samba - Nov 2017 - kerberos + winbind + AD authentication for samba 4 domain member

Hello,

Thank You for fast response. I'm glad that it's a mistake somewhere on 
my side, it means it will work when I fix it :)

Ok, first of all:


Everything is on centos 7.4

All config files will be below, but to start off: behaviour is stranger 
than I thought, but there is a pattern:

when doing

[DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
Using default cache: /tmp/krb5cc_101003
Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in 
Kerberos database while getting initial credentials


but then when I do:

[DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
Using default cache: /tmp/krb5cc_101003
Using principal: kacper_wirski at AD.MYDOMAIN.COM
Password for kacper_wirski at AD.MYDOMAIN.COM:
Warning: Your password will expire in 15 days on Thu 16 Nov 2017 
01:50:48 PM CET
Authenticated to Kerberos v5


and after this, user DOMAIN\kacper_wirski can do "kinit", and it 
correctly defaults to principal "kacper_wirski at AD.MYDOMAIN.COM":

[DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
Using principal: kacper_wirski at AD.MYDOMAIN.COM
Password for kacper_wirski at AD.MYDOMAIN.COM:


I don't know what gives. After full reboot it still works for
"this"
user. When I log as DOMAIN\someotheruser it behaves exactly the same 
(first adds DOMAIN prefix, then when once ticket is obtained correctly, 
it seems to work...)

kerberos ssh authentication (windows via putty to centos with samba 4) 
works perfectly:

Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to 
DOMAIN\\kacper_wirski, krb5 principal kacper_wirski at AD.MYDOMAIN.COM 
(ssh_gssapi_krb5_cmdok)
Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: 
pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski' granted access
Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted 
gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32 port 55825 ssh

All file shares hosted by samba are correctly available to windows clients.

First of all:

On test box I'm using samba 4.6.9 compiled from source.

configure was run with simple --with-systemd --without-ad-dc

//etc/resolv.conf:/

//

/# Generated by NetworkManager//
//search ad.mydomain.com//
//nameserver 192.168.1.5//
//nameserver 192.168.1.6//
//nameserver 192.168.1.7/

all three IP's are DC's with DNS all work correctly

//etc/hostname//
//vs-files.ad.mydomain.com/

//etc/hosts//
//192.168.1.13 vs-files.ad.mydomain.com vs-files//
//127.0.0.1   localhost localhost.localdomain localhost4 
localhost4.localdomain4//
//::1         localhost localhost.localdomain localhost6 
localhost6.localdomain6/

//etc/krb5.conf//
//[libdefaults]//
//    default_realm = AD.MYDOMAIN.COM//
//    dns_lookup_realm = true//
//    dns_lookup_kdc = true//
////
//[realms]//
//    AD.MYDOMAIN.COM = {//
//        auth_to_local = RULE:[1:MYDOMAIN\$1]//
//        }/

The above rule is taken directly from the linked samba wiki guide, and 
it really works (without it I won't login with kerberos ticket, unless I 
drop "DOMAIN\" part using "winbind use default domain =
yes".

samba also auto-created it's own krb5.conf.DOMAIN file during net ads 
join (in /usr/local/samba/var/lock/smb_krb5/
/[libdefaults]//
//        default_realm = AD.MYDOMAIN.COM//
//        default_etypes = aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5//
//        dns_lookup_realm = false//
//
//[realms]//
//        AD.MYDOMAIN.COM = {//
//                kdc = 192.168.1.5//
//                kdc = 192.168.1.6//
//                kdc = 192.168.1.7//
//        }/


/etc/nsswitch.conf
/passwd: files winbind//
//shadow: files//
//group: files winbind/

And last but not least:

/usr/local/samba/etc/smb.conf (i compiled from source, so all samba 
files reside in /usr/local/samba/...)
[global]
/        security = ADS//
//        netbios name = VS-FILES//
//        workgroup = DOMAIN//
//        realm = AD.MYDOMAIN.COM//
//        log file = /var/log/samba/%m.log//
//        log level = 5//
//
//   idmap config *:backend = tdb//
//   idmap config * : range = 1000-2000//
//   idmap config DOMAIN:backend = rid//
//   idmap config DOMAIN:range = 100000-110000//
////
//        vfs objects = acl_xattr//
//        map acl inherit = yes//
//        store dos attributes = yes//
//        template homedir = /home/%U@%D//
//        template shell = /bin/bash//
//        winbind enum groups = no//
//        winbind enum users = no//
//        kerberos method = secrets and keytab//
//        winbind refresh tickets = yes//
//        winbind use default domain = no//
//        winbind offline logon = yes/

Example output, when being logged as DOMAIN\kacper_wirski (login was 
using kerberos, as shown in log, no password was required):
[DOMAIN\kacper_wirski at vs-files ~]$ whoami
DOMAIN\kacper_wirski
[DOMAIN\kacper_wirski at vs-files ~]$ id
uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users) 
groups=100513(DOMAIN\domain users)... and some other groups from domain

but then:
[DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
Using default cache: /tmp/krb5cc_101003
Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in 
Kerberos database while getting initial credentials

if do:

[DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
Using default cache: /tmp/krb5cc_101003
Using principal: kacper_wirski at AD.MYDOMAIN.COM
Password for kacper_wirski at AD.MYDOMAIN.COM:
Warning: Your password will expire in 15 days on Thu 16 Nov 2017 
01:50:48 PM CET
Authenticated to Kerberos v5

then:
[DOMAIN\kacper_wirski at vs-files ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_101003
Default principal: kacper_wirski at AD.MYDOMAIN.COM

Valid starting       Expires              Service principal
11/01/2017 12:32:36  11/01/2017 22:32:36 
krbtgt/AD.MYDOMAIN.COM at AD.MYDOMAIN.COM
         renew until 11/02/2017 12:32:31

commands like:
wbinfo -u etc. everything works, except for the "default principal"
used
when doing kinit.




Please help me understand, where else to look?

Could the RULE in krb5.conf be causing all this? I removed it, restarted 
whole machine, but it didn't change much.

W dniu 2017-10-31 o 23:20, Rowland Penny pisze:
> On Tue, 31 Oct 2017 22:46:53 +0100
> Kacper Wirski via samba<samba at lists.samba.org>  wrote:
>
>> Hello,
>>
>> I'm setting up AD user logins for centos 7.4 box. I've almost
managed
>> to do everything the way I want and the way I think it should be, but
>> I'm missing last piece:
>>
>>     For ssh access I read parts of the
>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
>>
>> Most docs recommend using setting in smb.conf:
>> winbind use default domain = no
>>
>> that means that all domain users have DOMAIN\ prefix attached. As per
>> the aforementioned wiki documet I made the workaround for
>> authentication to krb5.conf, and it works OK.
>>
>> What isn't working is "kinit" as-is for logged in AD
user. To be more
>> precise: it works if I specify explicitly username
>> kinit myusername
>> or
>> kinitmysusername at MY.DOMAIN.COM
>> It works as expected (asks for password and grants ticket)
>>
>>    otherwise plain "kinit" uses by default posix username,
which in
>> this case is DOMAIN\myusername, so it looks for:
>> DOMAINmyusername at MY.DOMAIN.COM  and fails with no principle found in
>> database (and rightly so), because obviously it should use
>> myusername at MY.DOMAIN.COM.
>>
>> I know it's not strictly samba related, and I could simply change
>> winbind use default domain = yes
>> as a workaround, this way everything works as expected, except that
>> in all docs it's described as not recommended setup, because of
>> possible confusion which user is from DOMAIN and which is local, and
>> of course when multiple domains come into play.
>>
>> So maybe someone knows of a valid workaorund, how to force kinit to
>> automatically remove/strip DOMAIN prefix from e.g.
>> DOMAINmyusername at MY.DOMAIN.COM  and change it into
>> myusername at MY.DOMAIN.COM? My understanding is that krb5.conf
>> "auth_to_local" works the other way around, so it takes valid
>> principal, and rewrites it so that it matches posix user and won't
>> work in this case,as it's the other way round (posix user has to be
>> translated into valid principal).
>>
>> My environment is:
>> centos 7.4 OS
>> samba 4.5.x is the AD DC
>> samba 4.6.9 is domain member server and all tests are done on this
>> machine.
>>
>> As i said, kerberos overall works fine, and it's not strictly samba
>> issue, but the issue is because of samba configuration and added
>> DOMAIN prefix.
>>
>> Any help/input/comments are appreciated.
>>
>> Regards, Kacper
>>
>>
> You have something set up incorrectly, if I log into a Unix domain
> member and run 'kinit', it works:
>
> rowland at devstation:~$ whoami
> SAMDOM\rowland
> rowland at devstation:~$ kinit
> Password forrowland at SAMDOM.EXAMPLE.COM:
> rowland at devstation:~$
>
> It also works on a DC.
>
> Can you post the following files:
> /etc/resolv.conf
> /etc/hosts
> /etc/hostname
> /etc/krb5.conf
> /etc/samba/smb.conf
>
> Rowland
>


---
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie
antywirusowe Avast.
https://www.avast.com/antivirus

Also I rushed my response:

Behaviour is not strange, default principal was taken from cache.

So if run:

[DOMAIN\kacper_wirski at vs-files ~]$ kdestroy

Error returns (kinit uses DOMAINkacper_wirski at AD.MYDOMAIN.COM as 
kerberos principal).



