Rob Campbell
2022-Nov-17 19:49 UTC
[Samba] Should I be able to access shares w/o authenticating again?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.

On Thu, Nov 17, 2022 at 2:13 PM Rob Campbell <robcampbell08105 at gmail.com> wrote:

> I've logged into the different machines with my AD login. Shouldn't I be
> able to just open up shares and not have to provide a password? I thought
> my credentials would be passed and I wouldn't have to reauthenticate.
>
> gio mount smb://DC01/photos
> Authentication Required
> Enter user and password for share 'photos' on 'dc01':
> User [HOME+robcampbell]:
>
> [HOME\robcampbell at f01 ~]$ smbclient //DC01/Movies -c 'ls'
> Password for [HOME\robcampbell]:
>

[HOME\robcampbell at f01 ~]$ kinit
kinit: Client 'HOMErobcampbell at HOME.ROB-CAMPBELL.LAN' not found in Kerberos database while getting initial credentials

I guess something isn't set up right? But I'm not sure what.

cat /etc/krb5.conf
[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
forwardable = yes
rdns = false
ticket_lifetime = 10h
renew_lifetime = 5d
[realms]
home.rob-campbell.lan = {
kdc = dc01.home.rob-campbell.lan
admin_server = DC01.home.rob-campbell.lan
# master_key_type = aes256-cts
# default_principal_flags = +preauth
}
HOME = {
kdc = dc01.home.rob-campbell.lan
admin_server = DC01.home.rob-campbell.lan
# master_key_type = aes256-cts
# default_principal_flags = +preauth
}

[domain_realm]
.home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
[logging]
kdc = FILE:/var/log/samba/krb5.log
admin_server = FILE:/var/log/samba/mit_kadmin.log

cat /etc/samba/smb.conf
# Global parameters
[global]
server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns
security = ADS
realm = home.rob-campbell.lan
workgroup = HOME

idmap config * : range = 10000-9999999
idmap config * : backend = autorid
idmap config * : rangesize = 200000

map acl inherit = Yes
vfs objects = acl_xattr

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
winbind enum groups = Yes
winbind enum users = Yes
; winbind separator = \
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
unix charset = UTF-8
log file = /var/log/samba/%m.log
log level = 3

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
Rowland Penny
2022-Nov-17 20:17 UTC
[Samba] Should I be able to access shares w/o authenticating again?
On 17/11/2022 19:49, Rob Campbell via samba wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
>
> On Thu, Nov 17, 2022 at 2:13 PM Rob Campbell <robcampbell08105 at gmail.com>
> wrote:
>
>> I've logged into the different machines with my AD login. Shouldn't I be
>> able to just open up shares and not have to provide a password? I thought
>> my credentials would be passed and I wouldn't have to reauthenticate.
>>
>> gio mount smb://DC01/photos
>> Authentication Required
>> Enter user and password for share 'photos' on 'dc01':

You really shouldn't be using a DC as a fileserver.

>> User [HOME+robcampbell]:
>>
>> [HOME\robcampbell at f01 ~]$ smbclient //DC01/Movies -c 'ls'
>> Password for [HOME\robcampbell]:
>>
>
> [HOME\robcampbell at f01 ~]$ kinit
> kinit: Client 'HOMErobcampbell at HOME.ROB-CAMPBELL.LAN' not found in Kerberos
> database while getting initial credentials
>
> I guess something isn't set up right? But I'm not sure what.

You are using autorid, so you cannot remove the NetBIOS domain name, so you
are going to have to explicitly use it and 'escape' the separator.

All these problems would go away if you used the 'rid' idmap backend along
with 'winbind use default domain = yes', or do you plan on using trusted
domains?

> cat /etc/krb5.conf
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> forwardable = yes
> rdns = false
> ticket_lifetime = 10h
> renew_lifetime = 5d
> [realms]
> home.rob-campbell.lan = {
> kdc = dc01.home.rob-campbell.lan
> admin_server = DC01.home.rob-campbell.lan
> # master_key_type = aes256-cts
> # default_principal_flags = +preauth
> }
> HOME = {
> kdc = dc01.home.rob-campbell.lan
> admin_server = DC01.home.rob-campbell.lan
> # master_key_type = aes256-cts
> # default_principal_flags = +preauth
> }
>
> [domain_realm]
> .home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> [logging]
> kdc = FILE:/var/log/samba/krb5.log
> admin_server = FILE:/var/log/samba/mit_kadmin.log

Your /etc/krb5.conf needs only to be this:

[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
HOME.ROB-CAMPBELL.LAN = {
default_domain = home.rob-campbell.lan
}

[domain_realm]
THE_COMPUTERS_SHORT_HOSTNAME_IN_CAPITALS = HOME.ROB-CAMPBELL.LAN

> cat /etc/samba/smb.conf
> # Global parameters
> [global]
> server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns

The line above is only used on a DC

> security = ADS
> realm = home.rob-campbell.lan
> workgroup = HOME
>
> idmap config * : range = 10000-9999999
> idmap config * : backend = autorid
> idmap config * : rangesize = 200000
>
> map acl inherit = Yes
> vfs objects = acl_xattr
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> winbind enum groups = Yes
> winbind enum users = Yes

The two lines above can slow things down and should only be used for testing.

Rowland
Andrew Bartlett
2022-Nov-17 20:53 UTC
[Samba] Should I be able to access shares w/o authenticating again?
On Thu, 2022-11-17 at 14:49 -0500, Rob Campbell via samba wrote:
> server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns
>
> security = ADS

I just want to say that this is a contradiction. If this is a fileserver, as suggested by security=ads, then server services is not used, it only applies to the 'samba' binary.

Andrew,

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
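The points Rowland and Andrew make above (autorid keeps the NetBIOS domain in user names, 'winbind enum users/groups' is for testing only, and 'server services' is a DC-only parameter that a member server with security = ADS ignores) can be turned into a small config check. The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf the way Samba matches parameter names (case and whitespace insensitive), reports those three problems against the relevant lines of the poster's config, and shows a clean member-server config in the shape Rowland recommends (the idmap ranges in FIXED_SMB_CONF are illustrative, not from the thread). The last two helpers are assumptions about why the bare `kinit` above asked for 'HOMErobcampbell': MIT krb5 treats a backslash in a principal name as an escape character, while the principal AD actually knows is sAMAccountName@REALM.

```python
"""Lint a Samba member-server smb.conf for the issues raised in this thread.

Added example, not Samba project code. SAMPLE_SMB_CONF holds the relevant
lines of the poster's config; FIXED_SMB_CONF is an assumed replacement in the
shape Rowland describes (rid backend + 'winbind use default domain').
"""
import re

SAMPLE_SMB_CONF = """\
# Global parameters
[global]
server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns
security = ADS
realm = home.rob-campbell.lan
workgroup = HOME
idmap config * : range = 10000-9999999
idmap config * : backend = autorid
idmap config * : rangesize = 200000
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
winbind enum groups = Yes
winbind enum users = Yes
"""

FIXED_SMB_CONF = """\
[global]
security = ADS
realm = home.rob-campbell.lan
workgroup = HOME
# '*' covers BUILTIN etc.; the domain gets its own, non-overlapping rid range
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HOME : backend = rid
idmap config HOME : range = 10000-999999
winbind use default domain = yes
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for an smb.conf.

    Samba compares parameter names ignoring case and whitespace, so
    "idmap config * : backend" is stored as "idmapconfig*:backend".
    Lines starting with '#' or ';' are comments; '=' is the only separator
    (':' legitimately appears inside idmap keys).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint(sections):
    """Return a list of findings; empty when none of the thread's issues apply."""
    g = sections.get("global", {})
    findings = []
    is_dc = g.get("serverrole", "").lower() == "active directory domain controller"
    if "serverservices" in g and not is_dc:
        findings.append("'server services' is only read by the 'samba' DC binary; "
                        "a member server (security = ADS) ignores it")
    if g.get("idmapconfig*:backend", "").lower() == "autorid":
        findings.append("autorid keeps the NetBIOS domain in user names (DOMAIN\\user); "
                        "use 'idmap config DOMAIN : backend = rid' with "
                        "'winbind use default domain = yes' for plain user names")
    for param in ("winbind enum users", "winbind enum groups"):
        if is_yes(g.get(param.replace(" ", ""), "no")):
            findings.append(f"'{param} = yes' enumerates the whole domain and is slow; "
                            "leave it off outside testing")
    return findings


def kerberos_principal(login, realm, separator="\\"):
    """Map a winbind login such as 'HOME\\robcampbell' to the principal kinit
    should request: sAMAccountName@REALM, realm in upper case."""
    user = login.split(separator, 1)[1] if separator in login else login
    return f"{user}@{realm.upper()}"


def mit_parse_name(name):
    """Assumption (simplified): MIT krb5 treats backslash as an escape when
    parsing a principal, so the winbind separator silently disappears."""
    return re.sub(r"\\(.)", r"\1", name)


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", finding)
    print(mit_parse_name("HOME\\robcampbell"), "->",
          kerberos_principal("HOME\\robcampbell", "home.rob-campbell.lan"))
```

Run it as-is to see the four findings for the quoted config and none for the fixed one; to lint a real file, replace SAMPLE_SMB_CONF with `open("/etc/samba/smb.conf").read()`.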