Hi Rowland,

> Are you using sssd or nslcd ?

I am using sssd. I can ssh into the server using credentials from either kerberos realm.
E.g.
ssh cwseys at PHYSICS.WISC.EDU@smb01.physics.wisc.edu
(works)
ssh seys at AD.WISC.EDU@smb01.physics.wisc.edu
(works)

PHYSICS.WISC.EDU is an MIT kerberos KDC.
AD.WISC.EDU is an active directory KDC (etc).

The reason I thought sssd would be best is because I want to use the /etc/passwd file for user existence and was easy to set up.

If sssd is not going to work for the overall goal of being able to use credentials from either Kerberos realm to authenticate, then I'm happy to ditch it!

> Also on a domain member (this is what you have), you cannot use 'unix
> password sync', mainly because you can have users etc in AD or in
> /etc/passwd, but not both.

I thought as much, but also did not remove this default from the smb.conf as yet. There are other mechanisms for changing passwords in the two Kerberos realms.

> To answer your original question, no I don't think you can have two
> 'Realms'. What you can have are trusts, I suggest you start here to see
> how to setup smb.conf correctly:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

I did not see anything useful for setting up authentication to multiple Kerberos realms or multiple trusts.

> Sorry but it isn't a standalone server.
>
>> # testparm
>> Load smb config files from /etc/samba/smb.conf
>> Processing section "[generic]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER

Hmm, I also have 'server role = standalone server' in the config file, but I guess that has been overridden.

I have run 'net ads join -U myADUser' when REALM=AD.WISC.EDU .

It looks like 'net ads join' adds a machine principal into the AD.WISC.EDU kerberos database and into the local machine's keytab. What other config does it change?

Does 'net ads join' also override the 'server role =' in smb.conf and this explains why 'Server role ROLE_DOMAIN_MEMBER' instead of standalone?

Thanks for the help!
Chad.
On 01/03/16 23:16, Chad William Seys wrote:
> Hi Rowland,
>
>> Are you using sssd or nslcd ?
> I am using sssd. I can ssh into the server using credentials from either
> kerberos realm.
> E.g.
> ssh cwseys at PHYSICS.WISC.EDU@smb01.physics.wisc.edu
> (works)
> ssh seys at AD.WISC.EDU@smb01.physics.wisc.edu
> (works)
>
> PHYSICS.WISC.EDU is an MIT kerberos KDC.
> AD.WISC.EDU is an active directory KDC (etc).
>
> The reason I thought sssd would be best is because I want to use the
> /etc/passwd file for user existence and was easy to set up.

You cannot have the same user in /etc/passwd and AD i.e. user 'foo' in /etc/passwd could, and probably would, be seen as the AD user 'foo'.

> If sssd is not going to work for the overall goal of being able to use
> credentials from either Kerberos realm to authenticate, then I'm happy to
> ditch it!

I am not saying that sssd won't work for what you are trying to do, you are just asking this in the wrong place, try the sssd-users mailing list.

>> Also on a domain member (this is what you have), you cannot use 'unix
>> password sync', mainly because you can have users etc in AD or in
>> /etc/passwd, but not both.
> I thought as much, but also did not remove this default from the smb.conf as
> yet. There are other mechanisms for changing passwords in the two Kerberos
> realms.
>
>> To answer your original question, no I don't think you can have two
>> 'Realms'. What you can have are trusts, I suggest you start here to see
>> how to setup smb.conf correctly:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> I did not see anything useful for setting up authentication to multiple
> Kerberos realms or multiple trusts.

To be honest, I have never needed to do this, but I don't think you actually authenticate to both kerberos realms, you just setup a trust between the two realms, try a search on the internet using 'active directory' and 'trusts'.

>> Sorry but it isn't a standalone server.
>>
>>> # testparm
>>> Load smb config files from /etc/samba/smb.conf
>>> Processing section "[generic]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
> Hmm, I also have 'server role = standalone server' in the config file, but I
> guess that has been overridden.

Just adding 'server role' to a machine you have joined to a domain isn't going to make it a standalone server. The definition of a 'standalone server' is a server that is not connected to a domain and holds its own database of users, groups etc.

> I have run 'net ads join -U myADUser' when REALM=AD.WISC.EDU .
>
> It looks like 'net ads join' adds a machine principal into the AD.WISC.EDU
> kerberos database and into the local machine's keytab. What other config does
> it change?

It probably creates a keytab.

> Does 'net ads join' also override the 'server role =' in smb.conf and this
> explains why 'Server role ROLE_DOMAIN_MEMBER' instead of standalone?

Yes

Rowland

> Thanks for the help!
> Chad.
Hi Rowland et al,

>> The reason I thought sssd would be best is because I want to use the
>> /etc/passwd file for user existence and was easy to set up.
>
> You cannot have the same user in /etc/passwd and AD i.e. user 'foo' in
> /etc/passwd could, and probably would, be seen as the AD user 'foo'.

The way the system is set up, username existence and UID is determined by /etc/passwd . Then sssd checks whether username/password are correct or not with the kerberos servers and retrieves nothing else (from them). This works fine as I can log in with ssh using username/password from either kerberos realm.

>> If sssd is not going to work for the overall goal of being able to use
>> credentials from either Kerberos realm to authenticate, then I'm happy to
>> ditch it!
>
> I am not saying that sssd won't work for what you are trying to do, you
> are just asking this in the wrong place, try the sssd-users mailing list.

It seems to me that samba is the sticking point. If REALM=AD.WISC.EDU I can gain access to samba shares with seys at AD.WISC.EDU, but not cwseys at PHYSICS.WISC.EDU. If REALM=PHYSICS.WISC.EDU, cwseys at PHYSICS.WISC.EDU can gain access, but seys at AD.WISC.EDU can not. I change nothing else besides REALM= in smb.conf .

My guess is that Samba is using REALM=BLAH to check only principals in the keytab whose realm is BLAH. So, it seems as though if Samba could be taught to understand a realm list REALM=BLAH,FOO,BAR and check principals from all of them in the keytab, then my problem would be solved.

> Just adding 'server role' to a machine you have joined to a domain isn't
> going to make it a standalone server. The definition of a 'standalone
> server' is a server that is not connected to a domain and holds its own
> database of users, groups etc.

I hope to use /etc/passwd /etc/groups as the database of user and groups, not get them from active directory. So I guess I'm hoping for semi-joined.
:)

> To be honest, I have never needed to do this, but I don't think you
> actually authenticate to both kerberos realms, you just setup a trust
> between the two realms, try a search on the internet using 'active
> directory' and 'trusts'.

I think this would work, so long as the active directory admins agree to add the krbtgt to their database! Crossing my fingers.

Thanks again!
Chad.
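Chad's guess above is that Samba only considers keytab principals whose realm equals the single `realm =` in smb.conf. As an added diagnostic (not code from this thread or from Samba), the script below parses a constructed `klist -k` listing and an smb.conf fragment and reports which keytab principals fall inside the configured realm and which belong to another realm; the hostnames, KVNOs and PHYSICS.WISC.EDU entries are constructed sample values.

```python
"""Group keytab principals by realm and compare with smb.conf's realm.
Added diagnostic; the keytab listing and smb.conf below are constructed."""
import re
from collections import defaultdict

# Constructed 'klist -k' style output for a host joined to AD.WISC.EDU that
# also carries principals from the MIT realm (sample values, not a real host).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/smb01.physics.wisc.edu@AD.WISC.EDU
   2 cifs/smb01.physics.wisc.edu@AD.WISC.EDU
   2 SMB01$@AD.WISC.EDU
   5 host/smb01.physics.wisc.edu@PHYSICS.WISC.EDU
   5 cifs/smb01.physics.wisc.edu@PHYSICS.WISC.EDU
"""

# Constructed smb.conf fragment with a single realm, as in the thread.
SMB_CONF = """\
[global]
    security = ads
    realm = AD.WISC.EDU
    workgroup = AD
"""

def parse_keytab_listing(text):
    """Return {realm: set(principal_without_realm)} from klist -k output."""
    by_realm = defaultdict(set)
    for line in text.splitlines():
        # Data lines start with a numeric KVNO, then principal@REALM.
        m = re.match(r'\s*\d+\s+(\S+)@([A-Z0-9.\-]+)\s*$', line)
        if m:
            by_realm[m.group(2)].add(m.group(1))
    return dict(by_realm)

def smb_conf_realm(text):
    """Return the value of the first 'realm =' line, upper-cased, or None."""
    for line in text.splitlines():
        m = re.match(r'\s*realm\s*=\s*(\S+)', line, re.IGNORECASE)
        if m:
            return m.group(1).upper()
    return None

def realm_report(klist_text, smb_conf_text):
    """Split keytab principals into those matching smb.conf's realm and the rest."""
    realms = parse_keytab_listing(klist_text)
    configured = smb_conf_realm(smb_conf_text)
    return {"configured_realm": configured,
            "matching": sorted(realms.get(configured, ())),
            "other_realms": sorted(r for r in realms if r != configured)}

if __name__ == "__main__":
    print(realm_report(KLIST_OUTPUT, SMB_CONF))
```

Any realm listed under `other_realms` is one whose principals are present in the keytab but not named by smb.conf, which is the situation Chad describes when switching REALM between the two values.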