samba - Jan 2019 - SSH SSO without keytab file

Hai, 
> -----Oorspronkelijk bericht-----
> Van: Harpoon [mailto:harp00n at protonmail.com] 
> Verzonden: vrijdag 18 januari 2019 9:24
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] SSH SSO without keytab file
> 
> Thanks for the prompt reply!
Your welkom. 
> 
> > I did see that you are using Administrator, and thats the problem.
> 
> > Administrator is mapped to root ( most of the time ),
> > if you assigned Administrator UID = 0 then you have a 
> problem, because only root = uid 0.
> >
> > Never ever give Administrator a UID/GID
> I am using tdb backend. It mapped administrator account to 12000:10000.
No no no.. as said, never ever assign administrator a UID/GID. 
Now your administrator != root anymore and you cannt manage the server correctly
anymore as user Administrator.
You cant use the TDB backend for a domain member only, you MUST choose to set AD
or RID backend.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba
See: Choose backend for id mapping in winbindd
> 
> > So try again with a normal user, that does have a UID/GID.
> 
> I tried testing with normal users too whose UID/GID was 
> mapped by tdb in ~10000 range. It produced the same problem.
> 
> > If that does not work, please share these, because this 
> should work fine.
> > /etc/samba/smb.conf
> > /etc/krb5.conf
> > /etc/ssh/sshd_config
> 
> Please find these conf files here:
> 
> -----------------------------
> DC's /etc/samba/smb.conf
> -----------------------------
> [global]
>         netbios name = DC1
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         dns forwarder = 10.0.5.200
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         template shell = /bin/bash
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.example.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
Looks good, except, you dont need : 
winbind enum users = yes
winbind enum groups = yes

For testing fine, but when done testing set these 2 to no. 
These only slowdown you server. 

> --------------------------------
> Client's /etc/samba/smb.conf
> --------------------------------
> [global]
>         netbios name = client1
>         realm = SAMDOM.EXAMPLE.COM
>         workgroup = SAMDOM
>         security = ADS
>         kerberos method = secrets and keytab
>         winbind trusted domains only = no
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>         winbind nss info = rfc2307
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 10000-200000
This config is incomplete. 
( and same for the winbind enum set these to no. ) 

My suggested change 


	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab

	# Renew the kerberos tickets
	winbind refresh tickets = yes

	# Enable offline logins
	winbind offline logon = yes


	# With default domain set to yes, wbinfo -u shows username only, not
SAMBADOM\username.
	winbind use default domain = yes

      idmap config * : backend = tdb
      idmap config * : range =  3000-7999

	# https://wiki.samba.org/index.php/Idmap_config_ad 
	# ( based on >         winbind nss info = rfc2307 in you config. ) 
	idmap config SAMDOM : backend = ad
	idmap config SAMDOM : range = 10000-200000

	# Optional, use these, but since you set AD backend you can set this from cli. 
	# Template settings for login shell and home directory
	#	template shell = /bin/bash
	#	template homedir = /home/%U
	# mk_homedir might be needed, this depends on you needs/setup. 
> 
> -------------------------------
> /etc/ssh/sshd_config (Running on DC)
> -------------------------------
> PubkeyAuthentication no
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> X11Forwarding yes
> PrintMotd no
> AcceptEnv LANG LC_*
> Subsystem       sftp    /usr/lib/openssh/sftp-server
> KerberosAuthentication yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UseDNS yes
> PermitRootLogin yes
> UsePAM no
> 
Looks fine. 
> -------------------------------
> /etc/ssh/ssh_config (Client SSH config)
> -------------------------------
> 
> Host *
>     SendEnv LANG LC_*
>     HashKnownHosts yes
>     GSSAPIAuthentication yes
>     GSSAPIDelegateCredentials yes
Looks fine. 
> 
> --------------------------------------
> /etc/krb5.conf (Same of DC and clients)
> --------------------------------------
> 
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
Looks fine.  


> Thanks for your help!
Greetz, 

Louis

On Fri, 18 Jan 2019 09:44:27 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai, 
> 
> > -----Oorspronkelijk bericht-----
> > Van: Harpoon [mailto:harp00n at protonmail.com] 
> > Verzonden: vrijdag 18 januari 2019 9:24
> > Aan: L.P.H. van Belle
> > CC: samba at lists.samba.org
> > Onderwerp: Re: [Samba] SSH SSO without keytab file
> > 
> > Thanks for the prompt reply!
> Your welkom. 
> 
> > 
> > > I did see that you are using Administrator, and thats the
problem.
> > 
> > > Administrator is mapped to root ( most of the time ),
> > > if you assigned Administrator UID = 0 then you have a 
> > problem, because only root = uid 0.
> > >
> > > Never ever give Administrator a UID/GID
> 
> > I am using tdb backend. It mapped administrator account to
> > 12000:10000.
> No no no.. as said, never ever assign administrator a UID/GID. 
He isn't, his borked smb.conf is and it also happens if you use the
'rid' backend:

adminuser at Computer4:~$ getent passwd Administrator
administrator:*:10500:10513::/home/administrator:/bin/bash
> Now your administrator != root anymore and you cannt manage the
> server correctly anymore as user Administrator.
You can, provided you have a user.map in smb.conf

Rowland

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: vrijdag 18 januari 2019 10:07
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] SSH SSO without keytab file
> 
............
> 
> You can, provided you have a user.map in smb.conf
Oeps, Ah yes, forgot that, because he was testing on the DC. 
And DC's dont use the user.mapping. 


Thanks for the correction.  

Greetz, 

Louis

> ............
>
> > You can, provided you have a user.map in smb.conf
>
> Oeps, Ah yes, forgot that, because he was testing on the DC.
> And DC's dont use the user.mapping.
>
> Thanks for the correction.
With regard to tdb ipmap, I set this parameter on domain member. Domain
controller has no such parameter set.

I'll look into the other useful suggestions you provided about the config
files.

Regards.

> I suggest also you read this :
On it!
Regard,
Harp
>
> > -----Oorspronkelijk bericht-----
> > Van: Harpoon [mailto:harp00n at protonmail.com]
> > Verzonden: vrijdag 18 januari 2019 10:15
> > Aan: L.P.H. van Belle
> > CC: samba at lists.samba.org
> > Onderwerp: Re: [Samba] SSH SSO without keytab file
> >
> > > ............
> > >
> > > > You can, provided you have a user.map in smb.conf
> > >
> > > Oeps, Ah yes, forgot that, because he was testing on the DC.
> > > And DC's dont use the user.mapping.
> > > Thanks for the correction.
> >
> > With regard to tdb ipmap, I set this parameter on domain
> > member. Domain controller has no such parameter set.
> > I'll look into the other useful suggestions you provided
> > about the config files.
> > Regards.