samba - Nov 2023 - Use of S4U2Self in Winbind in a forest trust - obtaining group list

Hi to all,

First of all, let this message serve as an introduction. Nice to be here.

A while back, we updated a server that still had Samba 4.13.17 on Ubuntu 20.04
LTS. We use this server for Winbind authentication in an Active Directory
domain, to retrieve the list of groups from Active Directory, and then based on
those groups, authorize or deny user access via SFTP with OpenSSH. After
upgrading Samba to version 4.15.13 (the latest version available as of the date
on Ubuntu 20.04 LTS), we started encountering issues in obtaining the list of
groups for users connecting via SFTP using SSH key authentication, meaning they
do not authenticate via Winbind. I understand that this is because without
Winbind authentication against Active Directory, we cannot retrieve the list of
groups through the Kerberos ticket PAC.

Previously, even without Kerberos authentication, we obtained the list of groups
through that old functionality that allowed us to retrieve the user's group
list via LDAP query using the server's computer account. Since the Samba
update, this functionality has ceased to work.

As I could see in several slides by Stefan Metzmacher, the correct way to
achieve this and what would be implemented is through S4U2Self. In this
approach, the server would request a Kerberos ticket from Active Directory,
impersonating the user, and thus obtain the group list from the PAC.

The question is, has this functionality already been implemented in Winbind?
I've seen references to Samba 4.17 (I believe that was the version)
implementing S4U2Self in a Samba AD DC, but I'm not sure if this means that
using Winbind against a Windows AD DC allows you to obtain the group list via
S4U2Self.

I also seemed to understand that to support S4U2Self, it's a requirement to
use MIT Kerberos 1.20, while MIT Kerberos in Ubuntu 20.04 LTS has version 1.17.
I was wondering if I could install an updated version of Samba+ on Ubuntu 20.04
LTS or 22.04 LTS and would I obtain the desired functionality of retrieving the
user's group list.

In case it has any relevance, I should also clarify that these are users not
directly belonging to the domain to which the machine is joined but belonging to
another domain with which the machine's domain has a two-way trust
relationship.

I would appreciate any assistance on this matter.

Best regards,
Oscar Alonso


Este correo electr?nico y la informaci?n contenida en ?l es confidencial,
dirigi?ndose exclusivamente a el/los destinatario/s mencionado/s en el
encabezamiento. Util?celos ?nicamente para la finalidad a la que se destina y no
los transmita a terceros. Si usted no es el destinatario de este correo, no lo
utilice; en base a la buena fe, b?rrelo y no lo transmita a terceros." Los
datos personales facilitados por usted o por terceros forman parte de un fichero
responsabilidad de MAILTECK S.A. con la finalidad de gestionar y mantener los
contactos y relaciones que se produzcan como consecuencia de la relaci?n que
mantiene con MAILTECK S.A. La base jur?dica que legitima este tratamiento, ser?
su consentimiento, el inter?s leg?timo o la necesidad para gestionar una
relaci?n contractual o similar. Util?celos ?nicamente para la finalidad a la que
se destina y no los transmita a terceros. El plazo de conservaci?n de sus datos
vendr? determinado por la relaci?n que mantiene con nosotros. Para m?s
informaci?n al respecto, o para ejercer sus derechos de Acceso, Rectificaci?n,
Cancelaci?n/Supresi?n, Oposici?n, limitaci?n o portabilidad, puede ponerse en
contacto con nosotros enviando un escrito a la siguiente direcci?n: Avda. La
Recomba 12 - 14. Pol. Industrial La Laguna. 28914 Legan?s - Madrid, o mediante
un correo electr?nico a nuestro Delegado de Protecci?n de Datos (dpo at
mailteck.com).