Hi!
I found this old message (see below) in the Samba mailing list
archives. I understand why it is not a good idea for the krb5.keytab
file to be world readable (machine credentials should not be world
readable), but I would appreciate it if someone could explain why it
needs to be *group* readable?
Thanks,
J.
________________________________
Question:
Should the system keytab need to be world readable to be able to
authenticate via winbind as a remote kerberos user?
I don't seem to remember this being required in Samba 3.3 or earlier
(but I could be wrong about that). And I didn't think it was a
recommended configuration.
Is this likely to be distro specific?
Background info:
I've recently had problems logging into an Active Directory domain
(SBS 2003 with SFU 3.5 schema extensions) on a new Ubuntu 10.04 which
uses winbind 3.4.7.
I successfully joined the domain, and created a keytab using the
following commands:
net ads join -U domainadministrator createupn
createcomputer="MyBusiness/Computers/UnixComputers"
net ads testjoin
net ads keytab create -U domainadministrator
I added winbind to nsswitch.conf and ran pam-auth-update to use the
winbind profile to configure /etc/pam.d/common*. pam_winbind had the
krb5_auth and krb5_ccache_type=FILE options set (by pam-auth-update).
With sudo and a dummy local account I could successfully kinit with
both my domain user principal and the system keytab service principals
and the computer's UPN.
I could successfully run wbinfo -u and wbinfo -g as well as getent
passwd and getent group.
The first sign of trouble was that I needed sudo to successfully run
wbinfo -K to authenticate my domain account.
I could not log in with pam_winbind either.
It turned out that my domain user account needed read access to the
system keytab (/etc/krb5.keytab). By default the system keytab was
owned by root:root and had 0600 permissions - which I seem to recall
is the recommended permissions for that file, and I vaguely remember
working in earlier Samba versions.
Once the keytab was world readable, domain accounts could successfully log in.
/etc/samba/smb.conf (if relevant)
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
preferred master = no
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind nss info = sfu
winbind offline logon = true
winbind refresh tickets = true
idmap backend = tdb
idmap uid = 50000 - 50999
idmap gid = 50000 - 50999
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:readonly = yes
idmap config EXAMPLE:default = yes
idmap config EXAMPLE:schema_mode = sfu
idmap config EXAMPLE:range = 10000 - 19999
template shell = /bin/bash
template homedir = /home/%U
kerberos method = system keytab
Thanks for any insight :)
--
Cheers
Anton
---
Johan Ramm-Ericson
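The point both messages turn on is how widely /etc/krb5.keytab is readable (root-only 0600 versus group- or world-readable). The script below is an added example, not code from either poster or from Samba: it classifies a keytab's permission bits and runs itself on constructed files in a temporary directory, so no real keytab is touched. It assumes a Linux host with GNU coreutils (stat -c); the file names it creates are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): classify how widely a
# Kerberos keytab is readable. Assumes GNU coreutils (stat -c) on Linux.

# Print one of: missing, private, group-readable, world-readable.
# A keytab holding machine credentials should come out "private"
# (root:root 0600 is the mode the post describes as the default).
keytab_class() {
    path=$1
    if [ ! -f "$path" ]; then
        echo missing
        return 0
    fi
    # octal mode, e.g. 600, 640, 644; four digits when setuid/setgid/sticky set
    mode=$(stat -c '%a' "$path")
    if [ "${#mode}" -eq 4 ]; then
        mode=${mode#?}              # drop the special-bits digit
    fi
    g=$(printf '%s' "$mode" | cut -c2)   # group permission digit
    o=$(printf '%s' "$mode" | cut -c3)   # other permission digit
    # the read bit is 4, so any digit 4..7 means readable
    case $o in
        [4-7]) echo world-readable; return 0 ;;
    esac
    case $g in
        [4-7]) echo group-readable; return 0 ;;
    esac
    echo private
}

# Self-contained demonstration on constructed files (names are made up).
demo_keytab_perms() {
    dir=$(mktemp -d)
    for m in 600 640 644; do
        f="$dir/krb5.keytab.$m"
        : > "$f"
        chmod "$m" "$f"
        printf '%-18s mode %s -> %s\n' "krb5.keytab.$m" "$m" "$(keytab_class "$f")"
    done
    rm -rf "$dir"
}

demo_keytab_perms
```

On a real host, `keytab_class /etc/krb5.keytab` is the one-line check; stat only needs search permission on /etc, so it works without root. Anything other than "private" is the situation the original poster ended up in after loosening the mode to make pam_winbind logins work.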