samba - Nov 2012 - Samba & Active Directory w/ Kerberos Trust

Hello,

I'm having some difficulty understanding the best approach to setting up a
samba fileserver in our environment. We have an active directory domain (2008)
that has account "stubs" that we use for security and authorization
(the passwords are unknown/random). This domain has a one-way Kerberos trust to
an MIT Kerberos realm that we use for authentication. The user accounts are
name-mapped to the corresponding principal name in the kerberos/authentication
realm. I had planned to net join the server to the active directory realm for
user and group resolution, but configure PAM to use pam_krb5 for authentication
instead of winbind. However, it appears to me that, by design, Samba is not able
to authenticate and authorize in two different realms this way for the following
reason:

"Samba always ignores PAM for authentication in the case of encrypt
passwords =
yes<http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS>"
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

Setting "encrypt passwords = no" results in the following testparm
error:
ERROR: in 'security=domain' mode the 'encrypt passwords'
parameter must always be set to 'true'.

Anyone successfully authenticating this way?

Thanks for the help!
-Joseph



smb.conf:

[global]
log file = /var/log/samba/log.%m
log level = auth:3
max log size = 50
security = ads
netbios name = SERVERNAME
realm = AD.DOMAIN.EDU<http://ad.domain.edu/>
password server = dc.ad.domain.edu<http://dc.ad.domain.edu/>
workgroup = AD
idmap uid = 10000-5000000
idmap gid = 10000-5000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
obey pam restrictions = yes

On Thu, 2012-11-01 at 15:00 +0000, Rafferty, Joseph
wrote:
> Hello,
> 
> I'm having some difficulty understanding the best approach to setting
up a samba fileserver in our environment. We have an active directory domain
(2008) that has account "stubs" that we use for security and
authorization (the passwords are unknown/random). This domain has a one-way
Kerberos trust to an MIT Kerberos realm that we use for authentication. The user
accounts are name-mapped to the corresponding principal name in the
kerberos/authentication realm. I had planned to net join the server to the
active directory realm for user and group resolution, but configure PAM to use
pam_krb5 for authentication instead of winbind. However, it appears to me that,
by design, Samba is not able to authenticate and authorize in two different
realms this way for the following reason:
> 
> "Samba always ignores PAM for authentication in the case of encrypt
passwords =
yes<http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS>"
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
> 
> Setting "encrypt passwords = no" results in the following
testparm error:
> ERROR: in 'security=domain' mode the 'encrypt passwords'
parameter must always be set to 'true'.
> 
> Anyone successfully authenticating this way?
> 
> Thanks for the help!
> -Joseph
> 
> 
> 
> smb.conf:
> 
> [global]
> log file = /var/log/samba/log.%m
> log level = auth:3
> max log size = 50
> security = ads
> netbios name = SERVERNAME
> realm = AD.DOMAIN.EDU<http://ad.domain.edu/>
> password server = dc.ad.domain.edu<http://dc.ad.domain.edu/>
> workgroup = AD
> idmap uid = 10000-5000000
> idmap gid = 10000-5000000
> winbind separator = +
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = yes
> obey pam restrictions = yes
What error do you get when you use *just* what you have above?

You should run winbind, and accept kerberos logins from your clients.
We need to be joined to the AD domain.

As long as the tickets contain a PAC, we really don't mind where they
came from. 

Don't try and involve PAM or turn off encrypted passwords, because we
never get a plaintext password from modern clients anyway.


Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org