samba - Oct 2020 - Samba SSSD authentication via userPrincipalName does not work because samba claims that the username does not exist.

Am 14.10.20 um 08:31 schrieb Nico Kadel-Garcia via
samba:
> On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 13/10/2020 15:01, Markus Jansen via samba wrote:
>>> Thank you very much for your hints.
>>>
>>> I got rid of SSSD and managed to get a successful kerberos
>>> authentication via wbinfo -K and the UPN.
>>>
>>> But accessing via SMB (using MAC OS' smbutil or Finder) still
fails with
>>> "FAILED with error NT_STATUS_NO_SUCH_USER".
>>>
>>> As I'm using CentOS 8, I used authselect to configure winbind
>>> integration to PAM (do I really need this for SMB?) and enabled
>>> "with-krb5" and "with-pamaccess" - features to
let /etc/pam.d/-files be
>>> configured automatically.
>>>
>>> I'm really confused. What's missing?
>>>
>> Probably libpam-krb5 that Red-Hat has removed from RHEL8 and hence
>> Centos8, I had to compile the Centos7 package and install it before I
>> could get Centos8 to work correctly.
>>
>> BIG NOTE: this is just my opinion.
>>
>> I really do not think that red-hat wants you to use Samba with RHEL8, I
>> think they really want you to use sssd with freeipa instead. They have
>> removed openldap, smbldap-tools  and libpam-krb5 that I am aware of,
>> there may be others.
Good hint. I switched to Debian Buster - same issue:

Interestinly, "id tim-upn" (the userPrincipalname) works and refers to
the sAMAccountName.

"uid=3000(tim-sam) gid=3000(domain users) groups=3000(domain
users),3001(storage-users),1000001(BUILTIN\users).

"login tim-upn" works, "ssh tim-upn at localhost", too.?
Also: "smbclient
-L //localhost -W ADTEST -U tim-sam%Qwertz12345" works, but "smbclient
-L //localhost -W ADTEST -U tim-upn%Qwertz12345" doesn't.

Still confused.
> This matches my direct observations. Also sssd has many options for
> tuning that get *thrown out* with any security update of the software,
> they are flushed by any run of authconfig which is often built into
> related software updates. sssd is *not your friend* if you want any
> tuning of your LDAP or related behavior, and it insists on pre-caching
> all of your LDAP before completing the setup of sssd. SO it starts up,
> times out on the pre-caching, and *fails* with no legible log of what
> the problem was and no good way to tune it except to resttrict your
> LDAP access to a wafer thin sliver of the upstream setup, *which
> configuration gets overwritten!!!!* with updates of anything that uses
> authconfig.
>
> This iss a condemnation of authconfig's poor management of the
> sophisticated options to sssd, but unless you're running something
> like ansible or chef to replace your /etc/sssd/ files as needed, it's
> an ongoing problem, A  backdoor also cannot rely on sssd to be working
> correctly, so you're compelled to use something like SSH keys for an
> ansible service account or direct root SSH access to support this.
>
>> How wedded are you to Centos ? I personally would advise you to switch
>> to Debian or Ubuntu, everything just works.
> Just ditch sssd if you want actual reliable LDAP. It's handy if you
> need no sophistaction of a smal LDAP setup, but I have real problems
> with it for sophisticated production use. It's not a well integrated
> wrapper for LDAP, Kerberos, and other settihngs.
>
>> If you must use Centos8, then it is possible to get Linux to connect to
>> a Samba share running on a Centos domain member, not sure about a Mac,
I
>> do not have one.

On 14/10/2020 15:07, Markus Jansen via samba wrote:
> Am 14.10.20 um 08:31 schrieb Nico Kadel-Garcia via samba:
>> On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba
>> <samba at lists.samba.org> wrote:
>>> On 13/10/2020 15:01, Markus Jansen via samba wrote:
>>>> Thank you very much for your hints.
>>>>
>>>> I got rid of SSSD and managed to get a successful kerberos
>>>> authentication via wbinfo -K and the UPN.
>>>>
>>>> But accessing via SMB (using MAC OS' smbutil or Finder)
still fails with
>>>> "FAILED with error NT_STATUS_NO_SUCH_USER".
>>>>
>>>> As I'm using CentOS 8, I used authselect to configure
winbind
>>>> integration to PAM (do I really need this for SMB?) and enabled
>>>> "with-krb5" and "with-pamaccess" - features
to let /etc/pam.d/-files be
>>>> configured automatically.
>>>>
>>>> I'm really confused. What's missing?
>>>>
>>> Probably libpam-krb5 that Red-Hat has removed from RHEL8 and hence
>>> Centos8, I had to compile the Centos7 package and install it before
I
>>> could get Centos8 to work correctly.
>>>
>>> BIG NOTE: this is just my opinion.
>>>
>>> I really do not think that red-hat wants you to use Samba with
RHEL8, I
>>> think they really want you to use sssd with freeipa instead. They
have
>>> removed openldap, smbldap-tools  and libpam-krb5 that I am aware
of,
>>> there may be others.
> Good hint. I switched to Debian Buster - same issue:
>
> Interestinly, "id tim-upn" (the userPrincipalname) works and
refers to
> the sAMAccountName.
>
> "uid=3000(tim-sam) gid=3000(domain users) groups=3000(domain
> users),3001(storage-users),1000001(BUILTIN\users).
>
> "login tim-upn" works, "ssh tim-upn at localhost",
too.? Also: "smbclient
> -L //localhost -W ADTEST -U tim-sam%Qwertz12345" works, but
"smbclient
> -L //localhost -W ADTEST -U tim-upn%Qwertz12345" doesn't.
>
> Still confused.
>
So am I, '3000' for Domain Users and '1000001' for
BUILTIN\users. Might
help if you post the smb.conf you are using.

Rowland

Am 14.10.20 um 16:19 schrieb Rowland penny via samba:
> On 14/10/2020 15:07, Markus Jansen via samba wrote:
>> Am 14.10.20 um 08:31 schrieb Nico Kadel-Garcia via samba:
>>> On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On 13/10/2020 15:01, Markus Jansen via samba wrote:
>>>>> Thank you very much for your hints.
>>>>>
>>>>> I got rid of SSSD and managed to get a successful kerberos
>>>>> authentication via wbinfo -K and the UPN.
>>>>>
>>>>> But accessing via SMB (using MAC OS' smbutil or Finder)
still
>>>>> fails with
>>>>> "FAILED with error NT_STATUS_NO_SUCH_USER".
>>>>>
>>>>> As I'm using CentOS 8, I used authselect to configure
winbind
>>>>> integration to PAM (do I really need this for SMB?) and
enabled
>>>>> "with-krb5" and "with-pamaccess" -
features to let
>>>>> /etc/pam.d/-files be
>>>>> configured automatically.
>>>>>
>>>>> I'm really confused. What's missing?
>>>>>
>>>> Probably libpam-krb5 that Red-Hat has removed from RHEL8 and
hence
>>>> Centos8, I had to compile the Centos7 package and install it
before I
>>>> could get Centos8 to work correctly.
>>>>
>>>> BIG NOTE: this is just my opinion.
>>>>
>>>> I really do not think that red-hat wants you to use Samba with
>>>> RHEL8, I
>>>> think they really want you to use sssd with freeipa instead.
They have
>>>> removed openldap, smbldap-tools? and libpam-krb5 that I am
aware of,
>>>> there may be others.
>> Good hint. I switched to Debian Buster - same issue:
>>
>> Interestinly, "id tim-upn" (the userPrincipalname) works and
refers to
>> the sAMAccountName.
>>
>> "uid=3000(tim-sam) gid=3000(domain users) groups=3000(domain
>> users),3001(storage-users),1000001(BUILTIN\users).
>>
>> "login tim-upn" works, "ssh tim-upn at localhost",
too.? Also: "smbclient
>> -L //localhost -W ADTEST -U tim-sam%Qwertz12345" works, but
"smbclient
>> -L //localhost -W ADTEST -U tim-upn%Qwertz12345" doesn't.
>>
>> Still confused.
>>
> So am I, '3000' for Domain Users and '1000001' for
BUILTIN\users.
> Might help if you post the smb.conf you are using.
>
> Rowland
I made a step backwards and figured out that authenticating via UPN DOES
work if I use a "legal" one with an "@domain"-suffix. Sorry
for that
confusion.

But: I want to use login names without the "@domain"-suffix because,
as
this looks like an email address, people could get irritated as their
email address may look different.
So I set the "winbind use default domain = yes" in the smb.conf and
"wbinfo -K test-storage01" works for user UPN test-storage01 at
ad.adtest.de.

But smbclient (on Debian) or net use (on Windows) does not work if I
omit the "@ad.adtest.de". Am I right when I think that missing the
'@'
leads to a fallback of DOMAIN\sAMAccountName - authentication because
winbind does not know how to navigate through the AD forest?
Interestingly, test-storage01 at ad.bnitm.de could be mapped to
BNITM\test-storage01-sam and authenticate.
(smb.log: "check_ntlm_password:? authentication for user
[test-storage01 at ad.bnitm.de] -> [test-storage01 at ad.bnitm.de] ->
[BNITM\test-storage01-sam] succeeded")

Also: "getent passwd test-storage01 at ad.bnitm.de" ->
"test-storage01-sam:*:3000:3000:Test Storage
01:/home/BNITM/test-storage01-sam:/bin/false"

But "net use y: \\ip\example /user:test-storage01" leads to the
following smb.log entry:
"Auth: [SMB2,(null)] user [DESKTOP-9CASEDK]\[test-storage01] at [Thu, 15
Oct 2020 13:16:53.462240 CEST] with [NTLMv2] status
[NT_STATUS_NO_SUCH_USER] workstation [DESKTOP-9CASEDK] remote host
[ipv4:134.100.203.37:50737] mapped to
[DESKTOP-9CASEDK]\[test-storage01]. local host [ipv4:134.100.202.143:445]
? {"timestamp": "2020-10-15T13:16:53.462447+0200",
"type":
"Authentication", "Authentication": {"version":
{"major": 1, "minor":
0}, "status": "NT_STATUS_NO_SUCH_USER",
"localAddress":
"ipv4:134.100.202.143:445", "remoteAddress":
"ipv4:134.100.203.37:50737", "serviceDescription":
"SMB2",
"authDescription": null, "clientDomain":
"DESKTOP-9CASEDK",
"clientAccount": "test-storage01", "workstation":
"DESKTOP-9CASEDK",
"becameAccount": null, "becameDomain": null,
"becameSid": null,
"mappedAccount": "test-storage01", "mappedDomain":
"DESKTOP-9CASEDK",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"NTLMv2", "duration":
5391}}


... while "net use y: \\ip\example /user:test-storage01 at
ad.adtest.de" works.

I wonder how authentication without domain suffix could work at all.
My smb.conf:

[global]
?? workgroup = ADTEST
?? security = ADS
?? realm = AD.ADTEST.DE

?? winbind refresh tickets = Yes
?? vfs objects = acl_xattr
?? map acl inherit = Yes
?? store dos attributes = Yes

?? dedicated keytab file = /etc/krb5.keytab
?? kerberos method = secrets and keytab
?? winbind expand groups = 4
?? winbind refresh tickets = Yes
?? winbind normalize names = Yes
?? winbind nss info = rfc2307
?? winbind use default domain = yes

?? winbind enum users = yes
?? winbind enum groups = yes

?? idmap config * : backend = autorid
?? idmap config * : range = 1000000-1999999
?? idmap config * : rangesize = 1000000

?? load printers = no
?? printing = bsd
?? printcap name = /dev/null
?? disable spoolss = yes
?? log level = 3

[example]
? path = /tmp/

? comment = Example Share


Markus


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20201015/fe9f87d4/signature.sig>