Hi,
My name is Shyam Prasad. I work at Microsoft in the Azure Files team.
For the past few days, I've been working on getting the Azure Linux VMs to
join the AD domain in Azure, log in as domain users, and mount Azure file
shares over SMB3.
Most things work fine. Except that I need to perform a few Kerberos-related
tasks manually for the SMB3 mount to work with domain user credentials.
I did some debugging of the issue, and it looks like cifs.upcall (the
userspace helper program for cifs.ko) is unable to find the krb5 TGT for
the domain user in the cred-cache. If the cred-cache is missing, it looks
for it in the system krb5.keytab.
Since winbind is configured with kerberos method "secrets and keytab", I
would expect either the secrets.tdb or the krb5.keytab to have an entry for
the domain user lxsmbadmin. Even with the domain user already logged in
through ssh, I'm unable to find it in either of those places. The cred-cache
file is not created in the first place.
With the domain user already logged in through ssh, I expected that the
kerberos TGT would already have been retrieved and stored locally.
Where does winbind store its Kerberos tickets, so that I can point
cifs.upcall to look there for tickets instead?
The mount only works when I use kinit to populate the cred-cache with the
domain user.
Any help in troubleshooting this issue is appreciated.
Also, I'm interested to know how I can enable the debug logs in the
libkrb5 shared libraries that are built from the Samba source code. I don't
see the debug logs in that code being logged, even if the log level is set to
maximum in smb.conf.
Regards,
Shyam
======================================================
Details of my setup:
I'm using an Ubuntu 19.10 server VM.
I'm mounting as the local root user; however, I'm using a domain user's
credentials for mounting, using sec=krb5.
Below are my mount options:
vers=3.0,sec=krb5,credentials=/home/localadmin/.smb3credentials,serverino,noperm,nosharesock,mfsymlinks,uid=lxsmbadmin,gid='domain users'
The VM is already joined to the AD domain aaddomain.example.com using
winbind.
This is what my smb.conf looks like for winbind:
localadmin@lxsmb-canvm13:~$ cat /etc/samba/smb.conf
[global]
workgroup = AADDOMAIN
security = ADS
realm = AADDOMAIN.EXAMPLE.COM
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = Yes
load printers = No
printing = bsd
printcap name = /dev/null
disable spoolss = Yes
log file = /var/log/samba/log.%m
log level = 10
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config AADDOMAIN : backend = rid
idmap config AADDOMAIN : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
localadmin@lxsmb-canvm13:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = AADDOMAIN.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Initially, I tried to use the Ubuntu apt packages to install winbind and
related packages.
After going through a bit of code, I wanted to be able to print the debug
logs.
So I decided to install winbind from the latest source:
master branch on git://git.samba.org/samba.git
Here is the configure I used to build it:
./configure --with-systemd --bindir=/usr/bin --sbindir=/usr/sbin \
  --libdir=/usr/lib/x86_64-linux-gnu/samba --sysconfdir=/etc/samba \
  --localstatedir=/run/samba --includedir=/usr/include/ \
  --datadir=/usr/share/samba --mandir /usr/share/man --enable-debug \
  --enable-developer --systemd-install-services \
  --with-systemddir=/usr/lib/systemd/system \
  --with-privatedir=/var/lib/samba/private --with-systemd --with-pam
After tweaking a few config files here and there, I've now reached the same
state as when I was running winbind from Ubuntu packages.
I'm now able to ssh/su as the domain user to this system.
However, I do not see the cred-cache populated.
localadmin@lxsmb-canvm13:~/samba$ sudo klist
klist: No ticket file: /tmp/krb5cc_0
localadmin@lxsmb-canvm13:~/samba$ ls /tmp/krb*
ls: cannot access '/tmp/krb*': No such file or directory
After a bit of code reading of cifs.upcall, it looks to me like the
expectation is that the cred-cache would be populated for the domain user.
If the cred-cache is missing, it creates a new cred-cache from the keytab
at /etc/krb5.keytab.
So clearly, the expectation is that at least the keytab is already
populated.
The kerberos method that I've chosen in smb.conf is "secrets and
keytab".
So I expect either the secrets.tdb or the krb5.keytab to have an entry for
the domain user lxsmbadmin.
However, I do not see those entries in either of them:
localadmin@lxsmb-canvm13:~$ sudo tdbdump /var/lib/samba/private/secrets.tdb|grep -i lxsmbadmin
localadmin@lxsmb-canvm13:~$
localadmin@lxsmb-canvm13:~$ sudo ktutil list|grep -i lxsmbadmin
localadmin@lxsmb-canvm13:~$
With the domain user already logged in through ssh, I expected that the
kerberos TGT would already have been retrieved and stored locally.
Where would I find that?
Do note that if I populate the cred-cache manually with the kinit utility
like so:
localadmin@lxsmb-canvm13:~$ sudo kinit lxsmbadmin@aaddomain.example.com
lxsmbadmin@aaddomain.example.com's Password:
localadmin@lxsmb-canvm13:~$
The cred-cache does get populated and I'm then able to mount the file share
successfully.
With the log level set to 10 in smb.conf, the logging in /var/log/samba/ is
pretty verbose. I can share those if needed for further debugging.
=======================================================
> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Shyam Prasad N via samba
> Sent: Wednesday 1 April 2020 13:10
> To: samba-technical@lists.samba.org; samba@lists.samba.org
> CC: sribhat.msa@outlook.com
> Subject: [Samba] Missing domain user tickets with winbind
>
> [...]
>
> Most things work fine. Except that I need to perform a few Kerberos-related
> tasks manually for the SMB3 mount to work with domain user credentials.

For that to work, you need to add the CIFS/hostname.fqdn@REALM to the host
you're logging in to.
The COMPUTER$ should hold it.
Allow the computer to delegate the cifs service. ( or all )

Try that.

> [...]
On 01/04/2020 12:20, L.P.H. van Belle via samba wrote:
> For that to work, you need to add the CIFS/hostname.fqdn@REALM to the host
> you're logging in to.
> The COMPUTER$ should hold it.
> Allow the computer to delegate the cifs service. ( or all )

Thing is, the OP is trying to use a user's ticket to mount, but seems to be
doing it as root, which isn't going to work, mainly because 'root' will use
the root ticket /tmp/krb5cc_0. He needs to use the user's ticket, typically
/tmp/krb5cc_{user_id}

He is also setting a credentials file in his mount command; this should be
removed.

Also, are libnss-winbind, libpam-winbind and libpam-krb5 installed?

I would also point him to your repo: http://apt.van-belle.nl/
This would save him having to compile Samba himself.

Finally, I would suggest he installs libpam-mount; this will do all the
heavy lifting for him.

Rowland
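Added example, written for this thread rather than posted by any of its participants: it shows which credential cache a sec=krb5 CIFS mount run by root actually consults (the /tmp/krb5cc_0 that klist reported versus the user's /tmp/krb5cc_<uid> that Rowland points to), checks whether that cache holds a usable TGT, and rewrites the poster's mount options to drop the credentials= file. It assumes the MIT default FILE ccache layout seen in the thread, a constructed uid of 10001 from the poster's rid range, and uses cruid=, a real mount.cifs option that the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes MIT krb5's default
# FILE:/tmp/krb5cc_<uid> cache layout, as 'klist' showed for root above.

# Default credential cache for a numeric uid. Root gets /tmp/krb5cc_0, which
# is why 'sudo klist' found nothing even after a domain-user ssh login.
default_ccache() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# Exit 0 if the cache holds unexpired tickets, 1 if it is missing or expired,
# 2 if klist is not installed. 'klist -s' prints nothing and only sets status.
ccache_has_tgt() {
    command -v klist >/dev/null 2>&1 || return 2
    KRB5CCNAME="FILE:$1" klist -s 2>/dev/null
}

# Rewrite a comma-separated mount option string for a mount that root performs
# on a domain user's behalf: drop credentials= (a password file plays no part
# in sec=krb5, and Rowland asks for it to be removed) and append cruid=<uid>
# so cifs.upcall looks in that user's credential cache instead of root's.
# cruid= is a real mount.cifs option; using it here is this example's choice.
rewrite_opts() {
    opts=$1 uid=$2 out=""
    oldifs=$IFS
    IFS=','                 # split on commas only; 'domain users' keeps its space
    for o in $opts; do
        case $o in
            credentials=*|cruid=*) continue ;;
        esac
        out="${out:+$out,}$o"
    done
    IFS=$oldifs
    printf '%s,cruid=%s\n' "$out" "$uid"
}

# Constructed from the poster's mount options (shell quotes around the gid removed).
OP_OPTS='vers=3.0,sec=krb5,credentials=/home/localadmin/.smb3credentials,serverino,noperm,nosharesock,mfsymlinks,uid=lxsmbadmin,gid=domain users'

# Usage: sh check_krb5_mount.sh <domain-user>
# Reports whether the user's cache has a TGT and prints the rewritten mount line.
if [ $# -gt 0 ]; then
    uid=$(id -u "$1") || exit 1
    cc=$(default_ccache "$uid")
    ccache_has_tgt "$cc" && echo "TGT present in $cc" || echo "no usable TGT in $cc (rc=$?)"
    echo "mount -t cifs //server/share /mnt -o '$(rewrite_opts "$OP_OPTS" "$uid")'"
fi
```

If the user logged in over ssh but the report says no TGT is present, PAM is not obtaining or storing a ticket at login, which is the libpam-winbind / libpam-krb5 question Rowland raises.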