Point #1: is not correct.

Why is Jake getting an ID from the * range and not the APEX range? That needs to be found first.

Run:

net cache flush

Restart samba: systemctl restart smbd winbind nmbd (and/or sssd if you use that)

wbinfo --all-domains -ug
id jake
getent passwd jake

Any improvement?

> if you have set: APEX:backend = ad

Yes, and did you assign a UID/GID after you changed RID to AD backend?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yakov Revyakin via samba
> Sent: Friday 17 July 2020 20:38
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] Authentication with trusted credentials
>
> So,
> Point #1:
> Samba DC before trust. Linux member joined domain. SSH authentication works for a domain user. Checked with ad and rid backends. getent / id returns correct UID:GID.
>
> Point #2:
> Samba DC after making trust with external AD. With the same Linux PC SSH authentication and session still works with the trusting domain user in the same right manner.
> Trusted authentication works but it is routed according to the default backend. SSH session is created.
>
> # trusting user - authentication successful
>
> Kerberos: TGS-REQ test01 at SVITLA3.ROOM from ipv4:10.0.0.12:50510 for UC-SM18$@SVITLA3.ROOM
> Kerberos: TGS-REQ authtime: 2020-07-17T16:47:35 starttime: 2020-07-17T16:47:35 endtime: 2020-07-18T02:47:35 renew till: unset
>
> # trusted user - cross-realm authentication successful
>
> Kerberos: TGS-REQ jake at APEX.CORP from ipv4:10.0.0.12:52437 for UC-SM18$@SVITLA3.ROOM
> Kerberos: Client not found in database: no such entry found in hdb
> Kerberos: cross-realm APEX.CORP -> SVITLA3.ROOM
> Kerberos: TGS-REQ authtime: 2020-07-17T18:07:28 starttime: 2020-07-17T18:07:28 endtime: 2020-07-18T04:07:28 renew till: unset
>
> # uid|gid according with backend range
> d at uc-sm18:~$ id test01 at SVITLA3
> uid=20000(SVITLA3\test01) gid=20000(SVITLA3\domain users) groups=20000(SVITLA3\domain users),3001(BUILTIN\users)
> d at uc-sm18:~$ getent passwd test01 at SVITLA3.ROOM
> SVITLA3\test01:*:20000:20000:test01:/home/SVITLA3/test01:/bin/bash
>
> # uid|gid according to the default backend!!!
> d at uc-sm18:~$ id APEX\\jake
> uid=3000(APEX\jake) gid=3004(APEX\domain users) groups=3004(APEX\domain users)
> d at uc-sm18:~$ getent passwd APEX\\jake
> APEX\jake:*:3000:3004:jake:/home/APEX/jake:/bin/bash
>
> # Linux client - smb.conf extraction
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config SVITLA3:backend = rid
> idmap config SVITLA3:range = 20000-29999
>
> idmap config APEX:backend = rid
> idmap config APEX:range = 10000-19999
>
> template shell = /bin/bash
>
> If I set APEX:backend = ad I get ssh authentication failed with a Permission Denied error. Probably the authentication process can't extract uid|gid and failed. In case of rid there are no such strong restrictions, I think.
>
> By the way, enabling/disabling of the GSSAPI and UseDNS properties in sshd_config doesn't influence the behaviour.
>
> What do you think about the correctness of the trusted authentication setup? It would be nice if there is a way to control uid|gid for trusted accounts. We can see that we can exclude the backend definition for trusted accounts and it will still work. It looks like what I am looking for, but what about incorrect uid|gid?
>
> Could you advise me what is the simplest way to check access to a file share under trusted domain control with this Linux and trusted credentials?
>
>
> On Fri, 17 Jul 2020 at 07:56, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
> > Rowland,
> > I only tried sssd looking for the cause of the problem.
> > I use samba, winbind.
> >
> > On Fri, 17 Jul 2020 at 00:19, Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> >> On 16/07/2020 22:13, Yakov Revyakin wrote:
> >> > Thank you! I have food for tomorrow. Now I only want to voice some of my considerations.
> >> >
> >> > Imagine that a domain had no trusts. At this time a PC became a member of this domain.
> >> > After some time the DC made a trust with another domain. In this case existing members don't consider any extra configuration like adding knowledge about the new realm, DNS, etc. The existing configuration already provides means of login and session for a user of a trusted domain.
> >> >
> >> > In my case the Linux PC was informed about the trusting DNS before joining the domain. After setting DNS but before joining the domain I could authenticate users from both trusting and trusted domains with kinit without any modifications in krb5.conf. And it is what I was waiting for.
> >> >
> >> > So, the PC already has a means to authenticate users from both domains. How to enable that means?
> >> >
> >> Are you using sssd ?
> >>
> >> If you are, then ask on the sssd-users mailing list, because it is sssd that will be doing the authentication, not Samba. We do not produce sssd, so know little about it.
> >>
> >> If you are not using sssd, then we can look into your problem.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
On 20/07/2020 08:35, L.P.H. van Belle via samba wrote:
> Point #1: is not correct.
>
> Why is Jake getting an ID from * Range and not APEX range. ?
> That need to be found first

Good point

>> if you have set: APEX:backend = ad
> Yes, and did you assign an UID/GID after you changed RID to AD backend?

Another good question.

The OP posted this:

Kerberos: Client not found in database: no such entry found in hdb

Now this could just be a bad debug message, but if it isn't, where is the 'hdb' coming from, it is an openldap database.

One thing we haven't heard about, what is 'APEX' ? Is it a Windows domain or something else ? If it is a Samba domain, can we see the smb.conf from it ?

Rowland
On 20/07/2020 12:09, Yakov Revyakin wrote:
> OK, trying to define the environment more clearly.
>

OK, I 'think' I know what is going on here, haven't got a fix though :-(

Can you run this command on the Linux DC's and a Linux client:

wbinfo --online-status

On DC's, I get this:

BUILTIN : active connection
EXAMPLE : active connection
SAMDOM : active connection

But on Linux domain members, I get this:

BUILTIN : active connection
DEVSTATION : active connection
SAMDOM : active connection
EXAMPLE : no active connection

This is in the 'SAMDOM' domain on the computer called devstation, if I run it on a client in the 'EXAMPLE' domain, the AD domains are switched, 'EXAMPLE' is active and 'SAMDOM' isn't.

If I try to ssh into the 'EXAMPLE' client from a 'SAMDOM' client using a 'SAMDOM' user, I get:

Jul 21 11:13:08 linux-client sshd[5506]: pam_krb5(sshd:auth): authentication failure; logname=SAMDOM\rowland uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.49
Jul 21 11:13:08 linux-client sshd[5506]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.49 user=SAMDOM\rowland
Jul 21 11:13:08 linux-client sshd[5506]: pam_winbind(sshd:auth): getting password (0x00000388)
Jul 21 11:13:08 linux-client sshd[5506]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers are currently available to service the logon request.
Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'SAMDOM\rowland')
Jul 21 11:13:12 linux-client sshd[5506]: Failed password for SAMDOM\\rowland from 192.168.0.49 port 51962 ssh2

I can create directories on a client in the 'EXAMPLE' domain and chown to user:group from the 'SAMDOM' domain.

I 'think' that the domain that is offline on clients needs to be brought online, but I do not know how to do this :-(

I based my testing around a pdf created by Stefan Kania, available here:

www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf

Rowland
Hi Rowland,

Thank you for the effort.

My output as you requested:

## Samba DC
d at us-smdc3:~$ wbinfo --online-status
BUILTIN : active connection
SVITLA3 : active connection
APEX : active connection

## Linux Client
d at uc-sm18:~$ wbinfo --online-status
BUILTIN : online
UC-SM18 : online
SVITLA3 : online
APEX : online
# UC-SM18 is a Linux member of SVITLA3.

You decided to demonstrate too difficult a case. I only want to prove that I can ssh to UC-SM18 at SVITLA3.ROOM with a trusted account from the trusted APEX.CORP domain using the trust capabilities of the Samba DC. It is very often the case that someone with an account in the main organization wants to log in on the premises of another one which is in a trusting relationship with the main one.

One more time: I interpret that authentication of the APEX user to UC-SM18 works:

# samba log - trusted user
Kerberos: TGS-REQ jake at APEX.CORP from ipv4:10.0.0.12:52437 for UC-SM18$@SVITLA3.ROOM
Kerberos: Client not found in database: no such entry found in hdb
*Kerberos: cross-realm APEX.CORP -> SVITLA3.ROOM*
Kerberos: TGS-REQ authtime: 2020-07-17T18:07:28 starttime: 2020-07-17T18:07:28 endtime: 2020-07-18T04:07:28 renew till: unset

d at uc-sm18:~$ id APEX\\jake
uid=3000(APEX\jake) gid=3004(APEX\domain users) *groups=3004(APEX\domain users)*
d at uc-sm18:~$ getent passwd APEX\\jake
APEX\jake:*:3000:3004:jake:/home/APEX/jake:/bin/bash

"Kerberos: Client not found in database: no such entry found in hdb" demonstrates that the user wasn't found in the Samba db. After that, as the Samba domain has a trust with another domain, there was a try to get the user from the trusted (apex.corp) domain: "Kerberos: cross-realm APEX.CORP -> SVITLA3.ROOM". The try was successful: "Kerberos: TGS-REQ authtime: 2020-07-17T18:07:28 starttime: 2020-07-17T18:07:28 endtime: 2020-07-18T04:07:28 renew till: unset".

After that I can ssh with the trusted account but get IDs according to the default idmap.

*APEX\rock at uc-sm18*:/$ id
uid=3001(APEX\rock) gid=3004(*APEX\domain users*) groups=3004(*APEX\domain users*)

I provided credentials from the trusted domain, I know that authentication was successful with those credentials, so that authentication happened in the trusted DC. This authentication process happened involving the Samba DC - the samba log proves this fact. I can access a file share located on the trusted side with the authenticated trusted account.

I don't understand this default mapping. How does it work in my case? As I understood, mapping configuration in smb.conf is based on realm names in krb5.conf. My krb5.conf includes only the SVITLA3.ROOM realm. If I add an appropriate mapping for APEX.CORP, authentication doesn't work because krb5.conf doesn't know about APEX.CORP. If I add APEX.CORP to krb5.conf, the authentication process happens a different way, without involving the Samba DC. Probably I could configure krb5.conf in a specific way, getting as a result interaction for authentication via the Samba DC. But I don't know how. If you have an idea let me know.

Also, could you run

net rpc trustdom list -U administrator

in your configuration? This command provides output different from what is shown in https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf.

d at uc-sm18:~$ net rpc trustdom list -U administrator
Enter administrator's password:
Trusted domains list:

APEX S-1-5-21-4020559381-3467740180-2426716988

Trusting domains list:

Unable to find a suitable server for domain APEX
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
APEX couldn't get domain's sid

On Tue, 21 Jul 2020 at 13:40, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 20/07/2020 12:09, Yakov Revyakin wrote:
> > OK, trying to define the environment more clearly.
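An added check, not part of the thread or of Samba itself: given the idmap lines from the Linux client's smb.conf and the output of `id DOMAIN\\user` quoted above, it reports per user whether the uid and gid winbind handed out lie in the domain's own range or have fallen back into the `*` default (tdb) range, which is what happens to APEX\jake. The smb.conf fragment and the `id` lines are constructed from the values posted in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: audit whether the uid/gid that `id`
# reports for DOMAIN\user lie in the idmap range smb.conf assigns to DOMAIN,
# or fall back into the "*" default (tdb) range as APEX\jake does above.

# Constructed copy of the idmap lines from the thread's Linux client smb.conf.
SMB_CONF='idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SVITLA3:backend = rid
idmap config SVITLA3:range = 20000-29999
idmap config APEX:backend = rid
idmap config APEX:range = 10000-19999'

# idmap_range DOMAIN -> prints "LOW HIGH" for that domain's range, nothing if unset.
# The quoted "$1" keeps a literal "*" from acting as a glob in the case pattern.
idmap_range() {
    printf '%s\n' "$SMB_CONF" | while IFS= read -r line; do
        case "$line" in
            "idmap config $1"*range*=*)
                printf '%s\n' "${line#*=}" | tr -d ' ' | tr '-' ' ' ;;
        esac
    done
}

# in_range ID LOW HIGH -> true when LOW <= ID <= HIGH
in_range() { [ "$2" -le "$1" ] && [ "$1" -le "$3" ]; }

# check_mapping DOMAIN ID -> ok | default-range | out-of-range | no-range
check_mapping() {
    range=$(idmap_range "$1")
    [ -n "$range" ] || { echo no-range; return; }
    if in_range "$2" $range; then echo ok
    elif in_range "$2" $(idmap_range '*'); then echo default-range
    else echo out-of-range
    fi
}

# audit_id_line "<output of id DOMAIN\\user>" -> "DOMAIN user uid=N:verdict gid=N:verdict"
audit_id_line() {
    rest=${1#uid=}; uid=${rest%%\(*}
    rest=${rest#*\(}; name=${rest%%\)*}        # e.g. APEX\jake
    dom=${name%%\\*}; user=${name#*\\}
    gid=${1#*gid=}; gid=${gid%%\(*}
    echo "$dom $user uid=$uid:$(check_mapping "$dom" "$uid") gid=$gid:$(check_mapping "$dom" "$gid")"
}

# Constructed id output from the thread: the SVITLA3 user is fine, the APEX user is not.
audit_id_line 'uid=20000(SVITLA3\test01) gid=20000(SVITLA3\domain users) groups=20000(SVITLA3\domain users)'
audit_id_line 'uid=3000(APEX\jake) gid=3004(APEX\domain users) groups=3004(APEX\domain users)'
```

A `default-range` verdict matters beyond cosmetics: tdb allocates IDs in first-seen order on each host, so the same trusted user can own files under different UIDs on different members, and permissions that look right on one client do not carry over to another.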