vincent at cojot.name
2021-Jun-06 01:27 UTC
[Samba] Logging into Linux from Domain-joined Win10 desktop works for hostnames, not VIPs
I think I figured it out and in fact the solution was on the samba AD DC.

Here's my setup:
- dc00/dc01 (two small VMs running RHEL7.9 + samba AD/DC custom rpms)
- hypervisor1/2/3 : machines running RHEL8.4 with the RH-provided samba rpms
- a few Win10 endpoints (laptops), a few Fedora endpoints (laptops) and no
  Macs. One Win10 VM for the purpose of running some things, including RSAT.

My son was trying to PuTTY/ssh from his Win10 machine to one of the VIPs
carried by one of the hypervisors. It worked when connecting to
<machine1.lasthome.solace.krynn> but not for
'<floating.lasthome.solace.krynn>'.

Here's what I did:

1) went into 'Active Directory Users and Computers' from my Win10 VM (I
   used it to edit Policies for the Win10 endpoints in our domain).
2) View -> Advanced features - Select host (one of the hypervisors)
3) Attribute Editor -> edit servicePrincipalName
   There, I added these records:
   host/FLOATING
   host/floating.lasthome.solace.krynn
   host/floating.ad.lasthome.solace.krynn
4) restarted sshd on machine1

After that, things started to work and it was now possible for him to
PuTTY ssh directly to the VIP by using the floating IP name (this is
required because all 3 hypervisors form a cluster and VIPs fail over from
one machine to the other) e.g: floating.lasthome.solace.krynn could be
carried by any of the 3 hypervisors.

,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
Vincent S. Cojot, Computer Engineering. STEP project.    _.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page  _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote at NOSPAM4cojot.name

They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places. - Robert Frost


On Sat, 5 Jun 2021, Vincent S. Cojot via samba wrote:

>
> Also,
>
> I just tested this and it's entirely similar:
>
> I can PuTTY without a password prompt to <hostname1.lasthome.solace.krynn>
> or <hostname1.ad.lasthome.solace.krynn>
>
> If I try to PuTTY to <floating1.lasthome.solace.krynn>, or
> <floating1.ad.lasthome.solace.krynn> it prompts for a password.
>
> The servers are running RHEL8.4.
>
> I probably need to run 'net ads keytab <something>' so I'll be trying to
> figure out the 'something' part.. :)
>
> Sorry again for the noise,
>
> Vincent
>
>
> On Sat, 5 Jun 2021, Vincent S. Cojot via samba wrote:
>
>>
>> Hi Rowland,
>>
>> You are 100% right and perhaps what I am seeing is only sssd stuff. I've
>> been able to locate a BZ (#1) talking about something similar so perhaps I
>> only need to 'net ads keytab add' on the Linux hosts.
>>
>> Sorry for the noise,
>>
>> #1: https://bugzilla.redhat.com/show_bug.cgi?id=1529301
>>
>> Vincent
>>
>> On Sat, 5 Jun 2021, Rowland penny via samba wrote:
>>
>>> On 05/06/2021 20:56, Vincent S. Cojot via samba wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I've observed some strange thing and I know too little about Windows to
>>>> figure out what's going on so I would love it if someone could shed some
>>>> light..
>>>>
>>>> Here's the thing:
>>>>
>>>> From a win10 desktop, I PuTTY ssh to a server if I use PuTTY with the
>>>> remote server's hostname but if I use a VIP hosted on the same server, my
>>>> user gets prompted for a UNIX password (I'm not using SSH keys in this
>>>> environment, only plain AD with bind).
>>>>
>>>> In more detail:
>>>> my RHEL servers are joined to the domain using this:
>>>>
>>>> # realm list
>>>> ad.lasthome.solace.krynn
>>>>   type: kerberos
>>>>   realm-name: AD.LASTHOME.SOLACE.KRYNN
>>>>   domain-name: ad.lasthome.solace.krynn
>>>>   configured: kerberos-member
>>>>   server-software: active-directory
>>>>   client-software: sssd
>>>>   required-package: oddjob
>>>>   required-package: oddjob-mkhomedir
>>>>   required-package: sssd
>>>>   required-package: adcli
>>>>   required-package: samba-common-tools
>>>>   login-formats: %U
>>>>   login-policy: allow-realm-logins
>>>>
>>>> From any Windows10 desktop in the home, I can PuTTY without a password
>>>> prompt to <hostname1.lasthome.solace.krynn>.
>>>>
>>>> If I try to PuTTY to <floating1.lasthome.solace.krynn>, my user gets
>>>> prompted for its password.
>>>>
>>>> Any ideas? I'm just stumped.. (I don't use Win10 but some of my children
>>>> do and one has a need to ssh from it to a Linux box).
>>>>
>>>> Thank you,
>>>>
>>>> Vincent
>>>>
>>>
>>> you appear to be trying to connect to 'floating1.lasthome.solace.krynn'
>>> but your AD dns domain appears to be 'ad.lasthome.solace.krynn', so of
>>> course you are going to get asked for a password.
>>>
>>> Can I ask where Samba comes into this ? If there are shares involved and
>>> the Samba version is >= 4.8.0, then you shouldn't be using sssd etc, but
>>> if you just want authentication, then you don't need Samba, you can just
>>> use sssd.
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2021-Jun-06 06:54 UTC
[Samba] Logging into Linux from Domain-joined Win10 desktop works for hostnames, not VIPs
If you are using a name that 'floats' around the multiple servers, either
avoid using Kerberos/SSH to contact those servers by those names, or create
a shared account and distribute the keytab entries to all servers. The
shared account would have the SPN for the shared name.

Otherwise, you can only put the SPN on one of the target servers; it won't
work if the floating name floats to the other server.

This is why CTDB manages one 'join' to the domain for an entire file server
cluster, as an example.

Andrew Bartlett

On Sat, 2021-06-05 at 21:27 -0400, Vincent S. Cojot via samba wrote:
> I think I figured it out and in fact the solution was on the samba AD DC.
>
> Here's my setup:
> - dc00/dc01 (two small VMs running RHEL7.9 + samba AD/DC custom rpms)
> - hypervisor1/2/3 : machines running RHEL8.4 with the RH-provided samba rpms
> - a few Win10 endpoints (laptops), a few Fedora endpoints (laptops) and no
>   Macs. One Win10 VM for the purpose of running some things, including RSAT.
>
> My son was trying to PuTTY/ssh from his Win10 machine to one of the VIPs
> carried by one of the hypervisors. It worked when connecting to
> <machine1.lasthome.solace.krynn> but not for
> '<floating.lasthome.solace.krynn>'.
>
> Here's what I did:
>
> 1) went into 'Active Directory Users and Computers' from my Win10 VM (I
>    used it to edit Policies for the Win10 endpoints in our domain).
> [...]

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
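The two messages above describe two places for the host/floating SPN: on one hypervisor's computer account (Vincent's fix, which the reply says only holds while the VIP sits on that node) or on a shared account whose keytab entry is distributed to every node (Andrew's advice). The Python below is an added example, not code from the thread or from Samba. It parses constructed `klist -kte` output from each node and, given each account's SPN set and kvno as you would read them on the DC with `samba-tool spn list <account>` or in the ADUC attribute editor, reports per node whether a Kerberos ticket for host/floating.lasthome.solace.krynn could be accepted there. The account name floating-svc, every kvno value and the keytab contents are assumptions.

```python
"""Added example (not code from the thread or from Samba): per-node check of
whether a Kerberos login to a floating host name can succeed.

Inputs: the text of `klist -kte /etc/krb5.keytab` from each node (MIT klist
format) and, per account, its SPN set and kvno as read on the DC.  Every
sample is constructed; account name floating-svc and kvno values are assumed.
"""
import re

REALM = "AD.LASTHOME.SOLACE.KRYNN"
NODES = ("hypervisor1", "hypervisor2", "hypervisor3")
FLOATING = "floating.lasthome.solace.krynn"

# One klist -kte entry, e.g.:
#    2 06/05/2021 20:56:01 host/x@REALM (aes256-cts-hmac-sha1-96)
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(\S+\)\s*$")


def parse_klist(text):
    """Map principal -> set of kvnos present in `klist -kte` output."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def keytab_text(entries):
    """Constructed `klist -kte` output for (kvno, principal) pairs."""
    head = ("Keytab name: FILE:/etc/krb5.keytab\n"
            "KVNO Timestamp           Principal\n"
            "---- ------------------- ----------------------------------\n")
    rows = (f"{k:4d} 06/05/2021 20:56:01 {p}@{REALM} (aes256-cts-hmac-sha1-96)\n"
            for k, p in entries)
    return head + "".join(rows)


def check_floating_name(name, accounts, keytabs):
    """Per node, can GSSAPI authentication to host/<name> succeed?

    The KDC issues a ticket for an SPN only if exactly one account holds it,
    encrypted with that account's key at its current kvno.  The receiving
    node needs a keytab entry for that exact principal and kvno: krb5_rd_req
    fetches the key by the ticket's server name, so the node's own
    host/<node> entries are of no use here.
    """
    spn = f"host/{name}"
    owners = [a for a, acct in accounts.items() if spn in acct["spns"]]
    if len(owners) != 1:
        why = f"duplicate SPN on {owners}" if owners else "no account holds the SPN"
        return {node: f"KDC cannot issue a ticket: {why}" for node in keytabs}
    principal = f"{spn}@{REALM}"
    kvno = accounts[owners[0]]["kvno"]
    report = {}
    for node, text in keytabs.items():
        have = parse_klist(text).get(principal, set())
        if kvno in have:
            report[node] = "ok"
        elif have:
            report[node] = f"stale keytab: kvno {sorted(have)}, account is at {kvno}"
        else:
            report[node] = f"no keytab entry for {principal}"
    return report


def own_spns(node):
    """SPNs a domain join puts on a member's computer account."""
    return {f"host/{node}.ad.lasthome.solace.krynn", f"host/{node.upper()}"}


def scenario_spn_on_one_computer():
    """The thread's fix: SPN on HYPERVISOR1$ and, via `net ads keytab add`,
    a keytab entry on hypervisor1 only."""
    accounts = {f"{n.upper()}$": {"kvno": 2, "spns": own_spns(n)} for n in NODES}
    accounts["HYPERVISOR1$"]["spns"].add(f"host/{FLOATING}")
    entries = {n: [(2, s) for s in sorted(own_spns(n))] for n in NODES}
    entries["hypervisor1"].append((2, f"host/{FLOATING}"))
    return check_floating_name(FLOATING, accounts,
                               {n: keytab_text(e) for n, e in entries.items()})


def scenario_shared_account():
    """The reply's advice: SPN on a shared account (assumed name
    floating-svc), its keytab entry distributed to every node."""
    accounts = {f"{n.upper()}$": {"kvno": 2, "spns": own_spns(n)} for n in NODES}
    accounts["floating-svc"] = {"kvno": 3, "spns": {f"host/{FLOATING}"}}
    entries = {n: [(2, s) for s in sorted(own_spns(n))] + [(3, f"host/{FLOATING}")]
               for n in NODES}
    # hypervisor3 got its copy before the shared account's key was last rotated
    entries["hypervisor3"][-1] = (2, f"host/{FLOATING}")
    return check_floating_name(FLOATING, accounts,
                               {n: keytab_text(e) for n, e in entries.items()})


if __name__ == "__main__":
    for label, scenario in (("SPN on HYPERVISOR1$", scenario_spn_on_one_computer),
                            ("SPN on shared account", scenario_shared_account)):
        print(label)
        for node, verdict in scenario().items():
            print(f"  {node}: {verdict}")
```

Run stand-alone it prints one verdict per node for both layouts: with the SPN on HYPERVISOR1$ only hypervisor1 can decrypt the ticket, so a fail-over of the VIP turns the Kerberos login into a password prompt; with the shared account every node that holds the current key succeeds, and the hypervisor3 case shows that the keytab entry has to be redistributed whenever the shared account's key changes. On a Samba AD DC the SPN edit made through ADUC in the thread corresponds to `samba-tool spn add host/<name> <account>`, and the entry on a member's keytab is added with `net ads keytab add host/<name>`. One thing this check does not model: whether sshd will accept a ticket for a name other than its own hostname is controlled by OpenSSH's GSSAPIStrictAcceptorCheck setting, which should be verified on each node as well.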