Rowland Penny
2022-Nov-17 20:17 UTC
[Samba] Should I be able to access shares w/o authenticating again?
On 17/11/2022 19:49, Rob Campbell via samba wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
> On Thu, Nov 17, 2022 at 2:13 PM Rob Campbell <robcampbell08105 at gmail.com> wrote:
>
>> I've logged into the different machines with my AD login. Shouldn't I be
>> able to just open up shares and not have to provide a password? I thought
>> my credentials would be passed and I wouldn't have to reauthenticate.
>>
>> gio mount smb://DC01/photos
>> Authentication Required
>> Enter user and password for share “photos” on “dc01”:

You really shouldn't be using a DC as a fileserver.

>> User [HOME+robcampbell]:
>>
>> [HOME\robcampbell at f01 ~]$ smbclient //DC01/Movies -c 'ls'
>> Password for [HOME\robcampbell]:
>>
>
> [HOME\robcampbell at f01 ~]$ kinit
> kinit: Client 'HOMErobcampbell at HOME.ROB-CAMPBELL.LAN' not found in Kerberos
> database while getting initial credentials
>
> I guess something isn't set up right? But I'm not sure what.

You are using autorid, so you cannot remove the NetBIOS domain name, so
you are going to have to explicitly use it and 'escape' the separator.
All these problems would go away if you used the 'rid' idmap backend
along with 'winbind use default domain = yes', or do you plan on using
trusted domains ?

> cat /etc/krb5.conf
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> forwardable = yes
> rdns = false
> ticket_lifetime = 10h
> renew_lifetime = 5d
> [realms]
> home.rob-campbell.lan = {
> kdc = dc01.home.rob-campbell.lan
> admin_server = DC01.home.rob-campbell.lan
> # master_key_type = aes256-cts
> # default_principal_flags = +preauth
> }
> HOME = {
> kdc = dc01.home.rob-campbell.lan
> admin_server = DC01.home.rob-campbell.lan
> # master_key_type = aes256-cts
> # default_principal_flags = +preauth
> }
>
> [domain_realm]
> .home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> [logging]
> kdc = FILE:/var/log/samba/krb5.log
> admin_server = FILE:/var/log/samba/mit_kadmin.log

Your /etc/krb5.conf needs only to be this:

[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
HOME.ROB-CAMPBELL.LAN = {
default_domain = home.rob-campbell.lan
}

[domain_realm]
THE_COMPUTERS_SHORT_HOSTNAME_IN_CAPITALS = HOME.ROB-CAMPBELL.LAN

> cat /etc/samba/smb.conf
> # Global parameters
> [global]
> server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns

The line above is only used on a DC

> security = ADS
> realm = home.rob-campbell.lan
> workgroup = HOME
>
> idmap config * : range = 10000-9999999
> idmap config * : backend = autorid
> idmap config * : rangesize = 200000
>
> map acl inherit = Yes
> vfs objects = acl_xattr
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> winbind enum groups = Yes
> winbind enum users = Yes

The two lines above can slow things down and should only be used for testing.

Rowland
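To turn the recommendations in the reply above into a repeatable check, here is an added example (not Samba's code and not from this thread) that parses a member server's smb.conf and krb5.conf and flags the items called out: autorid without a usable default domain, 'server services' on a non-DC, 'winbind enum' left on, and a [realms] block whose name does not match default_realm (realm names are case-sensitive). The sample configs are constructed from the ones quoted above; the corrected pair and the client hostname F01 are assumptions.

```python
import re

def parse_conf(text, fold_keys):
    """INI reader for smb.conf/krb5.conf -> {section: {key: value}}. smb.conf
    parameter names are case-insensitive; krb5.conf realm names are not."""
    out, sect = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            sect = m.group(1).strip()
            out.setdefault(sect, {})
        elif '=' in line and sect is not None:
            k, v = (s.strip() for s in line.split('=', 1))
            k = ' '.join(k.split())  # normalise spacing in 'idmap config * : backend'
            out[sect][k.lower() if fold_keys else k] = v
    return out

def check_member(smb_text, krb5_text):
    """Return finding codes for a domain member's smb.conf and krb5.conf."""
    g = parse_conf(smb_text, True).get('global', {})
    k = parse_conf(krb5_text, False)
    is_yes = lambda v: v.lower() in ('yes', 'true')
    f = []
    if 'server services' in g:
        f.append('server-services-on-member')    # parameter only has meaning on a DC
    if g.get('idmap config * : backend', '').lower() == 'autorid':
        f.append('autorid-keeps-domain-prefix')  # DOMAIN\user cannot be dropped
    if not is_yes(g.get('winbind use default domain', 'no')):
        f.append('no-default-domain')            # users must type DOMAIN\user
    if any(is_yes(g.get(p, 'no')) for p in ('winbind enum users', 'winbind enum groups')):
        f.append('winbind-enum-enabled')         # testing only; slows lookups
    realm = k.get('libdefaults', {}).get('default_realm', '')
    if realm not in k.get('realms', {}):         # realm names are case-sensitive
        f.append('realms-block-missing-or-wrong-case')
    return f

# Constructed samples: the poster's configs as quoted above (trimmed) and a
# corrected member-server pair following the reply; F01 is the assumed client host.
SMB_BAD = "\n".join(["[global]", "server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns",
    "security = ADS", "workgroup = HOME", "idmap config * : backend = autorid",
    "idmap config * : range = 10000-9999999", "winbind enum users = Yes"])
KRB5_BAD = "\n".join(["[libdefaults]", "default_realm = HOME.ROB-CAMPBELL.LAN", "[realms]",
    "home.rob-campbell.lan = {", " kdc = dc01.home.rob-campbell.lan", "}"])
SMB_GOOD = "\n".join(["[global]", "security = ADS", "realm = HOME.ROB-CAMPBELL.LAN", "workgroup = HOME",
    "winbind use default domain = yes", "idmap config * : backend = tdb", "idmap config * : range = 3000-7999",
    "idmap config HOME : backend = rid", "idmap config HOME : range = 10000-999999"])
KRB5_GOOD = "\n".join(["[libdefaults]", "default_realm = HOME.ROB-CAMPBELL.LAN", "dns_lookup_kdc = true",
    "[realms]", "HOME.ROB-CAMPBELL.LAN = {", " default_domain = home.rob-campbell.lan", "}",
    "[domain_realm]", "F01 = HOME.ROB-CAMPBELL.LAN"])
```

Run `check_member(SMB_BAD, KRB5_BAD)` to see every finding from the thread at once; the corrected pair returns an empty list.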
Rob Campbell
2022-Nov-19 19:22 UTC
[Samba] Should I be able to access shares w/o authenticating again?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.

On Thu, Nov 17, 2022 at 3:18 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On 17/11/2022 19:49, Rob Campbell via samba wrote:
> >
> > On Thu, Nov 17, 2022 at 2:13 PM Rob Campbell <robcampbell08105 at gmail.com> wrote:
> >
> >> I've logged into the different machines with my AD login. Shouldn't I be
> >> able to just open up shares and not have to provide a password? I thought
> >> my credentials would be passed and I wouldn't have to reauthenticate.
> >>
> >> gio mount smb://DC01/photos
> >> Authentication Required
> >> Enter user and password for share “photos” on “dc01”:
>
> You really shouldn't be using a DC as a fileserver.
>
> >> User [HOME+robcampbell]:
> >>
> >> [HOME\robcampbell at f01 ~]$ smbclient //DC01/Movies -c 'ls'
> >> Password for [HOME\robcampbell]:
> >>
> >
> > [HOME\robcampbell at f01 ~]$ kinit
> > kinit: Client 'HOMErobcampbell at HOME.ROB-CAMPBELL.LAN' not found in Kerberos
> > database while getting initial credentials
> >
> > I guess something isn't set up right? But I'm not sure what.
>
> You are using autorid, so you cannot remove the NetBIOS domain name, so
> you are going to have to explicitly use it and 'escape' the separator.
> All these problems would go away if you used the 'rid' idmap backend
> along with 'winbind use default domain = yes', or do you plan on using
> trusted domains ?
>

I did this and now I am able to log in using domain credentials w/o having
to do 'user at domain' or 'domain\user' but that seems to have disabled the
ability to log in using a local user (on the dc only)

Nov 19 14:15:12 DC01 kernel: audit: type=1400 audit(1668885312.805:1770): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/proc/4712/cmdline" pid=4110 comm="sssd_nss" requested_mask="r"
Nov 19 14:15:12 DC01 postfix/qmgr[2938]: C42B63E08A4: from=<root at rob-campbell.com>, size=2349, nrcpt=1 (queue active)
Nov 19 14:15:12 DC01 postfix/local[4713]: C42B63E08A4: to=<rwcampbell at rob-campbell.com>, orig_to=<root>, relay=local, delay=0.05, delays=0.04/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Nov 19 14:15:12 DC01 postfix/qmgr[2938]: C42B63E08A4: removed
Nov 19 14:15:15 DC01 gdm-password][4697]: pam_krb5(gdm-password:auth): authentication failure; logname=rwcampbell uid=0 euid=0 tty=/dev/tty1 ruser= rhost
Nov 19 14:15:15 DC01 gdm-password][4697]: gkr-pam: unable to locate daemon control file
Nov 19 14:15:15 DC01 gdm-password][4697]: gkr-pam: stashed password to try later in open session
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_securetty.so): /lib/security/pam_securetty.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_securetty.so
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_nologin.so): /lib/security/pam_nologin.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_nologin.so
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_winbind.so
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_unix.so): /lib/security/pam_unix.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_unix.so

Is there a package that's missing and that's why these files are missing?

> > cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = HOME.ROB-CAMPBELL.LAN
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > forwardable = yes
> > rdns = false
> > ticket_lifetime = 10h
> > renew_lifetime = 5d
> > [realms]
> > home.rob-campbell.lan = {
> > kdc = dc01.home.rob-campbell.lan
> > admin_server = DC01.home.rob-campbell.lan
> > # master_key_type = aes256-cts
> > # default_principal_flags = +preauth
> > }
> > HOME = {
> > kdc = dc01.home.rob-campbell.lan
> > admin_server = DC01.home.rob-campbell.lan
> > # master_key_type = aes256-cts
> > # default_principal_flags = +preauth
> > }
> >
> > [domain_realm]
> > .home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> > home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> > [logging]
> > kdc = FILE:/var/log/samba/krb5.log
> > admin_server = FILE:/var/log/samba/mit_kadmin.log
>
> Your /etc/krb5.conf needs only to be this:
>
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> HOME.ROB-CAMPBELL.LAN = {
> default_domain = home.rob-campbell.lan
> }
>
> [domain_realm]
> THE_COMPUTERS_SHORT_HOSTNAME_IN_CAPITALS = HOME.ROB-CAMPBELL.LAN
>

Updated but still, although I log in with domain name, I am not able to
access shares w/o authenticating again.

> > cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> > server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns
>
> The line above is only used on a DC
>
> > security = ADS
> > realm = home.rob-campbell.lan
> > workgroup = HOME
> >
> > idmap config * : range = 10000-9999999
> > idmap config * : backend = autorid
> > idmap config * : rangesize = 200000
> >
> > map acl inherit = Yes
> > vfs objects = acl_xattr
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = Yes
> > winbind enum groups = Yes
> > winbind enum users = Yes
>
> The two lines above can slow things down and should only be used for
> testing.
>
> Rowland
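As an added example (not from the thread and not Samba's or PAM's own code) of triaging the PAM lines posted above: it extracts the 'adding faulty module' paths and the authentication failure and, given a list of module paths that really exist on disk, separates a stale absolute path in the PAM configuration from a module that is not installed at all. Both the journal excerpt and the installed-module inventory are constructed here; the /lib/x86_64-linux-gnu/security location is an assumption.

```python
import re
from collections import defaultdict
from os.path import basename

FAULTY = re.compile(r'PAM adding faulty module: (\S+)')
AUTHFAIL = re.compile(r'(\w+)\(([\w-]+):auth\): authentication failure;.*logname=(\S*)')

def triage_pam(lines, installed):
    """Classify each module PAM refused to load, given the module paths that
    really exist on disk (e.g. gathered with: find / -name 'pam_*.so').
    'wrong-path'   : same file name exists elsewhere, so the PAM config names a
                     stale absolute path rather than a missing package
    'not-installed': no copy anywhere, so a package really is missing
    'unloadable'   : the file is there but dlopen still failed (perms, arch)
    Also returns (module, service, logname) for each authentication failure."""
    present = defaultdict(list)
    for p in installed:
        present[basename(p)].append(p)
    faulty, failures = {}, []
    for line in lines:
        m = FAULTY.search(line)
        if m:
            path = m.group(1)
            if path in present[basename(path)]:
                faulty[path] = 'unloadable'
            elif present[basename(path)]:
                faulty[path] = 'wrong-path'
            else:
                faulty[path] = 'not-installed'
        m = AUTHFAIL.search(line)
        if m:
            failures.append(m.groups())
    return faulty, failures

# Constructed journal excerpt (modelled on the lines quoted above) and a constructed
# module inventory; pam_securetty.so is left out on purpose to exercise that branch.
SAMPLE_LOG = [
    "Nov 19 14:15:15 DC01 gdm-password][4697]: pam_krb5(gdm-password:auth): authentication failure; logname=rwcampbell uid=0 euid=0 tty=/dev/tty1 ruser= rhost=",
    "Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_securetty.so): /lib/security/pam_securetty.so: cannot open shared object file: No such file or directory",
    "Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_securetty.so",
    "Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_winbind.so",
    "Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_unix.so",
]
INSTALLED = ["/lib/x86_64-linux-gnu/security/pam_unix.so",     # assumed Debian-style location
             "/lib/x86_64-linux-gnu/security/pam_winbind.so"]

if __name__ == "__main__":
    for path, verdict in triage_pam(SAMPLE_LOG, INSTALLED)[0].items():
        print(f"{verdict:14} {path}")
```

A 'wrong-path' verdict for pam_unix.so means the PAM stack files under /etc/pam.d name absolute paths that no longer match where the distribution installs its modules; 'not-installed' is the only verdict that points at a missing package.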