Web lists-archives.com

Re: [Samba] kerberos + winbind + AD authentication for samba 4 domain member




I'm using this rule, it works, but it's used the other way round. It means that principal "kacper_wirski@xxxxxxxxxxxx" will match local user DOMAIN\kacper_wirski@xxxxxxxxxxxx BUT it doesn't work the other way round, so local user DOMAIN\kacper_wirski@xxxxxxxxxxx will not match "kacper_wirski@xxxxxxxxxxxx

I know that SSSD has a setting that allows matching kerberos principals to local users via pattern, and it works both ways - maybe one day winbind will have similar option:)

I am actually thinking of trying SSSD instead of winbind auth, as both methods are equally supported on rhel/centos, except that it might cause issues on the DC, since it's best to use either/or. Does anyone have experience and might shed some light, is running SSSD for user domain authorization on samba 4 DC problematic?

Also after some thought, I realized that there is a workaround to have "everything" working with "winbind use default domain = no", and short answer is "use credential delegation"

scenario:
in smb.conf i set "winbind use default domain = no"

kinit by default uses:
a) principal from cached ticket (if there  is one)
b) unix username (if there is no ticket)

So, if I turn on credential delegation:

WHen i log into windows machine, I automatically get my ticket, then i SSH with putty to the centos machine as DOMAIN\kacper_wirski I log in passwordless (kerberos is used) THEN, because of credential delegation, I have my ticket simply forwarded, and kinit works perfectly, because it will use by default principal from cache, rather then posix username. Once I run "kdestroy", to obtain new ticket on the centos box I will still have type my full username, rather than just "kinit"

Without delegation, there is no ticket in cache (nothing was forwarded), and centos can't obtain one automatically, because of the issue already explained before.

So there's that at least


W dniu 2017-11-01 o 23:24, L.P.H. van Belle via samba pisze:
Maybe try something like this, dont know it its right, i cant test it atm, and i never used its so..
But in krb5.conf try to match the failty one with a rule.

auth_to_local = RULE:[1:SAMDOM:$1]
Maybe it works maybe not, but imo, try-able ;-) , just an idee..

Greetz,

Louis


-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
Kacper Wirski via samba
Verzonden: woensdag 1 november 2017 22:01
Aan: Rowland Penny
CC: samba@xxxxxxxxxxxxxxx
Onderwerp: Re: [Samba] kerberos + winbind + AD authentication
for samba 4 domain member

Ok, at least I know that it's not the fault of my configuration.

I was hoping that there may be some kerberos/kinit option to modify
systemwide default principal pattern, or maybe something
could be done with
how winbind presents AD users to local OS while still.. Can't have
everything it seems.

In this case there are is my follow-up question:
- how will this work on DC's? I konw that winbind is
integrated into main
"samba" process. I don't have test-dc right now and I can't
test it, but is
at all possible to set "use defaultl domain = yes" on samba DC and not
impair anything? On the DC's it's not as important to me, as only few
actual domain users will ever actually log there (only
admins), but still
I'd rather have as much consistency across all systems, as possible\

Regards,
Kacper

2017-11-01 21:21 GMT+01:00 Rowland Penny via samba
<samba@xxxxxxxxxxxxxxx>:

On Wed, 1 Nov 2017 19:49:32 +0000
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

On Wed, 1 Nov 2017 20:28:05 +0100
Kacper Wirski <kacper.wirski@xxxxxxxxx> wrote:

I'm going to start with clean centos install, so I
might as well use
some additional guidelines, thank You.

When You run kinit, does Your user have ticket already? What I
noticed is that when user has a ticket already, kinit
works fine,
uses as default principal the one from ticket.
Can you do kdestroy - then kinit?

Also, on Fedora, did You install samba from source or
from repo's
RPM?

And last question - for PAM did You manually edit
system-auth, or
with authconfig?
After I do some tests later on, I will update with
whatever I manage
to find/debug.

I realised I had a Centos 7 VM, so I started this,
updated it to 7.4
set 'winbind use default domain = no' then logged in and ran
'kinit', I finally get your problem!!!

Let me get back to you

Rowland

OK, I am back ;-)

I understand it now, sigh
This is what I think is happening;
When you kinit as the user, it uses whatever is returned by
nsswitch,
but, as a single '\' is treated as an escape character and is
removed, you get DOMAINusername. If you use something else as the
winbind separator e.g. ':' you will get DOMAIN:username, but this
still will not not get you anywhere. You will get this:

kinit: Client 'SAMDOM:rowland@xxxxxxxxxxxxxxxxxx' not found in
Kerberos database while getting initial credentials

It was this that pointed me in the right direction.
If you check the users object in AD, you will find the
userPrincipalName attribute, this will contain something like:

rowland@xxxxxxxxxxxxxxxxxx

This is what kinit is looking for and if you run 'kinit
rowland', this
will work and if you run 'klist' you will find that the 'Default
principal' is rowland@xxxxxxxxxxxxxxxxxx

Net result, you will have to use 'winbind use default domain = yes'

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba




---
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast.
https://www.avast.com/antivirus


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba