Kacper Wirski
2017-Nov-01 19:28 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
I'm going to start with a clean CentOS install, so I might as well use some additional guidelines, thank You.

When You run kinit, does Your user have a ticket already? What I noticed is that when the user has a ticket already, kinit works fine and uses as default principal the one from the ticket.
Can you do kdestroy - then kinit?

Also, on Fedora, did You install samba from source or from the repo's RPM?

And last question - for PAM did You manually edit system-auth, or with authconfig?
After I do some tests later on, I will update with whatever I manage to find/debug.

On 1 Nov 2017 18:51, "Rowland Penny via samba" <samba at lists.samba.org> wrote:
> On Wed, 1 Nov 2017 17:41:14 +0100 (CET)
> "k.wirski babkamedica.pl" <k.wirski at babkamedica.pl> wrote:
>
> > Thank You,
> >
> > /etc/hostname I set it myself, never seen an issue with FQDN, I'll
> > change it
> >
> > localdomain in /etc/hosts is from the default config
> >
> > this auto krb5.conf.DOMAIN - could it be, that by default samba
> > builds with Heimdal, and CentOS (as RHEL) uses MIT krb, and
> > something in /etc/krb5.conf was not ok during join, for whatever
> > reason? The "auth_to_local" is MIT kerberos specific.
> >
> > Also auth_to_local is used when logging in to the machine, and my issue with
> > kinit is when mapping is done from local to UPN.
> >
> >
> > I removed the whole /usr/local/samba dir, installed from scratch,
> > re-added to domain, recreated krb5.keytab, and the issue is 100% the same.
> >
> >
> > I tried changing winbind separator from default to + and changed
> > the krb5.conf rule accordingly, it changed nothing. Issue is not with
> > kerberos for login, it works a-ok. The issue is that for whatever
> > reason the POSIX user is used with full name as principal.
> >
> > When I changed winbind separator, my posix user was
> > "DOMAIN+kacper_wirski", and "kinit" used
> >
> > DOMAIN+kacper_wirski@BMAD.BABKAMEDICA.PL as principal.
> >
> >
> > I consider setting up a new machine from scratch from CentOS minimal
> > and go from there or I'll take my risks and set "use default domain
> > yes", then everything works perfectly.
> >
> >
> > Can this issue be caused by something outside this machine, and
> > something wrong with the domain overall? I don't believe it, since it
> > seems very local OS specific, but maybe it is?
> >
>
> All I can say is that when I set up Fedora 26 yesterday in the way I
> would set up a Devuan computer, 'kinit' works in the way you want.
>
> You are correct in that Samba uses Heimdal rather than MIT, but this is
> supplied with Samba and is only used if you compile for a DC, you
> haven't.
>
> Whilst it isn't recommended to use 'use default domain = yes' it is
> used rather a lot. The only time it definitely shouldn't be used is if
> you have more than one DOMAIN set in smb.conf
>
> If it helps, I can send you the notes I made whilst setting up Fedora 26
>
> Rowland
Rowland Penny
2017-Nov-01 19:49 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
On Wed, 1 Nov 2017 20:28:05 +0100
Kacper Wirski <kacper.wirski at gmail.com> wrote:

> I'm going to start with clean centos install, so I might as well use
> some additional guidelines, thank You.
>
> When You run kinit, does Your user have ticket already? What I
> noticed is that when user has a ticket already, kinit works fine,
> uses as default principal the one from ticket.
> Can you do kdestroy - then kinit?
>
> Also, on Fedora, did You install samba from source or from repo's RPM?
>
> And last question - for PAM did You manually edit system-auth, or with
> authconfig?
> After I do some tests later on, I will update with whatever I manage
> to find/debug.
>

I realised I had a CentOS 7 VM, so I started this, updated it to 7.4, set 'winbind use default domain = no', then logged in and ran 'kinit'. I finally get your problem!!!

Let me get back to you

Rowland
Rowland Penny
2017-Nov-01 20:21 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
On Wed, 1 Nov 2017 19:49:32 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 1 Nov 2017 20:28:05 +0100
> Kacper Wirski <kacper.wirski at gmail.com> wrote:
>
> > I'm going to start with clean centos install, so I might as well use
> > some additional guidelines, thank You.
> >
> > When You run kinit, does Your user have ticket already? What I
> > noticed is that when user has a ticket already, kinit works fine,
> > uses as default principal the one from ticket.
> > Can you do kdestroy - then kinit?
> >
> > Also, on Fedora, did You install samba from source or from repo's
> > RPM?
> >
> > And last question - for PAM did You manually edit system-auth, or
> > with authconfig?
> > After I do some tests later on, I will update with whatever I manage
> > to find/debug.
> >
>
> I realised I had a Centos 7 VM, so I started this, updated it to 7.4
> set 'winbind use default domain = no' then logged in and ran
> 'kinit', I finally get your problem!!!
>
> Let me get back to you
>
> Rowland
>

OK, I am back ;-)

I understand it now, sigh.

This is what I think is happening: when you kinit as the user, it uses whatever is returned by nsswitch, but, as a single '\' is treated as an escape character and is removed, you get DOMAINusername.

If you use something else as the winbind separator, e.g. ':', you will get DOMAIN:username, but this still will not get you anywhere. You will get this:

kinit: Client 'SAMDOM:rowland@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials

It was this that pointed me in the right direction.

If you check the user's object in AD, you will find the userPrincipalName attribute; this will contain something like:

rowland@samdom.example.com

This is what kinit is looking for, and if you run 'kinit rowland', this will work, and if you run 'klist' you will find that the 'Default principal' is rowland@SAMDOM.EXAMPLE.COM

Net result, you will have to use 'winbind use default domain = yes'

Rowland
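The following is an added example, not configuration posted by anyone in the thread. It shows the two variants of a domain member's smb.conf [global] section that the thread contrasts: the setting that reproduces the bare-kinit failure and the setting Rowland ends on. The workgroup and realm (SAMDOM / SAMDOM.EXAMPLE.COM) are taken from Rowland's example output; the idmap ranges and the kerberos method line are assumed placeholder values, not something the thread specifies.

```ini
# Added example (not from the thread). Two variants of the [global] section of
# a Samba AD domain member's smb.conf. Only one [global] section belongs in a
# real file; they are shown together for comparison.
# Assumed values: idmap ranges and "kerberos method" are placeholders.

# --- Variant A: the setting that reproduces the problem ---
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    kerberos method = secrets and keytab
    winbind use default domain = no
    # default separator; nsswitch returns "SAMDOM\user" and a bare kinit
    # builds its client principal from that string, so the KDC reports
    # "Client ... not found in Kerberos database".
    winbind separator = \
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

# --- Variant B: the setting the thread arrives at ---
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    kerberos method = secrets and keytab
    winbind use default domain = yes
    # nsswitch now returns the bare "user", which matches the userPrincipalName
    # user@samdom.example.com in AD, so a bare kinit gets a ticket whose
    # default principal (see klist) is user@SAMDOM.EXAMPLE.COM.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
```

After changing the setting, a useful check on the member is to run kdestroy, then a bare kinit, then klist and confirm the "Default principal" carries no domain prefix. Rowland's caveat from earlier in the thread still applies: Variant B is only suitable when a single domain is configured in smb.conf, because with the prefix stripped, same-named users from different domains can no longer be told apart.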