Hi Andrew, thanks for the reply. Presently, my configuration (as shown) works great for user accounts with known passwords within the active directory domain (very few of these - mostly admin, service, & test accounts). The issue lies when trying to use upn-mapped user accounts. Active directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masq as that AD user with a valid TGT from the trusted realm.
Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE

Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.

Cheers,
--Joseph

On Nov 4, 2012, at 9:39 PM, Andrew Bartlett <abart...@samba.org> wrote:

> On Thu, 2012-11-01 at 15:00 +0000, Rafferty, Joseph wrote:
>> Hello,
>>
>> I'm having some difficulty understanding the best approach to setting up a
>> samba fileserver in our environment. We have an active directory domain
>> (2008) that has account "stubs" that we use for security and authorization
>> (the passwords are unknown/random). This domain has a one-way Kerberos trust
>> to an MIT Kerberos realm that we use for authentication. The user accounts
>> are name-mapped to the corresponding principal name in the
>> kerberos/authentication realm. I had planned to net join the server to the
>> active directory realm for user and group resolution, but configure PAM to
>> use pam_krb5 for authentication instead of winbind. However, it appears to
>> me that, by design, Samba is not able to authenticate and authorize in two
>> different realms this way for the following reason:
>>
>> "Samba always ignores PAM for authentication in the case of encrypt passwords = yes"
>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS
>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
>>
>> Setting "encrypt passwords = no" results in the following testparm error:
>> ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must
>> always be set to 'true'.
>>
>> Anyone successfully authenticating this way?
>>
>> Thanks for the help!
>> -Joseph
>>
>>
>> smb.conf:
>>
>> [global]
>> log file = /var/log/samba/log.%m
>> log level = auth:3
>> max log size = 50
>> security = ads
>> netbios name = SERVERNAME
>> realm = AD.DOMAIN.EDU
>> password server = dc.ad.domain.edu
>> workgroup = AD
>> idmap uid = 10000-5000000
>> idmap gid = 10000-5000000
>> winbind separator = +
>> winbind enum users = no
>> winbind enum groups = no
>> winbind use default domain = yes
>> obey pam restrictions = yes
>
> What error do you get when you use *just* what you have above?
>
> You should run winbind, and accept kerberos logins from your clients.
> We need to be joined to the AD domain.
>
> As long as the tickets contain a PAC, we really don't mind where they
> came from.
>
> Don't try and involve PAM or turn off encrypted passwords, because we
> never get a plaintext password from modern clients anyway.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
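The thread turns on two smb.conf constraints: `security = domain`/`ads` requires `encrypt passwords = yes` (the testparm error quoted above), and with encrypted passwords smbd does not consult PAM for authentication, so `obey pam restrictions` only governs PAM account/session handling. The following is an added example, not code from the thread or from the Samba project: a small smb.conf parser plus a pre-flight check that reports those conditions over a constructed copy of Joseph's `[global]` section (hostnames are placeholders). The defaults assumed for `security` (`user`) and `encrypt passwords` (`yes`) are those documented for Samba 3.x.

```python
# Added example: a minimal smb.conf parser and an authentication-settings
# pre-flight check. Not Samba code; it mirrors the constraints the thread
# discusses so they can be caught before running testparm on a real host.

# Constructed smb.conf modelled on the thread's [global] section.
# AD.DOMAIN.EDU / dc.ad.domain.edu are placeholders, not real hosts.
SAMPLE_SMB_CONF = """\
[global]
    log file = /var/log/samba/log.%m
    log level = auth:3
    max log size = 50
    security = ads
    netbios name = SERVERNAME
    realm = AD.DOMAIN.EDU
    password server = dc.ad.domain.edu
    workgroup = AD
    idmap uid = 10000-5000000
    idmap gid = 10000-5000000
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    obey pam restrictions = yes
"""


def parse_smb_conf(text: str) -> dict:
    """Parse smb.conf text into {section: {key: value}}.

    Handles [section] headers, 'key = value' lines and '#'/';' comments.
    Keys are lower-cased and internal whitespace is collapsed, which matches
    how Samba treats parameter names ('encrypt passwords' == 'Encrypt  Passwords').
    """
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not key = value
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _is_true(value: str) -> bool:
    """Samba accepts yes/true/1 (case-insensitive) for boolean parameters."""
    return value.strip().lower() in {"yes", "true", "1"}


def check_auth_settings(sections: dict) -> list:
    """Return human-readable findings about [global] authentication settings.

    Checks (all taken from the thread / smb.conf documentation):
      1. security = domain or ads needs encrypt passwords = yes (testparm rejects 'no').
      2. security = ads needs a realm.
      3. with encrypt passwords = yes, PAM is never used for authentication, so
         obey pam restrictions only affects PAM account/session management.
    """
    g = sections.get("global", {})
    findings = []
    security = g.get("security", "user").lower()          # assumed Samba 3.x default
    encrypt = g.get("encrypt passwords", "yes")            # assumed Samba 3.x default

    if security in {"domain", "ads"} and not _is_true(encrypt):
        findings.append(f"security={security} requires 'encrypt passwords = yes'")
    if security == "ads" and not g.get("realm"):
        findings.append("security=ads requires 'realm' to be set")
    if _is_true(encrypt) and _is_true(g.get("obey pam restrictions", "no")):
        findings.append(
            "'obey pam restrictions = yes' only enables PAM account/session "
            "management; PAM is not used for authentication while "
            "'encrypt passwords = yes'"
        )
    return findings


if __name__ == "__main__":
    for finding in check_auth_settings(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("NOTE:", finding)
    # The variant Joseph tried: same config with encrypted passwords turned off.
    broken = SAMPLE_SMB_CONF + "    encrypt passwords = no\n"
    for finding in check_auth_settings(parse_smb_conf(broken)):
        print("ERROR:", finding)
```

Run against the constructed config it reports only that `obey pam restrictions` will not route authentication through PAM; appending `encrypt passwords = no` reproduces the condition testparm rejects for `security = ads`.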