[Samba] Should I be able to access shares w/o authenticating again?

Rowland Penny rpenny at samba.org
Thu Nov 17 20:17:22 UTC 2022



On 17/11/2022 19:49, Rob Campbell via samba wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
> 
> 
> On Thu, Nov 17, 2022 at 2:13 PM Rob Campbell <robcampbell08105 at gmail.com>
> wrote:
> 
>> I've logged into the different machines with my AD login.  Shouldn't I be
>> able to just open up shares and not have to provide a password?  I thought
>> my credentials would be passed and I wouldn't have to reauthenticate.
>>
>> gio mount smb://DC01/photos
>> Authentication Required
>> Enter user and password for share “photos” on “dc01”:

You really shouldn't be using a DC as a fileserver.

>> User [HOME+robcampbell]:
>>
>> [HOME\robcampbell@f01 ~]$ smbclient //DC01/Movies -c 'ls'
>> Password for [HOME\robcampbell]:
>>
> 
> [HOME\robcampbell@f01 ~]$ kinit
> kinit: Client 'HOMErobcampbell@HOME.ROB-CAMPBELL.LAN' not found in Kerberos database while getting initial credentials
> 
> I guess something isn't set up right?  But I'm not sure what.

You are using autorid, so you cannot remove the NetBIOS domain name, so 
you are going to have to explicitly use it and 'escape' the separator. 
All these problems would go away if you used the 'rid' idmap backend 
along with 'winbind use default domain = yes', or do you plan on using 
trusted domains?

> 
> cat /etc/krb5.conf
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> forwardable = yes
> rdns = false
> ticket_lifetime = 10h
> renew_lifetime = 5d
> [realms]
> home.rob-campbell.lan = {
> kdc = dc01.home.rob-campbell.lan
> admin_server = DC01.home.rob-campbell.lan
> # master_key_type = aes256-cts
> # default_principal_flags = +preauth
> }
> HOME = {
> kdc = dc01.home.rob-campbell.lan
> admin_server = DC01.home.rob-campbell.lan
> # master_key_type = aes256-cts
> # default_principal_flags = +preauth
> }
> 
> [domain_realm]
> .home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> [logging]
>         kdc = FILE:/var/log/samba/krb5.log
>         admin_server = FILE:/var/log/samba/mit_kadmin.log

Your /etc/krb5.conf needs only to be this:

[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
HOME.ROB-CAMPBELL.LAN = {
	default_domain = home.rob-campbell.lan
}

[domain_realm]
THE_COMPUTERS_SHORT_HOSTNAME_IN_CAPITALS = HOME.ROB-CAMPBELL.LAN

> 
> cat /etc/samba/smb.conf
> # Global parameters
> [global]
> server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns

The line above is only used on a DC.

> security = ADS
> realm = home.rob-campbell.lan
> workgroup = HOME
> 
> idmap config * : range = 10000-9999999
> idmap config * : backend = autorid
> idmap config * : rangesize = 200000
> 
> map acl inherit = Yes
> vfs objects = acl_xattr
> 
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> winbind enum groups = Yes
> winbind enum users = Yes

The two lines above can slow things down and should only be used for 
testing.

Rowland
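Added example, not code from the thread, from Rowland or from Samba: a small POSIX shell script that models why the bare `kinit` above asks for a client named `HOMErobcampbell`, and what the separator escaping comes down to. The realm and account names are the ones in the thread; the behaviour modelled is MIT krb5's name parsing, where an unquoted backslash quotes the character after it and is dropped, and winbind's default `\` separator with and without `winbind use default domain = yes`. Nothing here contacts a KDC or reads any configuration; the functions are assumptions about the name handling, not calls into Samba or Kerberos.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Models the name handling
# behind the kinit failure for the winbind user 'HOME\robcampbell'.
# No KDC is contacted; REALM and the sample names come from the thread.

REALM='HOME.ROB-CAMPBELL.LAN'

# Model MIT krb5_parse_name(): a backslash quotes the following character and
# is itself dropped, so 'HOME\robcampbell' collapses to 'HOMErobcampbell'.
# Only the "backslash followed by an ordinary character" case is modelled.
krb5_collapse_quotes() {
    printf '%s' "$1" | sed 's/\\\(.\)/\1/g'
}

# Principal a bare `kinit` (no argument) would request when the local login
# name is $1: the login name, parsed as above, plus the default realm.
kinit_default_principal() {
    printf '%s@%s' "$(krb5_collapse_quotes "$1")" "$REALM"
}

# Principal that actually exists in AD for that account: the sAMAccountName
# with any 'DOMAIN\' prefix removed, at the realm. This is what to give kinit.
ad_principal_for() {
    printf '%s@%s' "$(printf '%s' "$1" | sed 's/.*\\//')" "$REALM"
}

# Local user name winbind presents for DOMAIN\user (default separator '\'),
# depending on 'winbind use default domain' ($3 = yes|no).
winbind_local_name() {
    if [ "$3" = yes ]; then
        printf '%s' "$2"
    else
        printf '%s\\%s' "$1" "$2"
    fi
}

# Run as a script to see the names side by side.
local_user=$(winbind_local_name HOME robcampbell no)
printf 'local user (autorid, domain kept):              %s\n' "$local_user"
printf 'principal a bare kinit requests:                %s\n' "$(kinit_default_principal "$local_user")"
printf 'principal to request explicitly:                %s\n' "$(ad_principal_for "$local_user")"
printf 'local user with winbind use default domain=yes: %s\n' "$(winbind_local_name HOME robcampbell yes)"
```

Two practical consequences follow from this. The shell does the same backslash stripping as the Kerberos parser, so wherever the `DOMAIN\user` form is needed (the `-U` argument to `smbclient`, for instance) it has to be single-quoted, `'HOME\robcampbell'`, to survive; for `kinit` itself the form to use is the account name without the NetBIOS prefix, `kinit robcampbell` or `kinit robcampbell@HOME.ROB-CAMPBELL.LAN`, since that is the principal AD holds. The `rid` configuration Rowland recommends, stated here as the standard Samba settings rather than lines from the thread, is a per-domain `idmap config HOME : backend = rid` with its own `idmap config HOME : range`, a `tdb` backend kept for `idmap config *`, and `winbind use default domain = yes`, which is what makes the local login name the bare `robcampbell` that a bare `kinit` turns into the right principal.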