Some more details. Below is what I have while joining Linux (Ubuntu 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is trusted.
SVITLA3 has *administrator* and *test01* users, APEX has *administrator* and *jake* users.
test01 - 20000:20000 (uidNumber:gidNumber)
jake - 10000:10000

You can see some delay in some places - I marked them bold. It looks like DNS timeouts.
The svitla3.room smb config includes a DNS forwarder pointing to the apex.corp DNS.
The apex.corp DNS has conditional forwarding to the svitla3.room domain.

d@uc-smlbox20:~$ host -t A apex.corp
apex.corp has address 10.0.1.2
d@uc-smlbox20:~$ host -t A svitla3.room
svitla3.room has address 10.0.0.6
d@uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
_ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
_kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
d@uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
_ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
_kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.

d@*uc-smlbox20*:~$ sudo net ads join -U administrator@SVITLA3.ROOM
Enter administrator@SVITLA3.ROOM's password:
Using short domain name -- SVITLA3
Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
*No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.*
*DNS update failed: NT_STATUS_INVALID_PARAMETER*

*## After that I added A and PTR records manually for uc-smlbox20.svitla3.room (Linux box)*
*## nslookup recognises the computer in forward and reverse lookups*

d@uc-smlbox20:~$ sudo net ads testjoin
Join is OK

d@uc-smlbox20:~$ wbinfo --online-status
BUILTIN : active connection
UC-SMLBOX20 : active connection
SVITLA3 : active connection
*APEX : no active connection*

d@uc-smlbox20:~$ sudo net rpc trustdom list -U administrator@SVITLA3.ROOM
*-- The first time there is a delay of about 10s*
Enter administrator@SVITLA3.ROOM's password:
Trusted domains list:

APEX S-1-5-21-4020559381-3467740180-2426716988

Trusting domains list:

*none*

d@uc-smlbox20:~$ kinit administrator@SVITLA3.ROOM
Password for administrator@SVITLA3.ROOM:
Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50 AM UTC
d@uc-smlbox20:~$ kinit test01@SVITLA3.ROOM
Password for test01@SVITLA3.ROOM:
d@uc-smlbox20:~$ kinit administrator@APEX.CORP
Password for administrator@APEX.CORP:
d@uc-smlbox20:~$ kinit jake@APEX.CORP
Password for jake@APEX.CORP:

d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
Enter SVITLA3\administrator's password:
plaintext password authentication succeeded
Enter SVITLA3\administrator's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
Enter SVITLA3\test01's password:
plaintext password authentication succeeded
Enter SVITLA3\test01's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
Enter APEX\administrator's password:
plaintext password authentication succeeded
Enter APEX\administrator's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
Enter APEX\jake's password:
plaintext password authentication succeeded
Enter APEX\jake's password:
challenge/response password authentication succeeded

d@uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n APEX\\administrator
S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n APEX\\jake
S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)

d@uc-smlbox20:~$ getent passwd SVITLA3\\test01
test01:*:20000:20000:test01:/home/test01:/bin/bash
d@uc-smlbox20:~$ getent passwd APEX\\jake
*-- DELAY about 10s, no result*
d@uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
domain users:x:20000:
d@uc-smlbox20:~$ getent group "APEX\\Domain Users"
*-- DELAY about 10s, no result*

d@uc-smlbox20:~$ cat /etc/nsswitch.conf
# passwd: files systemd
# group: files systemd
shadow: files
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

*passwd: compat winbind*
*group: compat winbind*

*#passwd: files winbind*
*#group: files winbind*

If I use the default sshd_config

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

I have:

d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
SVITLA3\test01@uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
d@uc-smlbox20:~$ ssh APEX\\jake@uc-smlbox20.svitla3.room
APEX\jake@uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

If I modify sshd_config

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
AllowGroups "SVITLA3\\Domain Users"

I can't even log in with trusting credentials:

d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
SVITLA3\test01@uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
> What you need is to add the Windows group in ssh to AllowGroups
> and give that Windows group a GID.
>
> You "can't" add a Linux user into the Windows group, but you can add a
> Windows user (if it has a UID/GID) into the Linux group.
> I separated that, so there is always ssh access available.
>
> I use the following:
> AllowGroups lin-allow-ssh win-allow-ssh
>
> Windows users in win-allow-ssh
> Linux users in lin-allow-ssh (in my case only Linux admins)
>
> The Windows group: every Windows user you want to give access to the server.
>
> And did you enable Kerberos auth in sshd?
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
>
> Should be sufficient.
> Now, if you followed Stephan's guide, and if I would make a guess:
>
> Is nsswitch configured? /etc/nsswitch.conf?
>
> I'm also assuming you're using Ubuntu or Debian; if so,
> running this gives us all we need.
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Anonymize where needed.
> Don't send the attachments to the list, they will be stripped off.
>
>
> Greetz,
>
> Louis
>
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Yakov Revyakin via samba
> > Sent: Monday 13 July 2020 16:04
> > To: samba at lists.samba.org
> > Subject: [Samba] Authentication with trusted credentials
> >
> > Hi friends,
> > I have a one-way outgoing trust between a SAMBA trusting domain and an AD
> > trusted domain.
> > SSH authentication of a user belonging to the SAMBA domain works properly
> > on a Linux computer which is a member of the SAMBA domain.
> > I would like to authenticate a trusted user from the AD domain on the same
> > Linux computer with SSH. Currently it doesn't work.
> > I am able to authenticate trusted accounts with wbinfo and kinit. I
> > followed guides:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
> > What did I miss? What additional diagnostics can I make? How to make a step
> > forward?
> >
> > Samba 4.11
> >
> > DC:
> > d@*us-smdc3*:~$ cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >         dns forwarder = 10.0.1.2 # trusted ad dc
> >         netbios name = US-SMDC3
> >         realm = SVITLA3.ROOM
> >         server role = active directory domain controller
> >         workgroup = SVITLA3
> >         idmap_ldb:use rfc2307 = yes
> >         log level = 1
> >         ldap server require strong auth = no
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/svitla3.room/scripts
> >         read only = No
> >
> > Member:
> > d@*uc-smlbox20*:~$ cat /etc/samba/smb.conf
> > [global]
> >         workgroup = SVITLA3
> >         security = ADS
> >         realm = SVITLA3.ROOM
> >
> >         winbind refresh tickets = Yes
> >         vfs objects = acl_xattr
> >         map acl inherit = Yes
> >         store dos attributes = Yes
> >
> >         dedicated keytab file = /etc/krb5.keytab
> >         kerberos method = secrets and keytab
> >
> >         winbind use default domain = yes
> >
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >
> >         load printers = no
> >         printing = bsd
> >         printcap name = /dev/null
> >         disable spoolss = yes
> >
> >         log file = /var/log/samba/%m.log
> >         log level = 3
> >
> >         idmap config * : backend = tdb
> >         idmap config * : range = 3000-7999
> >
> >         idmap config SVITLA3:backend = ad
> >         idmap config SVITLA3:schema_mode = rfc2307
> >         idmap config SVITLA3:range = 20000-29999
> >         idmap config SVITLA3:unix_nss_info = yes
> >
> >         idmap config APEX:backend = ad
> >         idmap config APEX:schema_mode = rfc2307
> >         idmap config APEX:range = 10000-19999
> >         idmap config APEX:unix_nss_info = yes
> >
> >         vfs objects = acl_xattr
> >         map acl inherit = yes
> >
> > Thanks,
> > Jake R
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
Louis, could you take a look at my case again?
I am not sure that the problem is in incorrect groups.
Only trusted credentials don't work. Have you any idea what the reason is?

On Mon, 13 Jul 2020 at 19:50, Yakov Revyakin <yrevyakin at gmail.com> wrote:
> Some more details. Below is what I have while joining Linux (Ubuntu 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is trusted.
> [...]
When I was trying to get the users from trusted domains to authenticate on the host I had to change "kerberos method" in smb.conf. I don't fully understand why, but users from the trusted domain were able to authenticate only after I changed it from the default value (IIRC 'secrets') to 'secrets and keytab'.

On Monday, 13 July 2020 12:01:59 PDT Yakov Revyakin via samba wrote:
> Louis, could you take a look at my case again?
> I am not sure that the problem is in incorrect groups.
> Only trusted credentials don't work. Have you any idea what the reason is?
>
> On Mon, 13 Jul 2020 at 19:50, Yakov Revyakin <yrevyakin at gmail.com> wrote:
> > [...]
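The thread turns on four member-server settings: non-overlapping idmap ranges per domain in smb.conf, winbind listed for passwd and group in nsswitch.conf, GSSAPI enabled in sshd_config (Louis's reply), and "kerberos method = secrets and keytab" (the last reply; the member smb.conf quoted in the thread already has it). The script below is an added example, not code from the thread, the Samba project or OpenSSH: it checks those settings offline against constructed sample files, and only calls wbinfo when it is installed, since a domain reported as "no active connection" is what the 10-second getent delays above look like. File names under $TMP, function names and the sample contents are all assumptions made for the example.

```shell
# Added example (not from the thread): offline sanity checks for the member-server
# settings the thread turns on. Every input file is a constructed sample modelled
# on the smb.conf, nsswitch.conf and sshd_config quoted above.
TMP="${TMPDIR:-/tmp}/trust-check.$$"
mkdir -p "$TMP"

# Constructed smb.conf with the thread's idmap layout (ranges do not overlap).
cat > "$TMP/smb.conf" <<'EOF'
[global]
   workgroup = SVITLA3
   security = ADS
   realm = SVITLA3.ROOM
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SVITLA3:backend = ad
   idmap config SVITLA3:range = 20000-29999
   idmap config APEX:backend = ad
   idmap config APEX:range = 10000-19999
EOF
# Constructed broken variant: the APEX range collides with the default "*" range.
printf '[global]\n idmap config * : range = 3000-7999\n idmap config SVITLA3:range = 20000-29999\n idmap config APEX:range = 5000-19999\n' > "$TMP/smb-overlap.conf"
# Constructed nsswitch.conf pair (winbind consulted / not consulted) and an sshd_config
# with Kerberos enabled plus the two-group AllowGroups from Louis's reply.
printf 'passwd: compat winbind\ngroup:  compat winbind\nhosts:  files dns\n' > "$TMP/nsswitch.conf"
printf '#passwd: files winbind\npasswd: files systemd\ngroup:  files systemd\n' > "$TMP/nsswitch-bad.conf"
printf 'GSSAPIAuthentication yes\nGSSAPIKeyExchange yes\nAllowGroups lin-allow-ssh win-allow-ssh\n' > "$TMP/sshd_config"

# Print "DOMAIN LOW HIGH" for every idmap range, accepting both the
# "idmap config X:range" and "idmap config X : range" spellings seen in the thread.
idmap_ranges() {
    awk -F= '$1 ~ /^[ \t]*idmap config .*range[ \t]*$/ {
        dom = $1
        sub(/^[ \t]*idmap config[ \t]*/, "", dom)
        sub(/[ \t]*:[ \t]*range[ \t]*$/, "", dom)
        split($2, r, "-"); gsub(/[ \t]/, "", r[1]); gsub(/[ \t]/, "", r[2])
        print dom, r[1], r[2]
    }' "$1"
}

# Return 0 when no two idmap ranges overlap; otherwise print each clash and return 1.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { d[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", d[i], lo[i], hi[i], d[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Return 0 when "kerberos method = secrets and keytab" is set (what the last reply needed).
check_kerberos_method() {
    grep -Eiq '^[[:space:]]*kerberos method[[:space:]]*=[[:space:]]*secrets and keytab' "$1" \
        || { echo "smb.conf: kerberos method is not 'secrets and keytab'"; return 1; }
}

# Return 0 when both the passwd and group databases consult winbind (comment lines ignored).
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$1" \
            || { echo "nsswitch: $db does not list winbind"; return 1; }
    done
}

# Return 0 when sshd has an uncommented "GSSAPIAuthentication yes".
check_sshd_gssapi() {
    grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' "$1" \
        || { echo "sshd_config: GSSAPIAuthentication is not enabled"; return 1; }
}

# Live check, run only where winbind is installed: a domain shown as
# "no active connection" (APEX in the thread) is why its lookups time out.
check_winbind_online() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found, skipping live check"; return 0; }
    if wbinfo --online-status | grep -q 'no active connection'; then
        echo "winbind: offline domain(s):"; wbinfo --online-status | grep 'no active connection'
        return 1
    fi
}

# Run every check; exit status 1 if any of them failed.
run_all() {
    rc=0
    check_idmap_ranges "$1" || rc=1
    check_kerberos_method "$1" || rc=1
    check_nsswitch "$2" || rc=1
    check_sshd_gssapi "$3" || rc=1
    check_winbind_online || rc=1
    return $rc
}

run_all "$TMP/smb.conf" "$TMP/nsswitch.conf" "$TMP/sshd_config" && echo "all checks passed"
```

To run it against a real member server, call run_all with /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/ssh/sshd_config instead of the constructed files. The checks are deliberately read-only: the script changes nothing and only reports which of the thread's prerequisites a box is missing.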