W dniu 2017-11-01 o 13:11, Kacper Wirski pisze:
>
> Hello,
>
> Thank You for fast response. I'm glad that it's a mistake somewhere
on
> my side, it means it will work when I fix it :)
>
> Ok, first of all:
>
>
> Everything is on centos 7.4
>
> All config files will be below, but to start off: behaviour is 
> stranger than I thought, but there is a pattern:
>
> when doing
>
> [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
> kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in
> Kerberos database while getting initial credentials
>
>
> but then when I do:
>
> [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: kacper_wirski at AD.MYDOMAIN.COM
> Password for kacper_wirski at AD.MYDOMAIN.COM:
> Warning: Your password will expire in 15 days on Thu 16 Nov 2017 
> 01:50:48 PM CET
> Authenticated to Kerberos v5
>
>
> and after this, user DOMAIN\kacper_wirski can do "kinit", and it 
> correctly defaults to principal "kacper_wirski at
AD.MYDOMAIN.COM":
>
> [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> Using principal: kacper_wirski at AD.MYDOMAIN.COM
> Password for kacper_wirski at AD.MYDOMAIN.COM:
>
>
> I don't know what gives. After full reboot it still works for
"this"
> user. When I log as DOMAIN\someotheruser it behaves exactly the same 
> (first adds DOMAIN prefix, then when once ticket is obtained 
> correctly, it seems to work...)
>
> kerberos ssh authentication (windows via putty to centos with samba 4) 
> works perfectly:
>
> Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to 
> DOMAIN\\kacper_wirski, krb5 principal kacper_wirski at AD.MYDOMAIN.COM 
> (ssh_gssapi_krb5_cmdok)
> Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: 
> pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski' granted
access
> Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted 
> gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32 port 55825 ssh
>
> All file shares hosted by samba are correctly available to windows 
> clients.
>
> First of all:
>
> On test box I'm using samba 4.6.9 compiled from source.
>
> configure was run with simple --with-systemd --without-ad-dc
>
> //etc/resolv.conf:/
>
> //
>
> /# Generated by NetworkManager//
> //search ad.mydomain.com//
> //nameserver 192.168.1.5//
> //nameserver 192.168.1.6//
> //nameserver 192.168.1.7/
>
> all three IP's are DC's with DNS all work correctly
>
> //etc/hostname//
> //vs-files.ad.mydomain.com/
>
> //etc/hosts//
> //192.168.1.13 vs-files.ad.mydomain.com vs-files//
> //127.0.0.1   localhost localhost.localdomain localhost4 
> localhost4.localdomain4//
> //::1         localhost localhost.localdomain localhost6 
> localhost6.localdomain6/
>
> //etc/krb5.conf//
> //[libdefaults]//
> //    default_realm = AD.MYDOMAIN.COM//
> //    dns_lookup_realm = true//
> //    dns_lookup_kdc = true//
> ////
> //[realms]//
> //    AD.MYDOMAIN.COM = {//
> //        auth_to_local = RULE:[1:MYDOMAIN\$1]//
> //        }/
>
> The above rule is taken directly from the linked samba wiki guide, and 
> it really works (without it I won't login with kerberos ticket, unless 
> I drop "DOMAIN\" part using "winbind use default domain =
yes".
>
> samba also auto-created it's own krb5.conf.DOMAIN file during net ads 
> join (in /usr/local/samba/var/lock/smb_krb5/
> /[libdefaults]//
> //        default_realm = AD.MYDOMAIN.COM//
> //        default_etypes = aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5//
> //        dns_lookup_realm = false//
> //
> //[realms]//
> //        AD.MYDOMAIN.COM = {//
> //                kdc = 192.168.1.5//
> //                kdc = 192.168.1.6//
> //                kdc = 192.168.1.7//
> //        }/
>
>
> /etc/nsswitch.conf
> /passwd: files winbind//
> //shadow: files//
> //group: files winbind/
>
> And last but not least:
>
> /usr/local/samba/etc/smb.conf (i compiled from source, so all samba 
> files reside in /usr/local/samba/...)
> [global]
> /        security = ADS//
> //        netbios name = VS-FILES//
> //        workgroup = DOMAIN//
> //        realm = AD.MYDOMAIN.COM//
> //        log file = /var/log/samba/%m.log//
> //        log level = 5//
> //
> //   idmap config *:backend = tdb//
> //   idmap config * : range = 1000-2000//
> //   idmap config DOMAIN:backend = rid//
> //   idmap config DOMAIN:range = 100000-110000//
> //
> //        vfs objects = acl_xattr//
> //        map acl inherit = yes//
> //        store dos attributes = yes//
> //        template homedir = /home/%U@%D//
> //        template shell = /bin/bash//
> //        winbind enum groups = no//
> //        winbind enum users = no//
> //        kerberos method = secrets and keytab//
> //        winbind refresh tickets = yes//
> //        winbind use default domain = no//
> //        winbind offline logon = yes/
>
> Example output, when being logged as DOMAIN\kacper_wirski (login was 
> using kerberos, as shown in log, no password was required):
> [DOMAIN\kacper_wirski at vs-files ~]$ whoami
> DOMAIN\kacper_wirski
> [DOMAIN\kacper_wirski at vs-files ~]$ id
> uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users) 
> groups=100513(DOMAIN\domain users)... and some other groups from domain
>
> but then:
> [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
> kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in
> Kerberos database while getting initial credentials
>
> if do:
>
> [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: kacper_wirski at AD.MYDOMAIN.COM
> Password for kacper_wirski at AD.MYDOMAIN.COM:
> Warning: Your password will expire in 15 days on Thu 16 Nov 2017 
> 01:50:48 PM CET
> Authenticated to Kerberos v5
>
> then:
> [DOMAIN\kacper_wirski at vs-files ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_101003
> Default principal: kacper_wirski at AD.MYDOMAIN.COM
>
> Valid starting       Expires              Service principal
> 11/01/2017 12:32:36  11/01/2017 22:32:36 
> krbtgt/AD.MYDOMAIN.COM at AD.MYDOMAIN.COM
>         renew until 11/02/2017 12:32:31
>
> commands like:
> wbinfo -u etc. everything works, except for the "default
principal"
> used when doing kinit.
>
>
>
>
> Please help me understand, where else to look?
>
> Could the RULE in krb5.conf be causing all this? I removed it, 
> restarted whole machine, but it didn't change much.
>
> W dniu 2017-10-31 o 23:20, Rowland Penny pisze:
>> On Tue, 31 Oct 2017 22:46:53 +0100
>> Kacper Wirski via samba<samba at lists.samba.org>  wrote:
>>
>>> Hello,
>>>
>>> I'm setting up AD user logins for centos 7.4 box. I've
almost managed
>>> to do everything the way I want and the way I think it should be,
but
>>> I'm missing last piece:
>>>
>>>     For ssh access I read parts of the
>>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
>>>
>>> Most docs recommend using setting in smb.conf:
>>> winbind use default domain = no
>>>
>>> that means that all domain users have DOMAIN\ prefix attached. As
per
>>> the aforementioned wiki documet I made the workaround for
>>> authentication to krb5.conf, and it works OK.
>>>
>>> What isn't working is "kinit" as-is for logged in AD
user. To be more
>>> precise: it works if I specify explicitly username
>>> kinit myusername
>>> or
>>> kinitmysusername at MY.DOMAIN.COM
>>> It works as expected (asks for password and grants ticket)
>>>
>>>    otherwise plain "kinit" uses by default posix
username, which in
>>> this case is DOMAIN\myusername, so it looks for:
>>> DOMAINmyusername at MY.DOMAIN.COM  and fails with no principle
found in
>>> database (and rightly so), because obviously it should use
>>> myusername at MY.DOMAIN.COM.
>>>
>>> I know it's not strictly samba related, and I could simply
change
>>> winbind use default domain = yes
>>> as a workaround, this way everything works as expected, except that
>>> in all docs it's described as not recommended setup, because of
>>> possible confusion which user is from DOMAIN and which is local,
and
>>> of course when multiple domains come into play.
>>>
>>> So maybe someone knows of a valid workaorund, how to force kinit to
>>> automatically remove/strip DOMAIN prefix from e.g.
>>> DOMAINmyusername at MY.DOMAIN.COM  and change it into
>>> myusername at MY.DOMAIN.COM? My understanding is that krb5.conf
>>> "auth_to_local" works the other way around, so it takes
valid
>>> principal, and rewrites it so that it matches posix user and
won't
>>> work in this case,as it's the other way round (posix user has
to be
>>> translated into valid principal).
>>>
>>> My environment is:
>>> centos 7.4 OS
>>> samba 4.5.x is the AD DC
>>> samba 4.6.9 is domain member server and all tests are done on this
>>> machine.
>>>
>>> As i said, kerberos overall works fine, and it's not strictly
samba
>>> issue, but the issue is because of samba configuration and added
>>> DOMAIN prefix.
>>>
>>> Any help/input/comments are appreciated.
>>>
>>> Regards, Kacper
>>>
>>>
>> You have something set up incorrectly, if I log into a Unix domain
>> member and run 'kinit', it works:
>>
>> rowland at devstation:~$ whoami
>> SAMDOM\rowland
>> rowland at devstation:~$ kinit
>> Password forrowland at SAMDOM.EXAMPLE.COM:
>> rowland at devstation:~$
>>
>> It also works on a DC.
>>
>> Can you post the following files:
>> /etc/resolv.conf
>> /etc/hosts
>> /etc/hostname
>> /etc/krb5.conf
>> /etc/samba/smb.conf
>>
>> Rowland
>>
>
>
>
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
> 	Wolny od wirusów. www.avast.com 
>
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
>
>
> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>


---
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie
antywirusowe Avast.
https://www.avast.com/antivirus

Hai, 

Now, i'll start with.. I know (almost) nothing about centos and i compaired
you debug with my debug.
Now, i'll give some pointer to check. 

Is ssh going through pam, then check if you have things like this.

password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok
try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok
try_first_pass
( and remember these configs are from Debian Stretch ) 

The server in question, does it have delegate rights ( set in ADUC )? 

Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
Is missing a \ 
If you go though your logs, and you see : DOMAIN\\kacper_wirski at
AD.MYDOMAIN.COM  ( see the putty logs part)
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
> > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not
found in
> > Kerberos database while getting initial credentials
This show that the separator is you problem. 
You can try it again with setting the separator to "/" and not
"\"
And maybe you should try this one first. 

[realms]
    SAMDOM.EXAMPLE.COM = {
        auth_to_local = RULE:[1:SAMDOM\\$1]
#or	  auth_to_local = RULE:[1:SAMDOM/$1]
    }

ps, / is replace to \ in most config setups, even in windows, but again i dont
know about centos.

Thats the best i can say about your setup.
I hope it helps you bit more in the right direction. 
I say, check above and try it out and report back. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Kacper Wirski via samba
> Verzonden: woensdag 1 november 2017 13:17
> Aan: Rowland Penny; samba at lists.samba.org
> Onderwerp: Re: [Samba] kerberos + winbind + AD authentication 
> for samba 4 domain member
> 
> Also I rushed my response:
> 
> Behaviour is not strange, default principal was taken from cache.
> 
> So if run:
> 
> [DOMAIN\kacper_wirski at vs-files ~]$ kdestroy
> 
> Error returns (kinit uses DOMAINkacper_wirski at AD.MYDOMAIN.COM as 
> kerberos principal).
> 
> 
> 
> W dniu 2017-11-01 o 13:11, Kacper Wirski pisze:
> >
> > Hello,
> >
> > Thank You for fast response. I'm glad that it's a mistake 
> somewhere on 
> > my side, it means it will work when I fix it :)
> >
> > Ok, first of all:
> >
> >
> > Everything is on centos 7.4
> >
> > All config files will be below, but to start off: behaviour is 
> > stranger than I thought, but there is a pattern:
> >
> > when doing
> >
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
> > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not
found in
> > Kerberos database while getting initial credentials
> >
> >
> > but then when I do:
> >
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: kacper_wirski at AD.MYDOMAIN.COM
> > Password for kacper_wirski at AD.MYDOMAIN.COM:
> > Warning: Your password will expire in 15 days on Thu 16 Nov 2017 
> > 01:50:48 PM CET
> > Authenticated to Kerberos v5
> >
> >
> > and after this, user DOMAIN\kacper_wirski can do "kinit",
and it
> > correctly defaults to principal "kacper_wirski at
AD.MYDOMAIN.COM":
> >
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> > Using principal: kacper_wirski at AD.MYDOMAIN.COM
> > Password for kacper_wirski at AD.MYDOMAIN.COM:
> >
> >
> > I don't know what gives. After full reboot it still works 
> for "this" 
> > user. When I log as DOMAIN\someotheruser it behaves exactly 
> the same 
> > (first adds DOMAIN prefix, then when once ticket is obtained 
> > correctly, it seems to work...)
> >
> > kerberos ssh authentication (windows via putty to centos 
> with samba 4) 
> > works perfectly:
> >
> > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Authorized to 
> > DOMAIN\\kacper_wirski, krb5 principal kacper_wirski at AD.MYDOMAIN.COM
> > (ssh_gssapi_krb5_cmdok)
> > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: 
> > pam_winbind(sshd:account): user 'DOMAIN\kacper_wirski' 
> granted access
> > Nov 01 12:21:29 vs-files.ad.mydomain.com sshd[1024]: Accepted 
> > gssapi-with-mic for DOMAIN\\kacper_wirski from 192.168.1.32 
> port 55825 ssh
> >
> > All file shares hosted by samba are correctly available to windows 
> > clients.
> >
> > First of all:
> >
> > On test box I'm using samba 4.6.9 compiled from source.
> >
> > configure was run with simple --with-systemd --without-ad-dc
> >
> > //etc/resolv.conf:/
> >
> > //
> >
> > /# Generated by NetworkManager//
> > //search ad.mydomain.com//
> > //nameserver 192.168.1.5//
> > //nameserver 192.168.1.6//
> > //nameserver 192.168.1.7/
> >
> > all three IP's are DC's with DNS all work correctly
> >
> > //etc/hostname//
> > //vs-files.ad.mydomain.com/
> >
> > //etc/hosts//
> > //192.168.1.13 vs-files.ad.mydomain.com vs-files//
> > //127.0.0.1   localhost localhost.localdomain localhost4 
> > localhost4.localdomain4//
> > //::1         localhost localhost.localdomain localhost6 
> > localhost6.localdomain6/
> >
> > //etc/krb5.conf//
> > //[libdefaults]//
> > //    default_realm = AD.MYDOMAIN.COM//
> > //    dns_lookup_realm = true//
> > //    dns_lookup_kdc = true//
> > ////
> > //[realms]//
> > //    AD.MYDOMAIN.COM = {//
> > //        auth_to_local = RULE:[1:MYDOMAIN\$1]//
> > //        }/
> >
> > The above rule is taken directly from the linked samba wiki 
> guide, and 
> > it really works (without it I won't login with kerberos 
> ticket, unless 
> > I drop "DOMAIN\" part using "winbind use default domain
= yes".
> >
> > samba also auto-created it's own krb5.conf.DOMAIN file 
> during net ads 
> > join (in /usr/local/samba/var/lock/smb_krb5/
> > /[libdefaults]//
> > //        default_realm = AD.MYDOMAIN.COM//
> > //        default_etypes = aes256-cts-hmac-sha1-96 
> > aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5//
> > //        dns_lookup_realm = false//
> > //
> > //[realms]//
> > //        AD.MYDOMAIN.COM = {//
> > //                kdc = 192.168.1.5//
> > //                kdc = 192.168.1.6//
> > //                kdc = 192.168.1.7//
> > //        }/
> >
> >
> > /etc/nsswitch.conf
> > /passwd: files winbind//
> > //shadow: files//
> > //group: files winbind/
> >
> > And last but not least:
> >
> > /usr/local/samba/etc/smb.conf (i compiled from source, so all samba 
> > files reside in /usr/local/samba/...)
> > [global]
> > /        security = ADS//
> > //        netbios name = VS-FILES//
> > //        workgroup = DOMAIN//
> > //        realm = AD.MYDOMAIN.COM//
> > //        log file = /var/log/samba/%m.log//
> > //        log level = 5//
> > //
> > //   idmap config *:backend = tdb//
> > //   idmap config * : range = 1000-2000//
> > //   idmap config DOMAIN:backend = rid//
> > //   idmap config DOMAIN:range = 100000-110000//
> > //
> > //        vfs objects = acl_xattr//
> > //        map acl inherit = yes//
> > //        store dos attributes = yes//
> > //        template homedir = /home/%U@%D//
> > //        template shell = /bin/bash//
> > //        winbind enum groups = no//
> > //        winbind enum users = no//
> > //        kerberos method = secrets and keytab//
> > //        winbind refresh tickets = yes//
> > //        winbind use default domain = no//
> > //        winbind offline logon = yes/
> >
> > Example output, when being logged as DOMAIN\kacper_wirski 
> (login was 
> > using kerberos, as shown in log, no password was required):
> > [DOMAIN\kacper_wirski at vs-files ~]$ whoami
> > DOMAIN\kacper_wirski
> > [DOMAIN\kacper_wirski at vs-files ~]$ id
> > uid=101003(DOMAIN\kacper_wirski) gid=100513(DOMAIN\domain users) 
> > groups=100513(DOMAIN\domain users)... and some other groups 
> from domain
> >
> > but then:
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
> > kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not
found in
> > Kerberos database while getting initial credentials
> >
> > if do:
> >
> > [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
> > Using default cache: /tmp/krb5cc_101003
> > Using principal: kacper_wirski at AD.MYDOMAIN.COM
> > Password for kacper_wirski at AD.MYDOMAIN.COM:
> > Warning: Your password will expire in 15 days on Thu 16 Nov 2017 
> > 01:50:48 PM CET
> > Authenticated to Kerberos v5
> >
> > then:
> > [DOMAIN\kacper_wirski at vs-files ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_101003
> > Default principal: kacper_wirski at AD.MYDOMAIN.COM
> >
> > Valid starting       Expires              Service principal
> > 11/01/2017 12:32:36  11/01/2017 22:32:36 
> > krbtgt/AD.MYDOMAIN.COM at AD.MYDOMAIN.COM
> >         renew until 11/02/2017 12:32:31
> >
> > commands like:
> > wbinfo -u etc. everything works, except for the "default
principal"
> > used when doing kinit.
> >
> >
> >
> >
> > Please help me understand, where else to look?
> >
> > Could the RULE in krb5.conf be causing all this? I removed it, 
> > restarted whole machine, but it didn't change much.
> >
> > W dniu 2017-10-31 o 23:20, Rowland Penny pisze:
> >> On Tue, 31 Oct 2017 22:46:53 +0100
> >> Kacper Wirski via samba<samba at lists.samba.org>  wrote:
> >>
> >>> Hello,
> >>>
> >>> I'm setting up AD user logins for centos 7.4 box. I've
> almost managed
> >>> to do everything the way I want and the way I think it 
> should be, but
> >>> I'm missing last piece:
> >>>
> >>>     For ssh access I read parts of the
> >>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> >>>
> >>> Most docs recommend using setting in smb.conf:
> >>> winbind use default domain = no
> >>>
> >>> that means that all domain users have DOMAIN\ prefix 
> attached. As per
> >>> the aforementioned wiki documet I made the workaround for
> >>> authentication to krb5.conf, and it works OK.
> >>>
> >>> What isn't working is "kinit" as-is for logged
in AD
> user. To be more
> >>> precise: it works if I specify explicitly username
> >>> kinit myusername
> >>> or
> >>> kinitmysusername at MY.DOMAIN.COM
> >>> It works as expected (asks for password and grants ticket)
> >>>
> >>>    otherwise plain "kinit" uses by default posix 
> username, which in
> >>> this case is DOMAIN\myusername, so it looks for:
> >>> DOMAINmyusername at MY.DOMAIN.COM  and fails with no 
> principle found in
> >>> database (and rightly so), because obviously it should use
> >>> myusername at MY.DOMAIN.COM.
> >>>
> >>> I know it's not strictly samba related, and I could simply
change
> >>> winbind use default domain = yes
> >>> as a workaround, this way everything works as expected, 
> except that
> >>> in all docs it's described as not recommended setup,
because of
> >>> possible confusion which user is from DOMAIN and which is 
> local, and
> >>> of course when multiple domains come into play.
> >>>
> >>> So maybe someone knows of a valid workaorund, how to 
> force kinit to
> >>> automatically remove/strip DOMAIN prefix from e.g.
> >>> DOMAINmyusername at MY.DOMAIN.COM  and change it into
> >>> myusername at MY.DOMAIN.COM? My understanding is that
krb5.conf
> >>> "auth_to_local" works the other way around, so it
takes valid
> >>> principal, and rewrites it so that it matches posix user and
won't
> >>> work in this case,as it's the other way round (posix user 
> has to be
> >>> translated into valid principal).
> >>>
> >>> My environment is:
> >>> centos 7.4 OS
> >>> samba 4.5.x is the AD DC
> >>> samba 4.6.9 is domain member server and all tests are done on
this
> >>> machine.
> >>>
> >>> As i said, kerberos overall works fine, and it's not 
> strictly samba
> >>> issue, but the issue is because of samba configuration and
added
> >>> DOMAIN prefix.
> >>>
> >>> Any help/input/comments are appreciated.
> >>>
> >>> Regards, Kacper
> >>>
> >>>
> >> You have something set up incorrectly, if I log into a Unix domain
> >> member and run 'kinit', it works:
> >>
> >> rowland at devstation:~$ whoami
> >> SAMDOM\rowland
> >> rowland at devstation:~$ kinit
> >> Password forrowland at SAMDOM.EXAMPLE.COM:
> >> rowland at devstation:~$
> >>
> >> It also works on a DC.
> >>
> >> Can you post the following files:
> >> /etc/resolv.conf
> >> /etc/hosts
> >> /etc/hostname
> >> /etc/krb5.conf
> >> /etc/samba/smb.conf
> >>
> >> Rowland
> >>
> >
> >
> > 
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=l
ink&utm_campaign=sig-email&utm_content=emailclient>
> > 	Wolny od wirusów. www.avast.com 
> > 
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=l
ink&utm_campaign=sig-email&utm_content=emailclient>
> >
> >
> > <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
> 
> 
> 
> ---
> Ta wiadomo???? zosta??a sprawdzona na obecno???? wirusów 
> przez oprogramowanie antywirusowe Avast.
> https://www.avast.com/antivirus
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

