Hi friends,
I have a one way outgoing trust between SAMBA trusting domain and AD trusted domain.
SSH Authentication of a user belonging to the SAMBA domain works properly on a Linux computer which is a member of SAMBA domain.
I would like to authenticate a trusted user from the AD domain on the same Linux computer with SSH. Currently it doesn't work.
I am able to authenticate trusted accounts with wbinfo and kinit. I followed guides:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
What did I miss? What additional diagnostics can I make? How to make a step forward?

Samba 4.11

DC:
d@*us-smdc3*:~$ cat /etc/samba/smb.conf
# Global parameters
[global]
        dns forwarder = 10.0.1.2 # trusted ad dc
        netbios name = US-SMDC3
        realm = SVITLA3.ROOM
        server role = active directory domain controller
        workgroup = SVITLA3
        idmap_ldb:use rfc2307 = yes
        log level = 1
        ldap server require strong auth = no

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/svitla3.room/scripts
        read only = No

Member:
d@*uc-smlbox20*:~$ cat /etc/samba/smb.conf
[global]
    workgroup = SVITLA3
    security = ADS
    realm = SVITLA3.ROOM

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes

    winbind enum users = yes
    winbind enum groups = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log file = /var/log/samba/%m.log
    log level = 3

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config SVITLA3:backend = ad
    idmap config SVITLA3:schema_mode = rfc2307
    idmap config SVITLA3:range = 20000-29999
    idmap config SVITLA3:unix_nss_info = yes

    idmap config APEX:backend = ad
    idmap config APEX:schema_mode = rfc2307
    idmap config APEX:range = 10000-19999
    idmap config APEX:unix_nss_info = yes

    vfs objects = acl_xattr
    map acl inherit = yes

Thanks,
Jake R
What you need is to add the windows group in ssh to allowedgroups
And give that windows group a GID.

You "can't" add a linux user into the windows group, but you can add a windows user (if it has UID/GID) into the linux group.
I separated that, so there is always ssh access available.

I use the following:
AllowGroups lin-allow-ssh win-allow-ssh

Windows users in win-allow-ssh
Linux users in lin-allow-ssh (in my case only Linux admins)

The windows group: every windows user you want to give access to the server.

And did you enable kerberos auth in sshd?
# GSSAPI options
GSSAPIAuthentication yes
GSSAPIKeyExchange yes

Should be sufficient.
Now, if you followed Stephan's guide, and if I would make a guess.

Is nsswitch configured? /etc/nsswitch.conf?

I'm also assuming you're using ubuntu or debian, if so,
running this gives us all we need.

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Anonymize where needed.
Don't send the attachments to the list, that will be stripped off.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Yakov Revyakin via samba
> Sent: Monday 13 July 2020 16:04
> To: samba@lists.samba.org
> Subject: [Samba] Authentication with trusted credentials
Some more details.
Below is what I have during joining Linux (Ubuntu 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is trusted.
SVITLA3 has *administrator* and *test01* users, APEX has *administrator* and *jake* users.
test01 - 20000:20000 (uidNumber:gidNumber)
jake - 10000:10000
You can see some delay in some places - I marked them bold. It looks like DNS timeouts.
The svitla3.room smb config includes DNS Forwarder pointing to apex.corp DNS. apex.corp DNS has conditional forwarding to the svitla3.room domain.

d@uc-smlbox20:~$ host -t A apex.corp
apex.corp has address 10.0.1.2
d@uc-smlbox20:~$ host -t A svitla3.room
svitla3.room has address 10.0.0.6
d@uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
_ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
_kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
d@uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
_ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
_kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.

d@*uc-smlbox20*:~$ sudo net ads join -U administrator@SVITLA3.ROOM
Enter administrator@SVITLA3.ROOM's password:
Using short domain name -- SVITLA3
Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
*No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.*
*DNS update failed: NT_STATUS_INVALID_PARAMETER*
*## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box*
*## nslookup recognises the computer in forward and reverse lookups*

d@uc-smlbox20:~$ sudo net ads testjoin
Join is OK

d@uc-smlbox20:~$ wbinfo --online-status
BUILTIN : active connection
UC-SMLBOX20 : active connection
SVITLA3 : active connection
*APEX : no active connection*

d@uc-smlbox20:~$ sudo net rpc trustdom list -U administrator@SVITLA3.ROOM
*-- For first time there is delay about 10s*
Enter administrator@SVITLA3.ROOM's password:
Trusted domains list:
APEX                 S-1-5-21-4020559381-3467740180-2426716988
Trusting domains list:
*none*

d@uc-smlbox20:~$ kinit administrator@SVITLA3.ROOM
Password for administrator@SVITLA3.ROOM:
Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50 AM UTC
d@uc-smlbox20:~$ kinit test01@SVITLA3.ROOM
Password for test01@SVITLA3.ROOM:
d@uc-smlbox20:~$ kinit administrator@APEX.CORP
Password for administrator@APEX.CORP:
d@uc-smlbox20:~$ kinit jake@APEX.CORP
Password for jake@APEX.CORP:

d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
Enter SVITLA3\administrator's password:
plaintext password authentication succeeded
Enter SVITLA3\administrator's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
Enter SVITLA3\test01's password:
plaintext password authentication succeeded
Enter SVITLA3\test01's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
Enter APEX\administrator's password:
plaintext password authentication succeeded
Enter APEX\administrator's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
Enter APEX\jake's password:
plaintext password authentication succeeded
Enter APEX\jake's password:
challenge/response password authentication succeeded

d@uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n APEX\\administrator
S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n APEX\\jake
S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)

d@uc-smlbox20:~$ getent passwd SVITLA3\\test01
test01:*:20000:20000:test01:/home/test01:/bin/bash
d@uc-smlbox20:~$ getent passwd APEX\\jake
*-- DELAY about 10s, No result*
d@uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
domain users:x:20000:
d@uc-smlbox20:~$ getent group "APEX\\Domain Users"
*-- DELAY about 10s, No result*

d@uc-smlbox20:~$ cat /etc/nsswitch.conf
# passwd:         files systemd
# group:          files systemd
shadow:         files
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
*passwd: compat winbind*
*group:  compat winbind*
*#passwd: files winbind*
*#group:  files winbind*

If I use default sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
I have:
d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
SVITLA3\test01@uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
d@uc-smlbox20:~$ ssh APEX\\jake@uc-smlbox20.svitla3.room
APEX\jake@uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

If I modify sshd_config
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
AllowGroups "SVITLA3\\Domain Users"
I even can't login with trusting credentials:
d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
SVITLA3\test01@uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <samba@lists.samba.org> wrote:
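Why the `AllowGroups "SVITLA3\\Domain Users"` line above locks test01 out while APEX\jake is refused for a different reason, and how Louis' two-group layout behaves, modelled as an added example (my code, not from the thread, Samba or OpenSSH): sshd compares AllowGroups patterns against the group names NSS returns, and the `getent group` output above shows that name is the bare lower-case `domain users`. The getent snapshots, the ladmin account and the lin-allow-ssh/win-allow-ssh memberships are constructed.

```python
import fnmatch
import shlex
from typing import Dict, List, Optional, Sequence

# Constructed NSS snapshots in getent format. The "domain users" line is the one
# the thread shows: with `winbind use default domain = yes` winbind hands NSS the
# bare lower-case name, not "SVITLA3\Domain Users". ladmin and the two
# *-allow-ssh groups are made up to mirror Louis' setup; APEX\jake deliberately
# has no passwd line, as in the thread where getent returned nothing for him.
GETENT_PASSWD = """\
test01:*:20000:20000:test01:/home/test01:/bin/bash
ladmin:x:1001:1001::/home/ladmin:/bin/bash
"""
GETENT_GROUP = """\
domain users:x:20000:
ladmin:x:1001:
lin-allow-ssh:x:1002:ladmin
win-allow-ssh:x:20050:test01
"""


def parse_allow_groups(sshd_config: str) -> List[str]:
    """Collect AllowGroups patterns. sshd_config arguments may be double-quoted
    to contain spaces; shlex applies the same quoting rules here."""
    patterns: List[str] = []
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0].lower() == "allowgroups":
            patterns.extend(tokens[1:])
    return patterns


def user_groups(user: str) -> Optional[List[str]]:
    """Primary plus supplementary group names for `user`, or None when NSS has
    no passwd entry: sshd then rejects the login before any group check."""
    passwd = {f[0]: f for f in (ln.split(":") for ln in GETENT_PASSWD.splitlines()) if f[0]}
    if user not in passwd:
        return None
    primary_gid = passwd[user][3]
    names: List[str] = []
    for line in GETENT_GROUP.splitlines():
        if not line:
            continue
        name, _pw, gid, members = line.split(":")
        if gid == primary_gid or user in members.split(","):
            names.append(name)
    return names


def allowed_by_groups(user: str, patterns: Sequence[str]) -> bool:
    """sshd semantics: once AllowGroups is set, at least one of the user's group
    names must match one pattern (case-sensitive, * and ? wildcards)."""
    groups = user_groups(user)
    if groups is None:
        return False
    if not patterns:
        return True
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def evaluate(sshd_config: str, users: Sequence[str] = ("test01", "ladmin", "jake")) -> Dict[str, bool]:
    patterns = parse_allow_groups(sshd_config)
    return {u: allowed_by_groups(u, patterns) for u in users}


# As posted in the thread: the pattern keeps the domain prefix and the capitals,
# so it never equals the "domain users" name NSS returns -> everyone is denied.
THREAD_CONFIG = r'AllowGroups "SVITLA3\\Domain Users"'
# The name NSS actually returns, quoted because it contains a space.
FIXED_CONFIG = 'AllowGroups "domain users"'
# Louis' approach: one Linux group and one Windows group, both by bare name.
LOUIS_CONFIG = "AllowGroups lin-allow-ssh win-allow-ssh"

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("fixed", FIXED_CONFIG), ("louis", LOUIS_CONFIG)):
        print(f"{label:>6}: {evaluate(cfg)}")
```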
Hai,

Sorry for the late(r) reply but we all need to sleep also sometimes. ;-)
Note, I saw it's fixed, but I'll comment a bit through your replies, mainly because of this part:

(Sent: Monday 13 July 2020 18:51)
> net ads join -U administrator@SVITLA3.ROOM
> Enter administrator@SVITLA3.ROOM's password:
> Using short domain name -- SVITLA3
> Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
> No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER
> ## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box
> ## nslookup recognises the computer in forward and reverse lookups

This often points to an incorrect resolving setup. I advise to look up and verify /etc/hosts and /etc/resolv.conf.
Make sure the first resolver in resolv.conf is pointing to the AD-DC.
The other checks you did look good, but do verify it.

Change /etc/nsswitch.conf to (optional: switch order winbind systemd)
passwd: compat winbind systemd
group:  compat winbind systemd

Why I say you can switch the order here: it depends on how you use the server, just test this, time running processes and see what fits your needs the best.

Sent: Tuesday 14 July 2020 1:16
> but users from trusted domain were able to authenticate only after I changed it from the default value (IIRC 'secrets') to 'secrets and keytab'.

Yes, for the ssh login, how does SSHD know the UPN/SPN when it's in secrets.tdb? I'm not a kerberos expert, I leave that to one of the samba devs, but as far as I know, if you have any service that uses UPN/SPNs we need /etc/krb5.keytab.
I hope this explains it a bit, if not, maybe Rowland knows more here, or we can ask it @Alexander if you want.

Greetz,

Louis

From: Yakov Revyakin [mailto:yrevyakin@gmail.com]
Sent: Monday 13 July 2020 18:51
To: L.P.H. van Belle
CC: samba@lists.samba.org
Subject: Re: [Samba] Authentication with trusted credentials

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba