Ahti Seier
2022-Feb-03 12:55 UTC
[Samba] Failing authentication when PAC present in kerberos service ticket
Hello,

We have been running samba in standalone mode (security = user) with kerberos authentication. The hosts themselves are registered to a freeIPA domain. There is a kerberos trust set up between freeIPA and our AD. NSS is perfectly capable of looking up both AD and freeIPA users and groups on the hosts.

We also have a special DNS zone for services. So samba service can be accessed by navigating to "\\host.hostdomain" or "\\name.servicedomain". The domain for services uses AD kerberos realm for authentication. So our keytab contains entries for:

cifs\host.hostdomain@HOSTDOMAIN
cifs\name.servicedomain@ADDOMAIN

This all worked fine for years but in November it was decided that if running in standalone mode and if kerberos service ticket has a PAC attached, authentication should fail.

CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode (2609e429) - Commits - The Samba Team / Samba - GitLab
<https://gitlab.com/samba-team/samba/-/commit/2609e4297e04c93ca5bd1466617c4536faf5be32>

Now this configuration would no longer work for AD users as they will have the PAC in the service ticket. For now I wrote a patch for our samba with a configuration parameter that allows to ignore the PAC for all connections and this allows this previous configuration to work again.

As a long term solution I am also looking into setting up samba as a freeIPA domain member based on this:

Support Samba file server as a domain member on IPA client - FreeIPA 4.9-dev documentation
<https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html>

But it does not seem like a trivial task. It involves modifying tdb files etc... Also it will need to run winbind.

So I was wondering. What benefits will I actually get from running winbind instead of having NSS on the hosts resolve users and groups?

Or am I going about this a wrong way? Is there a better way to authenticate AD users to a non-AD joined host?
Rowland Penny
2022-Feb-03 13:17 UTC
[Samba] Failing authentication when PAC present in kerberos service ticket
On Thu, 2022-02-03 at 14:55 +0200, Ahti Seier via samba wrote:
> Hello,
>
> We have been running samba in standalone mode (security = user)
> with kerberos authentication.
> So I was wondering. What benefits will I actually get from running
> winbind instead of having NSS on the hosts resolve users and groups?
>
> Or am I going about this a wrong way? Is there a better way to
> authenticate AD users to a non-AD joined host?

I do not understand why you are running FreeIPA and AD, they both do basically the same thing. I also do not understand why you are using standalone servers in an AD/FreeIPA domain.

The benefits you will get from turning your standalone servers into Unix domain members are ACL support and NTLM fallback.

I think we need a bit more info, why do you need to run standalone servers?

Rowland
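The combination the thread turns on (a standalone server, `security = user`, that accepts Kerberos via a keytab) is easy to spot in an smb.conf before AD users start failing. The following checker is an added example; it is not part of this thread and not Samba's or FreeIPA's own code. The two smb.conf fragments are constructed: the first mirrors the standalone layout Ahti describes, the second is a schematic domain-member layout with placeholder realm, workgroup and keytab values (the real member setup, including winbind and the tdb changes mentioned above, is what the FreeIPA design document linked in the first post covers). The role derivation follows Samba's documented rule that an explicit `server role` wins and that `security = user` without one means a standalone server.

```python
"""Flag an smb.conf that runs a standalone server with a Kerberos keytab.

Since the CVE-2020-25717 fix, a standalone server rejects Kerberos service
tickets that carry a PAC, which AD users always present. Catching the
combination in the config avoids discovering it as failed logins.
"""
import re


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalised_param: value}}.

    Samba ignores case and whitespace in parameter names, so "Kerberos Method"
    normalises to "kerberosmethod". Only the first '=' splits a line; ':' is
    kept because it appears in "idmap config DOM : backend" style parameters.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def is_standalone(global_section):
    """Explicit 'server role' wins; otherwise security = user/auto (or unset)
    means a standalone server."""
    role = global_section.get("serverrole", "auto").lower()
    if role != "auto":
        return role in ("standalone", "standalone server")
    return global_section.get("security", "auto").lower() in ("user", "auto")


def uses_kerberos_keytab(global_section):
    """True when smbd is configured to validate Kerberos tickets from a keytab."""
    method = global_section.get("kerberosmethod", "default").lower()
    if method in ("system keytab", "dedicated keytab", "secrets and keytab"):
        return True
    return "dedicatedkeytabfile" in global_section


def check_pac_rejection(conf):
    """Return a list of findings; empty means the combination is absent."""
    g = conf.get("global", {})
    findings = []
    if is_standalone(g) and uses_kerberos_keytab(g):
        findings.append(
            "standalone server with a Kerberos keytab: since the CVE-2020-25717 "
            "fix smbd rejects service tickets that carry a PAC, so AD users will "
            "fail to authenticate; make the host a domain member "
            "(server role = member server) instead"
        )
    return findings


# Constructed fragment: the standalone layout described in the thread.
STANDALONE_CONF = """
[global]
    security = user
    kerberos method = system keytab
    realm = HOSTDOMAIN.EXAMPLE
"""

# Constructed fragment: schematic domain-member layout; realm, workgroup and
# keytab path are placeholders, not values from any real deployment.
MEMBER_CONF = """
[global]
    server role = member server
    realm = HOSTDOMAIN.EXAMPLE
    workgroup = HOSTDOMAIN
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/samba.keytab
    idmap config * : backend = tdb
    idmap config * : range = 0 - 0
"""

if __name__ == "__main__":
    for name, text in (("standalone", STANDALONE_CONF), ("member", MEMBER_CONF)):
        findings = check_pac_rejection(parse_smb_conf(text))
        print(f"{name}: {findings[0] if findings else 'OK'}")
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `parse_smb_conf`; the checker only reads the `[global]` section, so per-share settings do not affect the result.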