As luck would have it, I installed a Samba Unix domain member on Fedora
26 yesterday, so I started it again and it works on that as well, so
it should work on Centos.

See comments below:

On Wed, 1 Nov 2017 13:11:29 +0100
Kacper Wirski <kacper.wirski at gmail.com> wrote:
> Hello,
> 
> Thank You for fast response. I'm glad that it's a mistake somewhere
> on my side, it means it will work when I fix it :)
> 
> Ok, first of all:
> 
> 
> Everything is on centos 7.4
> 
> All config files will be below, but to start off: behaviour is
> stranger than I thought, but there is a pattern:
> 
> when doing
> 
> [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: DOMAINkacper_wirski at AD.MYDOMAIN.COM
> kinit: Client 'DOMAINkacper_wirski at AD.MYDOMAIN.COM' not found in
> Kerberos database while getting initial credentials
> 
> 
> but then when I do:
> 
> [DOMAIN\kacper_wirski at vs-files ~]$ kinit kacper_wirski -V
> Using default cache: /tmp/krb5cc_101003
> Using principal: kacper_wirski at AD.MYDOMAIN.COM
> Password for kacper_wirski at AD.MYDOMAIN.COM:
> Warning: Your password will expire in 15 days on Thu 16 Nov 2017 
> 01:50:48 PM CET
> Authenticated to Kerberos v5
> 
> 
> and after this, user DOMAIN\kacper_wirski can do "kinit", and it 
> correctly defaults to principal "kacper_wirski at
AD.MYDOMAIN.COM":
> 
> [DOMAIN\kacper_wirski at vs-files ~]$ kinit -V
> Using principal: kacper_wirski at AD.MYDOMAIN.COM
> Password for kacper_wirski at AD.MYDOMAIN.COM:
> 
> 
> I don't know what gives. After full reboot it still works for
"this"
> user. When I log as DOMAIN\someotheruser it behaves exactly the same 
> (first adds DOMAIN prefix, then when once ticket is obtained
> correctly, it seems to work...)
No idea why this is happening, all I can say is, it doesn't work like
that on Devuan, it just works ;-)
> //etc/hostname//
> //vs-files.ad.mydomain.com/
The FQDN is not the hostname, why does red-hat do this ?
I would change this to:

vs-files
> 
> //etc/hosts//
> //192.168.1.13 vs-files.ad.mydomain.com vs-files//
> //127.0.0.1   localhost localhost.localdomain localhost4 
> localhost4.localdomain4//
> //::1         localhost localhost.localdomain localhost6 
> localhost6.localdomain6/
There is no such thing as 'localdomain', I would change this to:

127.0.0.1 localhost
::1 localhost
192.168.1.13 vs-files.ad.mydomain.com vs-files
> 
> //etc/krb5.conf//
> //[libdefaults]//
> //    default_realm = AD.MYDOMAIN.COM//
> //    dns_lookup_realm = true//
> //    dns_lookup_kdc = true//
> ////
> //[realms]//
> //    AD.MYDOMAIN.COM = {//
> //        auth_to_local = RULE:[1:MYDOMAIN\$1]//
> //        }/
> 
> The above rule is taken directly from the linked samba wiki guide,
> and it really works (without it I won't login with kerberos ticket,
> unless I drop "DOMAIN\" part using "winbind use default
domain = yes".
It should be 'dns_lookup_realm = false'
> 
> samba also auto-created it's own krb5.conf.DOMAIN file during net ads 
> join (in /usr/local/samba/var/lock/smb_krb5/
> /[libdefaults]//
> //        default_realm = AD.MYDOMAIN.COM//
> //        default_etypes = aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5//
> //        dns_lookup_realm = false//
> //
> //[realms]//
> //        AD.MYDOMAIN.COM = {//
> //                kdc = 192.168.1.5//
> //                kdc = 192.168.1.6//
> //                kdc = 192.168.1.7//
> //        }/
> 
I have never seen a Samba created krb5.conf like that
> 
> /usr/local/samba/etc/smb.conf (i compiled from source, so all samba 
> files reside in /usr/local/samba/...)
> [global]
> /        security = ADS//
> //        netbios name = VS-FILES//
> //        workgroup = DOMAIN//
> //        realm = AD.MYDOMAIN.COM//
> //        log file = /var/log/samba/%m.log//
> //        log level = 5//
> //
> //   idmap config *:backend = tdb//
> //   idmap config * : range = 1000-2000//
> //   idmap config DOMAIN:backend = rid//
> //   idmap config DOMAIN:range = 100000-110000//
> ////
> //        vfs objects = acl_xattr//
> //        map acl inherit = yes//
> //        store dos attributes = yes//
> //        template homedir = /home/%U@%D//
I would have used '/home/%D/%U'

