Kacper Wirski
2017-Oct-31 21:46 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Hello, I'm setting up AD user logins for centos 7.4 box. I've almost managed to do everything the way I want and the way I think it should be, but I'm missing last piece: For ssh access I read parts of the https://wiki.samba.org/index.php/OpenSSH_Single_sign-on Most docs recommend using setting in smb.conf: winbind use default domain = no that means that all domain users have DOMAIN\ prefix attached. As per the aforementioned wiki documet I made the workaround for authentication to krb5.conf, and it works OK. What isn't working is "kinit" as-is for logged in AD user. To be more precise: it works if I specify explicitly username kinit myusername or kinit mysusername at MY.DOMAIN.COM It works as expected (asks for password and grants ticket) otherwise plain "kinit" uses by default posix username, which in this case is DOMAIN\myusername, so it looks for: DOMAINmyusername at MY.DOMAIN.COM and fails with no principle found in database (and rightly so), because obviously it should use myusername at MY.DOMAIN.COM. I know it's not strictly samba related, and I could simply change winbind use default domain = yes as a workaround, this way everything works as expected, except that in all docs it's described as not recommended setup, because of possible confusion which user is from DOMAIN and which is local, and of course when multiple domains come into play. So maybe someone knows of a valid workaorund, how to force kinit to automatically remove/strip DOMAIN prefix from e.g. DOMAINmyusername at MY.DOMAIN.COM and change it into myusername at MY.DOMAIN.COM? My understanding is that krb5.conf "auth_to_local" works the other way around, so it takes valid principal, and rewrites it so that it matches posix user and won't work in this case,as it's the other way round (posix user has to be translated into valid principal). My environment is: centos 7.4 OS samba 4.5.x is the AD DC samba 4.6.9 is domain member server and all tests are done on this machine. As i said, kerberos overall works fine, and it's not strictly samba issue, but the issue is because of samba configuration and added DOMAIN prefix. Any help/input/comments are appreciated. Regards, Kacper --- Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast. https://www.avast.com/antivirus
Rowland Penny
2017-Oct-31 22:20 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
On Tue, 31 Oct 2017 22:46:53 +0100 Kacper Wirski via samba <samba at lists.samba.org> wrote:> Hello, > > I'm setting up AD user logins for centos 7.4 box. I've almost managed > to do everything the way I want and the way I think it should be, but > I'm missing last piece: > > For ssh access I read parts of the > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on > > Most docs recommend using setting in smb.conf: > winbind use default domain = no > > that means that all domain users have DOMAIN\ prefix attached. As per > the aforementioned wiki documet I made the workaround for > authentication to krb5.conf, and it works OK. > > What isn't working is "kinit" as-is for logged in AD user. To be more > precise: it works if I specify explicitly username > kinit myusername > or > kinit mysusername at MY.DOMAIN.COM > It works as expected (asks for password and grants ticket) > > otherwise plain "kinit" uses by default posix username, which in > this case is DOMAIN\myusername, so it looks for: > DOMAINmyusername at MY.DOMAIN.COM and fails with no principle found in > database (and rightly so), because obviously it should use > myusername at MY.DOMAIN.COM. > > I know it's not strictly samba related, and I could simply change > winbind use default domain = yes > as a workaround, this way everything works as expected, except that > in all docs it's described as not recommended setup, because of > possible confusion which user is from DOMAIN and which is local, and > of course when multiple domains come into play. > > So maybe someone knows of a valid workaorund, how to force kinit to > automatically remove/strip DOMAIN prefix from e.g. > DOMAINmyusername at MY.DOMAIN.COM and change it into > myusername at MY.DOMAIN.COM? My understanding is that krb5.conf > "auth_to_local" works the other way around, so it takes valid > principal, and rewrites it so that it matches posix user and won't > work in this case,as it's the other way round (posix user has to be > translated into valid principal). > > My environment is: > centos 7.4 OS > samba 4.5.x is the AD DC > samba 4.6.9 is domain member server and all tests are done on this > machine. > > As i said, kerberos overall works fine, and it's not strictly samba > issue, but the issue is because of samba configuration and added > DOMAIN prefix. > > Any help/input/comments are appreciated. > > Regards, Kacper > >You have something set up incorrectly, if I log into a Unix domain member and run 'kinit', it works: rowland at devstation:~$ whoami SAMDOM\rowland rowland at devstation:~$ kinit Password for rowland at SAMDOM.EXAMPLE.COM: rowland at devstation:~$ It also works on a DC. Can you post the following files: /etc/resolv.conf /etc/hosts /etc/hostname /etc/krb5.conf /etc/samba/smb.conf Rowland
Kacper Wirski
2017-Nov-01 12:11 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Hello,
Thank You for fast response. I'm glad that it's a mistake somewhere on
my side, it means it will work when I fix it :)
Ok, first of all:
Everything is on centos 7.4
All config files will be below, but to start off: behaviour is stranger
than I thought, but there is a pattern:
when doing
[DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
Using default cache: /tmp/krb5cc_101003
Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in
Kerberos database while getting initial credentials
but then when I do:
[DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
Using default cache: /tmp/krb5cc_101003
Using principal: kacper_wirski at AD.MYDOMAIN.COM
Password for kacper_wirski at AD.MYDOMAIN.COM:
Warning: Your password will expire in 15 days on Thu 16 Nov 2017
01:50:48 PM CET
Authenticated to Kerberos v5
and after this, user DOMAIN\kacper_wirski can do "kinit", and it
correctly defaults to principal "kacper_wirski at AD.MYDOMAIN.COM":
[DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
Using principal: kacper_wirski at AD.MYDOMAIN.COM
Password for kacper_wirski at AD.MYDOMAIN.COM:
I don't know what gives. After full reboot it still works for
"this"
user. When I log as DOMAIN\someotheruser it behaves exactly the same
(first adds DOMAIN prefix, then when once ticket is obtained correctly,
it seems to work...)
kerberos ssh authentication (windows via putty to centos with samba 4)
works perfectly:
Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to
DOMAIN\\kacper_wirski, krb5 principal kacper_wirski at AD.MYDOMAIN.COM
(ssh_gssapi_krb5_cmdok)
Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]:
pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski' granted access
Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted
gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32 port 55825 ssh
All file shares hosted by samba are correctly available to windows clients.
First of all:
On test box I'm using samba 4.6.9 compiled from source.
configure was run with simple --with-systemd --without-ad-dc
//etc/resolv.conf:/
//
/# Generated by NetworkManager//
//search ad.mydomain.com//
//nameserver 192.168.1.5//
//nameserver 192.168.1.6//
//nameserver 192.168.1.7/
all three IP's are DC's with DNS all work correctly
//etc/hostname//
//vs-files.ad.mydomain.com/
//etc/hosts//
//192.168.1.13 vs-files.ad.mydomain.com vs-files//
//127.0.0.1 localhost localhost.localdomain localhost4
localhost4.localdomain4//
//::1 localhost localhost.localdomain localhost6
localhost6.localdomain6/
//etc/krb5.conf//
//[libdefaults]//
// default_realm = AD.MYDOMAIN.COM//
// dns_lookup_realm = true//
// dns_lookup_kdc = true//
////
//[realms]//
// AD.MYDOMAIN.COM = {//
// auth_to_local = RULE:[1:MYDOMAIN\$1]//
// }/
The above rule is taken directly from the linked samba wiki guide, and
it really works (without it I won't login with kerberos ticket, unless I
drop "DOMAIN\" part using "winbind use default domain =
yes".
samba also auto-created it's own krb5.conf.DOMAIN file during net ads
join (in /usr/local/samba/var/lock/smb_krb5/
/[libdefaults]//
// default_realm = AD.MYDOMAIN.COM//
// default_etypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5//
// dns_lookup_realm = false//
//
//[realms]//
// AD.MYDOMAIN.COM = {//
// kdc = 192.168.1.5//
// kdc = 192.168.1.6//
// kdc = 192.168.1.7//
// }/
/etc/nsswitch.conf
/passwd: files winbind//
//shadow: files//
//group: files winbind/
And last but not least:
/usr/local/samba/etc/smb.conf (i compiled from source, so all samba
files reside in /usr/local/samba/...)
[global]
/ security = ADS//
// netbios name = VS-FILES//
// workgroup = DOMAIN//
// realm = AD.MYDOMAIN.COM//
// log file = /var/log/samba/%m.log//
// log level = 5//
//
// idmap config *:backend = tdb//
// idmap config * : range = 1000-2000//
// idmap config DOMAIN:backend = rid//
// idmap config DOMAIN:range = 100000-110000//
////
// vfs objects = acl_xattr//
// map acl inherit = yes//
// store dos attributes = yes//
// template homedir = /home/%U@%D//
// template shell = /bin/bash//
// winbind enum groups = no//
// winbind enum users = no//
// kerberos method = secrets and keytab//
// winbind refresh tickets = yes//
// winbind use default domain = no//
// winbind offline logon = yes/
Example output, when being logged as DOMAIN\kacper_wirski (login was
using kerberos, as shown in log, no password was required):
[DOMAIN\kacper_wirski at vs-files ~]$ whoami
DOMAIN\kacper_wirski
[DOMAIN\kacper_wirski at vs-files ~]$ id
uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users)
groups=100513(DOMAIN\domain users)... and some other groups from domain
but then:
[DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
Using default cache: /tmp/krb5cc_101003
Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in
Kerberos database while getting initial credentials
if do:
[DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
Using default cache: /tmp/krb5cc_101003
Using principal: kacper_wirski at AD.MYDOMAIN.COM
Password for kacper_wirski at AD.MYDOMAIN.COM:
Warning: Your password will expire in 15 days on Thu 16 Nov 2017
01:50:48 PM CET
Authenticated to Kerberos v5
then:
[DOMAIN\kacper_wirski at vs-files ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_101003
Default principal: kacper_wirski at AD.MYDOMAIN.COM
Valid starting Expires Service principal
11/01/2017 12:32:36 11/01/2017 22:32:36
krbtgt/AD.MYDOMAIN.COM at AD.MYDOMAIN.COM
renew until 11/02/2017 12:32:31
commands like:
wbinfo -u etc. everything works, except for the "default principal"
used
when doing kinit.
Please help me understand, where else to look?
Could the RULE in krb5.conf be causing all this? I removed it, restarted
whole machine, but it didn't change much.
W dniu 2017-10-31 o 23:20, Rowland Penny pisze:> On Tue, 31 Oct 2017 22:46:53 +0100
> Kacper Wirski via samba<samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I'm setting up AD user logins for centos 7.4 box. I've almost
managed
>> to do everything the way I want and the way I think it should be, but
>> I'm missing last piece:
>>
>> For ssh access I read parts of the
>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
>>
>> Most docs recommend using setting in smb.conf:
>> winbind use default domain = no
>>
>> that means that all domain users have DOMAIN\ prefix attached. As per
>> the aforementioned wiki documet I made the workaround for
>> authentication to krb5.conf, and it works OK.
>>
>> What isn't working is "kinit" as-is for logged in AD
user. To be more
>> precise: it works if I specify explicitly username
>> kinit myusername
>> or
>> kinitmysusername at MY.DOMAIN.COM
>> It works as expected (asks for password and grants ticket)
>>
>> otherwise plain "kinit" uses by default posix username,
which in
>> this case is DOMAIN\myusername, so it looks for:
>> DOMAINmyusername at MY.DOMAIN.COM and fails with no principle found in
>> database (and rightly so), because obviously it should use
>> myusername at MY.DOMAIN.COM.
>>
>> I know it's not strictly samba related, and I could simply change
>> winbind use default domain = yes
>> as a workaround, this way everything works as expected, except that
>> in all docs it's described as not recommended setup, because of
>> possible confusion which user is from DOMAIN and which is local, and
>> of course when multiple domains come into play.
>>
>> So maybe someone knows of a valid workaorund, how to force kinit to
>> automatically remove/strip DOMAIN prefix from e.g.
>> DOMAINmyusername at MY.DOMAIN.COM and change it into
>> myusername at MY.DOMAIN.COM? My understanding is that krb5.conf
>> "auth_to_local" works the other way around, so it takes valid
>> principal, and rewrites it so that it matches posix user and won't
>> work in this case,as it's the other way round (posix user has to be
>> translated into valid principal).
>>
>> My environment is:
>> centos 7.4 OS
>> samba 4.5.x is the AD DC
>> samba 4.6.9 is domain member server and all tests are done on this
>> machine.
>>
>> As i said, kerberos overall works fine, and it's not strictly samba
>> issue, but the issue is because of samba configuration and added
>> DOMAIN prefix.
>>
>> Any help/input/comments are appreciated.
>>
>> Regards, Kacper
>>
>>
> You have something set up incorrectly, if I log into a Unix domain
> member and run 'kinit', it works:
>
> rowland at devstation:~$ whoami
> SAMDOM\rowland
> rowland at devstation:~$ kinit
> Password forrowland at SAMDOM.EXAMPLE.COM:
> rowland at devstation:~$
>
> It also works on a DC.
>
> Can you post the following files:
> /etc/resolv.conf
> /etc/hosts
> /etc/hostname
> /etc/krb5.conf
> /etc/samba/smb.conf
>
> Rowland
>
---
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie
antywirusowe Avast.
https://www.avast.com/antivirus
Reasonably Related Threads
- kerberos + winbind + AD authentication for samba 4 domain member
- kerberos + winbind + AD authentication for samba 4 domain member
- kerberos + winbind + AD authentication for samba 4 domain member
- kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
- kerberos + winbind + AD authentication for samba 4 domain member