Rob Campbell
2022-Nov-19 19:22 UTC
[Samba] Should I be able to access shares w/o authenticating again?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.

On Thu, Nov 17, 2022 at 3:18 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 17/11/2022 19:49, Rob Campbell via samba wrote:
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > In all things, Be Intentional.
> >
> > On Thu, Nov 17, 2022 at 2:13 PM Rob Campbell <robcampbell08105 at gmail.com> wrote:
> >
> >> I've logged into the different machines with my AD login. Shouldn't I be
> >> able to just open up shares and not have to provide a password? I thought
> >> my credentials would be passed and I wouldn't have to reauthenticate.
> >>
> >> gio mount smb://DC01/photos
> >> Authentication Required
> >> Enter user and password for share ‘photos’ on ‘dc01’:
>
> You really shouldn't be using a DC as a fileserver.
>
> >> User [HOME+robcampbell]:
> >>
> >> [HOME\robcampbell at f01 ~]$ smbclient //DC01/Movies -c 'ls'
> >> Password for [HOME\robcampbell]:
> >>
> >
> > [HOME\robcampbell at f01 ~]$ kinit
> > kinit: Client 'HOMErobcampbell at HOME.ROB-CAMPBELL.LAN' not found in Kerberos
> > database while getting initial credentials
> >
> > I guess something isn't set up right? But I'm not sure what.
>
> You are using autorid, so you cannot remove the NetBIOS domain name, so
> you are going to have to explicitly use it and 'escape' the separator.
> All these problems would go away if you used the 'rid' idmap backend
> along with 'winbind use default domain = yes', or do you plan on using
> trusted domains ?

I did this and now I am able to log in using domain credentials w/o having to do 'user at domain' or 'domain\user' but that seems to have disabled the ability to log in using a local user (on the dc only)

Nov 19 14:15:12 DC01 kernel: audit: type=1400 audit(1668885312.805:1770): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/proc/4712/cmdline" pid=4110 comm="sssd_nss" requested_mask="r"
Nov 19 14:15:12 DC01 postfix/qmgr[2938]: C42B63E08A4: from=<root at rob-campbell.com>, size=2349, nrcpt=1 (queue active)
Nov 19 14:15:12 DC01 postfix/local[4713]: C42B63E08A4: to=<rwcampbell at rob-campbell.com>, orig_to=<root>, relay=local, delay=0.05, delays=0.04/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Nov 19 14:15:12 DC01 postfix/qmgr[2938]: C42B63E08A4: removed
Nov 19 14:15:15 DC01 gdm-password][4697]: pam_krb5(gdm-password:auth): authentication failure; logname=rwcampbell uid=0 euid=0 tty=/dev/tty1 ruser= rhost
Nov 19 14:15:15 DC01 gdm-password][4697]: gkr-pam: unable to locate daemon control file
Nov 19 14:15:15 DC01 gdm-password][4697]: gkr-pam: stashed password to try later in open session
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_securetty.so): /lib/security/pam_securetty.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_securetty.so
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_nologin.so): /lib/security/pam_nologin.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_nologin.so
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_winbind.so
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM unable to dlopen(/lib/security/pam_unix.so): /lib/security/pam_unix.so: cannot open shared object file: No such file or directory
Nov 19 14:15:19 DC01 gdm-password][4718]: PAM adding faulty module: /lib/security/pam_unix.so

Is there a package that's missing and that's why these files are missing?

> > cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = HOME.ROB-CAMPBELL.LAN
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > forwardable = yes
> > rdns = false
> > ticket_lifetime = 10h
> > renew_lifetime = 5d
> > [realms]
> > home.rob-campbell.lan = {
> > kdc = dc01.home.rob-campbell.lan
> > admin_server = DC01.home.rob-campbell.lan
> > # master_key_type = aes256-cts
> > # default_principal_flags = +preauth
> > }
> > HOME = {
> > kdc = dc01.home.rob-campbell.lan
> > admin_server = DC01.home.rob-campbell.lan
> > # master_key_type = aes256-cts
> > # default_principal_flags = +preauth
> > }
> >
> > [domain_realm]
> > .home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> > home.rob-campbell.lan = HOME.ROB-CAMPBELL.LAN
> > [logging]
> > kdc = FILE:/var/log/samba/krb5.log
> > admin_server = FILE:/var/log/samba/mit_kadmin.log
>
> Your /etc/krb5.conf needs only to be this:
>
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> HOME.ROB-CAMPBELL.LAN = {
> default_domain = home.rob-campbell.lan
> }
>
> [domain_realm]
> THE_COMPUTERS_SHORT_HOSTNAME_IN_CAPITALS = HOME.ROB-CAMPBELL.LAN

Updated but still, although I log in with domain name, I am not able to access shares w/o authenticating again.

> > cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> > server services = ldap, kdc, winbind, ntp_signd, dnsupdate, dns
>
> The line above is only used on a DC
>
> > security = ADS
> > realm = home.rob-campbell.lan
> > workgroup = HOME
> >
> > idmap config * : range = 10000-9999999
> > idmap config * : backend = autorid
> > idmap config * : rangesize = 200000
> >
> > map acl inherit = Yes
> > vfs objects = acl_xattr
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = Yes
> > winbind enum groups = Yes
> > winbind enum users = Yes
>
> The two lines above can slow things down and should only be used for
> testing.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
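For reference, here is an added example (not a file posted by either participant) of what the member's smb.conf looks like with the 'rid' backend and 'winbind use default domain = yes' that Rowland suggests, in place of the autorid settings quoted above; the domain names are the thread's, the idmap ranges are assumed values.

```ini
# Added example: domain member smb.conf following the thread's advice.
# Not posted by either participant. Realm/workgroup are from the thread;
# the idmap ranges are assumed and must not overlap each other.
[global]
   security = ADS
   workgroup = HOME
   # Kerberos realm is conventionally written in upper case.
   realm = HOME.ROB-CAMPBELL.LAN

   # No 'server services' line: that parameter belongs on a DC only.

   # BEFORE (as posted): one autorid range covers every domain, so the
   # Unix username always carries the NetBIOS prefix (HOME\robcampbell)
   # and the separator has to be escaped on the command line.
   #idmap config * : backend = autorid
   #idmap config * : range = 10000-9999999
   #idmap config * : rangesize = 200000

   # AFTER: the default (*) domain keeps a small read/write tdb range for
   # BUILTIN ids, and the HOME domain gets the deterministic rid backend.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config HOME : backend = rid
   idmap config HOME : range = 10000-999999

   # Lets 'robcampbell' be used without the HOME\ prefix, so a bare
   # 'kinit' asks for robcampbell@HOME.ROB-CAMPBELL.LAN instead of the
   # mangled 'HOMErobcampbell' principal seen in the thread.
   winbind use default domain = yes
   template shell = /bin/bash
   template homedir = /home/%U

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
   # 'winbind enum users/groups = Yes' left out: for testing only.

   map acl inherit = Yes
   vfs objects = acl_xattr
```

Switching backend changes the uid/gid every AD account maps to (rid derives them from the account RID), so ownership on files created under autorid needs checking after the change. After restarting winbind, 'wbinfo -u' and 'getent passwd robcampbell' confirm the mapping, and 'klist' after a desktop login confirms a TGT exists before a share is opened.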
Rowland Penny
2022-Nov-19 19:37 UTC
[Samba] Should I be able to access shares w/o authenticating again?
On 19/11/2022 19:22, Rob Campbell via samba wrote:
>
> I did this

You did what ?

> and now I am able to log in using domain credentials w/o having
> to do 'user at domain' or 'domain\user' but that seems to have disabled the
> ability to log in using a local user (on the dc only)

I think I have already said this, but just in case I didn't, you cannot have a local Unix user called by the same username as an AD user. You make the AD become a Unix user.

> Nov 19 14:15:12 DC01 kernel: audit: type=1400 audit(1668885312.805:1770):
> apparmor="ALLOWED" operation="open"
> profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss"

Ah, well, that's me out of this thread, my opinion of sssd is well known, I do not see the point to it in an AD domain.

Rowland