Kacper Wirski
2017-Nov-01 12:11 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Hello, Thank You for fast response. I'm glad that it's a mistake somewhere on my side, it means it will work when I fix it :) Ok, first of all: Everything is on centos 7.4 All config files will be below, but to start off: behaviour is stranger than I thought, but there is a pattern: when doing [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V Using default cache: /tmp/krb5cc_101003 Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in Kerberos database while getting initial credentials but then when I do: [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V Using default cache: /tmp/krb5cc_101003 Using principal: kacper_wirski at AD.MYDOMAIN.COM Password for kacper_wirski at AD.MYDOMAIN.COM: Warning: Your password will expire in 15 days on Thu 16 Nov 2017 01:50:48 PM CET Authenticated to Kerberos v5 and after this, user DOMAIN\kacper_wirski can do "kinit", and it correctly defaults to principal "kacper_wirski at AD.MYDOMAIN.COM": [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V Using principal: kacper_wirski at AD.MYDOMAIN.COM Password for kacper_wirski at AD.MYDOMAIN.COM: I don't know what gives. After full reboot it still works for "this" user. When I log as DOMAIN\someotheruser it behaves exactly the same (first adds DOMAIN prefix, then when once ticket is obtained correctly, it seems to work...) kerberos ssh authentication (windows via putty to centos with samba 4) works perfectly: Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to DOMAIN\\kacper_wirski, krb5 principal kacper_wirski at AD.MYDOMAIN.COM (ssh_gssapi_krb5_cmdok) Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski' granted access Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32 port 55825 ssh All file shares hosted by samba are correctly available to windows clients. First of all: On test box I'm using samba 4.6.9 compiled from source. configure was run with simple --with-systemd --without-ad-dc //etc/resolv.conf:/ // /# Generated by NetworkManager// //search ad.mydomain.com// //nameserver 192.168.1.5// //nameserver 192.168.1.6// //nameserver 192.168.1.7/ all three IP's are DC's with DNS all work correctly //etc/hostname// //vs-files.ad.mydomain.com/ //etc/hosts// //192.168.1.13 vs-files.ad.mydomain.com vs-files// //127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4// //::1 localhost localhost.localdomain localhost6 localhost6.localdomain6/ //etc/krb5.conf// //[libdefaults]// // default_realm = AD.MYDOMAIN.COM// // dns_lookup_realm = true// // dns_lookup_kdc = true// //// //[realms]// // AD.MYDOMAIN.COM = {// // auth_to_local = RULE:[1:MYDOMAIN\$1]// // }/ The above rule is taken directly from the linked samba wiki guide, and it really works (without it I won't login with kerberos ticket, unless I drop "DOMAIN\" part using "winbind use default domain = yes". samba also auto-created it's own krb5.conf.DOMAIN file during net ads join (in /usr/local/samba/var/lock/smb_krb5/ /[libdefaults]// // default_realm = AD.MYDOMAIN.COM// // default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5// // dns_lookup_realm = false// // //[realms]// // AD.MYDOMAIN.COM = {// // kdc = 192.168.1.5// // kdc = 192.168.1.6// // kdc = 192.168.1.7// // }/ /etc/nsswitch.conf /passwd: files winbind// //shadow: files// //group: files winbind/ And last but not least: /usr/local/samba/etc/smb.conf (i compiled from source, so all samba files reside in /usr/local/samba/...) [global] / security = ADS// // netbios name = VS-FILES// // workgroup = DOMAIN// // realm = AD.MYDOMAIN.COM// // log file = /var/log/samba/%m.log// // log level = 5// // // idmap config *:backend = tdb// // idmap config * : range = 1000-2000// // idmap config DOMAIN:backend = rid// // idmap config DOMAIN:range = 100000-110000// //// // vfs objects = acl_xattr// // map acl inherit = yes// // store dos attributes = yes// // template homedir = /home/%U@%D// // template shell = /bin/bash// // winbind enum groups = no// // winbind enum users = no// // kerberos method = secrets and keytab// // winbind refresh tickets = yes// // winbind use default domain = no// // winbind offline logon = yes/ Example output, when being logged as DOMAIN\kacper_wirski (login was using kerberos, as shown in log, no password was required): [DOMAIN\kacper_wirski at vs-files ~]$ whoami DOMAIN\kacper_wirski [DOMAIN\kacper_wirski at vs-files ~]$ id uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users) groups=100513(DOMAIN\domain users)... and some other groups from domain but then: [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V Using default cache: /tmp/krb5cc_101003 Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in Kerberos database while getting initial credentials if do: [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V Using default cache: /tmp/krb5cc_101003 Using principal: kacper_wirski at AD.MYDOMAIN.COM Password for kacper_wirski at AD.MYDOMAIN.COM: Warning: Your password will expire in 15 days on Thu 16 Nov 2017 01:50:48 PM CET Authenticated to Kerberos v5 