Rowland Penny
2017-Nov-01 20:21 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
On Wed, 1 Nov 2017 19:49:32 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 1 Nov 2017 20:28:05 +0100 Kacper Wirski <kacper.wirski at gmail.com> wrote:
>
> > I'm going to start with a clean centos install, so I might as well use some additional guidelines, thank You.
> >
> > When You run kinit, does Your user have a ticket already? What I noticed is that when the user has a ticket already, kinit works fine, uses as default principal the one from the ticket.
> > Can you do kdestroy - then kinit?
> >
> > Also, on Fedora, did You install samba from source or from the repo's RPM?
> >
> > And last question - for PAM did You manually edit system-auth, or with authconfig?
> > After I do some tests later on, I will update with whatever I manage to find/debug.
>
> I realised I had a Centos 7 VM, so I started this, updated it to 7.4, set 'winbind use default domain = no', then logged in and ran 'kinit'. I finally get your problem!!!
>
> Let me get back to you
>
> Rowland

OK, I am back ;-)

I understand it now, sigh. This is what I think is happening:

When you kinit as the user, it uses whatever is returned by nsswitch, but, as a single '\' is treated as an escape character and is removed, you get DOMAINusername. If you use something else as the winbind separator, e.g. ':', you will get DOMAIN:username, but this still will not get you anywhere. You will get this:

kinit: Client 'SAMDOM:rowland@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials

It was this that pointed me in the right direction. If you check the user's object in AD, you will find the userPrincipalName attribute; this will contain something like:

rowland@samdom.example.com

This is what kinit is looking for, and if you run 'kinit rowland', this will work; if you then run 'klist' you will find that the 'Default principal' is rowland@SAMDOM.EXAMPLE.COM

Net result, you will have to use 'winbind use default domain = yes'

Rowland
Kacper Wirski
2017-Nov-01 21:00 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Ok, at least I know that it's not the fault of my configuration.

I was hoping that there may be some kerberos/kinit option to modify the systemwide default principal pattern, or maybe something could be done with how winbind presents AD users to the local OS while still.. Can't have everything it seems.

In this case here is my follow-up question:
- how will this work on DCs? I know that winbind is integrated into the main "samba" process. I don't have a test DC right now and I can't test it, but is it at all possible to set "use default domain = yes" on a samba DC and not impair anything? On the DCs it's not as important to me, as only a few actual domain users will ever actually log in there (only admins), but still I'd rather have as much consistency across all systems as possible.

Regards,
Kacper

2017-11-01 21:21 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> This is what kinit is looking for, and if you run 'kinit rowland', this will work; if you then run 'klist' you will find that the 'Default principal' is rowland@SAMDOM.EXAMPLE.COM
>
> Net result, you will have to use 'winbind use default domain = yes'
>
> Rowland
Rowland Penny
2017-Nov-01 21:14 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
On Wed, 1 Nov 2017 22:00:59 +0100 Kacper Wirski <kacper.wirski at gmail.com> wrote:

> In this case here is my follow-up question:
> - how will this work on DCs? I know that winbind is integrated into the main "samba" process. I don't have a test DC right now and I can't test it, but is it at all possible to set "use default domain = yes" on a samba DC and not impair anything? On the DCs it's not as important to me, as only a few actual domain users will ever actually log in there (only admins), but still I'd rather have as much consistency across all systems as possible.
>
> Regards,
> Kacper

This is one thing that was throwing me: 'winbind use default domain = yes' has no effect on a DC. But:

SAMDOM\rowland@dc3:~$ whoami
SAMDOM\rowland
SAMDOM\rowland@dc3:~$ kinit
Password for rowland@SAMDOM.EXAMPLE.COM:
SAMDOM\rowland@dc3:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_g4wijO
Default principal: rowland@SAMDOM.EXAMPLE.COM

Like a lot of things, it works differently on a DC

Rowland
L.P.H. van Belle
2017-Nov-01 22:24 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
Maybe try something like this, don't know if it's right, I can't test it atm, and I never used it so.. But in krb5.conf try to match the faulty one with a rule.

auth_to_local = RULE:[1:SAMDOM:$1]

Maybe it works, maybe not, but imo try-able ;-) , just an idea..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Kacper Wirski via samba
> Sent: Wednesday 1 November 2017 22:01
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] kerberos + winbind + AD authentication for samba 4 domain member
>
> Ok, at least I know that it's not the fault of my configuration.
>
> I was hoping that there may be some kerberos/kinit option to modify the systemwide default principal pattern, or maybe something could be done with how winbind presents AD users to the local OS while still.. Can't have everything it seems.
Kacper Wirski
2017-Nov-02 08:37 UTC
[Samba] kerberos + winbind + AD authentication for samba 4 domain member
I'm using this rule, it works, but it's used the other way round. It means that principal "kacper_wirski@MYDOMAIN.COM" will match local user DOMAIN\kacper_wirski@MYDOMAIN.COM, BUT it doesn't work the other way round, so local user DOMAIN\kacper_wirski@MYDOMAIN.COM will not match "kacper_wirski@MYDOMAIN.COM".

I know that SSSD has a setting that allows matching kerberos principals to local users via a pattern, and it works both ways - maybe one day winbind will have a similar option :)

I am actually thinking of trying SSSD instead of winbind auth, as both methods are equally supported on rhel/centos, except that it might cause issues on the DC, since it's best to use either/or. Does anyone have experience and might shed some light: is running SSSD for user domain authorization on a samba 4 DC problematic?

Also after some thought, I realized that there is a workaround to have "everything" working with "winbind use default domain = no", and the short answer is "use credential delegation".

Scenario: in smb.conf I set "winbind use default domain = no".

kinit by default uses:
a) the principal from the cached ticket (if there is one)
b) the unix username (if there is no ticket)

So, if I turn on credential delegation: when I log into a windows machine, I automatically get my ticket, then I SSH with putty to the centos machine as DOMAIN\kacper_wirski. I log in passwordless (kerberos is used). THEN, because of credential delegation, I have my ticket simply forwarded, and kinit works perfectly, because by default it will use the principal from the cache rather than the posix username. Once I run "kdestroy", to obtain a new ticket on the centos box I will still have to type my full username, rather than just "kinit".

Without delegation, there is no ticket in the cache (nothing was forwarded), and centos can't obtain one automatically, because of the issue already explained before.

So there's that at least.

On 2017-11-01 at 23:24, L.P.H. van Belle via samba wrote:

> Maybe try something like this, don't know if it's right, I can't test it atm, and I never used it so..
> But in krb5.conf try to match the faulty one with a rule.
>
> auth_to_local = RULE:[1:SAMDOM:$1]
>
> Maybe it works, maybe not, but imo try-able ;-) , just an idea..
>
> Greetz,
>
> Louis
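As an added illustration (not code from this thread, from Samba or from MIT krb5), the Python below models the naming chain Rowland describes and the one-way mapping Kacper observes: the NSS login name winbind produces under 'winbind use default domain' and 'winbind separator', the principal a bare kinit derives from it (the single backslash dropped as an escape), the userPrincipalName comparison, and a minimal emulation of an auth_to_local 'RULE:[n:string]' entry. SAMDOM / SAMDOM.EXAMPLE.COM are constructed sample values taken from the thread's examples.

```python
import re

# Constructed sample values, not a real domain; they follow the
# SAMDOM / SAMDOM.EXAMPLE.COM names used in the thread.
DOMAIN, REALM = "SAMDOM", "SAMDOM.EXAMPLE.COM"


def winbind_login_name(sam_account, use_default_domain, separator="\\"):
    """POSIX name winbind hands back through NSS (what `whoami` prints).
    Models smb.conf 'winbind use default domain' and 'winbind separator'."""
    if use_default_domain:
        return sam_account
    return f"{DOMAIN}{separator}{sam_account}"


def kinit_default_principal(login_name, realm=REALM):
    """What a bare `kinit` requests: the NSS login name parsed as a
    Kerberos principal with the default realm appended. As in
    krb5_parse_name, a single backslash escapes the next character and
    is dropped, so a 'DOMAIN\\user' login name becomes 'DOMAINuser'."""
    if "@" in login_name:            # already a full principal, keep it
        return login_name
    name = re.sub(r"\\(.)", r"\1", login_name)
    return f"{name}@{realm}"


def matches_upn(principal, upn):
    """AD's KDC looks the client up by userPrincipalName and compares
    case-insensitively, which is why rowland@samdom.example.com
    satisfies a request for rowland@SAMDOM.EXAMPLE.COM."""
    p_user, p_realm = principal.split("@", 1)
    u_user, u_realm = upn.split("@", 1)
    return p_user.lower() == u_user.lower() and p_realm.lower() == u_realm.lower()


def auth_to_local(rule, principal):
    """Minimal emulation of an MIT krb5 auth_to_local 'RULE:[n:string]'
    entry (no regexp/sed part): maps a principal *to* a local name and
    returns None when the component count does not match. kinit never
    applies this mapping in the other direction, which is the one-way
    behaviour Kacper describes."""
    m = re.fullmatch(r"RULE:\[(\d+):([^\]]*)\]", rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    ncomp, fmt = int(m.group(1)), m.group(2)
    user, realm = principal.split("@", 1)
    comps = user.split("/")
    if len(comps) != ncomp:
        return None
    out = fmt.replace("$0", realm)        # $0 is the realm in MIT rules
    for i, comp in enumerate(comps, 1):   # $1.. are the name components
        out = out.replace(f"${i}", comp)
    return out
```

With 'winbind use default domain = no' the model yields SAMDOMrowland@SAMDOM.EXAMPLE.COM (backslash separator) or SAMDOM:rowland@SAMDOM.EXAMPLE.COM (':' separator), neither of which matches the UPN; with '= yes' it yields rowland@SAMDOM.EXAMPLE.COM, which does.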