
[Samba] Samba & Active Directory w/ Kerberos Trust


Rafferty, Joseph
Nov 1, 2012, 11:10:02 AM
Hello,

I'm having some difficulty understanding the best approach to setting up a samba fileserver in our environment. We have an active directory domain (2008) that has account "stubs" that we use for security and authorization (the passwords are unknown/random). This domain has a one-way Kerberos trust to an MIT Kerberos realm that we use for authentication. The user accounts are name-mapped to the corresponding principal name in the kerberos/authentication realm. I had planned to net join the server to the active directory realm for user and group resolution, but configure PAM to use pam_krb5 for authentication instead of winbind. However, it appears to me that, by design, Samba is not able to authenticate and authorize in two different realms this way for the following reason:

"Samba always ignores PAM for authentication in the case of encrypt passwords = yes"
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

Setting "encrypt passwords = no" results in the following testparm error:
ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always be set to 'true'.

Anyone successfully authenticating this way?

Thanks for the help!
-Joseph



smb.conf:

[global]
log file = /var/log/samba/log.%m
log level = auth:3
max log size = 50
security = ads
netbios name = SERVERNAME
realm = AD.DOMAIN.EDU
password server = dc.ad.domain.edu
workgroup = AD
idmap uid = 10000-5000000
idmap gid = 10000-5000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
obey pam restrictions = yes


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett
Nov 4, 2012, 10:40:01 PM
What error do you get when you use *just* what you have above?

You should run winbind, and accept kerberos logins from your clients.
We need to be joined to the AD domain.

As long as the tickets contain a PAC, we really don't mind where they
came from.

Don't try and involve PAM or turn off encrypted passwords, because we
never get a plaintext password from modern clients anyway.


Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Rafferty, Joseph
Nov 5, 2012, 3:00:03 PM
Hi Andrew, thanks for the reply.

Presently, my configuration (as shown) works great for user accounts with known passwords within the active directory domain (very few of these - mostly admin, service, & test accounts). The issue lies when trying to use upn-mapped user accounts. Active directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masq as that AD user with a valid TGT from the trusted realm.

Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE

Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.

Cheers,

--Joseph

Andrew Bartlett
Nov 5, 2012, 3:10:02 PM
On Mon, 2012-11-05 at 19:58 +0000, Rafferty, Joseph wrote:
> Hi Andrew, thanks for the reply.
>
> Presently, my configuration (as shown) works great for user accounts with known passwords within the active directory domain (very few of these - mostly admin, service, & test accounts). The issue lies when trying to use upn-mapped user accounts. Active directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masq as that AD user with a valid TGT from the trusted realm.
>
> Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE
>
> Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.

I *think* the idea with this kind of trust/mapping thing is that 'AD'
servers (like Samba) get a ticket that includes the PAC, even if the
initial user came from MIT.

That's pretty much the only way we can work, if we are to get the
windows groups etc. You will need to dig in further into why we return
LOGON_FAILURE with a higher log level and our debug logs.

Andrew Bartlett
Nov 5, 2012, 4:50:02 PM
On Mon, 2012-11-05 at 21:39 +0000, Rafferty, Joseph wrote:
> For the user "continuum\jrafferty" (continuum is the AD realm):
>
> http://pastebin.com/DJ3xShTr

OK, now I see the issue. Your setup is deliberately incompatible with
NTLM authentication (as you only have random passwords recorded on the
AD DC). You must log in with kerberos - i.e. kinit first, then run
smbclient -k (for example) or use a windows client already logged in
with kerberos credentials.
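An added example, not from the thread or from Samba itself, of the kind of log check Andrew's diagnosis implies: parse a Samba "log level = auth:3" log, count NTLM and Kerberos attempts per user, and flag accounts that only ever fail NTLM, which is exactly what an AD stub with a random password looks like. The log lines are constructed in the shape of Samba 3.x messages, and the line formats and regexes are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Samba 3.x "log level = auth:3" output; the
# line formats, users and timestamps are assumptions, not the thread's pastebins.
SAMPLE_LOG = """\
[2012/11/05 14:01:10, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jrafferty] -> [jrafferty] FAILED with error NT_STATUS_LOGON_FAILURE
[2012/11/05 14:02:05, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [svc-backup] -> [svc-backup] succeeded
[2012/11/05 14:03:42, 3] smbd/sesssetup.c:296(reply_spnego_kerberos)
  Kerberos ticket principal name is [jrafferty@AUTH]
[2012/11/05 14:05:17, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jrafferty] -> [jrafferty] FAILED with error NT_STATUS_LOGON_FAILURE
"""

NTLM_RE = re.compile(
    r"check_ntlm_password:\s+Authentication for user \[(?P<user>[^\]]+)\] -> \[[^\]]+\] "
    r"(?:(?P<ok>succeeded)|FAILED with error (?P<status>\S+))")
KRB_RE = re.compile(r"Kerberos ticket principal name is \[(?P<principal>[^\]]+)\]")

def parse_auth_log(text):
    """One record per authentication event: mechanism, user, status."""
    events = []
    for line in text.splitlines():
        m = NTLM_RE.search(line)
        if m:
            events.append({"mech": "ntlm", "user": m["user"].lower(),
                           "status": "NT_STATUS_OK" if m["ok"] else m["status"]})
        elif (m := KRB_RE.search(line)):  # ticket presented; smbd logs its verdict separately
            user, _, realm = m["principal"].partition("@")
            events.append({"mech": "krb5", "user": user.lower(), "status": realm})
    return events

def summarize(events):
    """Per-user counts of NTLM successes, NTLM failures and Kerberos tickets seen."""
    counts = defaultdict(lambda: {"ntlm_ok": 0, "ntlm_fail": 0, "krb5": 0})
    for e in events:
        if e["mech"] == "krb5":
            counts[e["user"]]["krb5"] += 1
        elif e["status"] == "NT_STATUS_OK":
            counts[e["user"]]["ntlm_ok"] += 1
        else:
            counts[e["user"]]["ntlm_fail"] += 1
    return dict(counts)

def ntlm_only_failures(summary):
    """Users who never pass NTLM: an AD stub with a random password can only log in via a Kerberos ticket."""
    return sorted(u for u, c in summary.items() if c["ntlm_fail"] and not c["ntlm_ok"])
```

Users returned by ntlm_only_failures are the ones whose clients must obtain a ticket from the trusted realm first (kinit, then smbclient -k) rather than falling back to NTLM.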

Rafferty, Joseph
Nov 5, 2012, 4:50:03 PM
For the user "continuum\jrafferty" (continuum is the AD realm):

http://pastebin.com/DJ3xShTr

Using the user principal name, "jraf...@TAMU.EDU"

http://pastebin.com/34VXJuAc

Using just "jrafferty"

http://pastebin.com/ZF7EE2n7

Interestingly, I emailed our AD admins on the status of that AD trust, and was told that it is in place and in production (realm is AUTH). If I try a different user, "auth\jrafferty":

http://pastebin.com/aZX6zxGY


---------------


So, it seems now I just need to research how to modify smb.conf to make AUTH my primary domain, since it seems 'winbind use default domain' isn't working correctly, even for CONTINUUM (see [MYGROUP]\ in the above examples).

-Joseph

On Nov 5, 2012, at 2:09 PM, Andrew Bartlett <abar...@samba.org>
wrote: