Daniel Carrasco
2017-Sep-27 13:46 UTC
[Samba] Users and groups on member server without ssh
Hello,

I've a member server that is working fine as shared folder server (all shares work and their permissions). My problem is that when I add the nsswitch winbind entries then the server uses the DC to authenticate even when I use ssh, so if the Samba DC server fails I have problems logging into the member server.

My nsswitch:
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

And my smb.conf:
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
server role = member server
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999

winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

Is there any way to avoid that authentication method and use only the local one? (I use tools like setfacl to change permissions so I need access to domain users/groups).

Thanks and greetings!!

--
_________________________________________

Daniel Carrasco Marín
Ingeniería para la Innovación i2TIC, S.L.
Tlf: +34 911 12 32 84 Ext: 223
www.i2tic.com
_________________________________________
On Wed, 27 Sep 2017 15:46:42 +0200
Daniel Carrasco via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I've a member server that is working fine as shared folder server (all
> shares works and it permissions). My problem is that when I add the
> nsswitch winbind entries then the server uses the DC to authenticate
> even when I use ssh, so if Samba DC server fails I have problems to
> login into the member server.
>
> My nsswitch:
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
> And my smb.conf:
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> server role = member server
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> Is there any way to avoid that authentication method and use only the
> local one? (I use tools like setfacl to change permissions so I need
> access to domain users/groups).
>
> Thanks and greetings!!
>

Try adding 'winbind offline logon = yes', this will allow authentication even when the DC cannot be reached.

I would also remove the 'winbind enum' lines, you do not need them, they only really allow the printing of all the users and groups.

Rowland
L.P.H. van Belle
2017-Sep-27 14:25 UTC
[Samba] Users and groups on member server without ssh
It's all what you want.. You have a ton of options to do this.

But every server has a "first" user and by default unix accounts are allowed through pam.
The first user also has sudo rights, so let's call him linuxadmin.

In debian install ssh-krb5, that enables kerberos authorisation. (ssh is reloaded automatically)
And install: libpam-krb5 to make it all work, if not installed.

I've added this to my sshd_config.

# Allow groups ( linux and windows groups )
AllowGroups sshgroup servers-ssh

Now 2 groups. Sshgroup is a full linux group.
addgroup sshgroup
adduser linuxadmin sshgroup

The servers-ssh is a windows group used on all servers.
That allows my windows (group member) users to login.
Any member of one of these groups is allowed.

If all DC's are down, I login with the linuxadmin. (but I have 2 DC's and if you can, setup also a second.)

And if, as Rowland suggested, you added: 'winbind offline logon = yes'
You can also use the winbind Pam. Which looks like this.

cat /usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional	pam_winbind.so

If you add the above to the location it's coming from.
Now if you run: pam-auth-update
Just select what you want to enable. (keep all on is advised)

What you see here results in the following.
1) try SSO auth kerberos
2) if fail, try winbind
3) if fail, use linuxadmin

Now you can always login. Except... When you down your server ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Daniel Carrasco via samba
> Sent: Wednesday 27 September 2017 15:47
> To: samba at lists.samba.org
> Subject: [Samba] Users and groups on member server without ssh
>
> Hello,
>
> I've a member server that is working fine as shared folder
> server (all shares works and it permissions). My problem is
> that when I add the nsswitch winbind entries then the server
> uses the DC to authenticate even when I use ssh, so if Samba
> DC server fails I have problems to login into the member server.
>
> My nsswitch:
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
> And my smb.conf:
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> server role = member server
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> Is there any way to avoid that authentication method and use
> only the local one? (I use tools like setfacl to change
> permissions so I need access to domain users/groups).
>
> Thanks and greetings!!
>
> --
> _________________________________________
>
> Daniel Carrasco Marín
> Ingeniería para la Innovación i2TIC, S.L.
> Tlf: +34 911 12 32 84 Ext: 223
> www.i2tic.com
> _________________________________________
>
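One way to verify the setup Rowland and Louis describe (winbind offline logon enabled, local sources ahead of winbind in nsswitch, and a purely local break-glass group in sshd AllowGroups), as an added example that is not part of any message in this thread; the function names are hypothetical and the sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from any message in this thread: check whether a
# Samba member server can still be logged into over ssh when the DC is
# down, following Rowland's 'winbind offline logon' advice and Louis's
# local sshgroup in AllowGroups. Function names are hypothetical; the
# sample files below are constructed, not taken from a real host.

# 0 if smb.conf sets "winbind offline logon = yes"
has_offline_logon() {
  grep -Eiq '^[[:space:]]*winbind offline logon[[:space:]]*=[[:space:]]*yes' "$1"
}

# 0 if passwd and group consult a local source (files/compat) first, so
# the local admin account resolves even with winbind or the DC unavailable
local_before_winbind() {
  for db in passwd group; do
    first=$(awk -v k="$db:" '$1 == k { print $2; exit }' "$1")
    case "$first" in files|compat) ;; *) return 1 ;; esac
  done
}

# 0 if at least one group in sshd AllowGroups exists in the local group
# file: a local-only group keeps ssh usable with no domain at all
allowgroups_has_local() {   # $1 sshd_config, $2 group file
  for g in $(awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"); do
    grep -q "^$g:" "$2" && return 0
  done
  return 1
}

# All three checks; arguments: smb.conf nsswitch.conf sshd_config group
offline_login_ready() {
  has_offline_logon "$1" && local_before_winbind "$2" && allowgroups_has_local "$3" "$4"
}

# Constructed sample configuration reflecting the thread's advice
SAMPLE_DIR=$(mktemp -d)
printf '[global]\n   security = ADS\n   winbind offline logon = yes\n' > "$SAMPLE_DIR/smb.conf"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$SAMPLE_DIR/nsswitch.conf"
printf '# Allow groups ( linux and windows groups )\nAllowGroups sshgroup servers-ssh\n' > "$SAMPLE_DIR/sshd_config"
printf 'root:x:0:\nsshgroup:x:1001:linuxadmin\n' > "$SAMPLE_DIR/group"

if offline_login_ready "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/group"; then
  echo "OK: local ssh login should survive a DC outage"
else
  echo "WARN: ssh login on this member server depends on the DC"
fi
```

Point the four arguments at the real /etc/samba/smb.conf, /etc/nsswitch.conf, /etc/ssh/sshd_config and /etc/group to check a live member server.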