
Re: [Samba] kerberos + winbind + AD authentication for samba 4 domain member
On Wed, 1 Nov 2017 19:49:32 +0000
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Wed, 1 Nov 2017 20:28:05 +0100
> Kacper Wirski <kacper.wirski@xxxxxxxxx> wrote:
> 
> > I'm going to start with clean centos install, so I might as well use
> > some additional guidelines, thank You.
> > 
> > When You run kinit, does Your user have ticket already? What I
> > noticed is that when user has a ticket already, kinit works fine,
> > uses as default principal the one from ticket.
> > Can you do kdestroy - then kinit?
> > 
> > Also, on Fedora, did You install samba from source or from repo's
> > RPM?
> > 
> > And last question - for PAM did You manually edit system-auth, or
> > with authconfig?
> > After I do some tests later on, I will update with whatever I manage
> > to find/debug.
> > 
> 
> I realised I had a Centos 7 VM, so I started this, updated it to 7.4,
> set 'winbind use default domain = no', then logged in and ran
> 'kinit'. I finally get your problem!!!
> 
> Let me get back to you
> 
> Rowland
> 

OK, I am back ;-)

I understand it now, sigh.
This is what I think is happening:
When you kinit as the user, it uses whatever is returned by nsswitch,
but, as a single '\' is treated as an escape character and is
removed, you get DOMAINusername. If you use something else as the
winbind separator, e.g. ':', you will get DOMAIN:username, but this
still will not get you anywhere. You will get this:

kinit: Client 'SAMDOM:rowland@xxxxxxxxxxxxxxxxxx' not found in
Kerberos database while getting initial credentials

It was this that pointed me in the right direction.
If you check the user's object in AD, you will find the
userPrincipalName attribute; this will contain something like:

rowland@xxxxxxxxxxxxxxxxxx

This is what kinit is looking for. If you run 'kinit rowland', this
will work, and if you run 'klist' you will find that the 'Default
principal' is rowland@xxxxxxxxxxxxxxxxxx

Net result, you will have to use 'winbind use default domain = yes'

Rowland
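The name-mapping chain Rowland describes above, as an added example that is not part of the original thread or of Samba's own code. It models, step by step, how the login name winbind hands back through nsswitch is built from the separator and the default-domain setting, how a lone backslash separator is dropped when treated as an escape (the behaviour reported in the thread), how kinit qualifies the result with the default realm, and whether the principal finally matches the userPrincipalName stored in AD. The domain SAMDOM, user rowland and realm SAMDOM.EXAMPLE.COM are constructed placeholders, and the escape handling is a simplified model of the behaviour reported, not Samba's or MIT Kerberos's actual code.

```python
"""Model of why only 'winbind use default domain = yes' gives kinit a
principal that matches the AD userPrincipalName on a Samba domain member.

Constructed example: SAMDOM, rowland and SAMDOM.EXAMPLE.COM are
placeholders; the functions mimic the reported behaviour, they are not
the real winbind or kinit implementation.
"""


def winbind_name(domain: str, user: str, separator: str = "\\",
                 use_default_domain: bool = False) -> str:
    """Login name winbind returns through nsswitch (getent passwd).

    With 'winbind use default domain = yes' users of the joined domain
    get no domain prefix; otherwise the name is DOMAIN<separator>user
    (the default separator is a single backslash)."""
    if use_default_domain:
        return user
    return f"{domain}{separator}{user}"


def drop_escapes(name: str) -> str:
    """Simplified model of the escape handling reported in the thread:
    a single backslash escapes the following character and is removed,
    so 'SAMDOM\\rowland' becomes 'SAMDOMrowland'. Any other separator
    (e.g. ':') passes through unchanged."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):
            out.append(name[i + 1])
            i += 2
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def kinit_principal(login_name: str, realm: str) -> str:
    """kinit qualifies a bare name with the default realm from krb5.conf;
    a name that already carries '@REALM' is used as given."""
    if "@" in login_name:
        return login_name
    return f"{login_name}@{realm}"


def user_principal_name(user: str, realm: str) -> str:
    """What AD stores in the userPrincipalName attribute: user@REALM."""
    return f"{user}@{realm}"


def check_config(domain: str, user: str, realm: str, separator: str,
                 use_default_domain: bool) -> tuple[str, bool]:
    """Return the principal kinit would request for this smb.conf
    combination and whether the KDC will find it (i.e. it equals the
    userPrincipalName)."""
    name = drop_escapes(winbind_name(domain, user, separator,
                                     use_default_domain))
    principal = kinit_principal(name, realm)
    return principal, principal == user_principal_name(user, realm)


if __name__ == "__main__":
    for sep, default_domain in (("\\", False), (":", False), ("\\", True)):
        principal, ok = check_config("SAMDOM", "rowland",
                                     "SAMDOM.EXAMPLE.COM", sep, default_domain)
        setting = f"separator={sep!r}, use default domain={'yes' if default_domain else 'no'}"
        print(f"{setting:50} -> {principal:40} {'found' if ok else 'not found in Kerberos database'}")
```

On a real member the same three steps are visible with `getent passwd <user>` (the name nsswitch returns), `kdestroy; kinit; klist` (the principal actually requested) and the userPrincipalName attribute on the user object in AD; if the first two do not agree with the third, the ticket request fails exactly as shown in the thread. The cost of the fix is that, with `winbind use default domain = yes`, users of the joined domain appear without any domain prefix, so names must be unambiguous across the domains the member resolves.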
