few Fedora endpoints (laptops) and no
>> Macs. One Win10 VM for the purpose of running some things, including RSAT.
>>
>> My son was trying to PuTTY/ssh from his Win10 machine to one of the VIPs
>> carried by one of the hypervisors. It worked when connecting to
>> <machine1.lasthome.solace.krynn> but not for
>> '<floating.lasthome.solace.krynn>'.
>>
>> Here's what I did:
>>
>> 1) went into 'Active Directory Users and Computers' from my Win10 VM (I
>> used it to edit Policies for the Win10 endpoints in our domain).
>>
>> 2) View -> Advanced features - Select host (one of the hypervisors)
>>
>> 3) Attribute Editor -> edit servicePrincipalName
>> There, I added these records:
>> host/FLOATING
>> host/floating.lasthome.solace.krynn
>> host/floating.ad.lasthome.solace.krynn
>>
>> 4) restarted sshd on machine1
>>
>> After that, things started to work and it was now possible for him to
>> PuTTY ssh directly to the VIP by using the floating IP name (this is
>> required because all 3 hypervisors form a cluster and VIPs fail over from
>> one machine to the other) e.g: floating.lasthome.solace.krynn could be
>> carried by any of the 3 hypervisors.
>>
>> ,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
>> Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
>> Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
>> Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
>> http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote at NOSPAM4cojot.name
>>
>> They cannot scare me with their empty spaces
>> Between stars - on stars where no human race is
>> I have it in me so much nearer home
>> To scare myself with my own desert places.       - Robert Frost
>>
>>
>>
>> On Sat, 5 Jun 2021, Vincent S. Cojot via samba wrote:
>>
>>>
>>> Also,
>>>
>>> I just tested this and it's entirely similar:
>>>
>>> I can PuTTY without a password prompt to <hostname1.lasthome.solace.krynn>
>>> or <hostname1.ad.lasthome.solace.krynn>
>>>
>>> If I try to PuTTY to <floating1.lasthome.solace.krynn>, or
>>> <floating1.ad.lasthome.solace.krynn> it prompts for a password.
>>>
>>> The servers are running RHEL8.4.
>>>
>>> I probably need to run 'net ads keytab <something>' so I'll be trying to
>>> figure out the 'something' part.. :)
>>>
>>> Sorry again for the noise,
>>>
>>> Vincent
>>>
>>>
>>> On Sat, 5 Jun 2021, Vincent S. Cojot via samba wrote:
>>>
>>>>
>>>>  Hi Rowland,
>>>>
>>>>  You are 100% right and perhaps what I am seeing is only sssd stuff. I've
>>>>  been able to locate a BZ (#1) talking about something similar so perhaps I
>>>>  only need to 'net ads keytab add' on the Linux hosts.
>>>>
>>>>  Sorry for the noise,
>>>>
>>>>  #1: https://bugzilla.redhat.com/show_bug.cgi?id=1529301
>>>>
>>>>  Vincent
>>>>
>>>>  On Sat, 5 Jun 2021, Rowland penny via samba wrote:
>>>>
>>>>>   On 05/06/2021 20:56, Vincent S. Cojot via samba wrote:
>>>>>>
>>>>>>    Hi All,
>>>>>>
>>>>>>    I've observed something strange and I know too little about Windows to
>>>>>>    figure out what's going on so I would love it if someone could shed
>>>>>>    some light..
>>>>>>
>>>>>>    Here's the thing:
>>>>>>
>>>>>>    From a win10 desktop, I PuTTY ssh to a server if I use PuTTY with the
>>>>>>    remote server's hostname but if I use a VIP hosted on the same server,
>>>>>>    my user gets prompted for a UNIX password (I'm not using SSH keys in this
>>>>>>    environment, only plain AD with bind).
>>>>>>
>>>>>>    In more detail:
>>>>>>    my RHEL servers are joined to the domain using this:
>>>>>>
>>>>>>    # realm list
>>>>>>    ad.lasthome.solace.krynn
>>>>>>     type: kerberos
>>>>>>     realm-name: AD.LASTHOME.SOLACE.KRYNN
>>>>>>     domain-name: ad.lasthome.solace.krynn
>>>>>>     configured: kerberos-member
>>>>>>     server-software: active-directory
>>>>>>     client-software: sssd
>>>>>>     required-package: oddjob
>>>>>>     required-package: oddjob-mkhomedir
>>>>>>     required-package: sssd
>>>>>>     required-package: adcli
>>>>>>     required-package: samba-common-tools
>>>>>>     login-formats: %U
>>>>>>     login-policy: allow-realm-logins
>>>>>>
>>>>>>    From any Windows10 desktop in the home, I can PuTTY without a password
>>>>>>    prompt to <hostname1.lasthome.solace.krynn>.
>>>>>>
>>>>>>    If I try to PuTTY to <floating1.lasthome.solace.krynn>, my user gets
>>>>>>    prompted for its password.
>>>>>>
>>>>>>    Any ideas? I'm just stumped.. (I don't use Win10 but some of my
>>>>>>    children do and one has a need to ssh from it to a Linux box).
>>>>>>
>>>>>>    Thank you,
>>>>>>
>>>>>>    Vincent
>>>>>>
>>>>>
>>>>>   You appear to be trying to connect to 'floating1.lasthome.solace.krynn'
>>>>>   but your AD dns domain appears to be 'ad.lasthome.solace.krynn', so of
>>>>>   course you are going to get asked for a password.
>>>>>
>>>>>   Can I ask where Samba comes into this? If there are shares involved and
>>>>>   the Samba version is >= 4.8.0, then you shouldn't be using sssd etc, but
>>>>>   if you just want authentication, then you don't need Samba, you can just
>>>>>   use sssd.
>>>>>
>>>>>   Rowland
>>>>>
>>>>>
>>>>>
>>>>>   --
>>>>>   To unsubscribe from this list go to the following URL and read the
>>>>>   instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>>>
>>>>
>>>
>>>
>
> -- 
> Andrew Bartlett (he/him)        https://samba.org/~abartlet/
> Samba Team Member (since 2001)  https://samba.org
> Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
>
>
>
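The thread's fix (adding `host/` SPNs for the floating name) only works on the node that currently carries the VIP and whose keytab holds the matching key, and Andrew's point is that the SPN can live on only one account. The script below is an added example written for this archive page, not code from the thread or the Samba project: it parses `klist -k` output from each cluster node and reports which `host/` principals for the floating names are missing per node, whether the key version numbers (KVNO) for a shared principal differ between nodes (a sign the entries came from different accounts or re-keyings, so a ticket the KDC issues for that SPN will decrypt on at most one of them), and which SPNs are registered on more than one AD account. The realm and floating names are taken from the thread; the keytab listings and the per-account SPN lists are constructed sample data.

```python
import re
from collections import defaultdict

# Realm and floating names as given in the thread.
REALM = "AD.LASTHOME.SOLACE.KRYNN"
FLOATING_NAMES = [
    "FLOATING",
    "floating.lasthome.solace.krynn",
    "floating.ad.lasthome.solace.krynn",
]

# Constructed `klist -k` output for three cluster nodes (sample data, not
# captured from the real hosts). hv1 has the floating keys, hv2 has none,
# hv3 has them under a different KVNO.
KLIST_HV1 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/machine1.ad.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN
   2 host/MACHINE1@AD.LASTHOME.SOLACE.KRYNN
   2 host/FLOATING@AD.LASTHOME.SOLACE.KRYNN
   2 host/floating.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN
   2 host/floating.ad.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN
"""
KLIST_HV2 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/machine2.ad.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN
   2 host/MACHINE2@AD.LASTHOME.SOLACE.KRYNN
"""
KLIST_HV3 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/machine3.ad.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN
   3 host/FLOATING@AD.LASTHOME.SOLACE.KRYNN
   3 host/floating.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN
   3 host/floating.ad.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN
"""

# Constructed servicePrincipalName values per computer account, as one
# might export them from AD; the floating SPN is (wrongly) on two accounts.
SPN_BY_ACCOUNT = {
    "MACHINE1$": ["host/machine1.ad.lasthome.solace.krynn", "host/MACHINE1",
                  "host/floating.lasthome.solace.krynn"],
    "MACHINE2$": ["host/machine2.ad.lasthome.solace.krynn", "host/MACHINE2"],
    "MACHINE3$": ["host/machine3.ad.lasthome.solace.krynn",
                  "host/FLOATING.LASTHOME.SOLACE.KRYNN"],
}

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return {principal: set of KVNOs} from `klist -k` output; header and
    separator lines do not match the pattern and are skipped."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def required_principals(names, realm):
    """host/ principals a GSSAPI ssh client may ask the KDC for."""
    return {f"host/{n}@{realm}" for n in names}


def check_node(keytab_text, names, realm):
    """Sorted list of required host/ principals absent from one keytab."""
    return sorted(required_principals(names, realm) - set(parse_klist(keytab_text)))


def check_cluster(keytabs, names, realm):
    """keytabs: {node: klist text}. Returns (missing_by_node, kvno_conflicts).
    Every node needs the floating keys because the VIP can land anywhere; a
    KVNO that differs between nodes for the same principal is a strong sign
    the keys were not derived from one shared account (equal KVNOs are only
    a necessary condition, not proof the keys match)."""
    missing = {node: check_node(text, names, realm) for node, text in keytabs.items()}
    kvno_by_node = defaultdict(dict)
    for node, text in keytabs.items():
        for princ, kvnos in parse_klist(text).items():
            kvno_by_node[princ][node] = max(kvnos)
    conflicts = {p: nodes for p, nodes in kvno_by_node.items()
                 if len(set(nodes.values())) > 1}
    return missing, conflicts


def duplicate_spns(spn_by_account):
    """SPNs (compared case-insensitively) registered on more than one account;
    the KDC cannot serve such an SPN reliably."""
    owners = defaultdict(list)
    for acct, spns in spn_by_account.items():
        for spn in spns:
            owners[spn.lower()].append(acct)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    missing, conflicts = check_cluster(
        {"hv1": KLIST_HV1, "hv2": KLIST_HV2, "hv3": KLIST_HV3}, FLOATING_NAMES, REALM)
    for node, princs in missing.items():
        print(f"{node}: missing {princs or 'nothing'}")
    for princ, nodes in conflicts.items():
        print(f"KVNO mismatch for {princ}: {nodes}")
    for spn, accts in duplicate_spns(SPN_BY_ACCOUNT).items():
        print(f"SPN {spn} registered on {accts}")
```

In a real cluster the three listings would come from `klist -k` run on each node, and the SPN map from querying the `servicePrincipalName` attribute of each computer object; the script itself reads nothing from the network.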