then: [DOMAIN\kacper_wirski at vs-files ~]$ klist Ticket cache: FILE:/tmp/krb5cc_101003 Default principal: kacper_wirski at AD.MYDOMAIN.COM Valid starting Expires Service principal 11/01/2017 12:32:36 11/01/2017 22:32:36 krbtgt/AD.MYDOMAIN.COM at AD.MYDOMAIN.COM renew until 11/02/2017 12:32:31 commands like: wbinfo -u etc. everything works, except for the "default principal" used when doing kinit. Please help me understand, where else to look? Could the RULE in krb5.conf be causing all this? I removed it, restarted whole machine, but it didn't change much. W dniu 2017-10-31 o 23:20, Rowland Penny pisze:> On Tue, 31 Oct 2017 22:46:53 +0100 > Kacper Wirski via samba<samba at lists.samba.org> wrote: > >> Hello, >> >> I'm setting up AD user logins for centos 7.4 box. I've almost managed >> to do everything the way I want and the way I think it should be, but >> I'm missing last piece: >> >> For ssh access I read parts of the >> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on >> >> Most docs recommend using setting in smb.conf: >> winbind use default domain = no >> >> that means that all domain users have DOMAIN\ prefix attached. As per >> the aforementioned wiki documet I made the workaround for >> authentication to krb5.conf, and it works OK. >> >> What isn't working is "kinit" as-is for logged in AD user. To be more >> precise: it works if I specify explicitly username >> kinit myusername >> or >> kinitmysusername at MY.DOMAIN.COM >> It works as expected (asks for password and grants ticket) >> >> otherwise plain "kinit" uses by default posix username, which in >> this case is DOMAIN\myusername, so it looks for: >> DOMAINmyusername at MY.DOMAIN.COM and fails with no principle found in >> database (and rightly so), because obviously it should use >> myusername at MY.DOMAIN.COM. >> >> I know it's not strictly samba related, and I could simply change >> winbind use default domain = yes >> as a workaround, this way everything works as expected, except that >> in all docs it's described as not recommended setup, because of >> possible confusion which user is from DOMAIN and which is local, and >> of course when multiple domains come into play. >> >> So maybe someone knows of a valid workaorund, how to force kinit to >> automatically remove/strip DOMAIN prefix from e.g. >> DOMAINmyusername at MY.DOMAIN.COM and change it into >> myusername at MY.DOMAIN.COM? My understanding is that krb5.conf >> "auth_to_local" works the other way around, so it takes valid >> principal, and rewrites it so that it matches posix user and won't >> work in this case,as it's the other way round (posix user has to be >> translated into valid principal). >> >> My environment is: >> centos 7.4 OS >> samba 4.5.x is the AD DC >> samba 4.6.9 is domain member server and all tests are done on this >> machine. >> >> As i said, kerberos overall works fine, and it's not strictly samba >> issue, but the issue is because of samba configuration and added >> DOMAIN prefix. >> >> Any help/input/comments are appreciated. >> >> Regards, Kacper >> >> > You have something set up incorrectly, if I log into a Unix domain > member and run 'kinit', it works: > > rowland at devstation:~$ whoami > SAMDOM\rowland > rowland at devstation:~$ kinit > Password forrowland at SAMDOM.EXAMPLE.COM: > rowland at devstation:~$ > > It also works on a DC. > > Can you post the following files: > /etc/resolv.conf > /etc/hosts > /etc/hostname > /etc/krb5.conf > /etc/samba/smb.conf > > Rowland >--- Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast. https://www.avast.com/antivirus
Kacper Wirski
2017-Nov-01 12:16 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Also I rushed my response: Behaviour is not strange, default principal was taken from cache. So if run: [DOMAIN\kacper_wirski at vs-files ~]$ kdestroy Error returns (kinit uses DOMAINkacper_wirski at AD.MYDOMAIN.COM as kerberos principal). W dniu 2017-11-01 o 13:11, Kacper Wirski pisze:> > Hello, > > Thank You for fast response. I'm glad that it's a mistake somewhere on > my side, it means it will work when I fix it :) > > Ok, first of all: > > > Everything is on centos 7.4 > > All config files will be below, but to start off: behaviour is > stranger than I thought, but there is a pattern: > > when doing > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V > Using default cache: /tmp/krb5cc_101003 > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in > Kerberos database while getting initial credentials > > > but then when I do: > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V > Using default cache: /tmp/krb5cc_101003 > Using principal: kacper_wirski at AD.MYDOMAIN.COM > Password for kacper_wirski at AD.MYDOMAIN.COM: > Warning: Your password will expire in 15 days on Thu 16 Nov 2017 > 01:50:48 PM CET > Authenticated to Kerberos v5 > > > and after this, user DOMAIN\kacper_wirski can do "kinit", and it > correctly defaults to principal "kacper_wirski at AD.MYDOMAIN.COM": > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V > Using principal: kacper_wirski at AD.MYDOMAIN.COM > Password for kacper_wirski at AD.MYDOMAIN.COM: > > > I don't know what gives. After full reboot it still works for "this" > user. When I log as DOMAIN\someotheruser it behaves exactly the same > (first adds DOMAIN prefix, then when once ticket is obtained > correctly, it seems to work...) > > kerberos ssh authentication (windows via putty to centos with samba 4) > works perfectly: > > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to > DOMAIN\\kacper_wirski, krb5 principal kacper_wirski at AD.MYDOMAIN.COM > (ssh_gssapi_krb5_cmdok) > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: > pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski' granted access > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted > gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32 port 55825 ssh > > All file shares hosted by samba are correctly available to windows > clients. > > First of all: > > On test box I'm using samba 4.6.9 compiled from source. > > configure was run with simple --with-systemd --without-ad-dc > > //etc/resolv.conf:/ > > // > > /# Generated by NetworkManager// > //search ad.mydomain.com// > //nameserver 192.168.1.5// > //nameserver 192.168.1.6// > //nameserver 192.168.1.7/ > > all three IP's are DC's with DNS all work correctly > > //etc/hostname// > //vs-files.ad.mydomain.com/ > > //etc/hosts// > //192.168.1.13 vs-files.ad.mydomain.com vs-files// > //127.0.0.1 localhost localhost.localdomain localhost4 > localhost4.localdomain4// > //::1 localhost localhost.localdomain localhost6 > localhost6.localdomain6/ > > //etc/krb5.conf// > //[libdefaults]// > // default_realm = AD.MYDOMAIN.COM// > // dns_lookup_realm = true// > // dns_lookup_kdc = true// > //// > //[realms]// > // AD.MYDOMAIN.COM = {// > // auth_to_local = RULE:[1:MYDOMAIN\$1]// > // }/ > > The above rule is taken directly from the linked samba wiki guide, and > it really works (without it I won't login with kerberos ticket, unless > I drop "DOMAIN\" part using "winbind use default domain = yes". > > samba also auto-created it's own krb5.conf.DOMAIN file during net ads > join (in /usr/local/samba/var/lock/smb_krb5/ > /[libdefaults]// > // default_realm = AD.MYDOMAIN.COM// > // default_etypes = aes256-cts-hmac-sha1-96 > aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5// > // dns_lookup_realm = false// > // > //[realms]// > // AD.MYDOMAIN.COM = {// > // kdc = 192.168.1.5// > // kdc = 192.168.1.6// > // kdc = 192.168.1.7// > // }/ > > > /etc/nsswitch.conf > /passwd: files winbind// > //shadow: files// > //group: files winbind/ > > And last but not least: > > /usr/local/samba/etc/smb.conf (i compiled from source, so all samba > files reside in /usr/local/samba/...) > [global] > / security = ADS// > // netbios name = VS-FILES// > // workgroup = DOMAIN// > // realm = AD.MYDOMAIN.COM// > // log file = /var/log/samba/%m.log// > // log level = 5// > // > // idmap config *:backend = tdb// > // idmap config * : range = 1000-2000// > // idmap config DOMAIN:backend = rid// > // idmap config DOMAIN:range = 100000-110000// > // > // vfs objects = acl_xattr// > // map acl inherit = yes// > // store dos attributes = yes// > // template homedir = /home/%U@%D// > // template shell = /bin/bash// > // winbind enum groups = no// > // winbind enum users = no// > // kerberos method = secrets and keytab// > // winbind refresh tickets = yes// > // winbind use default domain = no// > // winbind offline logon = yes/ > > Example output, when being logged as DOMAIN\kacper_wirski (login was > using kerberos, as shown in log, no password was required): > [DOMAIN\kacper_wirski at vs-files ~]$ whoami > DOMAIN\kacper_wirski > [DOMAIN\kacper_wirski at vs-files ~]$ id > uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users) > groups=100513(DOMAIN\domain users)... and some other groups from domain > > but then: > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V > Using default cache: /tmp/krb5cc_101003 > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in > Kerberos database while getting initial credentials > > if do: > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V > Using default cache: /tmp/krb5cc_101003 > Using principal: kacper_wirski at AD.MYDOMAIN.COM > Password for kacper_wirski at AD.MYDOMAIN.COM: > Warning: Your password will expire in 15 days on Thu 16 Nov 2017 > 01:50:48 PM CET > Authenticated to Kerberos v5 > > then: > [DOMAIN\kacper_wirski at vs-files ~]$ klist > Ticket cache: FILE:/tmp/krb5cc_101003 > Default principal: kacper_wirski at AD.MYDOMAIN.COM > > Valid starting Expires Service principal > 11/01/2017 12:32:36 11/01/2017 22:32:36 > krbtgt/AD.MYDOMAIN.COM at AD.MYDOMAIN.COM > renew until 11/02/2017 12:32:31 > > commands like: > wbinfo -u etc. everything works, except for the "default principal" > used when doing kinit. > > > > > Please help me understand, where else to look? > > Could the RULE in krb5.conf be causing all this? I removed it, > restarted whole machine, but it didn't change much. > > W dniu 2017-10-31 o 23:20, Rowland Penny pisze: >> On Tue, 31 Oct 2017 22:46:53 +0100 >> Kacper Wirski