> > > ............
> > >
> > > > You can, provided you have a user.map in smb.conf
> > >
> > > Oops, ah yes, forgot that, because he was testing on the DC.
> > > And DCs don't use the user.mapping.
> > > Thanks for the correction.
> >
> > With regard to tdb ipmap, I set this parameter on domain member.
> > Domain controller has no such parameter set.
>
> Yes, but just setting this isn't a supported method, you need to also
> set an 'idmap config' block for the domain, this isn't optional.
> The actual winbind backend you use is up to you, but the two most
> popular are the 'ad' and the 'rid'. The former requires adding
> uidNumber & gidNumber attributes to AD, but would give you the same IDs
> everywhere (plus all the other rfc2307 attributes). The latter doesn't
> require anything adding to AD, but you will only get the same IDs on
> Unix domain members, the DCs will have totally different ID numbers and
> they can (and probably will) be different between DCs, you will also
> have to use template shell & homedir lines in smb.conf
I actually spent the entire last day getting 'ad' backend to work.
Adding 'idmap config SAMDOM : backend = ad' and related lines in the
client's smb.conf results in `getent passwd` showing only local users. When
I remove the 'backend = ad' block from smb.conf, the `getent passwd`
starts showing the AD users as well, and I can also su and ssh (with password)
using those AD users. On a related note, as far as I can remember, I provided
the `use-rfc2307` parameter to samba-tool when I provisioned the domain.
On the DC, I tried adding multiple groups with different --gid-number and also
tried adding users with various --uid-number and --gid-number. I followed the
instructions at [1] to add unix users and groups, but still the domain members
were unable to enumerate the domain users using `getent passwd`. After spending
the entire last day trying to troubleshoot/resolve the 'backend = ad'
issue, I settled on removing the 'ad' block from clients. Without the
'ad' block, things are looking better, with the only issue being that I
am unable to ssh using kerberos ticket; hence this mail.
[1]
https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools#Creating_a_Unix_user_with_samba-tool
Regards,
Harp
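As an added illustration (not taken from this thread), here is a domain member's smb.conf showing the 'ad' layout the reply above describes, with the 'rid' alternative commented out; SAMDOM, the realm and the ID ranges are assumed placeholders.

```ini
# Added example, not from the thread: the two idmap layouts contrasted above,
# for a *domain member's* smb.conf (DCs do not use these blocks).
# SAMDOM, the realm and the ranges are placeholders; adjust them to the site.
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS

    # The default ('*') block is required in every layout; it covers BUILTIN
    # and any domain that has no block of its own.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option A: 'ad' backend. IDs come from the uidNumber/gidNumber attributes
    # in AD (shell and home directory from loginShell/unixHomeDirectory when
    # unix_nss_info = yes). Winbind only shows a user whose uidNumber exists
    # AND lies inside this range, and whose primary group has a gidNumber in
    # range as well; anything else silently disappears from getent/wbinfo.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes

    # Option B: 'rid' backend (use either A or B for a domain, never both).
    # Nothing is added to AD; IDs are computed from the RID, so they only
    # match across members that share this range, and the template lines
    # must supply the shell and home directory since AD does not.
    ;idmap config SAMDOM : backend = rid
    ;idmap config SAMDOM : range = 10000-999999
    ;template shell = /bin/bash
    ;template homedir = /home/%U

    winbind use default domain = yes
```

To check a single mapping without depending on enumeration, resolve one account by name with `wbinfo -i SAMDOM\\username` and `getent passwd SAMDOM\\username`; a user that `wbinfo -u` lists but `wbinfo -i` cannot map usually has a missing or out-of-range uidNumber or primary-group gidNumber.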
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba