Edwin Mackenzie-Owen
2021-Dec-21 20:18 UTC
[Samba] Winbind messes up Kerberos tickets when renewing them
Hi,
Winbind often messes up my Kerberos ticket when renewing it.
This is the valid ticket:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1234567
Default principal: exampleuser (at) SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
12/20/21 21:40:12    12/21/21 07:40:12    krbtgt/SAMDOM.EXAMPLE.COM (at) SAMDOM.EXAMPLE.COM
        renew until 12/21/21 21:40:07
Winbind then creates a ticket with a weird principal that I can't use
for SSO (sorry, I have only saved it in German):
$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234567
Standard-Principal: exampleuser\ (at) SAMDOM (at) SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
17.12.2021 20:05:24  18.12.2021 06:05:24  krbtgt/SAMDOM.EXAMPLE.COM (at) SAMDOM.EXAMPLE.COM
        für Client exampleuser (at) SAMDOM.EXAMPLE.COM, erneuern bis 24.12.2021 15:05:24
My krb5.conf (auth_to_local is for SSH SSO):
[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
        forwardable = true
[realms]
        SAMDOM.EXAMPLE.COM = {
                auth_to_local = RULE:[1:SAMDOM\$1]
                auth_to_local = DEFAULT
        }
[domain_realm]
        .samdom.example.com = SAMDOM.EXAMPLE.COM
smb.conf:
[global]
apply group policies = yes
client use kerberos = required
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
netbios name = DHYANA
realm = SAMDOM.EXAMPLE.COM
security = ADS
server role = member server
template homedir = /home/%D/%U
template shell = /usr/bin/zsh
usershare allow guests = Yes
usershare max shares = 100
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 20
winbind nss info = rfc2307
winbind offline logon = yes
winbind refresh tickets = yes
workgroup = SAMDOM
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
map acl inherit = yes
store dos attributes = yes
vfs objects = acl_xattr
winbind use default domain = no
Distribution and Samba version (both workstation and DC): Arch Linux /
Arch Linux / Arch Linux ARM; Samba 4.15.3.
Best regards,
Edwin Mackenzie-Owen
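To see what the auth_to_local rule in the krb5.conf above does with the two principals from the klist outputs, here is an added example (not code from the thread, Samba or MIT krb5). It models only the RULE:[n:string] selector plus the DEFAULT fallback; it assumes the backslash in RULE:[1:SAMDOM\$1] is a literal character (the rule's intent is a DOMAIN\user name), that DEFAULT maps a single-component principal in the default realm to that component, and it uses a constructed set of local account names. The renewed ticket's principal has an escaped "@" inside its single name component, so the rule still matches but yields a name that no local account carries.

```python
"""Model of auth_to_local RULE evaluation for the two principals in the
thread.  Added example, not Samba or MIT krb5 code; assumptions are noted
in the comments."""
import re

DEFAULT_REALM = "SAMDOM.EXAMPLE.COM"

# Rules exactly as in the krb5.conf from the thread, evaluated in order.
RULES = [r"RULE:[1:SAMDOM\$1]", "DEFAULT"]

# Constructed sample inputs: the two principals shown by klist in the thread
# ("(at)" restored to "@"), and a constructed set of local account names.
GOOD_PRINCIPAL = "exampleuser@SAMDOM.EXAMPLE.COM"
RENEWED_PRINCIPAL = r"exampleuser\@SAMDOM@SAMDOM.EXAMPLE.COM"
LOCAL_USERS = {r"SAMDOM\exampleuser"}

_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]$")


def split_principal(principal):
    """Split 'c1/c2@REALM' into (components, realm).  A backslash escapes
    the next character, so '\\@' inside a component is a literal '@' and
    does not start the realm (that is how the renewed principal is written)."""
    components, buf, realm = [], [], None
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            buf.append(principal[i + 1])      # escaped character is literal
            i += 2
            continue
        if ch == "/":
            components.append("".join(buf))
            buf = []
        elif ch == "@":
            components.append("".join(buf))
            buf = []
            realm = principal[i + 1:]         # first unescaped '@' starts the realm
            break
        else:
            buf.append(ch)
        i += 1
    else:                                     # no unescaped '@' at all
        components.append("".join(buf))
    return components, realm


def apply_rule(rule, principal):
    """Apply one RULE:[n:string] selector (assumption: no regexp or s///
    parts).  Returns the substituted string when the principal has exactly
    n components, otherwise None."""
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, template = int(m.group(1)), m.group(2)
    components, realm = split_principal(principal)
    if len(components) != ncomp:
        return None

    def substitute(mo):
        idx = int(mo.group(1))                # $0 is the realm, $1..$n the components
        if idx == 0:
            return realm or ""
        return components[idx - 1] if idx <= len(components) else ""

    return re.sub(r"\$(\d+)", substitute, template)


def apply_default(principal):
    """DEFAULT mapping (assumption): a single-component principal in the
    default realm maps to that component; anything else stays unmapped."""
    components, realm = split_principal(principal)
    if len(components) == 1 and realm == DEFAULT_REALM:
        return components[0]
    return None


def map_principal(principal, rules=RULES):
    """Evaluate the rules in order; the first one that yields a name wins."""
    for rule in rules:
        name = apply_default(principal) if rule == "DEFAULT" else apply_rule(rule, principal)
        if name is not None:
            return name
    return None


def local_account_for(principal, rules=RULES, local_users=LOCAL_USERS):
    """The mapped name if it is an existing local account, else None; this
    is the comparison that decides whether GSSAPI SSO accepts the login."""
    name = map_principal(principal, rules)
    return name if name in local_users else None


if __name__ == "__main__":
    for p in (GOOD_PRINCIPAL, RENEWED_PRINCIPAL):
        print(f"{p:42} -> {map_principal(p)!r:32} local account: {local_account_for(p)}")
```

Run stand-alone it prints the mapping for both principals: the original ticket maps to SAMDOM\exampleuser and matches the local account, while the renewed ticket maps to SAMDOM\exampleuser@SAMDOM, which matches nothing. When diagnosing a case like this, comparing the two mapped names against the account sshd actually looks up is quicker than reading the raw klist output.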
Rowland Penny
2021-Dec-21 21:01 UTC
[Samba] Winbind messes up Kerberos tickets when renewing them
On Tue, 2021-12-21 at 21:18 +0100, Edwin Mackenzie-Owen via samba wrote:
> Hi,
>
> Winbind often messes up my Kerberos ticket when renewing it.
> This is the valid ticket:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_1234567
> Default principal: exampleuser (at) SAMDOM.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 12/20/21 21:40:12    12/21/21 07:40:12    krbtgt/SAMDOM.EXAMPLE.COM (at) SAMDOM.EXAMPLE.COM
>         renew until 12/21/21 21:40:07
>
> Winbind then creates a ticket with a weird principal that I can't use
> for SSO (sorry, I have only saved it in German):
>
> $ klist
> Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234567
> Standard-Principal: exampleuser\ (at) SAMDOM (at) SAMDOM.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 17.12.2021 20:05:24  18.12.2021 06:05:24  krbtgt/SAMDOM.EXAMPLE.COM (at) SAMDOM.EXAMPLE.COM
>         für Client exampleuser (at) SAMDOM.EXAMPLE.COM, erneuern bis 24.12.2021 15:05:24
>
> My krb5.conf (auth_to_local is for SSH SSO):
>
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>         forwardable = true
> [realms]
>         SAMDOM.EXAMPLE.COM = {
>                 auth_to_local = RULE:[1:SAMDOM\$1]
>                 auth_to_local = DEFAULT
>         }
> [domain_realm]
>         .samdom.example.com = SAMDOM.EXAMPLE.COM

I do not have all that in krb5.conf (I just have the first 4 lines) and it
works for myself on Debian Buster using Samba 4.15.3

Perhaps it is a problem with the Samba from Arch ??

Rowland
L. van Belle
2021-Dec-22 08:41 UTC
[Samba] Winbind messes up Kerberos tickets when renewing them
Good morning Edwin,

I personally don't see anything wrong here. Read this one. Bit older but it does explain it sufficiently.

https://adsecurity.org/?p=483

So I wonder why you can't use SSO. The default is still the user at REALM.

Anything in the SSH (auth) logs?

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Edwin Mackenzie-Owen via samba
> Sent: Tuesday, 21 December 2021 21:19
> To: samba at lists.samba.org
> Subject: [Samba] Winbind messes up Kerberos tickets when
> renewing them
>
> Hi,
>
> Winbind often messes up my Kerberos ticket when renewing it.
> This is the valid ticket:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_1234567
> Default principal: exampleuser (at) SAMDOM.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 12/20/21 21:40:12    12/21/21 07:40:12    krbtgt/SAMDOM.EXAMPLE.COM (at) SAMDOM.EXAMPLE.COM
>         renew until 12/21/21 21:40:07
>
> Winbind then creates a ticket with a weird principal that I can't use
> for SSO (sorry, I have only saved it in German):
>
> $ klist
> Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234567
> Standard-Principal: exampleuser\ (at) SAMDOM (at) SAMDOM.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 17.12.2021 20:05:24  18.12.2021 06:05:24  krbtgt/SAMDOM.EXAMPLE.COM (at) SAMDOM.EXAMPLE.COM
>         für Client exampleuser (at) SAMDOM.EXAMPLE.COM, erneuern bis 24.12.2021 15:05:24
>
> My krb5.conf (auth_to_local is for SSH SSO):
>
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>         forwardable = true
> [realms]
>         SAMDOM.EXAMPLE.COM = {
>                 auth_to_local = RULE:[1:SAMDOM\$1]
>                 auth_to_local = DEFAULT
>         }
> [domain_realm]
>         .samdom.example.com = SAMDOM.EXAMPLE.COM
>
> smb.conf:
>
> [global]
> apply group policies = yes
> client use kerberos = required
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> netbios name = DHYANA
> realm = SAMDOM.EXAMPLE.COM
> security = ADS
> server role = member server
> template homedir = /home/%D/%U
> template shell = /usr/bin/zsh
> usershare allow guests = Yes
> usershare max shares = 100
> usershare owner only = Yes
> usershare path = /var/lib/samba/usershares
> winbind enum groups = yes
> winbind enum users = yes
> winbind expand groups = 20
> winbind nss info = rfc2307
> winbind offline logon = yes
> winbind refresh tickets = yes
> workgroup = SAMDOM
> idmap config * : backend = autorid
> idmap config * : range = 1000000-1999999
> map acl inherit = yes
> store dos attributes = yes
> vfs objects = acl_xattr
> winbind use default domain = no
>
> Distribution and Samba version (both workstation and DC): Arch Linux /
> Arch Linux / Arch Linux ARM; Samba 4.15.3.
>
> Best regards,
> Edwin Mackenzie-Owen