[Samba] Should I be able to access shares w/o authenticating again?

Rob Campbell robcampbell08105 at gmail.com
Sat Nov 19 19:22:39 UTC 2022


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Thu, Nov 17, 2022 at 3:18 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

>
>
> On 17/11/2022 19:49, Rob Campbell via samba wrote:
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > In all things, Be Intentional.
> >
> >
> > On Thu, Nov 17, 2022 at 2:13 PM Rob Campbell <robcampbell08105 at gmail.com> wrote:
> >
> >> I've logged into the different machines with my AD login.  Shouldn't I be able to just open up shares and not have to provide a password?  I thought my credentials would be passed and I wouldn't have to reauthenticate.
> >>
> >> gio mount smb://DC01/photos
> >> Authentication Required
> >> Enter user and password for share “photos” on “dc01”:
>
> You really shouldn't be using a DC as a fileserver.
>
> >> User [HOME+robcampbell]:
> >>
> >> [HOME\robcampbell@f01 ~]$ smbclient //DC01/Movies -c 'ls'
> >> Password for [HOME\robcampbell]:
> >>
> >
> > [HOME\robcampbell@f01 ~]$ kinit
> > kinit: Client 'HOMErobcampbell@HOME.ROB-CAMPBELL.LAN' not found in Kerberos database while getting initial credentials
> >
> > I guess something isn't set up right?  But I'm not sure what.
>
> You are using autorid, so you cannot remove the NetBIOS domain name, so
> you are going to have to explicitly use it and 'escape' the separator.
> All these problems would go away if you used the 'rid' idmap backend
> along with 'winbind use default domain = yes', or do you plan on using
> trusted domains ?
>
I did this and now I am able to log in using domain credentials w/o having to do 'user@domain' or 'domain\user', but that seems to have disabled the ability to log in using a local user (on the DC only).

Nov 19 14:15:12 DC01 kernel: audit: type=1400 audit(1668885312.805:1770): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/proc/4712/cmdline" pid=4110 comm="sssd_nss" requested_mask="r"
Nov 19 14:15:12 DC01 postfix/qmgr[2938]: C42B63E08A4: from=<root at rob-campbell.com>, size=2349, nrcpt=1 (queue active)
Nov 19 14:15:12 DC01 postfix/local[4713]: C42B63E08A4: to=<rwcampbell at rob-campbell.com>, orig_to=<root>, relay=local, delay=0.05, delays=0.04/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Nov 19 14:15:12 DC01 postfix/qmgr[2938]: C42B63E08A4: removed
Nov 19 14:15:15 DC01 gdm-password][4697]: pam_krb5(gdm-password:auth): authentication failure; logname=rwcampbell uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Nov 19 14:15:15 DC01 gdm-password][4697]: gkr-pam: unable to locate daemon control file
Nov 19 14:15:15 DC01 gdm-password][4697]: gkr-pam: stashed password to try later in open session
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_securetty.so): /lib/security/pam_securetty.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_securetty.so
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_nologin.so): /lib/security/pam_nologin.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_nologin.so
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_winbind.so
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_unix.so): /lib/security/pam_unix.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_unix.so

Is there a package that's missing and that's why these files are missing?

>
> > cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = HOME.ROB-CAMPBELL.LAN
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > forwardable = yes
> > rdns = false
> > ticket_lifetime = 10h
> > renew_lifetime = 5d
> > [realms]
> > home.rob-campbell.lan = {
> > kdc = dc01.home.rob-campbell.lan
> > admin_server = DC01.home.rob-campbell.lan
> > # master_key_type = aes256-cts
> > # default_principal_flags = +preauth
> > }
> > HOME = {
> > kdc = dc01.home.rob-campbell.lan
> > admin_server = DC01.home.rob-campbell.lan
> > # master_key_type = aes256-cts
> > # default_principal_flags = +preauth
> > }
> >
> > [domain_realm]
> > .home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> > home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> > [logging]
> >         kdc = FILE:/var/log/samba/krb5.log
> >         admin_server = FILE:/var/log/samba/mit_kadmin.log
>
> Your /etc/krb5.conf needs only to be this:
>
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> HOME.ROB-CAMPBELL.LAN = {
>         default_domain = home.rob-campbell.lan
> }
>
> [domain_realm]
> THE_COMPUTERS_SHORT_HOSTNAME_IN_CAPITALS = HOME.ROB-CAMPBELL.LAN
>
Updated, but still, although I log in with the domain name, I am not able to access shares w/o authenticating again.


> >
> > cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> > server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns
>
> The line above is only used on a DC
>
> > security = ADS
> > realm = home.rob-campbell.lan
> > workgroup = HOME
> >
> > idmap config * : range = 10000-9999999
> > idmap config * : backend = autorid
> > idmap config * : rangesize = 200000
> >
> > map acl inherit = Yes
> > vfs objects = acl_xattr
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = Yes
> > winbind enum groups = Yes
> > winbind enum users = Yes
>
> The two lines above can slow things down and should only be used for
> testing.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
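The two things that went wrong above, the kinit lookup for 'HOMErobcampbell' and the lower-case realm block in krb5.conf, both come down to parsing rules. The following is an added example, not code from this thread, from Samba or from MIT krb5: it re-implements the backslash-escape rule that Kerberos principal parsing applies (the rule in MIT's krb5_parse_name, written out here from scratch), so you can see why an unescaped 'HOME\robcampbell' collapses to 'HOMErobcampbell' and what the escaped form looks like, and it lints a krb5.conf for realm names that are not upper case. The two krb5.conf texts are copied (abridged) from the messages above; the function and constant names are the example's own.

```python
# Added example (not from the samba list thread, Samba or MIT krb5).
# 1. parse_principal(): MIT-style backslash escapes in a Kerberos principal name.
# 2. lint_krb5_conf(): flag [realms] blocks / [domain_realm] targets that are not
#    upper case.  Realm names are case-sensitive and an AD realm is the
#    upper-cased DNS domain, so 'home.rob-campbell.lan = {' is not the block that
#    'default_realm = HOME.ROB-CAMPBELL.LAN' refers to.

ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}   # \n \t \b \0 -> control chars
UNESCAPES = {v: k for k, v in ESCAPES.items()}


def parse_principal(text, default_realm):
    """Return (components, realm) for a name of the form 'c1/c2@REALM'.

    A backslash escapes the next character: \\n, \\t, \\b and \\0 become control
    characters, any other escaped character stands for itself ('\\\\' is one
    literal backslash, '\\@' a literal '@').  An unescaped '\\r' is therefore just
    'r', which is how HOME\\robcampbell turned into HOMErobcampbell.
    Simplification: '/' and '@' inside the realm are kept literally, not rejected.
    """
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # escape: consume two characters
            nxt = text[i + 1]
            cur.append(ESCAPES.get(nxt, nxt))
            i += 2
            continue
        if c == "/" and not in_realm:            # component separator
            comps.append("".join(cur))
            cur = []
        elif c == "@" and not in_realm:          # start of realm
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(c)
        i += 1
    if in_realm:
        return comps, "".join(cur)
    comps.append("".join(cur))
    return comps, default_realm                  # no '@': default realm applies


def quote_component(name):
    """Escape one component so parse_principal() returns it unchanged."""
    out = []
    for c in name:
        if c in UNESCAPES:
            out.append("\\" + UNESCAPES[c])
        elif c in "\\/@":
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def kinit_argument(login_name, default_realm):
    """Principal string to hand to kinit so a NetBIOS-qualified login name survives
    parsing (shell quoting is on top of this), e.g. HOME\\\\robcampbell@REALM."""
    return quote_component(login_name) + "@" + default_realm


def lint_krb5_conf(text):
    """Return findings for realm names that are not upper case (comments stripped)."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "realms" and line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            if name != name.upper():
                findings.append(f"[realms] block '{name}' is not upper case")
        elif section == "domain_realm" and "=" in line:
            realm = line.split("=", 1)[1].strip()
            if realm != realm.upper():
                findings.append(f"[domain_realm] maps to '{realm}', which is not upper case")
    return findings


# Abridged copy of the krb5.conf posted in the thread (the 'before').
POSTED_KRB5_CONF = """\
[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
home.rob-campbell.lan = {
kdc = dc01.home.rob-campbell.lan
admin_server = DC01.home.rob-campbell.lan
# master_key_type = aes256-cts
}
HOME = {
kdc = dc01.home.rob-campbell.lan
}
[domain_realm]
.home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
"""

# The replacement Rowland suggested (the 'after').
FIXED_KRB5_CONF = """\
[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
HOME.ROB-CAMPBELL.LAN = {
        default_domain = home.rob-campbell.lan
}

[domain_realm]
THE_COMPUTERS_SHORT_HOSTNAME_IN_CAPITALS = HOME.ROB-CAMPBELL.LAN
"""

if __name__ == "__main__":
    print(parse_principal("HOME\\robcampbell", "HOME.ROB-CAMPBELL.LAN"))
    print(kinit_argument("HOME\\robcampbell", "HOME.ROB-CAMPBELL.LAN"))
    for f in lint_krb5_conf(POSTED_KRB5_CONF):
        print("posted krb5.conf:", f)
    print("fixed krb5.conf:", lint_krb5_conf(FIXED_KRB5_CONF) or "no findings")
```

Running it shows the first call returning the component 'HOMErobcampbell' with no backslash at all, the escaped form 'HOME\\robcampbell@HOME.ROB-CAMPBELL.LAN' round-tripping, one finding against the posted file (the lower-case 'home.rob-campbell.lan' realm block) and none against Rowland's version. Whether a principal spelled with the NetBIOS prefix exists in the KDC is a separate question the parser cannot answer; that is the part Rowland's idmap and 'winbind use default domain' advice addresses.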


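For comparison with the autorid configuration quoted above, here is the [global] idmap section of a domain-member smb.conf written the way Rowland recommends (rid backend for the domain plus 'winbind use default domain = yes'). This is an added example, not Rob's file or Samba project text; the range values are assumptions and the only hard rule they must follow is that the '*' range and the HOME range do not overlap, which testparm rejects.

```ini
# Added example: domain member (not DC) idmap settings following Rowland's advice.
[global]
   security = ADS
   realm = HOME.ROB-CAMPBELL.LAN
   workgroup = HOME

   # default backend: BUILTIN and any domain without its own block
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # deterministic SID-RID -> UID/GID mapping for the HOME domain;
   # the same SID always gets the same ID on every member using this range
   idmap config HOME : backend = rid
   idmap config HOME : range = 10000-999999

   # log in as 'robcampbell' instead of 'HOME\robcampbell'
   winbind use default domain = yes
   winbind refresh tickets = yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   vfs objects = acl_xattr
   map acl inherit = yes
```

After changing the idmap backend, run 'testparm' to confirm the ranges are accepted; note that switching backends on a machine that already has files owned by autorid-allocated IDs changes which UID each SID maps to, so file ownership on that host needs to be checked afterwards.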