S P Arif Sahari Wibowo
2017-Apr-20 13:25 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-16, 19:06, S P Arif Sahari Wibowo via samba wrote:
> I was looking into samba wiki pages and cannot find
> documentation for this. Generally most of the documentation pages
> either discuss samba as an AD member or standalone.

So still looking at this.

So this is the state currently: the kerberos setup (krb5.conf and keytab) is working on the server, I can do kinit properly. But the Samba setup is still not working. Here is what I have in /etc/smb.conf:

[global]
workgroup = MYREALM
server string = UATest Samba Server Version %v
netbios name = myserver
log file = /var/log/samba/log.%m
max log size = 50
security = ads
realm = MYREALM.CA
password server = mykerberos.myrealm.ca
kerberos method = system keytab
log level = 3 passdb:5 auth:10

load printers = no
cups options = raw
printing = bsd

[tmp]
comment = Temporary Stuff
path = /tmp
public = yes
writable = yes
printable = no

When I try to connect locally:

# kinit mykerbuser
Password for mykerbuser at MYREALM.CA:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mykerbuser at MYREALM.CA

Valid starting     Expires            Service principal
20/04/17 07:24:13  21/04/17 08:24:10  krbtgt/MYREALM.CA at MYREALM.CA
# smbclient -k -U mykerbuser -L localhost
session setup failed: NT_STATUS_IO_TIMEOUT

If I do tcpdump on the Kerberos server, I see this output repeated:

07:18:55.708609 mykerberos.myrealm.ca > 172.1.1.111: icmp: mykerberos.myrealm.ca udp port netbios-ns unreachable
07:18:56.709751 172.1.1.111.34265 > mykerberos.myrealm.ca.netbios-ns: udp 50 (DF)

-- 
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___       http://www.arifsaha.com/
  ____/ /     /     ____/
On Thu, 20 Apr 2017 07:25:14 -0600 (MDT)
S P Arif Sahari Wibowo via samba <samba at lists.samba.org> wrote:

> # smbclient -k -U mykerbuser -L localhost
> session setup failed: NT_STATUS_IO_TIMEOUT
>

It works against a Samba AD DC from a Unix domain member, provided you change 'localhost' to the domain member's short hostname.

Rowland
On Thu, 20 Apr 2017 07:25:14 -0600 (MDT)
S P Arif Sahari Wibowo via samba <samba at lists.samba.org> wrote:

Aha, very funny, cc'ed the OP and got this:

From: S P Arif Sahari Wibowo <arifsaha at yahoo.com>
To: Rowland Penny <rpenny at samba.org>
Subject: Auto Response: Re: [Samba] Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
Date: Thu, 20 Apr 2017 13:46:28 +0000 (UTC)

If you know I am expecting the message you sent just now, please disregard this message. Otherwise, I am not checking this account regularly. You may get a response much later and in some occasion you may never get one.

If you need to get in touch with me in timely and reliable manner, please start from this web page:

http://www.arifsaha.com/contact/

Thank you for your understanding.

69928b34ff78b0c185aa82f72b5407f0

but when you go to 'http://www.arifsaha.com/contact/', you get this:

Software error:

Can't locate HTML/Template.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at index.cgi line 32.
BEGIN failed--compilation aborted at index.cgi line 32.

Please e-mail the error message above, either directly to arifsaha at yahoo.com or by first sending an e-mail an empty e-mail to contact at arifsaha.com, then e-mail the error message to the e-mail address provided in the bounce e-mail (something like contact-confirmXXXXXXXXXXXXXXX at arifsaha.com). Thank you!!

Please turn this rubbish off!!!!

Rowland
S P Arif Sahari Wibowo
2017-Apr-20 16:11 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-20, 08:03, Rowland Penny via samba wrote:
> It works against a Samba AD DC from a Unix domain member,

There is no Samba AD DC; as the title says, I am setting Samba up to authenticate with non-AD Kerberos.

> provided you change 'localhost' to the domain members short
> hostname.

No change:

# smbclient -k -U mykerbuser -L myserver
session setup failed: NT_STATUS_IO_TIMEOUT

I already removed any firewall blocking, BTW.

-- 
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___       http://www.arifsaha.com/
  ____/ /     /     ____/
On Thu, 2017-04-20 at 07:25 -0600, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-16, 19:06, S P Arif Sahari Wibowo via samba wrote:
> > I was looking into samba wiki pages and cannot find
> > documentation for this. Generally most the documentation pages
> > either discussing samba as AD member or standalone.
> 
> So still looking at this.
> 
> So this is the state currently: kerberos setup (krb5.conf and
> keytab) is working in the server, I can do kinit properly. But
> setting of Samba still not working. Here is what I have in
> /etc/smb.conf:
> 
> [global]
> workgroup = MYREALM
> server string = UATest Samba Server Version %v
> netbios name = myserver
> log file = /var/log/samba/log.%m
> max log size = 50
> security = ads

As I mentioned first up, please set security=user

> realm = MYREALM.CA
> password server = mykerberos.myrealm.ca

Don't set this. Samba won't be contacting the KDC, in Kerberos that is the client's job.

> kerberos method = system keytab
> log level = 3 passdb:5 auth:10
> 
> load printers = no
> cups options = raw
> printing = bsd
> [tmp]
> comment = Temporary Stuff
> path = /tmp
> public = yes
> writable = yes
> printable = no

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
S P Arif Sahari Wibowo
2017-Apr-25 21:23 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> Not windows clients without much pain. In theory Windows can
> join a non-AD KDC, but it is incredibly rarely done.

Would you mind giving a clearer picture of how much pain we are talking about here? Any link to somebody who did it? I need to compare it to the pain of the other alternatives I have on the table, like letting clients mount files using sshfs.

On 2017-04-22, 02:27, Andrew Bartlett via samba wrote:
> As I mentioned first up, please set
> security=user
...
> > password server = mykerberos.myrealm.ca
> 
> Don't set this. Samba won't be contacting the KDC, in
> Kerberos that is the client's job.

Turns out when I managed to get it working, neither option mattered; I can set it up either way and it still works. This is the configuration that works:

[global]
workgroup = MYREALM.CA
server string = MyTest Samba Server Version %v
netbios name = myserver
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 50
realm = MYREALM.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
log level = 3 passdb:5 auth:10
obey pam restrictions = no

load printers = no
cups options = raw
printing = bsd

[tmp]
comment = Temporary Stuff
path = /tmp
public = yes
writable = yes
printable = no

-- 
    ____  ____  ____  ____ (stephan paul) Arif Sahari Wibowo
   /___  /___/ /___/ /___       http://www.arifsaha.com/
  ____/ /     /     ____/
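The two configurations in this thread (the first, non-working one with security = ads and password server, and the final working one with a dedicated keytab) differ in a handful of lines, and Andrew Bartlett's advice amounts to a checklist over those lines. The script below is an added example, not code from the thread or from the Samba project: it parses smb.conf syntax with Python's configparser and reports the settings discussed here, plus one share-level check (a share that is both guest-accessible and writable, as [tmp] is in both configs). The parameter names are real smb.conf parameters; the sample configurations are constructed, modelled on the two posted in the thread; the finding codes are invented for this script.

```python
"""Lint the Kerberos-related parts of a Samba smb.conf (added example)."""
import configparser
from typing import Dict, List, Tuple

# Constructed sample modelled on the first (non-working) configuration in the thread.
SMB_CONF_FIRST = """
[global]
workgroup = MYREALM
server string = UATest Samba Server Version %v
netbios name = myserver
log file = /var/log/samba/log.%m
security = ads
realm = MYREALM.CA
password server = mykerberos.myrealm.ca
kerberos method = system keytab
log level = 3 passdb:5 auth:10

[tmp]
comment = Temporary Stuff
path = /tmp
public = yes
writable = yes
printable = no
"""

# Constructed sample modelled on the configuration reported as working.
SMB_CONF_WORKING = """
[global]
workgroup = MYREALM.CA
netbios name = myserver
realm = MYREALM.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
log level = 3 passdb:5 auth:10

[tmp]
path = /tmp
public = yes
writable = yes
printable = no
"""


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf syntax: interpolation=None keeps %v/%m literal, strict=False
    tolerates repeated keys, optionxform folds case and whitespace in parameter names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return cp


def as_bool(value: str) -> bool:
    """Samba boolean syntax: yes/true/1 versus no/false/0."""
    return value.strip().lower() in ("yes", "true", "1")


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing was flagged."""
    cp = parse_smb_conf(text)
    findings: List[Tuple[str, str]] = []
    g: Dict[str, str] = dict(cp["global"]) if cp.has_section("global") else {}

    # Thread advice: a plain KDC is not an AD domain, so security = user, not ads.
    if g.get("security", "").lower() == "ads":
        findings.append(("SECURITY_ADS",
                         "security = ads assumes an AD domain; the thread advises security = user for a non-AD KDC"))
    # Thread advice: Samba does not contact the KDC, the client does, so this is dead config.
    if "password server" in g:
        findings.append(("PASSWORD_SERVER", "password server is set but unused for Kerberos"))

    method = g.get("kerberos method", "").lower()
    if method and "realm" not in g:
        findings.append(("REALM_MISSING", "kerberos method is set but realm is not"))
    if method == "dedicated keytab" and "dedicated keytab file" not in g:
        findings.append(("KEYTAB_FILE_MISSING", "dedicated keytab needs dedicated keytab file"))

    # Share-level check: guest-accessible and writable at the same time.
    for section in cp.sections():
        if section == "global":
            continue
        s = dict(cp[section])
        guest = as_bool(s.get("public", s.get("guest ok", "no")))  # 'public' is a synonym of 'guest ok'
        writable = as_bool(s.get("writable", s.get("writeable", "no"))) or (
            "read only" in s and not as_bool(s["read only"]))
        if guest and writable:
            findings.append(("GUEST_WRITABLE", f"share [{section}] is guest-accessible and writable"))
    return findings


if __name__ == "__main__":
    for label, conf in (("first config", SMB_CONF_FIRST), ("working config", SMB_CONF_WORKING)):
        print(f"== {label} ==")
        for code, msg in lint(conf) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run as-is it lints both samples; point parse_smb_conf at the contents of a real /etc/samba/smb.conf to lint your own. The checks encode what this thread actually said (security = user, no password server, a keytab file when kerberos method = dedicated keytab); the OP later reported that the first two made no difference in practice, so treat those two findings as advice rather than hard errors.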