via samba<samba at lists.samba.org> wrote: >> >>> Hello, >>> >>> I'm setting up AD user logins for centos 7.4 box. I've almost managed >>> to do everything the way I want and the way I think it should be, but >>> I'm missing last piece: >>> >>> For ssh access I read parts of the >>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on >>> >>> Most docs recommend using setting in smb.conf: >>> winbind use default domain = no >>> >>> that means that all domain users have DOMAIN\ prefix attached. As per >>> the aforementioned wiki documet I made the workaround for >>> authentication to krb5.conf, and it works OK. >>> >>> What isn't working is "kinit" as-is for logged in AD user. To be more >>> precise: it works if I specify explicitly username >>> kinit myusername >>> or >>> kinitmysusername at MY.DOMAIN.COM >>> It works as expected (asks for password and grants ticket) >>> >>> otherwise plain "kinit" uses by default posix username, which in >>> this case is DOMAIN\myusername, so it looks for: >>> DOMAINmyusername at MY.DOMAIN.COM and fails with no principle found in >>> database (and rightly so), because obviously it should use >>> myusername at MY.DOMAIN.COM. >>> >>> I know it's not strictly samba related, and I could simply change >>> winbind use default domain = yes >>> as a workaround, this way everything works as expected, except that >>> in all docs it's described as not recommended setup, because of >>> possible confusion which user is from DOMAIN and which is local, and >>> of course when multiple domains come into play. >>> >>> So maybe someone knows of a valid workaorund, how to force kinit to >>> automatically remove/strip DOMAIN prefix from e.g. >>> DOMAINmyusername at MY.DOMAIN.COM and change it into >>> myusername at MY.DOMAIN.COM? My understanding is that krb5.conf >>> "auth_to_local" works the other way around, so it takes valid >>> principal, and rewrites it so that it matches posix user and won't >>> work in this case,as it's the other way round (posix user has to be >>> translated into valid principal). >>> >>> My environment is: >>> centos 7.4 OS >>> samba 4.5.x is the AD DC >>> samba 4.6.9 is domain member server and all tests are done on this >>> machine. >>> >>> As i said, kerberos overall works fine, and it's not strictly samba >>> issue, but the issue is because of samba configuration and added >>> DOMAIN prefix. >>> >>> Any help/input/comments are appreciated. >>> >>> Regards, Kacper >>> >>> >> You have something set up incorrectly, if I log into a Unix domain >> member and run 'kinit', it works: >> >> rowland at devstation:~$ whoami >> SAMDOM\rowland >> rowland at devstation:~$ kinit >> Password forrowland at SAMDOM.EXAMPLE.COM: >> rowland at devstation:~$ >> >> It also works on a DC. >> >> Can you post the following files: >> /etc/resolv.conf >> /etc/hosts >> /etc/hostname >> /etc/krb5.conf >> /etc/samba/smb.conf >> >> Rowland >> > > > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> > Wolny od wirusów. www.avast.com > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> > > > <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>--- Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast. https://www.avast.com/antivirus
L.P.H. van Belle
2017-Nov-01 13:30 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Hai, Now, i'll start with.. I know (almost) nothing about centos and i compaired you debug with my debug. Now, i'll give some pointer to check. Is ssh going through pam, then check if you have things like this. password [success=3 default=ignore] pam_krb5.so minimum_uid=1000 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass ( and remember these configs are from Debian Stretch ) The server in question, does it have delegate rights ( set in ADUC )? Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM Is missing a \ If you go though your logs, and you see : DOMAIN\\kacper_wirski at AD.MYDOMAIN.COM ( see the putty logs part)> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V > > Using default cache: /tmp/krb5cc_101003 > > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM > > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in > > Kerberos database while getting initial credentialsThis show that the separator is you problem. You can try it again with setting the separator to "/" and not "\" And maybe you should try this one first. [realms] SAMDOM.EXAMPLE.COM = { auth_to_local = RULE:[1:SAMDOM\\$1] #or auth_to_local = RULE:[1:SAMDOM/$1] } ps, / is replace to \ in most config setups, even in windows, but again i dont know about centos. Thats the best i can say about your setup. I hope it helps you bit more in the right direction. I say, check above and try it out and report back. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Kacper Wirski via samba > Verzonden: woensdag 1 november 2017 13:17 > Aan: Rowland Penny; samba at lists.samba.org > Onderwerp: Re: [Samba] kerberos + winbind + AD authentication > for samba 4 domain member > > Also I rushed my response: > > Behaviour is not strange, default principal was taken from cache. > > So if run: > > [DOMAIN\kacper_wirski at vs-files ~]$ kdestroy > > Error returns (kinit uses DOMAINkacper_wirski at AD.MYDOMAIN.COM as > kerberos principal). > > > > W dniu 2017-11-01 o 13:11, Kacper Wirski pisze: > > > > Hello, > > > > Thank You for fast response. I'm glad that it's a mistake > somewhere on > > my side, it means it will work when I fix it :) > > > > Ok, first of all: > > > > > > Everything is on centos 7.4 > > > > All config files will be below, but to start off: behaviour is > > stranger than I thought, but there is a pattern: > > > > when doing > > > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V > > Using default cache: /tmp/krb5cc_101003 > > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM > > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in > > Kerberos database while getting initial credentials > > > > > > but then when I do: > > > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V > > Using default cache: /tmp/krb5cc_101003 > > Using principal: kacper_wirski at AD.MYDOMAIN.COM > > Password for kacper_wirski at AD.MYDOMAIN.COM: > > Warning: Your password will expire in 15 days on Thu 16 Nov 2017 > > 01:50:48 PM CET > > Authenticated to Kerberos v5 > > > > > > and after this, user DOMAIN\kacper_wirski can do "kinit", and it > > correctly defaults to principal "kacper_wirski at AD.MYDOMAIN.COM": > > > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V > > Using principal: kacper_wirski at AD.MYDOMAIN.COM > > Password for kacper_wirski at AD.MYDOMAIN.COM: > > > > > > I don't know what gives. After full reboot it still works > for "this" > > user. When I log as DOMAIN\someotheruser it behaves exactly > the same > > (first adds DOMAIN prefix, then when once ticket is obtained > > correctly, it seems to work...) > > > > kerberos ssh authentication (windows via putty to centos > with samba 4) > > works perfectly: > > > > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to > > DOMAIN\\kacper_wirski, krb5 principal kacper_wirski at AD.MYDOMAIN.COM > > (ssh_gssapi_krb5_cmdok) > > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: > > pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski' > granted access > > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted > > gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32 > port 55825 ssh > > > > All file shares hosted by samba are correctly available to windows > > clients. > > > > First of all: > > > > On test box I'm using samba 4.6.9 compiled from source. > > > > configure was run with simple --with-systemd --without-ad-dc > > > > //etc/resolv.conf:/ > > > > // > > > > /# Generated by NetworkManager// > > //search ad.mydomain.com// > > //nameserver 192.168.1.5// > > //nameserver 192.168.1.6// > > //nameserver 192.168.1.7/ > > > > all three IP's are DC's with DNS all work correctly > > > > //etc/hostname// > > //vs-files.ad.mydomain.com/ > > > > //etc/hosts// > > //192.168.1.13 vs-files.ad.mydomain.com vs-files// > > //127.0.0.1 localhost localhost.localdomain localhost4 > > localhost4.localdomain4// > > //::1 localhost localhost.localdomain localhost6 > > localhost6.localdomain6/ > > > > //etc/krb5.conf// > > //[libdefaults]// > > // default_realm = AD.MYDOMAIN.COM// > > // dns_lookup_realm = true// > > // dns_lookup_kdc = true// > > //// > > //[realms]// > > // AD.MYDOMAIN.COM = {// > > // auth_to_local = RULE:[1:MYDOMAIN\$1]// > > // }/ > > > > The above rule is taken directly from the linked samba wiki > guide, and > > it really works (without it I won't login with kerberos > ticket, unless > > I drop "DOMAIN\" part using "winbind use default domain = yes". > > > > samba also auto-created it's own krb5.conf.DOMAIN file > during net ads > > join (in /usr/local/samba/var/lock/smb_krb5/ > > /[libdefaults]// > > // default_realm = AD.MYDOMAIN.COM// > > // default_etypes = aes256-cts-hmac-sha1-96 > > aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5// > > // dns_lookup_realm = false// > > // > > //[realms]// > > // AD.MYDOMAIN.COM = {// > > // kdc = 192.168.1.5// > > // kdc = 192.168.1.6// > > // kdc = 192.168.1.7// > > // }/ > > > > > > /etc/nsswitch.conf > > /passwd: files winbind// > > //shadow: files// > > //group: files winbind/ > > > > And last but not least: > > > > /usr/local/samba/etc/smb.conf (i compiled from source, so all samba > > files reside in /usr/local/samba/...) > > [global] > > / security = ADS// > > // netbios name = VS-FILES// > > // workgroup = DOMAIN// > > // realm = AD.MYDOMAIN.COM// > > // log file = /var/log/samba/%m.log// > > // log level = 5// > > // > > // idmap config *:backend = tdb// > > // idmap config * : range = 1000-2000// > > // idmap config DOMAIN:backend = rid// > > // idmap config DOMAIN:range = 100000-110000// > > // > > // vfs objects = acl_xattr// > > // map acl inherit = yes// > > // store dos attributes = yes// > > // template homedir = /home/%U@%D// > > // template shell = /bin/bash// > > // winbind enum groups = no// > > // winbind enum users = no// > > // kerberos method = secrets and keytab// > > // winbind refresh tickets = yes// > > // winbind