Rowland penny
2020-Jul-23 19:58 UTC
[Samba] using samba-tool from a domain member other than the DC
On 23/07/2020 20:36, Jason Keltz via samba wrote:
>
> On the client, I have the same krb5.conf as above. For smb.conf I
> have the following (I don't even really know if it's required but I
> highly suspect samba-tool is at least reading it):
>
> [global]
>         workgroup = <workgroup name>
>         security = ADS
>         realm = <realm server name>
>
> I was under the impression that in order to use ldap:// URLs, on the
> DC smb.conf, you need to add "ldap server require strong auth = no".
> You said the default is no, but at least in my configuration on the
> server it is "yes":

OOPS, senior moment there ;-)

The 'no' should have been 'yes' and it still works for me ;-)

> I'm not permitted to set ldap server require strong auth = no.
> Ideally, samba-tool would work with ldaps, but if I can use samba-tool
> over ldap without having to set the require strong auth = no, then
> that would be great.

You should be able to use samba-tool with kerberos:

rowland@devstation:~$ samba-tool user list -H ldap://dc01.samdom.example.com -k yes -d5
< snipped for brevity >
Ticket in credentials cache for rowland@SAMDOM.EXAMPLE.COM will expire in 33327 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
<LONG LIST OF USERS>

This is from a domain joined Unix client and 'rowland' has a valid kerberos ticket.

The client is running nmbd, smbd and winbind.

You say that you are running sssd, we cannot help you with this, we do not produce sssd etc.

Rowland
Jason Keltz
2020-Jul-24 00:01 UTC
[Samba] using samba-tool from a domain member other than the DC
Hi Rowland,

Speaking of senior moment. I just figured out the problem...

My DC host has its regular name - dc01.example.com - and then its AD name dc01.ad.example.com. Even though both resolve to the same IP, I was using dc01.example.com, which is apparently a no-no because Kerberos is particular about names. If I use dc01.ad.example.com it actually works!!!!!!!!!! Using either dc01.example.com or using the IP address both do not work.

And just to prove that this has nothing whatsoever to do with smb.conf, I moved it out of the way completely, and it now works as well!!

Thanks a lot! I've spent *hours* looking at this. I think I have a few extra gray hairs.

Jason.

On 7/23/2020 3:58 PM, Rowland penny via samba wrote:
> On 23/07/2020 20:36, Jason Keltz via samba wrote:
>>
>> On the client, I have the same krb5.conf as above. For smb.conf I
>> have the following (I don't even really know if it's required but I
>> highly suspect samba-tool is at least reading it):
>>
>> [global]
>>         workgroup = <workgroup name>
>>         security = ADS
>>         realm = <realm server name>
>>
>> I was under the impression that in order to use ldap:// URLs, on the
>> DC smb.conf, you need to add "ldap server require strong auth = no".
>> You said the default is no, but at least in my configuration on the
>> server it is "yes":
>
> OOPS, senior moment there ;-)
>
> The 'no' should have been 'yes' and it still works for me ;-)
>
>> I'm not permitted to set ldap server require strong auth = no.
>> Ideally, samba-tool would work with ldaps, but if I can use
>> samba-tool over ldap without having to set the require strong auth =
>> no, then that would be great.
>
> You should be able to use samba-tool with kerberos:
>
> rowland@devstation:~$ samba-tool user list -H ldap://dc01.samdom.example.com -k yes -d5
> < snipped for brevity >
> Ticket in credentials cache for rowland@SAMDOM.EXAMPLE.COM will expire in 33327 secs
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> <LONG LIST OF USERS>
>
> This is from a domain joined Unix client and 'rowland' has a valid
> kerberos ticket.
>
> The client is running nmbd, smbd and winbind.
>
> You say that you are running sssd, we cannot help you with this, we do
> not produce sssd etc.
>
> Rowland
L.P.H. van Belle
2020-Jul-24 06:41 UTC
[Samba] using samba-tool from a domain member other than the DC
Just a word of warning there...

If your AD DC has 2 hostnames, does it also have 2 IP numbers? If not, and you have set up 2 A records in DNS, then beware and rethink your setup. And do check whether you then also have 2 PTR records.

If you have 1 PTR record and 1 IP address, which I assume based on the info I saw, then set up A + PTR + CNAME and not 2 x A and PTR. You have fewer problems with A + PTR + CNAME with Kerberos.

dc01.ad.example.com A -> PTR IP -> CNAME dc01.example.com

Also, resolving order and routing can bork the setup. So since it now works, just a notice. But this triggered me to reply.

> My DC host has its regular name - dc01.example.com and then
> its AD name dc01.ad.example.com.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of
> Jason Keltz via samba
> Sent: Friday 24 July 2020 2:01
> To: samba@lists.samba.org
> Subject: Re: [Samba] using samba-tool from a domain member
> other than the DC
>
> Hi Rowland,
>
> Speaking of senior moment. I just figured out the problem...
>
> My DC host has its regular name - dc01.example.com and then
> its AD name dc01.ad.example.com. Even though both resolve to the same IP, I was
> using dc01.example.com which is apparently a no-no because
> Kerberos is particular about names. If I use dc01.ad.example.com it actually
> works!!!!!!!!!! Using either dc01.example.com or using the
> IP address both do not work.
>
> And just to prove that this has nothing whatsoever to do with
> smb.conf, I moved it out of the way completely, and it now works as well!!
>
> Thanks a lot! I've spent *hours* looking at this. I think I
> have a few extra gray hairs.
>
> Jason.
>
> On 7/23/2020 3:58 PM, Rowland penny via samba wrote:
> > On 23/07/2020 20:36, Jason Keltz via samba wrote:
> >>
> >> On the client, I have the same krb5.conf as above.
> >> For smb.conf I have the following (I don't even really know if it's
> >> required but I highly suspect samba-tool is at least reading it):
> >>
> >> [global]
> >>         workgroup = <workgroup name>
> >>         security = ADS
> >>         realm = <realm server name>
> >>
> >> I was under the impression that in order to use ldap://
> >> URLs, on the DC smb.conf, you need to add "ldap server require strong
> >> auth = no". You said the default is no, but at least in my
> >> configuration on the server it is "yes":
> >
> > OOPS, senior moment there ;-)
> >
> > The 'no' should have been 'yes' and it still works for me ;-)
> >
> >> I'm not permitted to set ldap server require strong auth = no.
> >> Ideally, samba-tool would work with ldaps, but if I can use
> >> samba-tool over ldap without having to set the require strong auth =
> >> no, then that would be great.
> >
> > You should be able to use samba-tool with kerberos:
> >
> > rowland@devstation:~$ samba-tool user list -H ldap://dc01.samdom.example.com -k yes -d5
> > < snipped for brevity >
> > Ticket in credentials cache for rowland@SAMDOM.EXAMPLE.COM will expire in 33327 secs
> > gensec_gssapi: NO credentials were delegated
> > GSSAPI Connection will be cryptographically signed
> > <LONG LIST OF USERS>
> >
> > This is from a domain joined Unix client and 'rowland' has a valid
> > kerberos ticket.
> >
> > The client is running nmbd, smbd and winbind.
> >
> > You say that you are running sssd, we cannot help you with
> > this, we do not produce sssd etc.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2020-Jul-24 07:49 UTC
[Samba] using samba-tool from a domain member other than the DC
On 24/07/2020 01:01, Jason Keltz via samba wrote:
> Hi Rowland,
>
> Speaking of senior moment. I just figured out the problem...
>
> My DC host has its regular name - dc01.example.com and then its AD
> name dc01.ad.example.com. Even though both resolve to the same IP, I
> was using dc01.example.com which is apparently a no-no because
> Kerberos is particular about names. If I use dc01.ad.example.com it
> actually works!!!!!!!!!! Using either dc01.example.com or using the
> IP address both do not work.

Why does your DC have two FQDNs ??? This is a NO-NO, a DC must be authoritative for the AD dns domain, how can it do this reliably if it is schizophrenic. I would remove 'dc01.example.com' or make it a CNAME.

Whilst a kerberos realm != dns domain, it is expected to be the dns domain in uppercase, also kerberos will not work with ipaddresses.

> And just to prove that this has nothing whatsoever to do with
> smb.conf, I moved it out of the way completely, and it now works as
> well!!

Could have told you that, provided you have a kerberos ticket granted by a domain DC, samba-tool will work against a domain DC.

> Thanks a lot! I've spent *hours* looking at this. I think I have a
> few extra gray hairs.

Sign of wisdom lol

Rowland
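The thread's three observations (the AD name works, the alias and the bare IP do not, and an A + PTR + CNAME layout is safer than two A records) all come down to which service principal the client derives from the hostname in the ldap:// URL. The script below is an added example written for this page, not code from the Samba project or from any poster; the DNS records, the 192.0.2.10 address and the servicePrincipalName values are constructed, and canonicalize() is a simplified model of the resolver-based canonicalisation a Kerberos client performs before the TGS request (it ignores the optional reverse-lookup step that some MIT builds enable with rdns, which is why your results may differ with that setting).

```python
"""Why 'samba-tool -H ldap://<name> -k yes' cares about which name you use.

Added example, not code from the Samba project or from this thread. The DNS
records and servicePrincipalName values are constructed for the illustration,
and canonicalize() is a simplified model of what a Kerberos client does
(follow CNAMEs via the resolver) before it asks the KDC for a service ticket.
"""
import ipaddress


class DnsView:
    """A tiny constructed view of a zone: A, CNAME and PTR records."""

    def __init__(self, a, cname, ptr):
        self.a, self.cname, self.ptr = a, cname, ptr

    def canonicalize(self, host):
        """Return the name that owns an A record after following CNAMEs,
        or None for an IP literal or an unknown name."""
        try:
            ipaddress.ip_address(host)
            return None          # an SPN is built from a name, never an address
        except ValueError:
            pass
        seen = set()
        while host in self.cname:
            if host in seen:
                raise ValueError(f"CNAME loop at {host}")
            seen.add(host)
            host = self.cname[host]
        return host if host in self.a else None

    def warnings(self):
        """Checks in the spirit of Louis' advice: every A record needs a PTR
        pointing back at it, and one address must not own two A records."""
        out = []
        by_ip = {}
        for name, ip in self.a.items():
            by_ip.setdefault(ip, []).append(name)
            if self.ptr.get(ip) != name:
                out.append(f"PTR for {ip} is {self.ptr.get(ip)!r}, expected {name}")
        for ip, names in by_ip.items():
            if len(names) > 1:
                out.append(f"{ip} has A records for {sorted(names)}; make the alias a CNAME")
        return out


def ticket_request(url_host, dns, dc_spns):
    """Model the TGS request that samba-tool's GSSAPI bind triggers for ldap://url_host."""
    canon = dns.canonicalize(url_host)
    if canon is None:
        return False, f"no service principal can be derived from {url_host!r}"
    spn = f"ldap/{canon}"
    if spn not in dc_spns:
        return False, f"{spn} is not registered on the DC (KDC answers S_PRINCIPAL_UNKNOWN)"
    return True, spn


# Constructed: the DC's canonical AD name, one address, and its SPNs.
DC_SPNS = {
    "ldap/dc01.ad.example.com",
    "ldap/dc01.ad.example.com/ad.example.com",
    "HOST/dc01.ad.example.com",
}

# Setup 1 (as the thread describes it): two A records for the same address.
TWO_A = DnsView(
    a={"dc01.ad.example.com": "192.0.2.10", "dc01.example.com": "192.0.2.10"},
    cname={},
    ptr={"192.0.2.10": "dc01.ad.example.com"},
)

# Setup 2 (as Louis recommends): A + PTR for the AD name, CNAME for the alias.
A_PTR_CNAME = DnsView(
    a={"dc01.ad.example.com": "192.0.2.10"},
    cname={"dc01.example.com": "dc01.ad.example.com"},
    ptr={"192.0.2.10": "dc01.ad.example.com"},
)


if __name__ == "__main__":
    for label, dns in (("two A records", TWO_A), ("A + PTR + CNAME", A_PTR_CNAME)):
        print(f"== {label}: {dns.warnings() or 'DNS consistent'}")
        for host in ("dc01.ad.example.com", "dc01.example.com", "192.0.2.10"):
            ok, detail = ticket_request(host, dns, DC_SPNS)
            print(f"  ldap://{host:<22} {'OK  ' if ok else 'FAIL'} {detail}")
```

With two A records the alias canonicalises to itself, so the client asks for ldap/dc01.example.com, which the DC never registered; with the CNAME layout the same URL canonicalises to the AD name and the bind succeeds. The IP literal fails in both layouts because no name, and therefore no principal, can be derived from it. On a real domain member the equivalent check is `kinit <user>` followed by `samba-tool user list -H ldap://<name> -k yes -d5`, and `klist` afterwards shows which ldap/ principal was actually requested.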