Hai,

Sorry for the late(r) reply but we all need to sleep also sometimes. ;-)
Note, I saw it's fixed, but I'll comment a bit through your replies,
mainly because of this part:

(Sent: Monday 13 July 2020 18:51)
> net ads join -U administrator at SVITLA3.ROOM
> Enter administrator at SVITLA3.ROOM's password:
> Using short domain name -- SVITLA3
> Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
> No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER
> ## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box
> ## nslookup recognises the computer in forward and reverse lookups

This often points to an incorrect resolving setup.
I advise to look up and verify /etc/hosts and /etc/resolv.conf.
Make sure the first resolver in resolv.conf is pointing to the AD-DC.
The other checks you did look good, but do verify it.

Change /etc/nsswitch.conf to ( optional: switch the order of winbind and systemd ):

passwd: compat winbind systemd
group:  compat winbind systemd

Why I say you can switch the order here: it depends on how you use the server.
Just test this, time running processes and see what fits your needs the best.

(Sent: Tuesday 14 July 2020 1:16)
> but users from trusted domain were able to authenticate only after I changed it
> from the default value (IIRC 'secrets') to 'secrets and keytab'.

Yes, for the ssh login, how does SSHD know the UPN/SPN when it's in secrets.tdb?
I'm not a kerberos expert, I leave that to one of the samba devs, but as far as I know,
if you have any service that uses UPNs/SPNs we need /etc/krb5.keytab.

I hope that explains it a bit; if not, maybe Rowland knows more here, or we can
ask it @Alexander if you want.

Greetz,

Louis


From: Yakov Revyakin [mailto:yrevyakin at gmail.com]
Sent: Monday 13 July 2020 18:51
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Authentication with trusted credentials

Some more details.
Below is what I have during joining Linux (Ubuntu 20.04) to the SVITLA3 domain.
SVITLA3 (Samba) is trusting, APEX (AD) is trusted.
SVITLA3 has administrator and test01 users, APEX has administrator and jake users.

test01 - 20000:20000 (uidNumber:gidNumber)
jake - 10000:10000

You can see some delay in some places - I marked them bold. It looks like DNS timeouts.
The svitla3.room smb config includes DNS Forwarder pointing on apex.corp DNS.
apex.corp DNS has conditional forwarding to svitla3.room domain

d at uc-smlbox20:~$ host -t A apex.corp
apex.corp has address 10.0.1.2
d at uc-smlbox20:~$ host -t A svitla3.room
svitla3.room has address 10.0.0.6
d at uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
_ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
d at uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
_kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
d at uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
_ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
d at uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
_kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.

d at uc-smlbox20:~$ sudo net ads join -U administrator at SVITLA3.ROOM
Enter administrator at SVITLA3.ROOM's password:
Using short domain name -- SVITLA3
Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box
## nslookup recognises the computer in forward and reverse lookups

d at uc-smlbox20:~$ sudo net ads testjoin
Join is OK

d at uc-smlbox20:~$ wbinfo --online-status
BUILTIN : active connection
UC-SMLBOX20 : active connection
SVITLA3 : active connection
APEX : no active connection

d at uc-smlbox20:~$ sudo net rpc trustdom list -U administrator at SVITLA3.ROOM
-- For first time there is delay about 10s
Enter administrator at SVITLA3.ROOM's password:
Trusted domains list:
APEX                 S-1-5-21-4020559381-3467740180-2426716988
Trusting domains list:
none

d at uc-smlbox20:~$ kinit administrator at SVITLA3.ROOM
Password for administrator at SVITLA3.ROOM:
Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50 AM UTC
d at uc-smlbox20:~$ kinit test01 at SVITLA3.ROOM
Password for test01 at SVITLA3.ROOM:
d at uc-smlbox20:~$ kinit administrator at APEX.CORP
Password for administrator at APEX.CORP:
d at uc-smlbox20:~$ kinit jake at APEX.CORP
Password for jake at APEX.CORP:

d at uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
Enter SVITLA3\administrator's password:
plaintext password authentication succeeded
Enter SVITLA3\administrator's password:
challenge/response password authentication succeeded
d at uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
Enter SVITLA3\test01's password:
plaintext password authentication succeeded
Enter SVITLA3\test01's password:
challenge/response password authentication succeeded
d at uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
Enter APEX\administrator's password:
plaintext password authentication succeeded
Enter APEX\administrator's password:
challenge/response password authentication succeeded
d at uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
Enter APEX\jake's password:
plaintext password authentication succeeded
Enter APEX\jake's password:
challenge/response password authentication succeeded

d at uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
d at uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
d at uc-smlbox20:~$ wbinfo -n APEX\\administrator
S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
d at uc-smlbox20:~$ wbinfo -n APEX\\jake
S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)

d at uc-smlbox20:~$ getent passwd SVITLA3\\test01
test01:*:20000:20000:test01:/home/test01:/bin/bash
d at uc-smlbox20:~$ getent passwd APEX\\jake
-- DELAY about 10s, No result
d at uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
domain users:x:20000:
d at uc-smlbox20:~$ getent group "APEX\\Domain Users"
-- DELAY about 10s, No result

d at uc-smlbox20:~$ cat /etc/nsswitch.conf
# passwd:         files systemd
# group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

passwd: compat winbind
group:  compat winbind

#passwd: files winbind
#group:  files winbind

If I use default sshd_config

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

I have:

d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

d at uc-smlbox20:~$ ssh APEX\\jake at uc-smlbox20.svitla3.room
APEX\jake at uc-smlbox20.svitla3.room's password:
Permission denied, please try again.
If I modify sshd_config

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
AllowGroups "SVITLA3\\Domain Users"

I even can't login with trusting credentials:

d at uc-smlbox20:~$ ssh SVITLA3\\test01 at uc-smlbox20.svitla3.room
SVITLA3\test01 at uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

What you need is to add the windows group in ssh to allowedgroups
and give that windows group a GID.

You "cant" add a linux user into the windows group, but you can add a
windows user (if it has UID/GID) into the linux group.
I separated that, so there is always ssh access available.

I use the following :
AllowGroups lin-allow-ssh win-allow-ssh

Windows users in win-allow-ssh
Linux users in lin-allow-ssh ( in my case only Linux admins )

The windows group holds every windows user you want to give access to the server.

And did you enable kerberos auth in sshd?
# GSSAPI options
GSSAPIAuthentication yes
GSSAPIKeyExchange yes

Should be sufficient.
Now, if you followed Stephan's guide, and if I would make a guess:

Is nsswitch configured? /etc/nsswitch.conf ?

I'm also assuming you're using ubuntu or debian; if so,
running this gives us all we need.

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Anonymize where needed.
Don't send the attachments to the list, that will be stripped off.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Yakov Revyakin via samba
> Sent: Monday 13 July 2020 16:04
> To: samba at lists.samba.org
> Subject: [Samba] Authentication with trusted credentials
>
> Hi friends,
> I have a one way outgoing trust between SAMBA trusting domain and AD
> trusted domain.
> SSH Authentication of a user belonging to the SAMBA domain
> works properly
> on a Linux computer which is a member of SAMBA domain.
> I would like to authenticate a trusted user from the AD
> domain on the same
> Linux computer with SSH. Currently it doesn't work.
> I am able to authenticate trusted accounts with wbinfo and kinit. I
> followed guides:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
> What did I miss? What additional diagnostic can I make? How to
> make a step forward?
>
> Samba 4.11
>
> DC:
> d@us-smdc3:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         dns forwarder = 10.0.1.2 # trusted ad dc
>         netbios name = US-SMDC3
>         realm = SVITLA3.ROOM
>         server role = active directory domain controller
>         workgroup = SVITLA3
>         idmap_ldb:use rfc2307 = yes
>         log level = 1
>         ldap server require strong auth = no
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/svitla3.room/scripts
>         read only = No
>
> Member:
> d@uc-smlbox20:~$ cat /etc/samba/smb.conf
> [global]
>    workgroup = SVITLA3
>    security = ADS
>    realm = SVITLA3.ROOM
>
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    winbind use default domain = yes
>
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>    log file = /var/log/samba/%m.log
>    log level = 3
>
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>
>    idmap config SVITLA3:backend = ad
>    idmap config SVITLA3:schema_mode = rfc2307
>    idmap config SVITLA3:range = 20000-29999
>    idmap config SVITLA3:unix_nss_info = yes
>
>    idmap config APEX:backend = ad
>    idmap config APEX:schema_mode = rfc2307
>    idmap config APEX:range = 10000-19999
>    idmap config APEX:unix_nss_info = yes
>
>    vfs objects = acl_xattr
>    map acl inherit = yes
>
> Thanks,
> Jake R
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
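An added example, not code from the thread or from the Samba project: it parses the member's smb.conf quoted above, checks that the idmap ranges for *, SVITLA3 and APEX do not overlap, reports which domain a uid such as jake's 10000 or test01's 20000 maps to, and flags "winbind use default domain = yes" when a trusted domain is configured (Louis's setup script later in the thread advises against it with trusts). The sample configuration is reduced to the lines the checks need.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the member's [global] section as posted in the thread, reduced to the
# parameters this check looks at (SVITLA3 is the joined domain, APEX the trusted one).
MEMBER_SMB_CONF = """
[global]
   workgroup = SVITLA3
   realm = SVITLA3.ROOM
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SVITLA3:backend = ad
   idmap config SVITLA3:schema_mode = rfc2307
   idmap config SVITLA3:range = 20000-29999
   idmap config SVITLA3:unix_nss_info = yes
   idmap config APEX:backend = ad
   idmap config APEX:schema_mode = rfc2307
   idmap config APEX:range = 10000-19999
   idmap config APEX:unix_nss_info = yes
"""

# "idmap config DOMAIN : key = value"; smb.conf allows the colon with or without spaces
IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_global(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (plain [global] parameters, idmap parameters keyed by DOMAIN)."""
    params: Dict[str, str] = {}
    idmap: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[key] = val
        elif "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            params[" ".join(key.lower().split())] = val       # normalise inner spaces
    return params, idmap


def idmap_ranges(idmap: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """DOMAIN -> (low, high) for every idmap domain that declares a range."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in idmap.items():
        if "range" in cfg:
            lo, hi = (int(x) for x in cfg["range"].replace(" ", "").split("-"))
            ranges[dom] = (lo, hi)
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges intersect; smb.conf requires them to be disjoint."""
    doms = sorted(ranges)
    bad: List[Tuple[str, str]] = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                bad.append((a, b))
    return bad


def domain_for_id(ranges: Dict[str, Tuple[int, int]], unix_id: int) -> Optional[str]:
    """Which idmap domain owns a uid/gid, or None when no configured range covers it."""
    for dom, (lo, hi) in ranges.items():
        if lo <= unix_id <= hi:
            return dom
    return None


def lint(text: str) -> List[str]:
    """Findings for the trust-related pitfalls discussed in the thread."""
    params, idmap = parse_global(text)
    ranges = idmap_ranges(idmap)
    findings = [f"overlapping idmap ranges: {a} and {b}" for a, b in overlapping_ranges(ranges)]
    own = params.get("workgroup", "").upper()
    trusted = [d for d in idmap if d not in ("*", own)]
    if trusted and params.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        findings.append("winbind use default domain = yes with trusted domain(s) " + ", ".join(trusted)
                        + ": Louis's setup script advises against this when domain trusts are used")
    for dom, cfg in idmap.items():
        if cfg.get("backend", "").lower() == "ad" and "range" not in cfg:
            findings.append(f"idmap config {dom}: backend = ad but no range, its ids will not map")
    return findings
```

Run `lint(open("/etc/samba/smb.conf").read())` on a real member to get the same findings for a live configuration.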
In this configuration with a trusted domain I miss something important. Need your help to understand.

One more time:

- I have a validated trust. Trusted (AD "apex.corp") authentication works with a
  Windows PC joined to the trusting (Samba - svitla5.room) domain. So, I have
  trusted authentication enabled and working properly. For this I set the Samba
  DNS IP and joined that Windows PC to the Samba domain - nothing more. Also I
  added "APEX\\Domain Users" to the appropriate group to enable RDP for trusted
  credentials (using GP Management).
- I have a Linux PC (Samba, winbind) joined to the Samba trusting domain and ssh
  login works for trusting credentials.
- I have a Linux PC (sssd) joined to the Samba trusting domain and ssh login
  works for trusting credentials.
- For both Linux PCs authentication with trusted credentials doesn't work.
  Error messages are similar for both winbind and sssd:

d at uc-sssdlbox20:~$ sudo grep 'sshd' /var/log/auth.log
## trusting credentials work
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: Accepted password for SVITLA5.ROOM\\test01 from 10.0.0.1 port 62969 ssh2
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session opened for user SVITLA5.ROOM\test01 by (uid=0)
Jul 16 11:23:51 uc-sssdlbox20 sshd[2144]: Received disconnect from 10.0.0.1 port 62969:11: disconnected by user
Jul 16 11:23:51 uc-sssdlbox20 sshd[2144]: Disconnected from user SVITLA5.ROOM\\test01 10.0.0.1 port 62969
Jul 16 11:23:51 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session closed for user SVITLA5.ROOM\test01
## trusted credentials don't work
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1
Jul 16 11:24:06 uc-sssdlbox20 sshd[2157]: Failed password for invalid user APEX.CORP\\jake from 10.0.0.1 port 62970 ssh2
Jul 16 11:24:09 uc-sssdlbox20 sshd[2157]: Connection closed by invalid user APEX.CORP\\\\jake 10.0.0.1 port 62970 [preauth]

- kinit works for users from both realms from the Linux PCs' side.

What doesn't work after creating the trust as described in the guide is:

d at us-smdc5:~$ sudo /usr/local/samba/bin/net rpc trustdom list -U SVITLA5\\administrator
[sudo] password for d:
Enter SVITLA5\administrator's password:
Trusted domains list:
APEX                 S-1-5-21-4020559381-3467740180-2426716988
Trusting domains list:
Unable to find a suitable server for domain APEX
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
APEX                 couldn't get domain's sid

But as I said I can login to a Windows PC without any problems.

I didn't change resolv.conf and krb5.conf after making the trust on the Samba DC and clients sides. So the clients still know only about the trusting domain. I think they also know all they need about the trusted domain by indirect communication via the Samba DC and its DNS forwarder pointing to the trusted domain.

## /etc/resolv.conf
nameserver 10.0.0.10
search svitla5.room

## /etc/krb5.conf
[libdefaults]
        default_realm = SVITLA5.ROOM
        dns_lookup_realm = false
        dns_lookup_kdc = true

What can I diagnose to make the next step? Please, help!

On Tue, 14 Jul 2020 at 10:12, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
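The auth.log lines Yakov posted can be triaged mechanically. This is an added example, not code from the thread: it groups the sshd messages by process id and separates "the name service does not know this user" (Invalid user, pam_unix check pass; user unknown) from "known user, rejected credential", which is the distinction that points at NSS/winbind/sssd rather than at the password. The log is rebuilt from the quoted lines plus one constructed wrong-password attempt (pid 2300) for contrast; a dotted domain prefix in the user name is also noted.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the sshd lines quoted above (pids 2048 and 2157) plus one made-up
# attempt (pid 2300) where a known user presents a wrong password, for contrast.
AUTH_LOG = r"""Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: Accepted password for SVITLA5.ROOM\\test01 from 10.0.0.1 port 62969 ssh2
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session opened for user SVITLA5.ROOM\test01 by (uid=0)
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1
Jul 16 11:24:06 uc-sssdlbox20 sshd[2157]: Failed password for invalid user APEX.CORP\\jake from 10.0.0.1 port 62970 ssh2
Jul 16 11:30:02 uc-sssdlbox20 sshd[2300]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
Jul 16 11:30:04 uc-sssdlbox20 sshd[2300]: Failed password for SVITLA5.ROOM\\test01 from 10.0.0.1 port 62971 ssh2
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<rhost>\S+)")
FAILED_RE = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<rhost>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<rhost>\S+)")
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:auth\): (?P<event>authentication success|"
                    r"authentication failure|check pass; user unknown)")


def parse_sshd(log_text: str) -> Dict[str, List[str]]:
    """Group sshd messages by process id, preserving order."""
    by_pid: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[m.group("pid")].append(m.group("msg"))
    return by_pid


def split_user(name: str) -> Tuple[str, str]:
    """'DOM\\user' (one or two backslashes) -> ('DOM', 'user'); a plain name has no domain."""
    dom, sep, user = name.rpartition("\\")
    return (dom.rstrip("\\"), user) if sep else ("", name)


def triage(log_text: str) -> Dict[str, Dict[str, object]]:
    """Per sshd pid: who tried, from where, and whether a failure was NSS or credentials."""
    verdicts: Dict[str, Dict[str, object]] = {}
    for pid, msgs in parse_sshd(log_text).items():
        user = rhost = module = None
        unknown = accepted = failed = False
        for msg in msgs:
            m = INVALID_RE.search(msg)
            if m:
                unknown, user, rhost = True, m.group("user"), m.group("rhost")
                continue
            m = FAILED_RE.search(msg)
            if m:
                failed, user, rhost = True, m.group("user"), m.group("rhost")
                unknown = unknown or bool(m.group("invalid"))
                continue
            m = ACCEPTED_RE.search(msg)
            if m:
                accepted, user, rhost = True, m.group("user"), m.group("rhost")
                continue
            m = PAM_RE.match(msg)
            if m:
                module = module or m.group("module")       # first auth-phase module wins
                unknown = unknown or m.group("event") == "check pass; user unknown"
        if user is None:
            continue                                       # no login attempt in this pid
        if accepted:
            verdict = f"OK: {user} authenticated via {module or 'non-PAM method'}"
        elif unknown:
            # sshd asked NSS for the account before PAM ran; only pam_unix saw the request,
            # so the domain module never got a chance: fix name resolution, not the password.
            verdict = f"NSS: {user} is unknown to the name service (handled by {module})"
        elif failed:
            verdict = f"CRED: {user} resolved but {module} rejected the credential"
        else:
            verdict = f"INCOMPLETE: no outcome logged for {user}"
        dom, _ = split_user(user)
        notes = []
        if "." in dom:
            notes.append(f"domain prefix '{dom}' contains a dot: a realm, not a NetBIOS domain name")
        verdicts[pid] = {"user": user, "rhost": rhost, "verdict": verdict, "notes": notes}
    return verdicts
```

An "NSS:" verdict is the cue to run `getent passwd 'DOM\user'` on the member before touching sshd or PAM.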
Hai,

I don't use trusts myself, this is what I see. Let's take small steps here.

First of all, why does the DOMAIN contain/show a dot in it?
( I think it's a wrong setting in sssd, but I don't know sssd )
I know this is one of your REALMs and not the domain.

I refer to:
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
Go to: NetBIOS domain names, and I quote:

Names can contain a period, but names cannot start with a period. However, periods should not be used in Active Directory domains. If you are upgrading a domain whose NetBIOS name contains a period, change the name by migrating the domain to a new domain structure. Do not use periods in new NetBIOS domain names.

But again, I don't know sssd, that "might" be normal.

Per example, my kerberized output of auth.log:

Jul 16 15:57:24 member1 sshd[110373]: Authorized to username, krb5 principal username at MY.REALM.TLD (krb5_kuserok)
Jul 16 15:57:24 member1 sshd[110373]: Accepted gssapi-with-mic for username from 192.168.0.1 port 53254 ssh2: username at MY.REALM.TLD
Jul 16 15:57:24 member1 sshd[110373]: pam_unix(sshd:session): session opened for user username by (uid=0)
Jul 16 15:57:24 member1 systemd-logind[726]: New session 3450 of user username.

And I'm in my automounted homedir over NFSv4, kerberized.
What's used here: samba winbind libnss-pam libpam-winbind krb5-user (for the packages), that's all you need.

Now your lines:

Works Yes:
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01

Works Not:
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970

And I noticed this:
OK:    sshd[2048]: pam_sss(sshd:auth)
Wrong: sshd[2157]: pam_unix(sshd:auth)

I would gamble on these..
/etc sssd ? Somewhere, I really don't know, never used it.
/etc/nsswitch.conf
/etc/idmapd.conf (if exists)
Also /etc/krb5.conf
I "think" you need to add the trusted domains here also and point to the DC's (enough examples in that file how).
Might help, but "should" in my opinion not be needed.

But this is good: kinit works for users from both realms from Linux PCs sides.
Is this that you cross checked that both users authenticate with kinit on the server on both sides?

If yes, so my advice: drop sssd, or ask the sssd mailing list.
Install/setup winbind and set it up as it should be.
The key here is, don't touch anything in pam.
Use: pam-auth-update
Test again.

So, what did you change in /etc/pam.d/, any files?

That's the best I can come up with for now.

This is what I use to setup a Domain Member: ( it's a part of the new setup I'm writing )
! And beware if you copy paste, I sent it with outlook, that might have changed a letter into CAPS in the front of a line.

apt-get install -y samba winbind krb5-user libnss-winbind libpam-winbind ldb-tools bind9utils acl attr

# disable NMBD, i dont like netbios browsing and i use in smb.conf proxy dns = yes
# now you can use \\servername or \\servername.fqdn without seeing the computers.
systemctl stop nmbd
systemctl mask nmbd
systemctl disable nmbd
systemctl stop smbd winbind

# the base folder i use for my new samba data.
SAMBA_BASE_PATH=/srv/samba

VAR_HOSTNAME_DEFAULT="$(hostname -s)"
VAR_HOSTNAME_LOWCASE="${VAR_HOSTNAME_DEFAULT,,}"
VAR_HOSTNAME_UPCASE="${VAR_HOSTNAME_DEFAULT^^}"
VAR_DOMAINNAME_DEFAULT="$(hostname -d)"
VAR_DOMAINNAME_LOWCASE="${VAR_DOMAINNAME_DEFAULT,,}"
VAR_DOMAINNAME_UPCASE="${VAR_DOMAINNAME_DEFAULT^^}"
VAR_REALM_DEFAULT="$(grep default_realm /etc/krb5.conf | awk '{ print $NF }')"
VAR_REALM_LOWCASE="${VAR_REALM_DEFAULT,,}"
VAR_REALM_UPCASE="${VAR_REALM_DEFAULT^^}"
# VAR_IP and VAR_IP_MULTIPLE are used below but were not defined in the posted snippet;
# derived here from "hostname -I" (first address, and all addresses).
VAR_IP="$(hostname -I | awk '{ print $1 }')"
VAR_IP_MULTIPLE="$(hostname -I)"

if [ "${VAR_REALM_DEFAULT}" != "${VAR_REALM_UPCASE}" ]
then
    sed -i "s/$VAR_REALM_DEFAULT/$VAR_REALM_UPCASE/g" /etc/krb5.conf
    echo "Adjusted /etc/krb5.conf its default REALM to UPPERCASE"
else
    echo "Detected UPPERCASE REALM, how we like and want it."
fi

# compare the uppercased values (the posted snippet compared two unset variables here)
if [ "${VAR_REALM_UPCASE}" != "${VAR_DOMAINNAME_UPCASE}" ]
then
    echo "Warning, realm and primary search domain are not the same"
    echo "This can work but this setup does not cover that part."
    echo
else
    echo "Detected same REALM and DNS Domain, this is great"
    echo
fi

# Here we assume the domainname is same as the FIRST part of primary search domain.
# per example. office.domain.tld OFFICE will be the WORKGROUP name in smb.conf
# Change this when your WORKGROUP name is different or you want to use different.
# then use values as set in AD-DC servers.
VAR_SMB_WORKGROUP="$(echo "${VAR_DOMAINNAME_UPCASE}" | cut -d. -f1)"
VAR_SMB_NETBIOSNAME="${VAR_HOSTNAME_UPCASE}"
VAR_SMB_REALM="${VAR_REALM_UPCASE}"

echo "Samba Workgroupname = $VAR_SMB_WORKGROUP"
echo "Samba Netbiosname = $VAR_SMB_NETBIOSNAME"
echo "Samba defined REALM = $VAR_SMB_REALM"
echo "Samba ip = $VAR_IP"
echo "Detected IP's = $VAR_IP_MULTIPLE"
echo
echo "Writing new smb.conf, please verify it."
echo "The ranges set in this AD-BACKEND mode, need to be adjusted to your ranges."

# unquoted heredoc: ${VAR_...} expands, a single backslash is kept as-is, \$ becomes $
# (the posted snippet used one big echo "..."; the unescaped backticks in it would have run getent)
cat > /etc/samba/smb.conf.new << EOF
[global]
    log level = 0 auth_audit:1
    workgroup = ${VAR_SMB_WORKGROUP}
    security = ADS
    realm = ${VAR_SMB_REALM}
    netbios name = ${VAR_SMB_NETBIOSNAME}
    preferred master = no
    domain master = no
    host msdfs = no
    #interfaces = 127.0.0.1 ${VAR_IP}
    #bind interfaces only = yes

    # Add and Update TLS Key
    tls enabled = yes

    ## Map id's outside to domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 2000-7999

    ## Mapped ids from the domain SAMDOM and (*) the range may not overlap !
    idmap config ${VAR_SMB_WORKGROUP} : backend = ad
    idmap config ${VAR_SMB_WORKGROUP} : schema_mode = rfc2307
    idmap config ${VAR_SMB_WORKGROUP} : range = 10000-3999999
    # Only samba 4.6+ ( get primary group from AD )
    idmap config ${VAR_SMB_WORKGROUP} : unix_nss_info = yes
    # Only samba 4.6+ ( get primary group from unix primary group )
    idmap config ${VAR_SMB_WORKGROUP} : unix_primary_group = yes

    # How you can use kerberos (man smb.conf search : kerberos method )
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # Renew the kerberos ticket or your member its "computer password" will expire.
    winbind refresh tickets = yes

    # We strip the domain NTDOM\username to username
    # ! Normaly not adviced, but i like it.
    # winbind use default domain = yes
    # Dont enable this if you use domain trusts
    winbind use default domain = no

    # Use: getent passwd username   to check if users/groups resolve (wbinfo -u -g)
    # But enabled (yes) slows down your samba!
    winbind enum users = no
    winbind enum groups = no

    # Enable offline logins
    winbind offline logon = yes

    # Check the depth of nested groups, too much slows down your samba
    #winbind expand groups = 3

    # User Administrator workaround, without it you are unable to set privileges/rights
    # A must for samba Domain members
    # Format in the file : !root = ${VAR_SMB_WORKGROUP}\Administrator ${VAR_SMB_WORKGROUP}\administrator
    username map = /etc/samba/samba_usermapping

    # disable the ability of users to create shares and save yourself from errors in your logs.
    usershare path =

    # Disable printing completely, and save errors in your logs.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # For ACL support on member servers with shares these are obligated. ( these are the defaults )
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally, i hide the following for windows users
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/lost+found/
    hide unreadable = yes

######## SHARE DEFINITIONS ################
[samba\$]
    path = ${SAMBA_BASE_PATH}
    browseable = yes
    read only = no
EOF

echo "NOTE !!! The ranges set in this AD-BACKEND mode, need to be adjusted to your ranges.!! "

mkdir -p "$SAMBA_BASE_PATH"
chmod 4775 "$SAMBA_BASE_PATH"
echo "!root = ${VAR_SMB_WORKGROUP}\Administrator ${VAR_SMB_WORKGROUP}\administrator" > /etc/samba/samba_usermapping

# Cleanup before we start samba with the new smb.conf
rm /var/lib/samba/*.tdb
rm /var/lib/samba/private/*

# Fix : fix-double-color-in-spool
# see commit a17cb9ee09419f3ae8e0541aee83df55c4777bd0
if [ -d /var/lib/samba/printers/COLOR ]
then
    if [ ! -d /var/lib/samba/printers/color ]
    then
        mv /var/lib/samba/printers/COLOR /var/lib/samba/printers/color
    else
        cp -r /var/lib/samba/printers/COLOR/* /var/lib/samba/printers/color/
        rm -rf /var/lib/samba/printers/COLOR
    fi
fi

# backup old config.
mv /etc/samba/smb.conf{,.original} mv /etc/samba/smb.conf.new /etc/samba/smb.conf # just an empty file since i dont like unneeded messages in the logs. touch /etc/samba/lmhosts # Time to join.. kinit Administrator net ads join -k # (tip: example adding nfs to keytab: net ads keytab add_update_ads nfs/$(hostname -f)) # Adjusting nsswitch. sed -i 's/passwd: files systemd/passwd: files systemd winbind/g' /etc/nsswitch.conf sed -i 's/group: files systemd/group: files systemd winbind/g' /etc/nsswitch.conf pam-auth-update ### And i enabled this part in sshd, not automated yet, do this manualy. # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes GSSAPIKeyExchange yes # If your version supports this/ GSSAPIStoreCredentialsOnRekey yes # If your version supports this/ # Remember with UseDNS no, you cant use kerberos auth UseDNS yes reboot And done, i can login with putty, with kerberos SSO from a windows pc. (after setting putty correctly offcourse). See if above helps you, at least i think it will and i hope so. So far, Greetz, Louis ________________________________ Van: Yakov Revyakin [mailto:yrevyakin at gmail.com] Verzonden: donderdag 16 juli 2020 15:51 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] Authentication with trusted credentials In this configuration with a trusted domain I miss something important. Need your help to understand. One more time: - I have a validated trust. Trusted (AD "apex.corp") authentication works with Windows PC joined to the trusting (Samba - svitla5.room) domain. So, I have trusted authentication enabled and working properly. For this I set Samba DNS IP and joined that Windows PC to the Samba domain - nothing more. Also I added "APEX\\Domain Users" to the appropriate group to enable RDP for trusted credentials (using GP Management). - I have a Linux PC (Samba, winbind) joined to the Samba trusting domain and ssh login works for trusting credentials. 
- I have a Linux PC (sssd) joined to the Samba trusting domain and ssh login works for trusting credentials.
- For both Linux PCs authentication with trusted credentials doesn't work. Error messages are similar for both winbind and sssd:

d@uc-sssdlbox20:~$ sudo grep 'sshd' /var/log/auth.log
## trusting credentials work
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: Accepted password for SVITLA5.ROOM\\test01 from 10.0.0.1 port 62969 ssh2
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session opened for user SVITLA5.ROOM\test01 by (uid=0)
Jul 16 11:23:51 uc-sssdlbox20 sshd[2144]: Received disconnect from 10.0.0.1 port 62969:11: disconnected by user
Jul 16 11:23:51 uc-sssdlbox20 sshd[2144]: Disconnected from user SVITLA5.ROOM\\test01 10.0.0.1 port 62969
Jul 16 11:23:51 uc-sssdlbox20 sshd[2048]: pam_unix(sshd:session): session closed for user SVITLA5.ROOM\test01
## trusted credentials don't work
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
Jul 16 11:24:04 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1
Jul 16 11:24:06 uc-sssdlbox20 sshd[2157]: Failed password for invalid user APEX.CORP\\jake from 10.0.0.1 port 62970 ssh2
Jul 16 11:24:09 uc-sssdlbox20 sshd[2157]: Connection closed by invalid user APEX.CORP\\\\jake 10.0.0.1 port 62970 [preauth]

- kinit works for users from both realms from Linux PCs sides.

What doesn't work after creating trust as described in the guide is:

d@us-smdc5:~$ sudo /usr/local/samba/bin/net rpc trustdom list -U SVITLA5\\administrator
[sudo] password for d:
Enter SVITLA5\administrator's password:
Trusted domains list:
APEX  S-1-5-21-4020559381-3467740180-2426716988
Trusting domains list:
Unable to find a suitable server for domain APEX
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
APEX  couldn't get domain's sid

But as I said I can login to Windows PC without any problems.
I didn't change resolv.conf and krb5.conf after making trust on Samba DC and clients sides. So that clients still know only about the trusting domain. I think they also know about the trusted domain all what they need by indirect communication via Samba DC and its DNS forwarder pointing to the trusted domain.

## /etc/resolv.conf
nameserver 10.0.0.10
search svitla5.room

## /etc/krb5.conf
[libdefaults]
default_realm = SVITLA5.ROOM
dns_lookup_realm = false
dns_lookup_kdc = true

What can I diagnose to make the next step? Please, help!

On Tue, 14 Jul 2020 at 10:12, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hai,

Sorry for the late(r) reply but we all need to sleep also sometimes. ;-)
note, i saw its fixed, but i'll do comment a bit through your replies.

mainly because of this part.
(Sent: Monday 13 July 2020 18:51)
> net ads join -U administrator@SVITLA3.ROOM
> Enter administrator@SVITLA3.ROOM's password:
> Using short domain name -- SVITLA3
> Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
> No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER
## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box
## nslookup recognises the computer in forward and reverse lookups

this often points to an incorrect resolving setup.
i advise to lookup and verify /etc/hosts and /etc/resolv.conf.
Make sure the first resolver in resolv.conf is pointing to the AD-DC.
The other checks you did look good, but do verify it.

change /etc/nsswitch.conf to (optional: switch order winbind systemd)
passwd: compat winbind systemd
group:  compat winbind systemd

why i say you can switch the order here, it depends on how you use the server, just test this, time running processes and see what fits your needs the best.

Sent: Tuesday 14 July 2020 1:16
> but users from trusted domain were able to authenticate only after I changed it from the default value (IIRC 'secrets') to 'secrets and keytab'.
Yes, for the ssh login, how does SSHD know the UPN/SPN when its in secrets.tdb
im not a kerberos expert, i leave that to one of the samba devs, but as far i know, if you have any service that uses upn/spns we need /etc/krb5.keytab

I hope this explains it a bit, if not, maybe Rowland knows more here, or we can ask it @Alexander if you want.

Greetz,

Louis

From: Yakov Revyakin [mailto:yrevyakin at gmail.com]
Sent: Monday 13 July 2020 18:51
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Authentication with trusted credentials

Some more details.
Below is what I have during joining Linux (Ubuntu 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is trusted.
SVITLA3 has administrator and test01 users, APEX has administrator and jake users.
test01 - 20000:20000 (uidNumber:gidNumber)
jake - 10000:10000
You can see some delay in some places - I marked them bold. It looks like DNS timeouts.
The svitla3.room smb config includes DNS Forwarder pointing on apex.corp DNS.
apex.corp DNS has conditional forwarding to svitla3.room domain

d@uc-smlbox20:~$ host -t A apex.corp
apex.corp has address 10.0.1.2
d@uc-smlbox20:~$ host -t A svitla3.room
svitla3.room has address 10.0.0.6
d@uc-smlbox20:~$ host -t SRV _ldap._tcp.svitla3.room.
_ldap._tcp.svitla3.room has SRV record 0 100 389 us-smdc3.svitla3.room.
d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.svitla3.room.
_kerberos._tcp.svitla3.room has SRV record 0 100 88 us-smdc3.svitla3.room.
d@uc-smlbox20:~$ host -t SRV _ldap._tcp.apex.corp.
_ldap._tcp.apex.corp has SRV record 0 100 389 ws-addc.apex.corp.
d@uc-smlbox20:~$ host -t SRV _kerberos._tcp.apex.corp.
_kerberos._tcp.apex.corp has SRV record 0 100 88 ws-addc.apex.corp.

d@uc-smlbox20:~$ sudo net ads join -U administrator@SVITLA3.ROOM
Enter administrator@SVITLA3.ROOM's password:
Using short domain name -- SVITLA3
Joined 'UC-SMLBOX20' to dns domain 'svitla3.room'
No DNS domain configured for uc-smlbox20. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
## After that I added A and PTR records manually for uc-smlbox20.svitla3.room Linux box
## nslookup recognises the computer in forward and reverse lookups

d@uc-smlbox20:~$ sudo net ads testjoin
Join is OK

d@uc-smlbox20:~$ wbinfo --online-status
BUILTIN : active connection
UC-SMLBOX20 : active connection
SVITLA3 : active connection
APEX : no active connection

d@uc-smlbox20:~$ sudo net rpc trustdom list -U administrator@SVITLA3.ROOM   -- For first time there is delay about 10s
Enter administrator@SVITLA3.ROOM's password:
Trusted domains list:
APEX  S-1-5-21-4020559381-3467740180-2426716988
Trusting domains list:
none

d@uc-smlbox20:~$ kinit administrator@SVITLA3.ROOM
Password for administrator@SVITLA3.ROOM:
Warning: Your password will expire in 37 days on Thu 20 Aug 2020 04:15:50 AM UTC
d@uc-smlbox20:~$ kinit test01@SVITLA3.ROOM
Password for test01@SVITLA3.ROOM:
d@uc-smlbox20:~$ kinit administrator@APEX.CORP
Password for administrator@APEX.CORP:
d@uc-smlbox20:~$ kinit jake@APEX.CORP
Password for jake@APEX.CORP:

d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\administrator
Enter SVITLA3\administrator's password:
plaintext password authentication succeeded
Enter SVITLA3\administrator's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a SVITLA3\\test01
Enter SVITLA3\test01's password:
plaintext password authentication succeeded
Enter SVITLA3\test01's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a APEX\\administrator
Enter APEX\administrator's password:
plaintext password authentication succeeded
Enter APEX\administrator's password:
challenge/response password authentication succeeded
d@uc-smlbox20:~$ sudo wbinfo -a APEX\\jake
Enter APEX\jake's password:
plaintext password authentication succeeded
Enter APEX\jake's password:
challenge/response password authentication succeeded

d@uc-smlbox20:~$ wbinfo -n SVITLA3\\administrator
S-1-5-21-2561554547-3530363871-899030780-500 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n SVITLA3\\test01
S-1-5-21-2561554547-3530363871-899030780-1104 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n APEX\\administrator
S-1-5-21-4020559381-3467740180-2426716988-500 SID_USER (1)
d@uc-smlbox20:~$ wbinfo -n APEX\\jake
S-1-5-21-4020559381-3467740180-2426716988-1103 SID_USER (1)

d@uc-smlbox20:~$ getent passwd SVITLA3\\test01
test01:*:20000:20000:test01:/home/test01:/bin/bash
d@uc-smlbox20:~$ getent passwd APEX\\jake   -- DELAY about 10s, No result
d@uc-smlbox20:~$ getent group "SVITLA3\\Domain Users"
domain users:x:20000:
d@uc-smlbox20:~$ getent group "APEX\\Domain Users"   -- DELAY about 10s, No result

d@uc-smlbox20:~$ cat /etc/nsswitch.conf
# passwd: files systemd
# group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
passwd: compat winbind
group: compat winbind
#passwd: files winbind
#group: files winbind

If I use default sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
I have:
d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
SVITLA3\test01@uc-smlbox20.svitla3.room's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
d@uc-smlbox20:~$ ssh APEX\\jake@uc-smlbox20.svitla3.room
APEX\jake@uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

If I modify sshd_config
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
AllowGroups "SVITLA3\\Domain Users"
I even can't login with trusting credentials:
d@uc-smlbox20:~$ ssh SVITLA3\\test01@uc-smlbox20.svitla3.room
SVITLA3\test01@uc-smlbox20.svitla3.room's password:
Permission denied, please try again.

On Mon, 13 Jul 2020 at 17:24, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

What you need is to add the windows group in ssh to allowedgroups
And give that windows group a GID.
You "cant" add a linux user into the windows group, but you can add a windows user (if it has UID/GID) into the linux group.
I separated that, so there is always ssh access available.

I use the following:
AllowGroups lin-allow-ssh win-allow-ssh
Windows users in win-allow-ssh
Linux users in lin-allow-ssh (in my case only Linux admins)
The windows group: every windows user you want to give access to the server.

And did you enable kerberos auth in sshd.
# GSSAPI options
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
Should be sufficient.

Now, if you followed Stephans guide, and if i would make a guess.
Is nsswitch configured? /etc/nsswitch.conf ?

Im also assuming your using ubuntu or debian, if so, running this gives us all we need.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Anonymize where needed.
Dont send the attachments to the list, that will be stripped off.
Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Yakov Revyakin via samba
> Sent: Monday 13 July 2020 16:04
> To: samba at lists.samba.org
> Subject: [Samba] Authentication with trusted credentials
>
> Hi friends,
> I have a one way outgoing trust between SAMBA trusting domain and AD
> trusted domain.
> SSH Authentication of a user belonging to the SAMBA domain
> works properly
> on a Linux computer which is a member of SAMBA domain.
> I would like to authenticate a trusted user from the AD
> domain on the same
> Linux computer with SSH. Currently it doesn't work.
> I am able to authenticate trusted accounts with wbinfo and kinit. I
> followed guides:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
> What did I miss? What additional diagnostic can I make? How to
> make a step
> forward?
>
> Samba 4.11
>
> DC:
> d@us-smdc3:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         dns forwarder = 10.0.1.2 # trusted ad dc
>         netbios name = US-SMDC3
>         realm = SVITLA3.ROOM
>         server role = active directory domain controller
>         workgroup = SVITLA3
>         idmap_ldb:use rfc2307 = yes
>         log level = 1
>         ldap server require strong auth = no
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/svitla3.room/scripts
>         read only = No
>
> Member:
> d@uc-smlbox20:~$ cat /etc/samba/smb.conf
> [global]
>         workgroup = SVITLA3
>         security = ADS
>         realm = SVITLA3.ROOM
>
>         winbind refresh tickets = Yes
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         store dos attributes = Yes
>
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>
>         winbind use default domain = yes
>
>         winbind enum users = yes
>         winbind enum groups = yes
>
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
>         log file = /var/log/samba/%m.log
>         log level = 3
>
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>
>         idmap config SVITLA3:backend = ad
>         idmap config SVITLA3:schema_mode = rfc2307
>         idmap config SVITLA3:range = 20000-29999
>         idmap config SVITLA3:unix_nss_info = yes
>
>         idmap config APEX:backend = ad
>         idmap config APEX:schema_mode = rfc2307
>         idmap config APEX:range = 10000-19999
>         idmap config APEX:unix_nss_info = yes
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>
> Thanks,
> Jake R
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
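The idmap remarks in this thread (the '*' and per-domain ranges may not overlap, a trusted domain such as APEX needs its own idmap block, and 'winbind use default domain = yes' is not advised with trusts) can be checked mechanically. The Python below is an added example, not one of Louis's or the Samba project's scripts; it parses the [global] section of a member smb.conf and lists the problems, using the member config posted above, cut down to its idmap lines, as constructed sample input.

```python
"""Lint the idmap settings of a Samba domain member's smb.conf (added
example, not one of the thread's own scripts): ranges must be disjoint,
a '*' default block must exist, each trusted domain needs its own idmap
block, and 'winbind use default domain = yes' is discouraged with trusts."""
import re
from typing import Dict, List, Sequence, Tuple

IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_global(text: str) -> Tuple[Dict[str, Dict[str, str]], Dict[str, str]]:
    """Return ({DOMAIN: {idmap option: value}}, {other [global] option: value})."""
    idmap: Dict[str, Dict[str, str]] = {}
    other: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue  # share sections carry no idmap settings
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[opt] = val.strip()
        elif "=" in line:
            key, val = line.split("=", 1)
            other[" ".join(key.lower().split())] = val.strip()
    return idmap, other

def parse_range(val: str) -> Tuple[int, int]:
    """'20000-29999' -> (20000, 29999); a reversed range is an error."""
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", val.strip()))
    if lo > hi:
        raise ValueError(f"reversed idmap range {val!r}")
    return lo, hi

def lint_idmap(text: str, trusted_domains: Sequence[str] = ()) -> List[str]:
    """Return the problems found; an empty list means the config passes."""
    idmap, other = parse_global(text)
    problems: List[str] = []
    if "range" not in idmap.get("*", {}):
        problems.append("missing 'idmap config * : range' (default backend)")
    ranges = [(d, *parse_range(o["range"])) for d, o in idmap.items() if "range" in o]
    for d in idmap:
        if "range" not in idmap[d]:
            problems.append(f"{d}: idmap block has no range")
    # compare every pair, not only neighbours in sorted order
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"idmap ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    for dom in trusted_domains:
        if dom.upper() not in idmap:
            problems.append(f"trusted domain {dom}: no idmap block, ids fall into the '*' range")
    if trusted_domains and other.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        problems.append("'winbind use default domain = yes' with trusts: DOM\\user names get ambiguous")
    return problems

# Constructed sample: the member smb.conf posted in the thread, cut down to the idmap lines.
MEMBER_SMB_CONF = """
[global]
    workgroup = SVITLA3
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SVITLA3:backend = ad
    idmap config SVITLA3:range = 20000-29999
    idmap config APEX:backend = ad
    idmap config APEX:range = 10000-19999
"""
```

Running `lint_idmap(MEMBER_SMB_CONF, ["APEX"])` on the posted config reports only the 'winbind use default domain = yes' setting; the ranges themselves are disjoint and APEX has its own block.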
On 16/07/2020 16:11, L.P.H. van Belle via samba wrote:
> First of all, why does the DOMAIN contain/show a dot in it.
> ( i think its a wrong setting in sssd, but i dont know sssd )
> I know this is one of your REALMs and not the domain.
>
>
> Now your lines :
> Works Yes: Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
> Works Not: Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
> And i noticed this :
> OK: sshd[2048]: pam_sss(sshd:auth)
> Wrong: sshd[2157]: pam_unix(sshd:auth)
>
>
> ## Mapped ids from the domain SAMDOM and (*) the range may not overlap !
> idmap config ${VAR_SMB_WORKGROUP} : backend = ad
> idmap config ${VAR_SMB_WORKGROUP} : schema_mode = rfc2307
> idmap config ${VAR_SMB_WORKGROUP} : range = 10000-3999999

There is a big problem with all that, the only way to use sssd with Samba >= 4.8.0 is to use:

    idmap config ${VAR_SMB_WORKGROUP} : backend = sss

and not run winbind, you also do not get to use shares, it is authentication only. It also will not work correctly on a Samba AD DC, because you cannot change the backend and you cannot stop winbind from running.

I would advise dumping sssd if the OP is using it.

Rowland