[Samba] Should I be able to access shares w/o authenticating again?
Rowland Penny
rpenny at samba.org
Thu Nov 17 20:17:22 UTC 2022
On 17/11/2022 19:49, Rob Campbell via samba wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
>
> On Thu, Nov 17, 2022 at 2:13 PM Rob Campbell <robcampbell08105 at gmail.com>
> wrote:
>
>> I've logged into the different machines with my AD login. Shouldn't I be
>> able to just open up shares and not have to provide a password? I thought
>> my credentials would be passed and I wouldn't have to reauthenticate.
>>
>> gio mount smb://DC01/photos
>> Authentication Required
>> Enter user and password for share “photos” on “dc01”:
You really shouldn't be using a DC as a fileserver.
>> User [HOME+robcampbell]:
>>
>> [HOME\robcampbell at f01 ~]$ smbclient //DC01/Movies -c 'ls'
>> Password for [HOME\robcampbell]:
>>
>
> [HOME\robcampbell at f01 ~]$ kinit
> kinit: Client 'HOMErobcampbell at HOME.ROB-CAMPBELL.LAN' not found in Kerberos
> database while getting initial credentials
>
> I guess something isn't set up right? But I'm not sure what.
You are using autorid, so you cannot remove the NetBIOS domain name, so
you are going to have to explicitly use it and 'escape' the separator.
All these problems would go away if you used the 'rid' idmap backend
along with 'winbind use default domain = yes', or do you plan on using
trusted domains?
>
> cat /etc/krb5.conf
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> forwardable = yes
> rdns = false
> ticket_lifetime = 10h
> renew_lifetime = 5d
> [realms]
> home.rob-campbell.lan = {
> kdc = dc01.home.rob-campbell.lan
> admin_server = DC01.home.rob-campbell.lan
> # master_key_type = aes256-cts
> # default_principal_flags = +preauth
> }
> HOME = {
> kdc = dc01.home.rob-campbell.lan
> admin_server = DC01.home.rob-campbell.lan
> # master_key_type = aes256-cts
> # default_principal_flags = +preauth
> }
>
> [domain_realm]
> .home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> [logging]
> kdc = FILE:/var/log/samba/krb5.log
> admin_server = FILE:/var/log/samba/mit_kadmin.log
Your /etc/krb5.conf needs only to be this:
[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
HOME.ROB-CAMPBELL.LAN = {
default_domain = home.rob-campbell.lan
}
[domain_realm]
THE_COMPUTERS_SHORT_HOSTNAME_IN_CAPITALS = HOME.ROB-CAMPBELL.LAN
>
> cat /etc/samba/smb.conf
> # Global parameters
> [global]
> server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns
The line above is only used on a DC
> security = ADS
> realm = home.rob-campbell.lan
> workgroup = HOME
>
> idmap config * : range = 10000-9999999
> idmap config * : backend = autorid
> idmap config * : rangesize = 200000
>
> map acl inherit = Yes
> vfs objects = acl_xattr
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> winbind enum groups = Yes
> winbind enum users = Yes
The two lines above can slow things down and should only be used for
testing.
Rowland
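As an added example (not part of Rowland's reply and not a configuration shipped by the Samba project), this is what a domain member's smb.conf could look like after applying the points raised above: the DC-only `server services` line and the two `winbind enum` lines are gone, the `autorid` backend is replaced by `rid` for the HOME domain, and `winbind use default domain = yes` removes the `HOME\` prefix from usernames so `kinit` and the SMB clients derive the right principal. The realm and workgroup are the ones from the quoted config (realm uppercased, which is how Samba treats it); the idmap ranges are assumed values and must not overlap each other or any local UID/GID range.

```ini
# Constructed example: Samba domain member (not a DC) using the 'rid' idmap
# backend. Realm and workgroup come from the quoted config; idmap ranges are
# assumed values, adjust them to the site.
[global]
   security = ADS
   realm = HOME.ROB-CAMPBELL.LAN
   workgroup = HOME

   # Plain 'robcampbell' instead of 'HOME\robcampbell'. Only appropriate
   # when no trusted domains are involved, as Rowland asks above.
   winbind use default domain = yes
   winbind refresh tickets = yes

   # Default backend for BUILTIN and any other domain; its range must not
   # overlap the HOME range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Deterministic mapping for HOME: uid/gid = range base + RID
   idmap config HOME : backend = rid
   idmap config HOME : range = 10000-9999999

   # Keytab holding the member's own host/service keys
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   # Keep Windows-style ACLs on the shares
   vfs objects = acl_xattr
   map acl inherit = yes
```

Two caveats worth knowing before switching: `rid` and `autorid` compute different UIDs/GIDs for the same SID, so files already on the member that were created under `autorid` will show up with different owners and need to be re-chowned, and the `idmap config *` range is now mandatory (Samba refuses to start a member without one). After a restart of winbind, `getent passwd robcampbell` should resolve the short name, `kinit robcampbell` followed by `klist` should show a TGT for `robcampbell@HOME.ROB-CAMPBELL.LAN`, and `smbclient //DC01/Movies -c ls` should then use that ticket instead of prompting for a password.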