Gentoo Forums
[SOLVED] Samba + Kerberos (no admin rights)
devilheart
l33t


Joined: 17 Mar 2005
Posts: 848
Location: Villach, Austria

PostPosted: Tue Jan 18, 2022 2:51 pm    Post subject: [SOLVED] Samba + Kerberos (no admin rights)

Hi all,

recently I've been playing with this idea...
I have a "rogue" server in my company's network (it's an unsupported gentoo server, where I'm root, but our IT still allows such hosts) and I wish to run a samba server where all users in the corporate Active Directory can log in.
Essentially it's a mixed windows/linux network.

I don't have the rights to add servers to the domain (no net ads join) and I don't have the rights to run kadmin to add new principals.

Currently, I set up /etc/krb5.conf correctly, since I can run kinit and get a ticket from the corporate KDC.
sys-auth/nss-pam-ldapd and /etc/nsswitch.conf have been set up correctly, since getent passwd gives the entries for all users in my company.

/etc/pam.d/system-auth looks like this:
Code:

auth            required        pam_env.so
auth            requisite       pam_faillock.so preauth
auth            sufficient      pam_unix.so nullok  try_first_pass
auth            [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
auth            [default=die]   pam_faillock.so authfail
account         sufficient      pam_unix.so
account         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
account         required        pam_faillock.so
password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
session         required        pam_limits.so
session         required        pam_env.so
session         sufficient      pam_unix.so
session         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass


and /etc/ssh/sshd_config has the lines for interacting with kerberos.

Bottom line: with this setup, corporate users can login via ssh on this server using their corporate credentials (and there are no local users).

Now, I want to configure a samba server, running on this host, which authenticates users using the corporate kerberos servers and grants access to some shares.
I looked a bit on the web and found these two pages https://forums.gentoo.org/viewtopic-t-565180-start-0.html and https://wiki.gentoo.org/wiki/Kerberos_Windows_Interoperability but both require running either net ads join or kadmin, so this is a no go.

I would assume that authentication should run through PAM, like ssh, but somewhere else I've read that samba can use PAM only with cleartext passwords.

The problem I'm trying to solve is: how can I allow people to access samba shares without having to create local user accounts on the samba server and storing passwords?
I do this already for ssh, so I'd think it's possible also for samba, but maybe this is a completely different scenario.

Has anyone tried anything like this?


Last edited by devilheart on Tue Jan 25, 2022 1:48 pm; edited 1 time in total
alamahant
Advocate


Joined: 23 Mar 2019
Posts: 3879

PostPosted: Tue Jan 18, 2022 4:02 pm    Post subject:

I think this is called a kerberized samba share.
You need to add service and host principals and a keytab for cifs like so:
Code:

kadmin.local ank -randkey cifs/<samba-machine-fqdn>
kadmin.local  ktadd  cifs/<samba-machine-fqdn>

kadmin.local ank -randkey cifs/<client-machine-fqdn>
kadmin.local  ktadd  cifs/<client-machine-fqdn>


kadmin.local ank -randkey host/<samba-machine-fqdn>
kadmin.local ktadd  host/<samba-machine-fqdn>

kadmin.local ank -randkey host/<client-machine-fqdn>
kadmin.local  ktadd host/<client-machine-fqdn>

Then you should find the way to copy the client keys to the client machine.
kadmin.local does not require a password but it should be run on the KDC host itself.
You need also to modify smb.conf.
When mounting the share you should use "sec=krb5".
This applies if you're using a linux samba host.
I do not know how AD samba handles kerberos.
Plz see
Code:

SMB: How to mount a Kerberized share
SOLUTION VERIFIED - Updated June 23 2021 at 2:47 AM - English
Environment
  • Red Hat Enterprise Linux (SMB Client) 6, 7, 8
  • SMB
  • Kerberos
  • Directory Service (IdM/FreeIPA/AD)
  • SMB server
  • sssd or winbind for ticket acquisition and user resolution
Issue
  • A SMB share needs to be mounted with Kerberos security instead of NTLMSSP.
  • Attempting to mount the SMB share with sec=krb5 security fails with mount error(126): Required key not available
  • A service account exists, but a keytab for the user needs to be created.
  • kinit has to be run prior to mounting the share instead of a ticket being dynamically acquired at time of mount.
Resolution
Background information
Kerberized SMB/CIFS requires the use of a Kerberos User Principal to mount.
User Principals are used in the Authentication Service, AS, exchange with the Kerberos Key Distribution Center, KDC.
The KDC will provide a Ticket-Granting Ticket, TGT, to the SMB client
The ticket is called krbtgt@/$REALM@$REALM where $REALM is the actual Kerberos Realm.
This ticket is required in order to mount a Kerberized SMB share.
The SMB/CIFS client must authenticate with the KDC prior to mounting.
If the client does not authenticate, the # mount operation will fail with CIFS VFS: Send error in SessSetup = -126 as intended.
The following is assumed of the SMB server

Exporting a file path as a SMB share.
Effective access rights for the user credentials that will be used by the SMB client are read and execute to mount the share. This requires granting the user in question the necessary access at the Share level and NTFS/File level.
Port 445 on the SMB server is accessible.
Client configuration
The userspace tools for SMB mounts is installed as well as tools to create Kerberos keytabs which will be needed later
Raw
# yum install cifs-utils krb5-workstation
Create the desired mount point for the SMB share
Raw
# mkdir /path/to/mountpoint
Join the SMB client to either:

An Active Directory realm using realmd or winbind
NOTE RHEL8 may have additional requirements when joining an AD realm.
An IdM realm as an IPA client
Create a Kerberos keytab for the service account that will be used to mount the SMB share. This is only necessary if the host Principal, or sAMAccountName for AD clients, in /etc/krb5.keytab is not going to be used to mount the SMB share.

Raw
# ktutil
ktutil:  add_entry -password -p svcaccount -k 0 -e aes256-cts-hmac-sha1-96
Password for svcaccount@EXAMPLE.NET:
ktutil:  wkt /var/kerberos/krb5/user/cifs_service_account.keytab
ktutil:  q
Update /etc/request-key.d/cifs.spnego.conf to leverage the newly created keytab.
Add the -t flag if Kerberized SMB shares are going to be mounted from DNS CNAMEs.
Raw
# cat /etc/request-key.d/cifs.spnego.conf
create  cifs.spnego    * * /usr/sbin/cifs.upcall -K /var/kerberos/krb5/user/cifs_service_account.keytab -t %k
Mount the share
Raw
# mount //smb.example.net/share /mnt -o sec=krb5,multiuser,username='svcaccount@EXAMPLE.NET'
If users are going to access a Kerberized home directory, additional actions may be required.

To have the share mount at boot time, add an entry to /etc/fstab.

Raw
# mount //smb.example.net/share /mnt cifs defaults,sec=krb5,multiuser,username=svcaccount@EXAMPLE.NET 0 0

for mounting kerberized share
and
https://help.ubuntu.com/community/Samba/Kerberos
for configuring linux samba to use kerberos for its shares.
PLZ note:
whereas kerberized nfs works easily, kerberized samba is very very tricky, especially in a mixed AD and Linux environment.


Having said all that, without the ability to create principals either via kadmin.local or kadmin I think it will be IMPOSSIBLE.
You will not be able to mount the shares.


Last edited by alamahant on Tue Jan 18, 2022 9:30 pm; edited 4 times in total
devilheart
l33t


Joined: 17 Mar 2005
Posts: 848
Location: Villach, Austria

PostPosted: Tue Jan 18, 2022 8:55 pm    Post subject:

Hi, thanks!

I just found an internal webpage where each employee can request the creation of a Machine Account in ActiveDirectory.
After that, I can run kinit, get a ticket and then I can successfully run
Code:
net -k ads join <realm_name>


then I get
Code:
# net ads testjoin
Join is OK


and with kvno I can request tickets for the host and cifs principals.
Smooth so far... now I just need to properly configure pam_winbind and I should be fine...

I'll update you tomorrow
devilheart
l33t


Joined: 17 Mar 2005
Posts: 848
Location: Villach, Austria

PostPosted: Fri Jan 21, 2022 9:33 am    Post subject:

I found out that I cannot get the passwd database via winbind...

If I have this in /etc/nsswitch.conf

Code:

group:      files winbind #ldap
passwd:     files winbind #ldap


then I see only the local users, but I get the full list if I uncomment ldap.

/etc/pam.d/system-auth looks like this
Code:

auth       required        pam_env.so
auth       requisite       pam_faillock.so preauth
auth       sufficient      pam_winbind.so
auth       sufficient      pam_unix.so nullok  try_first_pass
auth       [default=die]   pam_faillock.so authfail
 
account    sufficient      pam_winbind.so
account    sufficient      pam_unix.so
account    required        pam_faillock.so
 
password   required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password   sufficient      pam_winbind.so use_authtok
password   sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 
session    required        pam_limits.so
session    required        pam_env.so
session    sufficient      pam_unix.so
session    optional        pam_winbind.so


Then, we have
Code:

# wbinfo -i posgnach
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user posgnach

# wbinfo -n posgnach
S-1-5-21-2052111302-1275210071-1644491937-1025603 SID_USER (1)

# wbinfo -S S-1-5-21-2052111302-1275210071-1644491937-1025603
11628725

# wbinfo -s S-1-5-21-2052111302-1275210071-1644491937-1025603
GER\posgnach 1


All is correct, except for wbinfo -i.

With this setup, domain users can login via ssh by using their corporate password if and only if ldap appears in /etc/nsswitch.conf
If I remove ldap from that file, I see this when logging in via ssh

Code:
Jan 21 10:11:02 vrlabfiler01 sshd[11656]: Invalid user posgnach from 10.217.81.35 port 33436
Jan 21 10:11:03 vrlabfiler01 sshd[11659]: pam_faillock(sshd:auth): User unknown
Jan 21 10:11:03 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): [pamh: 0x55bc6a7aa720] ENTER: pam_sm_authenticate (flags: 0x0001)
Jan 21 10:11:03 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): getting password (0x00000381)
Jan 21 10:11:03 vrlabfiler01 sshd[11656]: Postponed keyboard-interactive for invalid user posgnach from 10.217.81.35 port 33436 ssh2 [preauth]
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): Verify user 'posgnach'
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE'
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): [pamh: 0x55bc6a7aa720] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_unix(sshd:auth): check pass; user unknown
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.217.81.35
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_faillock(sshd:auth): User unknown
Jan 21 10:11:10 vrlabfiler01 sshd[11656]: error: PAM: Authentication failure for illegal user posgnach from 10.217.81.35
Jan 21 10:11:10 vrlabfiler01 sshd[11656]: Failed keyboard-interactive/pam for invalid user posgnach from 10.217.81.35 port 33436 ssh2
Jan 21 10:11:10 vrlabfiler01 sshd[11660]: pam_faillock(sshd:auth): User unknown
Jan 21 10:11:10 vrlabfiler01 sshd[11660]: pam_winbind(sshd:auth): [pamh: 0x55bc6a7aa720] ENTER: pam_sm_authenticate (flags: 0x0001)
Jan 21 10:11:10 vrlabfiler01 sshd[11660]: pam_winbind(sshd:auth): getting password (0x00000381)
Jan 21 10:11:10 vrlabfiler01 sshd[11656]: Postponed keyboard-interactive for invalid user posgnach from 10.217.81.35 port 33436 ssh2 [preauth]
Jan 21 10:13:02 vrlabfiler01 sshd[11656]: fatal: Timeout before authentication for 10.217.81.35 port 33436


When I connect to the shared drive using my domain account, it fails and in log.smbd I see

Code:

[2022/01/21 10:28:36.630125,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
  Got user=[posgnach] domain=[GER] workstation=[POSGNACH-MOBL] len1=24 len2=328
[2022/01/21 10:28:36.630164, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:544(ntlmssp_server_preauth)
[2022/01/21 10:28:36.630227,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:123(make_user_info_map)
  Mapping user [GER]\[posgnach] from workstation [POSGNACH-MOBL]
[2022/01/21 10:28:36.630236,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for posgnach (posgnach)
[2022/01/21 10:28:36.630243,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_info.c:72(make_user_info)
  making strings for posgnach's user_info struct
[2022/01/21 10:28:36.630257,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_info.c:117(make_user_info)
  making blobs for posgnach's user_info struct
[2022/01/21 10:28:36.630264, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_info.c:163(make_user_info)
  made a user_info for posgnach (posgnach)
[2022/01/21 10:28:36.630271,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [GER]\[posgnach]@[POSGNACH-MOBL] with the new password interface
[2022/01/21 10:28:36.630277,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [GER]\[posgnach]@[POSGNACH-MOBL]
[2022/01/21 10:28:36.630284, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:214(auth_check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2022/01/21 10:28:36.630290, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:217(auth_check_ntlm_password)
  challenge is:
[2022/01/21 10:28:36.630296, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_builtin.c:42(check_anonymous_security)
  Check auth for: [posgnach]
[2022/01/21 10:28:36.630302, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:250(auth_check_ntlm_password)
  auth_check_ntlm_password: anonymous had nothing to say
[2022/01/21 10:28:36.630309, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_sam.c:115(auth_samstrict_auth)
  auth_samstrict_auth: Check auth for: [GER]\[posgnach]
[2022/01/21 10:28:36.630317,  6, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_sam.c:137(auth_samstrict_auth)
  check_samstrict_security: GER is not one of my local names (ROLE_DOMAIN_MEMBER)
[2022/01/21 10:28:36.630323, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:250(auth_check_ntlm_password)
  auth_check_ntlm_password: sam had nothing to say
[2022/01/21 10:28:36.630331, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_winbind.c:51(check_winbind_security)
  Check auth for: [posgnach]
[2022/01/21 10:28:37.058442,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:1901(check_account)
  Failed to find authenticated user GER\posgnach via getpwnam(), denying access.
[2022/01/21 10:28:37.058479,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:259(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [posgnach] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/01/21 10:28:37.058496,  2, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:345(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [posgnach] -> [posgnach] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/01/21 10:28:37.058516, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
  gensec_update_send: ntlmssp[0x55a73c676f10]: subreq: 0x55a73c668b10
[2022/01/21 10:28:37.058523, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
  gensec_update_send: spnego[0x55a73c667fc0]: subreq: 0x55a73c679090
[2022/01/21 10:28:37.058547,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:813(ntlmssp_server_auth_done)
  ntlmssp_server_auth_done: Checking NTLMSSP password for GER\posgnach failed: NT_STATUS_NO_SUCH_USER
[2022/01/21 10:28:37.058558,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:534(gensec_update_done)
  gensec_update_done: ntlmssp[0x55a73c676f10]: NT_STATUS_NO_SUCH_USER tevent_req[0x55a73c668b10/../../auth/ntlmssp/ntlmssp.c:180]: state[3] error[-7963671676338569116 (0x917B5ACDC0000064)]  state[struct gensec_ntlmssp_update_state (0x55a73c668cc0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:239]
[2022/01/21 10:28:37.058573,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
[2022/01/21 10:28:37.058583,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:534(gensec_update_done)
  gensec_update_done: spnego[0x55a73c667fc0]: NT_STATUS_NO_SUCH_USER tevent_req[0x55a73c679090/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569116 (0x917B5ACDC0000064)]  state[struct gensec_spnego_update_state (0x55a73c679240)] timer[(nil)] finish[../../auth/gensec/spnego.c:2039]
devilheart
l33t


Joined: 17 Mar 2005
Posts: 848
Location: Villach, Austria

PostPosted: Mon Jan 24, 2022 6:47 pm    Post subject:

Quick update:

I had the computer account created in AD and then I found out that I can create SPNs with my corporate account on windows with setspn, so I created a host and a cifs principal

Code:

setspn -S host/vrlabfiler01.dnsdomain.com vrlabfiler01
setspn -S cifs/vrlabfiler01.dnsdomain.com vrlabfiler01


then, on the server, after getting a TGT from Kerberos, I ran
Code:

net ads join createupn='host/vrlabfiler01.dnsdomain.com@GER.KERBEROSREALM.COM' dnshostname='vrlabfiler01.dnsdomain.com' -k

Joined successfully... then I ran
Code:

net ads keytab create -k

and this populated /etc/krb5.keytab with the necessary keys.

At this point, ssh authentication finally works fine... what a relief.
No password asked and the service ticket is requested automatically after I get a TGT.

Samba from windows still fails and I believe that the relevant entry in log.winbindd is

Code:
[2022/01/24 19:06:54.276385,  5, pid=15433, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:141(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2052111302-1275210071-1644491937-1025603: NT_STATUS_NO_SUCH_USER
[2022/01/24 19:06:54.276396, 10, pid=15433, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:802(process_request_done)
  process_request_done: [nss_winbind(15453):GETPWNAM]: NT_STATUS_NO_SUCH_USER


but

Code:

# wbinfo -S S-1-5-21-2052111302-1275210071-1644491937-1025603
11628725
# wbinfo -U 11628725
S-1-5-21-2052111302-1275210071-1644491937-1025603


it seems that I can resolve a SID to a unix UID and vice versa just fine.

In my smb.conf I have
Code:

[global]
   security=ads
   realm=GER.KERBEROSREALM.COM
   workgroup=GER
   winbind cache time = 864000
   winbind enum groups = yes
   winbind enum users = yes
   winbind nss info = rfc2307
   winbind offline logon = yes
   winbind refresh tickets = yes
   winbind use default domain = no
   ;username map = /etc/samba/samba_usermapping
   netbios name = VRLABFILER01
   create krb5 conf = yes
   log level = 0 auth:10 winbind:10
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 10-999
   idmap config GER : backend  = nss
   idmap config GER : range = 1000-20000000
   idmap config GER : unix_nss_info = yes


I can get samba to work fine if I uncomment username map and I write in the mapping file
Code:
!posgnach = GER\posgnach


Now I can open the shares from windows without entering a password... which is what I needed, but I don't really want to write a mapping line for each of our users... the mapping is always "unix_username = GER\unix_username"

Any idea about how to fix the idmap? I don't know if the mapping is provided somehow via LDAP... the passwd database is not available via winbind.

It should be noted that so far I never needed an admin account... just my regular unprivileged corporate account.
devilheart
l33t


Joined: 17 Mar 2005
Posts: 848
Location: Villach, Austria

PostPosted: Mon Jan 24, 2022 9:13 pm    Post subject:

I think I nailed it with samba's "username map script".
Tomorrow I'll write all the details.
devilheart
l33t


Joined: 17 Mar 2005
Posts: 848
Location: Villach, Austria

PostPosted: Tue Jan 25, 2022 1:46 pm    Post subject:

I solved my problem and I reached the desired goal. To summarize, this is the problem:


  • I have a gentoo server which runs sshd and samba
  • Server is connected to the corporate network, which has linux and windows subnets. On both, authentication is handled via Active Directory
  • On the regular linux hosts, user data (group, netgroup and passwd databases) are handled via LDAP. The service is actually "Safeguard Authentication Services" from oneidentity.com
  • I want to fully integrate my server in the corporate network, which means fetch user data from LDAP and authenticate people via Kerberos (both ssh and cifs)
  • I am not an admin nor domain admin. I have admin privileges only on this server
  • Server's FQDN is vrlabfiler01.dnsdomain.com and kerberos realm is GER.KERBEROSREALM.COM (if you wonder, GER meant Greater Europe Region)


Since I'm not a domain admin, the first step would be to join the AD Domain, but normally you can't do it with a regular user. Luckily my company provides an internal webpage where people can register computer assets they "own". When doing so, a Computer account gets automatically created in the AD. I did that and the Computer account automatically got two Kerberos SPNs: host/vrlabfiler01 and host/vrlabfiler01.GER.KERBEROSREALM.COM
The one with dnsdomain.com is missing, but you can create the proper ones on Windows with setspn:

Code:

setspn -S host/vrlabfiler01.dnsdomain.com
setspn -S cifs/vrlabfiler01.dnsdomain.com


That's all you need to do on windows... now back on Gentoo.

For LDAP integration I use sys-auth/nss-pam-ldapd and for kerberos I use app-crypt/mit-krb5

/etc/krb5.conf was copied from another linux host. kinit ran fine and it gave me a TGT.

/etc/nsswitch.conf reads as follows (at least the relevant part)
Code:

group:      files ldap
netgroup:   files ldap
passwd:     files ldap


and /etc/pam.d/system-auth
Code:

auth       required        pam_env.so
auth       requisite       pam_faillock.so preauth
auth       sufficient      pam_winbind.so
auth       sufficient      pam_unix.so nullok  try_first_pass
auth       [default=die]   pam_faillock.so authfail
 
account    sufficient      pam_winbind.so
account    sufficient      pam_unix.so
account    required        pam_faillock.so
 
password   required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password   sufficient      pam_winbind.so use_authtok
password   sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 
session    optional        pam_mkhomedir.so skel=/etc/skel/
session    required        pam_limits.so
session    required        pam_env.so
session    sufficient      pam_unix.so
session    optional        pam_winbind.so


finally, /etc/samba/smb.conf
Code:

[global]
   security=ads
   realm=GER.KERBEROSREALM.COM
   workgroup=GER
   winbind cache time = 864000
   winbind offline logon = yes
   winbind refresh tickets = yes
   winbind use default domain = no
   username map script = /etc/samba/usermapper.sh
   netbios name = VRLABFILER01
   create krb5 conf = yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab


Now start the samba and ssh services. For ssh, look on the wiki for how to enable kerberos authentication.

Once you have a TGT, use this to join the domain:
Code:

net ads join createupn='host/vrlabfiler01.dnsdomain.com@GER.KERBEROSREALM.COM' dnshostname='vrlabfiler01.dnsdomain.com' -k


and then get the kerberos keytab with
Code:

net ads keytab create -k

This will fill the local keytab with keys for both the host and cifs service classes.

At this point ssh via kerberos is already working. Get a TGT on a client and then you can immediately login on the server.

Samba proved to be harder to configure... when opening a share on windows, samba denied access with these messages in log.winbindd:

Code:

[2022/01/24 19:06:54.276385,  5, pid=15433, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:141(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2052111302-1275210071-1644491937-1025603: NT_STATUS_NO_SUCH_USER
[2022/01/24 19:06:54.276396, 10, pid=15433, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:802(process_request_done)
  process_request_done: [nss_winbind(15453):GETPWNAM]: NT_STATUS_NO_SUCH_USER


Something was wrong in the SID<->unix name mapping and I couldn't understand why, even if commands like wbinfo -S and wbinfo -U can correctly map the SID to the unix UID and vice versa.

It seemed that it could not map the domain username it got from windows (GER\username) to the unix username (just username) and I wasn't able to find idmap settings that worked. Also I didn't know if any idmap was provided via LDAP, AD, nss (actually, how can nss provide such mapping?).

The solution was to use a script to perform the mapping, since the unix username is the windows username without the domain part. The script essentially removes the \ and everything that precedes it.

Now passwordless authentication works both for samba and for ssh.

Mission accomplished and no need to use an admin account, but you need a mechanism for creating Computer accounts and a windows host that's part of the domain on which you can then run setspn.
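A script of this shape, as an added example that is not the poster's own usermapper.sh (which was never posted in the thread), covers the "unix_username = GER\unix_username" mapping asked about two posts up: Samba runs a username map script with the client's login name as its only argument and reads the mapped name from stdout. It assumes the NetBIOS domain is GER as in this thread, strips only that prefix, and echoes anything else back unchanged, so a foreign domain or a malformed name still fails Samba's normal lookup instead of being mapped onto a local account.

```shell
#!/bin/sh
# usermapper.sh: an added example of a Samba "username map script"; it is
# not the original poster's script, which was never posted in the thread.
# Samba runs it with one argument, the login name sent by the client
# (e.g. "GER\posgnach"), and reads the mapped unix name from stdout.
# Assumption: the AD NetBIOS domain is GER, as in the thread.

EXPECTED_DOMAIN="GER"

# map_username NAME: print the unix account name that NAME should map to.
# Only "GER\user" is rewritten; every other input is echoed back unchanged,
# so an unexpected domain or an odd-looking name falls through to Samba's
# normal lookup (and fails there) instead of being silently mapped onto a
# local account.
map_username() {
    name=$1

    case "$name" in
        *\\*) ;;                      # has a DOMAIN\ prefix: handled below
        *)  printf '%s\n' "$name"     # plain unix-style name: nothing to strip
            return 0 ;;
    esac

    # Split at the first backslash: "GER\posgnach" -> "GER" and "posgnach"
    domain=${name%%\\*}
    user=${name#*\\}

    # Windows clients are not consistent about case, so compare uppercased
    up_domain=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    if [ "$up_domain" != "$EXPECTED_DOMAIN" ]; then
        printf '%s\n' "$name"
        return 0
    fi

    # Accept only a conservative account-name charset before the result is
    # handed to NSS; anything else (spaces, a second backslash, ...) is
    # returned untouched.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*)
            printf '%s\n' "$name"
            return 0 ;;
    esac

    printf '%s\n' "$user"
}

# When invoked by Samba there is exactly one argument
if [ $# -gt 0 ]; then
    map_username "$1"
fi
```

Install it as /etc/samba/usermapper.sh (the path used in the smb.conf above), make it executable, and check it by hand with `sh /etc/samba/usermapper.sh 'GER\posgnach'` before pointing Samba at it.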
devilheart
l33t


Joined: 17 Mar 2005
Posts: 848
Location: Villach, Austria

PostPosted: Wed Mar 15, 2023 12:06 pm    Post subject:

Sorry to up this thread, but I have some new information I need to share...

I noticed that with this setup, users can login via SSH but not locally. I never noticed this since the server stays in a server room, but I recently tried to replicate the same setup on a desktop PC and I noticed this anomaly... anomaly I can't fully explain.
By enabling the debug setting in /etc/security/pam_winbind.conf I could see these messages in the logs

Code:

login[113594]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=posgnach
login[113594]: pam_winbind(login:auth): [pamh: 0x562be23d8680] ENTER: pam_sm_authenticate (flags: 0x0000)
login[113594]: pam_winbind(login:auth): getting password (0x00000091)
login[113594]: pam_winbind(login:auth): pam_get_item returned a password
login[113594]: pam_winbind(login:auth): Verify user 'posgnach'
login[113594]: pam_winbind(login:auth): enabling krb5 login flag
login[113594]: pam_winbind(login:auth): request wbcLogonUser succeeded
login[113594]: pam_winbind(login:auth): user 'posgnach' granted access
login[113594]: pam_winbind(login:auth): Returned user was 'GER\posgnach'
login[113594]: pam_winbind(login:auth): [pamh: 0x562be23d8680] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
login[113594]: pam_unix(login:account): could not identify user (from getpwnam(GER\posgnach))
login[113594]: pam_winbind(login:account): [pamh: 0x562be23d8680] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
login[113594]: pam_winbind(login:account): user 'GER\posgnach' not found
login[113594]: pam_winbind(login:account): [pamh: 0x562be23d8680] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)
login[113594]: User not known to the underlying authentication module


I'd say that the AD Kerberos was giving back a username in "windows" format, with the domain name, but the linux LDAP has plain usernames...
Samba has the "username map script" parameter, but I'm not sure if anything similar exists for pam_winbind.so

Anyway, to solve the issue for the local logins, I replaced pam_winbind.so with pam_krb5.so in /etc/pam.d/system-auth. The rest of the configuration stays the same and now everything works fine.

The host must still be joined to the domain and you need the keytab (all done with the net ads command above).

I found out that you can add a host to an AD domain even if you're not a domain admin if:

  • there is already a computer account in the domain for that host
  • the computer account is owned/managed by you
  • you have a valid kerberos ticket or you use your AD credentials when you run the net ads commands