use default domain = no// > > // winbind offline logon = yes/ > > > > Example output, when being logged as DOMAIN\kacper_wirski > (login was > > using kerberos, as shown in log, no password was required): > > [DOMAIN\kacper_wirski at vs-files ~]$ whoami > > DOMAIN\kacper_wirski > > [DOMAIN\kacper_wirski at vs-files ~]$ id > > uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users) > > groups=100513(DOMAIN\domain users)... and some other groups > from domain > > > > but then: > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V > > Using default cache: /tmp/krb5cc_101003 > > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM > > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in > > Kerberos database while getting initial credentials > > > > if do: > > > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V > > Using default cache: /tmp/krb5cc_101003 > > Using principal: kacper_wirski at AD.MYDOMAIN.COM > > Password for kacper_wirski at AD.MYDOMAIN.COM: > > Warning: Your password will expire in 15 days on Thu 16 Nov 2017 > > 01:50:48 PM CET > > Authenticated to Kerberos v5 > > > > then: > > [DOMAIN\kacper_wirski at vs-files ~]$ klist > > Ticket cache: FILE:/tmp/krb5cc_101003 > > Default principal: kacper_wirski at AD.MYDOMAIN.COM > > > > Valid starting Expires Service principal > > 11/01/2017 12:32:36 11/01/2017 22:32:36 > > krbtgt/AD.MYDOMAIN.COM at AD.MYDOMAIN.COM > > renew until 11/02/2017 12:32:31 > > > > commands like: > > wbinfo -u etc. everything works, except for the "default principal" > > used when doing kinit. > > > > > > > > > > Please help me understand, where else to look? > > > > Could the RULE in krb5.conf be causing all this? I removed it, > > restarted whole machine, but it didn't change much. > > > > W dniu 2017-10-31 o 23:20, Rowland Penny pisze: > >> On Tue, 31 Oct 2017 22:46:53 +0100 > >> Kacper Wirski via samba<samba at lists.samba.org> wrote: > >> > >>> Hello, > >>> > >>> I'm setting up AD user logins for centos 7.4 box. I've > almost managed > >>> to do everything the way I want and the way I think it > should be, but > >>> I'm missing last piece: > >>> > >>> For ssh access I read parts of the > >>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on > >>> > >>> Most docs recommend using setting in smb.conf: > >>> winbind use default domain = no > >>> > >>> that means that all domain users have DOMAIN\ prefix > attached. As per > >>> the aforementioned wiki documet I made the workaround for > >>> authentication to krb5.conf, and it works OK. > >>> > >>> What isn't working is "kinit" as-is for logged in AD > user. To be more > >>> precise: it works if I specify explicitly username > >>> kinit myusername > >>> or > >>> kinitmysusername at MY.DOMAIN.COM > >>> It works as expected (asks for password and grants ticket) > >>> > >>> otherwise plain "kinit" uses by default posix > username, which in > >>> this case is DOMAIN\myusername, so it looks for: > >>> DOMAINmyusername at MY.DOMAIN.COM and fails with no > principle found in > >>> database (and rightly so), because obviously it should use > >>> myusername at MY.DOMAIN.COM. > >>> > >>> I know it's not strictly samba related, and I could simply change > >>> winbind use default domain = yes > >>> as a workaround, this way everything works as expected, > except that > >>> in all docs it's described as not recommended setup, because of > >>> possible confusion which user is from DOMAIN and which is > local, and > >>> of course when multiple domains come into play. > >>> > >>> So maybe someone knows of a valid workaorund, how to > force kinit to > >>> automatically remove/strip DOMAIN prefix from e.g. > >>> DOMAINmyusername at MY.DOMAIN.COM and change it into > >>> myusername at MY.DOMAIN.COM? My understanding is that krb5.conf > >>> "auth_to_local" works the other way around, so it takes valid > >>> principal, and rewrites it so that it matches posix user and won't > >>> work in this case,as it's the other way round (posix user > has to be > >>> translated into valid principal). > >>> > >>> My environment is: > >>> centos 7.4 OS > >>> samba 4.5.x is the AD DC > >>> samba 4.6.9 is domain member server and all tests are done on this > >>> machine. > >>> > >>> As i said, kerberos overall works fine, and it's not > strictly samba > >>> issue, but the issue is because of samba configuration and added > >>> DOMAIN prefix. > >>> > >>> Any help/input/comments are appreciated. > >>> > >>> Regards, Kacper > >>> > >>> > >> You have something set up incorrectly, if I log into a Unix domain > >> member and run 'kinit', it works: > >> > >> rowland at devstation:~$ whoami > >> SAMDOM\rowland > >> rowland at devstation:~$ kinit > >> Password forrowland at SAMDOM.EXAMPLE.COM: > >> rowland at devstation:~$ > >> > >> It also works on a DC. > >> > >> Can you post the following files: > >> /etc/resolv.conf > >> /etc/hosts > >> /etc/hostname > >> /etc/krb5.conf > >> /etc/samba/smb.conf > >> > >> Rowland > >> > > > > > > > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>> > Wolny od wirusów. www.avast.com > > > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>> > > > > > <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> > > > > --- > Ta wiadomo???? zosta??a sprawdzona na obecno???? wirusów > przez oprogramowanie antywirusowe Avast. > https://www.avast.com/antivirus > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2017-Nov-01 13:52 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
As luck would have it, I installed a Samba Unix domain member on Fedora 26 yesterday, so I started it again and it works on that as well, so it should work on Centos. See comments below: On Wed, 1 Nov 2017 13:11:29 +0100 Kacper Wirski <kacper.wirski at gmail.com> wrote:> Hello, > > Thank You for fast response. I'm glad that it's a mistake somewhere > on my side, it means it will work when I fix it :) > > Ok, first of all: > > > Everything is on centos 7.4 > > All config files will be below, but to start off: behaviour is > stranger than I thought, but there is a pattern: > > when doing > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V > Using default cache: /tmp/krb5cc_101003 > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in > Kerberos database while getting initial credentials > > > but then when I do: > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V > Using default cache: /tmp/krb5cc_101003 > Using principal: kacper_wirski at AD.MYDOMAIN.COM > Password for kacper_wirski at AD.MYDOMAIN.COM: > Warning: Your password will expire in 15 days on Thu 16 Nov 2017 > 01:50:48 PM CET > Authenticated to Kerberos v5 > > > and after this, user DOMAIN\kacper_wirski can do "kinit", and it > correctly defaults to principal "kacper_wirski at AD.MYDOMAIN.COM": > > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V > Using principal: kacper_wirski at AD.MYDOMAIN.COM > Password for kacper_wirski at AD.MYDOMAIN.COM: > > > I don't know what gives. After full reboot it still works for "this" > user. When I log as DOMAIN\someotheruser it behaves exactly the same > (first adds DOMAIN prefix, then when once ticket is obtained > correctly, it seems to work...)No idea why this is happening, all I can say is, it doesn't work like that on Devuan, it just works ;-)> //etc/hostname// > //vs-files.ad.mydomain.com/The FQDN is not the hostname, why does red-hat do this ? I would change this to: vs-files> > //etc/hosts// > //192.168.1.13 vs-files.ad.mydomain.com vs-files// > //127.0.0.1 localhost localhost.localdomain localhost4 > localhost4.localdomain4// > //::1 localhost localhost.localdomain localhost6 > localhost6.localdomain6/There is no such thing as 'localdomain', I would change this to: 127.0.0.1 localhost ::1 localhost 192.168.1.13 vs-files.ad.mydomain.com vs-files> > //etc/krb5.conf// > //[libdefaults]// > // default_realm = AD.MYDOMAIN.COM// > // dns_lookup_realm = true// > // dns_lookup_kdc = true// > //// > //[realms]// > // AD.MYDOMAIN.COM = {// > // auth_to_local = RULE:[1:MYDOMAIN\$1]// > // }/ > > The above rule is taken directly from the linked samba wiki guide, > and it really works (without it I won't login with kerberos ticket, > unless I drop "DOMAIN\" part using "winbind use default domain = yes".It should be 'dns_lookup_realm = false'> > samba also auto-created it's own krb5.conf.DOMAIN file during net ads > join (in /usr/local/samba/var/lock/smb_krb5/ > /[libdefaults]// > // default_realm = AD.MYDOMAIN.COM// > // default_etypes = aes256-cts-hmac-sha1-96 > aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5// > // dns_lookup_realm = false// > // > //[realms]// > // AD.MYDOMAIN.COM = {// > // kdc = 192.168.1.5// > // kdc = 192.168.1.6// > // kdc = 192.168.1.7// > // }/ >I have never seen a Samba created krb5.conf like that> > /usr/local/samba/etc/smb.conf (i compiled from source, so all samba > files reside in /usr/local/samba/...) > [global] > / security = ADS// > // netbios name = VS-FILES// > // workgroup = DOMAIN// > // realm = AD.MYDOMAIN.COM// > // log file = /var/log/samba/%m.log// > // log level = 5// > // > // idmap config *:backend = tdb// > // idmap config * : range = 1000-2000// > // idmap config DOMAIN:backend = rid// > // idmap config DOMAIN:range = 100000-110000// > //// > // vfs objects = acl_xattr// > // map acl inherit = yes// > // store dos attributes = yes// > // template homedir = /home/%U@%D//I would have used '/home/%D/%U' I changed the files on my Fedora 26 machine to match the Samba wikipage you referred to and it still works, I can login as a domain user and run 'kinit' and it works: [SAMDOM\rowland at f26 ~]$ kinit Password for rowland at SAMDOM.EXAMPLE.COM: [SAMDOM\rowland at f26 ~]$ Rowland
Rowland Penny
2017-Nov-01 17:44 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
On Wed, 1 Nov 2017 17:41:14 +0100 (CET) "k.wirski babkamedica.pl" <k.wirski at babkamedica.pl> wrote:> Thank You, > > /etc/hostname i set it myself, never seen issue with FQDN, I'll > change it > > localdomain in /etc/hosts is from the default config > > this auto krb5.conf.DOMAIN - could it be, that by default samba > builds with heimdall, and centos (as RHEL) uses MIT krb, and > something in /etc/krb5.conf was not ok during join, for whatever > reason? The "auth_to_local" is MIT kerberos specific. > > Also auth_to_local is used when logging to machine, and my issue with > kinit is when mapping is done from local to UPN. > > > I removed whole /usr/local/samba dir, installed from scratch, > re-added to domain, recreated krb5.keytab, and issue is 100% the same. > > > I tried changing winbind separater from default to + and changed > krb5.conf rule accordingly, it changed nothing. Issue is not with > kerberos for login, it works a-ok. The issue is that for whatever > reason POSIX user is used with full name as principal. > > When i changed winbind separator, my posix user was > "DOMAIN+kacper_wirski", and "kinit" used > > DOMAIN+kacper_wirski at BMAD.BABKAMEDICA.PL as principal. > > > I consider setting up new machine from scratch from centos minimal > and go from there or I'll take my risks and set "use default domain > yes", then everything works perfectly. > > > Can this issue be caused by something outside this machine, and > something wrong with the domain overall? I don't believe it, since it > seems very local OS specific, but maybe it is? >All I can say is that when I set up Fedora 26 yesterday in the way I would set up a Devuan computer, 'kinit' works in the way you want. You are correct in that Samba uses Heimdal rather than MIT, but this is supplied with Samba and is only used if you compile for a DC, you haven't. Whilst it isn't recommended to use 'use default domain = yes' it is used rather a lot. The only time it definitely shouldn't be used is if you have more than one DOMAIN set in smb.conf If it helps, I can send you the notes I made whilst setting up Fedora 26 Rowland
Kacper Wirski
2017-Nov-01 19:28 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
I'm going to start with clean centos install, so I might as well use some additional guidelines, thank You. When You run kinit, does Your user have ticket already? What I noticed is that when user has a ticket already, kinit works fine, uses as default principal the one from ticket. Can you do kdestroy - then kinit? Also, on Fedora, did You install samba from source or from repo's RPM? And last question - for PAM did You manually edit system-auth, or with authconfig? After I do some tests later on, I will update with whatever I manage to find/debug. 1 lis 2017 18:51 "Rowland Penny via samba" <samba at lists.samba.org> napisał(a):> On Wed, 1 Nov 2017 17:41:14 +0100 (CET) > "k.wirski babkamedica.pl" <k.wirski at babkamedica.pl> wrote: > > > Thank You, > > > > /etc/hostname i set it myself, never seen issue with FQDN, I'll > > change it > > > > localdomain in /etc/hosts is from the default config > > > > this auto krb5.conf.DOMAIN - could it be, that by default samba > > builds with heimdall, and centos (as RHEL) uses MIT krb, and > > something in /etc/krb5.conf was not ok during join, for whatever > > reason? The "auth_to_local" is MIT kerberos specific. > > > > Also auth_to_local is used when logging to machine, and my issue with > > kinit is when mapping is done from local to UPN. > > > > > > I removed whole /usr/local/samba dir, installed from scratch, > > re-added to domain, recreated krb5.keytab, and issue is 100% the same. > > > > > > I tried changing winbind separater from default to + and changed > > krb5.conf rule accordingly, it changed nothing. Issue is not with > > kerberos for login, it works a-ok. The issue is that for whatever > > reason POSIX user is used with full name as principal. > > > > When i changed winbind separator, my posix user was > > "DOMAIN+kacper_wirski", and "kinit" used > > > > DOMAIN+kacper_wirski at BMAD.BABKAMEDICA.PL as principal. > > > > > > I consider setting up new machine from scratch from centos minimal > > and go from there or I'll take my risks and set "use default domain > > yes", then everything works perfectly. > > > > > > Can this issue be caused by something outside this machine, and > > something wrong with the domain overall? I don't believe it, since it > > seems very local OS specific, but maybe it is? > > > > All I can say is that when I set up Fedora 26 yesterday in the way I > would set up a Devuan computer, 'kinit' works in the way you want. > > You are correct in that Samba uses Heimdal rather than MIT, but this is > supplied with Samba and is only used if you compile for a DC, you > haven't. > > Whilst it isn't recommended to use 'use default domain = yes' it is > used rather a lot. The only time it definitely shouldn't be used is if > you have more than one DOMAIN set in smb.conf > > If it helps, I can send you the notes I made whilst setting up Fedora 26 > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Apparently Analagous Threads
- kerberos + winbind + AD authentication for samba 4 domain member
- kerberos + winbind + AD authentication for samba 4 domain member
- kerberos + winbind + AD authentication for samba 4 domain member
- kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
- kerberos + winbind + AD authentication for samba 4 domain member