I changed the files on my Fedora 26 machine to match the Samba wikipage
you referred to and it still works, I can login as a domain user and
run 'kinit' and it works:

[SAMDOM\rowland at f26 ~]$ kinit
Password for rowland at SAMDOM.EXAMPLE.COM:
[SAMDOM\rowland at f26 ~]$

Rowland

On Wed, 1 Nov 2017 17:41:14 +0100 (CET)
"k.wirski babkamedica.pl" <k.wirski at babkamedica.pl> wrote:
> Thank You,
> 
> /etc/hostname i set it myself, never seen issue with FQDN, I'll
> change it
> 
> localdomain in /etc/hosts is from the default config
> 
> this auto krb5.conf.DOMAIN - could it be, that by default samba
> builds with heimdall, and centos (as RHEL) uses MIT krb, and
> something in /etc/krb5.conf was not ok  during join, for whatever
> reason? The "auth_to_local" is MIT kerberos specific.
> 
> Also auth_to_local is used when logging to machine, and my issue with
> kinit is when mapping is done from local to UPN.
> 
> 
> I removed whole /usr/local/samba dir, installed from scratch,
> re-added to domain, recreated krb5.keytab, and issue is 100% the same.
> 
> 
> I tried changing winbind separater from default to + and changed
> krb5.conf rule accordingly, it changed nothing. Issue is not with
> kerberos for login, it works a-ok. The issue is that for whatever
> reason POSIX user is used with full name as principal. 
> 
> When i changed winbind separator, my posix user was
> "DOMAIN+kacper_wirski", and "kinit" used
> 
> DOMAIN+kacper_wirski at BMAD.BABKAMEDICA.PL as  principal.
> 
> 
> I consider setting up new machine from scratch from centos minimal
> and go from there or I'll take my risks and set "use default
domain > yes", then everything works perfectly.
> 
> 
> Can this issue be caused by something outside this machine, and
> something wrong with the domain overall? I don't believe it, since it
> seems very local OS specific, but maybe it is?
> 
All I can say is that when I set up Fedora 26 yesterday in the way I
would set up a Devuan computer, 'kinit' works in the way you want.

You are correct in that Samba uses Heimdal rather than MIT, but this is
supplied with Samba and is only used if you compile for a DC, you
haven't.

Whilst it isn't recommended to use 'use default domain = yes' it is
used rather a lot. The only time it definitely shouldn't be used is if
you have more than one DOMAIN set in smb.conf

If it helps, I can send you the notes I made whilst setting up Fedora 26

Rowland

I'm going to start with clean centos install, so I might as well use some
additional guidelines, thank You.

When You run kinit, does Your user have ticket already? What I noticed is
that when user has a ticket already, kinit works fine, uses as default
principal the one from ticket.
Can you do kdestroy - then kinit?

Also, on Fedora, did You install samba from source or from repo's RPM?

And last question - for PAM did You manually edit system-auth, or with
authconfig?
After I do some tests later on, I will update with whatever I manage to
find/debug.

1 lis 2017 18:51 "Rowland Penny via samba" <samba at
lists.samba.org>
napisał(a):
> On Wed, 1 Nov 2017 17:41:14 +0100 (CET)
> "k.wirski babkamedica.pl" <k.wirski at babkamedica.pl>
wrote:
>
> > Thank You,
> >
> > /etc/hostname i set it myself, never seen issue with FQDN, I'll
> > change it
> >
> > localdomain in /etc/hosts is from the default config
> >
> > this auto krb5.conf.DOMAIN - could it be, that by default samba
> > builds with heimdall, and centos (as RHEL) uses MIT krb, and
> > something in /etc/krb5.conf was not ok  during join, for whatever
> > reason? The "auth_to_local" is MIT kerberos specific.
> >
> > Also auth_to_local is used when logging to machine, and my issue with
> > kinit is when mapping is done from local to UPN.
> >
> >
> > I removed whole /usr/local/samba dir, installed from scratch,
> > re-added to domain, recreated krb5.keytab, and issue is 100% the same.
> >
> >
> > I tried changing winbind separater from default to + and changed
> > krb5.conf rule accordingly, it changed nothing. Issue is not with
> > kerberos for login, it works a-ok. The issue is that for whatever
> > reason POSIX user is used with full name as principal.
> >
> > When i changed winbind separator, my posix user was
> > "DOMAIN+kacper_wirski", and "kinit" used
> >
> > DOMAIN+kacper_wirski at BMAD.BABKAMEDICA.PL as  principal.
> >
> >
> > I consider setting up new machine from scratch from centos minimal
> > and go from there or I'll take my risks and set "use default
domain > > yes", then everything works perfectly.
> >
> >
> > Can this issue be caused by something outside this machine, and
> > something wrong with the domain overall? I don't believe it, since
it
> > seems very local OS specific, but maybe it is?
> >
>
> All I can say is that when I set up Fedora 26 yesterday in the way I
> would set up a Devuan computer, 'kinit' works in the way you want.
>
> You are correct in that Samba uses Heimdal rather than MIT, but this is
> supplied with Samba and is only used if you compile for a DC, you
> haven't.
>
> Whilst it isn't recommended to use 'use default domain = yes'
it is
> used rather a lot. The only time it definitely shouldn't be used is if
> you have more than one DOMAIN set in smb.conf
>
> If it helps, I can send you the notes I made whilst setting up Fedora 26
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba