Tim Miller
2021-Feb-26 04:20 UTC
[Samba] pam_winbind stops working when use_krb5 is enabled
Thanks to everyone who has weighed in on this. Very annoying that Red Hat decided to do away with pam_krb5. Based on what I'm reading (both here and in other places), the preferred solution is to use realmd to join to a domain rather than samba, which isn't really what I want at all :-). Red Hat does provide instructions for using Samba to join a domain and using SSSD to handle the authentication, but I don't have a RHEL 7 system handy to try them on, so I can't speak for whether or not they work.

I do have one question about using pam_krb5 (or pam_sss, if such a thing would ever be possible). Is the basic idea to use pam_krb5 (or pam_sss) to get the Kerberos ticket, which pam_winbind would then use to authenticate the user? Based on the description of the "krb5_auth" parameter in the pam_winbind man page, I thought that the notion is that pam_winbind would go off to the DC and get the Kerberos ticket for me, decrypt it using my password, and then stuff it into whatever ticket cache I've configured. But if we're actually getting the ticket via pam_krb5, then I've clearly misunderstood what role pam_winbind is playing in the whole authentication operation.

Thanks again for everyone's assistance here!

Tim

On Thu, Feb 25, 2021 at 10:55 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 25/02/2021 15:41, cn--- via samba wrote:
> > On 25.02.21 at 14:35, Rowland penny via samba wrote:
> >
> > > You need pam-krb5, which I believe Red-hat has removed in RHEL 8
> >
> > You can do it this way:
> >
> > https://access.redhat.com/solutions/4256011
> >
> > The account is free but you need to log in.
>
> I have a red-hat account but I can never see anything, but I take it
> that it is the same as this:
>
> https://sssd.io/docs/users/pam_krb5_migration.html
>
> If it is, then you are shooting yourself in the foot, the first thing
> you would have to do is to remove Samba as you cannot use sssd with Samba.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
cn at brain-biotech.de
2021-Feb-26 06:22 UTC
[Samba] pam_winbind stops working when use_krb5 is enabled
Hello Tim,

I can confirm that joining with Samba works on Centos 8. We have 5 DCs and member servers running on 8. The only thing I have run after the join is this:

    authselect select winbind --force

In nsswitch.conf I then have this:

    passwd: files winbind systemd
    group: files winbind systemd

And it works. I can log in using krb by ssh. SMB works by krb also.

    Successful AuthZ: [SMB2,krb5] user [DOMAIN-02]\[XX] [S-1-5-21-XXXXXXX-XXXXX-XXXXX-XXXXX].

However, I am not sure how this all works together.

Regards

On 26.02.21 at 05:20, Tim Miller via samba wrote:
> Thanks for everyone who has weighed in on this. Very annoying that Red Hat
> decided to do away with pam_krb5. Based on what I'm reading (both here and
> in other places), the preferred solution is to use realmd to join to a
> domain rather than samba, which isn't really what I want at all :-). Red
> Hat does provide instructions for using Samba to join a domain and using
> SSSD to handle the authentication, but I don't have a RHEL 7 system handy
> to try them on, so I can't speak for whether or not they work.
>
> I do have one question about using pam_krb5 (or pam_sss, if such a thing
> would ever be possible). Is the basic idea to use pam_krb5 (or pam_sss) to
> get the Kerberos ticket, which pam_winbind would then use to authenticate
> the user? Based on the description of the "krb5_auth" parameter in the
> pam_winbind man page, I thought that the notion is that pam_winbind would
> go off to the DC and get the Kerberos ticket for me, decrypt it using my
> password, and then stuff it into whatever ticket cache I've configured. But
> if we're actually getting the ticket via pam_krb5, then I've clearly
> misunderstood what role pam_winbind is playing in the whole authentication
> operation.
>
> Thanks again for everyone's assistance here!
>
> Tim
>
> On Thu, Feb 25, 2021 at 10:55 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
>> On 25/02/2021 15:41, cn--- via samba wrote:
>>> On 25.02.21 at 14:35, Rowland penny via samba wrote:
>>>
>>>> You need pam-krb5, which I believe Red-hat has removed in RHEL 8
>>>
>>> You can do it this way:
>>>
>>> https://access.redhat.com/solutions/4256011
>>>
>>> The account is free but you need to log in.
>>
>> I have a red-hat account but I can never see anything, but I take it
>> that it is the same as this:
>>
>> https://sssd.io/docs/users/pam_krb5_migration.html
>>
>> If it is, then you are shooting yourself in the foot, the first thing
>> you would have to do is to remove Samba as you cannot use sssd with Samba.
>>
>> Rowland

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management board: Adriaan Moelker (Chairman of the board), Lukas Linnig
Chairman of the supervisory board: Dr. Georg Kellinghusen
Rowland penny
2021-Feb-26 09:23 UTC
[Samba] pam_winbind stops working when use_krb5 is enabled
On 26/02/2021 04:20, Tim Miller via samba wrote:
> Thanks for everyone who has weighed in on this. Very annoying that Red Hat
> decided to do away with pam_krb5. Based on what I'm reading (both here and
> in other places), the preferred solution is to use realmd to join to a
> domain rather than samba, which isn't really what I want at all :-). Red
> Hat does provide instructions for using Samba to join a domain and using
> SSSD to handle the authentication, but I don't have a RHEL 7 system handy
> to try them on, so I can't speak for whether or not they work.
>
> I do have one question about using pam_krb5 (or pam_sss, if such a thing
> would ever be possible). Is the basic idea to use pam_krb5 (or pam_sss) to
> get the Kerberos ticket, which pam_winbind would then use to authenticate
> the user? Based on the description of the "krb5_auth" parameter in the
> pam_winbind man page, I thought that the notion is that pam_winbind would
> go off to the DC and get the Kerberos ticket for me, decrypt it using my
> password, and then stuff it into whatever ticket cache I've configured. But
> if we're actually getting the ticket via pam_krb5, then I've clearly
> misunderstood what role pam_winbind is playing in the whole authentication
> operation.
>

If you are going to use pam_sss, then you are going to be using sssd and you cannot use sssd with winbind. sssd has its own version of the winbind libs. There is (in my opinion) a kludge where you can use sssd with Samba, but this will only give you authentication, no shares and as such is pretty pointless, you might as well just run sssd. If you just want authentication, just run sssd, but if you want shares, do not run sssd.

Rowland
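The following script is an added example and is not code from this thread or from the Samba project. It turns two points made above into checks an administrator can run on a member server: Christian's working layout (nsswitch.conf with passwd and group resolved through winbind, pam_winbind loaded with the krb5_auth option), and Rowland's point that sssd and winbind must not be mixed. File paths are parameters so the functions run here against constructed sample files; the option names krb5_auth, krb5_ccache_type and cached_login are real pam_winbind options, while the sample file contents and the paths under the temporary directory are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): read-only configuration
# checks for a Samba member that authenticates with Kerberos through pam_winbind.
# On a real host pass /etc/nsswitch.conf, /etc/pam.d/system-auth and
# /etc/security/pam_winbind.conf; here the checks run against constructed samples.

# 0 if both the passwd and group databases in nsswitch.conf list winbind.
nss_uses_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# 0 if any passwd/group line names both sss and winbind (the mix Rowland warns against).
nss_mixes_sss_and_winbind() {
    grep -E '^[[:space:]]*(passwd|group):' "$1" |
        grep -E '[[:space:]]sss([[:space:]]|$)' |
        grep -Eq '[[:space:]]winbind([[:space:]]|$)'
}

# 0 if an auth line of the PAM stack loads pam_winbind.so with the krb5_auth option.
pam_winbind_krb5_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*[[:space:]]krb5_auth([[:space:]]|$)' "$1"
}

# 0 if pam_winbind.conf sets krb5_auth = yes (the module also reads this file).
pam_winbind_conf_krb5_auth() {
    grep -Eiq '^[[:space:]]*krb5_auth[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Run all checks; returns 0 only when nsswitch is consistent. A missing krb5_auth
# is reported as a warning, since NTLM-style winbind logins still work without it.
audit_member_config() {
    nss="$1"; pam="$2"; wbconf="$3"; rc=0
    if nss_uses_winbind "$nss"; then
        echo "ok:   passwd and group resolve through winbind in $nss"
    else
        echo "FAIL: passwd/group in $nss do not list winbind"; rc=1
    fi
    if nss_mixes_sss_and_winbind "$nss"; then
        echo "FAIL: $nss lists both sss and winbind; use one of them, not both"; rc=1
    fi
    if pam_winbind_krb5_auth "$pam" || pam_winbind_conf_krb5_auth "$wbconf"; then
        echo "ok:   pam_winbind has krb5_auth enabled"
    else
        echo "warn: krb5_auth is not enabled for pam_winbind, so no Kerberos ticket is obtained at login"
    fi
    return "$rc"
}

# Constructed sample files (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_NSS="$SAMPLE_DIR/nsswitch.winbind"
MIXED_NSS="$SAMPLE_DIR/nsswitch.mixed"
SSS_NSS="$SAMPLE_DIR/nsswitch.sss"
PAM_AUTH="$SAMPLE_DIR/system-auth"
PAM_NOKRB="$SAMPLE_DIR/system-auth.nokrb"
WINBIND_CONF="$SAMPLE_DIR/pam_winbind.conf"
printf 'passwd:     files winbind systemd\ngroup:      files winbind systemd\n' > "$GOOD_NSS"
printf 'passwd:     files sss winbind\ngroup:      files sss winbind\n' > "$MIXED_NSS"
printf 'passwd:     files sss systemd\ngroup:      files sss systemd\n' > "$SSS_NSS"
cat > "$PAM_AUTH" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_winbind.so cached_login krb5_auth krb5_ccache_type=FILE
auth        required      pam_deny.so
EOF
cat > "$PAM_NOKRB" <<'EOF'
auth        sufficient    pam_winbind.so cached_login
EOF
cat > "$WINBIND_CONF" <<'EOF'
[global]
krb5_auth = no
cached_login = yes
EOF

# Demonstration run over the three nsswitch samples.
for sample in "$GOOD_NSS" "$MIXED_NSS" "$SSS_NSS"; do
    if audit_member_config "$sample" "$PAM_AUTH" "$WINBIND_CONF"; then
        echo "$sample: OK"
    else
        echo "$sample: needs attention"
    fi
    echo
done
```

The checks are deliberately limited to what the thread establishes: winbind in nsswitch.conf, krb5_auth on the pam_winbind line, and no sss alongside winbind. They say nothing about whether the host is actually joined or whether the DC is reachable; `wbinfo -t` and `kinit` remain the way to confirm that.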