Oscar Alonso | MailTecK
2024-May-02 08:39 UTC
[Samba] Group Membership Retrieval not using kerberos authentication
Hello,

I have an Active Directory domain to which a Linux machine with Ubuntu 20.04 LTS is joined using Winbind. The version of Winbind is 4.15.13.
On this machine, users authenticate via SSH using PAM (pam_winbind), and I need to know their group membership.
NSS is configured for this purpose.
When users authenticate via username and password, there's no issue retrieving the list of groups because they are obtained through the PAC of the Kerberos ticket.
However, when users authenticate via SSH public key, since there's no Kerberos authentication, I'm unable to retrieve the user's group list.
Previously, Winbind could accomplish this through an LDAP query using the server's machine account, but it seems that functionality has been removed.
From what I've read in some technical presentations about Samba, the correct approach is to do this using S4U2Self, so that the machine or service obtains a Kerberos ticket on behalf of the user to retrieve the list of groups to which the user belongs.
I'm unaware if this functionality is fully developed and if so, from which version of Samba. If it is, I would be very grateful if someone could assist me in configuring it, as I am unable to find documentation on the subject.
I should also add that the machine has a two-way trust relationship between 2 forests, allowing users from 2 different domains to authenticate. I'm not sure if this impacts the configuration in any way.

Please, if anyone can assist me, I would be very grateful.

Best regards,
Óscar Alonso

This e-mail and the information it contains are confidential and intended exclusively for the recipient(s) named in the header. Use them only for the purpose for which they are intended and do not forward them to third parties. If you are not the intended recipient of this e-mail, do not use it; in good faith, delete it and do not forward it to third parties.
The personal data provided by you or by third parties form part of a file for which MAILTECK S.A. is responsible, for the purpose of managing and maintaining the contacts and relationships arising from your relationship with MAILTECK S.A. The legal basis for this processing is your consent, legitimate interest, or the need to manage a contractual or similar relationship. Use them only for the purpose for which they are intended and do not forward them to third parties. The retention period for your data will be determined by the relationship you have with us. For further information, or to exercise your rights of access, rectification, cancellation/erasure, objection, restriction or portability, you may contact us by writing to the following address: Avda. La Recomba 12 - 14. Pol. Industrial La Laguna. 28914 Leganés - Madrid, or by e-mail to our Data Protection Officer (dpo at mailteck.com).
Kees van Vloten
2024-May-02 09:56 UTC
[Samba] Group Membership Retrieval not using kerberos authentication
On 02-05-2024 at 10:39, Oscar Alonso | MailTecK via samba wrote:
> Hello,
>
> I have an Active Directory domain to which a Linux machine with Ubuntu 20.04 LTS is joined using Winbind. The version of Winbind is 4.15.13.
> On this machine, users authenticate via SSH using PAM (pam_winbind), and I need to know their group membership.
> NSS is configured for this purpose.
> When users authenticate via username and password, there's no issue retrieving the list of groups because they are obtained through the PAC of the Kerberos ticket.
> However, when users authenticate via SSH public key, since there's no Kerberos authentication, I'm unable to retrieve the user's group list.

This is done by nss_winbind. Did you install it and configure it in /etc/samba/smb.conf and add it to /etc/nsswitch.conf?

You should be able to do:

  id <some-user>

and see all groups of the user.

> Previously, Winbind could accomplish this through an LDAP query using the server's machine account, but it seems that functionality has been removed.
> From what I've read in some technical presentations about Samba, the correct approach is to do this using S4U2Self, so that the machine or service obtains a Kerberos ticket on behalf of the user to retrieve the list of groups to which the user belongs.
> I'm unaware if this functionality is fully developed and if so, from which version of Samba. If it is, I would be very grateful if someone could assist me in configuring it, as I am unable to find documentation on the subject.
> I should also add that the machine has a two-way trust relationship between 2 forests, allowing users from 2 different domains to authenticate. I'm not sure if this impacts the configuration in any way.
>
> Please, if anyone can assist me, I would be very grateful.
>
> Best regards,
> Óscar Alonso
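An added diagnostic for the nss_winbind path described in the reply above; it is not from the thread or the Samba project. It assumes the Samba client tools (getent, id, wbinfo) are installed on the joined machine and that the domain user to check is passed as the first argument.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): verify that group membership for a
# domain user is resolved through NSS/winbindd alone, which is the only path
# available after an SSH public-key login (no Kerberos ticket, no PAC).
# Assumes getent, id and wbinfo are installed on the domain-joined host.

# nss_has_winbind FILE: succeed only if FILE (an nsswitch.conf) lists
# "winbind" as a source for both the passwd and the group database.
nss_has_winbind() {
    conf="$1"
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind"'([[:space:]]|$)' "$conf" \
            || return 1
    done
    return 0
}

# check_user_groups USER: resolve USER through NSS (the same lookups sshd and
# pam_winbind rely on) and compare the GID list with what winbindd reports
# directly, so a broken idmap range or trust lookup shows up as a difference.
check_user_groups() {
    user="$1"
    if ! getent passwd "$user" >/dev/null; then
        echo "NSS cannot resolve user $user (is nss_winbind active?)"
        return 1
    fi
    nss_gids=$(id -G "$user" | tr ' ' '\n' | sort -n)
    wb_gids=$(wbinfo --user-groups="$user" | sort -n)
    echo "GIDs via NSS:      $(echo "$nss_gids" | tr '\n' ' ')"
    echo "GIDs via winbindd: $(echo "$wb_gids" | tr '\n' ' ')"
    if [ "$nss_gids" = "$wb_gids" ]; then
        echo "group membership is consistent between NSS and winbindd"
    else
        echo "NSS and winbindd lists differ; check idmap config and trusted-domain lookups"
        return 1
    fi
}

if [ -n "$1" ]; then
    nss_has_winbind /etc/nsswitch.conf \
        || echo "warning: winbind not listed for passwd/group in /etc/nsswitch.conf"
    check_user_groups "$1"
fi
```

Run it as `sh check-winbind-groups.sh DOMAIN\\user` (or the unqualified name if `winbind use default domain` is set) on the joined machine.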