
[Samba] kerberos + winbind + AD authentication for samba 4 domain member


I'm setting up AD user logins for a CentOS 7.4 box. I've almost managed to do everything the way I want and the way I think it should be, but I'm missing the last piece:

For SSH access I read parts of https://wiki.samba.org/index.php/OpenSSH_Single_sign-on

Most docs recommend using this setting in smb.conf:
  winbind use default domain = no

That means that all domain users have the DOMAIN\ prefix attached. As per the aforementioned wiki document, I made the workaround for authentication in krb5.conf, and it works OK.

What isn't working is "kinit" as-is for a logged-in AD user. To be more precise: it works if I explicitly specify the username:
  kinit myusername
  kinit myusername@xxxxxxxxxxxxx
It works as expected (asks for password and grants ticket).

Otherwise plain "kinit" uses the POSIX username by default, which in this case is DOMAIN\myusername, so it looks for DOMAINmyusername@xxxxxxxxxxxxx and fails with "no principal found in database" (and rightly so), because obviously it should use myusername@xxxxxxxxxxxxx.

I know it's not strictly Samba related, and I could simply change
  winbind use default domain = yes
as a workaround; this way everything works as expected, except that in all docs it's described as a not recommended setup, because of possible confusion about which user is from DOMAIN and which is local, and of course when multiple domains come into play.

So maybe someone knows of a valid workaround, how to force kinit to automatically remove/strip the DOMAIN prefix from e.g. DOMAINmyusername@xxxxxxxxxxxxx and change it into myusername@xxxxxxxxxxxxx? My understanding is that krb5.conf "auth_to_local" works the other way around, so it takes a valid principal and rewrites it so that it matches the POSIX user, and won't work in this case, as it's the other way round (the POSIX user has to be translated into a valid principal).

My environment is:
  CentOS 7.4 OS
  Samba 4.5.x is the AD DC
  Samba 4.6.9 is the domain member server, and all tests are done on this machine.

As I said, Kerberos overall works fine, and it's not strictly a Samba issue, but the issue arises because of the Samba configuration and the added DOMAIN prefix.

Any help/input/comments are appreciated.

Regards, Kacper
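One way to do the translation asked about above, as an added example that is not from the original post or from Samba: a small POSIX sh helper that strips the winbind domain prefix from the current POSIX user name and passes an explicit principal to kinit, so the DOMAINmyusername form never reaches the KDC. The realm EXAMPLE.COM and the KRB5_REALM variable are placeholders; the separator handling assumes the default winbind separator (\) or the common "+" alternative.

```shell
#!/bin/sh
# Added example (not from the original post): map a winbind-style POSIX name
# such as DOMAIN\myusername to the Kerberos principal myusername@REALM, then
# hand that principal to kinit explicitly instead of letting kinit guess.

# posix_to_principal NAME REALM
#   Prints NAME with any leading "DOMAIN\" or "DOMAIN+" stripped and "@REALM"
#   appended. Fails (exit 1, prints nothing) if the user or realm is empty.
posix_to_principal() {
    name=$1
    realm=$2
    case "$name" in
        *\\*) user=${name##*\\} ;;   # DOMAIN\user -> user (default separator)
        *+*)  user=${name##*+}  ;;   # DOMAIN+user -> user ("winbind separator = +")
        *)    user=$name        ;;   # local user or "winbind use default domain = yes"
    esac
    [ -n "$user" ] && [ -n "$realm" ] || return 1
    printf '%s@%s\n' "$user" "$realm"
}

# kinit_as_current_user [REALM]
#   Realm comes from the argument, then $KRB5_REALM, then a placeholder.
#   Obtains a TGT for the current POSIX user's mapped principal.
kinit_as_current_user() {
    realm=${1:-${KRB5_REALM:-EXAMPLE.COM}}   # EXAMPLE.COM is a placeholder
    principal=$(posix_to_principal "$(id -un)" "$realm") || return 1
    kinit "$principal"
}
```

Run `kinit_as_current_user AD.REALM` (or export KRB5_REALM) from a winbind-mapped session; the user still types their password as with plain kinit.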
