Re: [Samba] Samba & Active Directory w/ Kerberos Trust

2012-11-05 Thread Rafferty, Joseph
For the user "continuum\jrafferty" (continuum is the AD realm):

http://pastebin.com/DJ3xShTr

Using the user principal name, "jraffe...@tamu.edu"

http://pastebin.com/34VXJuAc

Using just "jrafferty"

http://pastebin.com/ZF7EE2n7

Interestingly, I emailed our AD admins on the status of that AD trust, and was 
told that it is in place and in production (realm is AUTH). If I try a 
different user, "auth\jrafferty":

http://pastebin.com/aZX6zxGY


---


So, it seems now I just need to research how to modify smb.conf to make AUTH my 
primary domain, since it seems 'winbind use default domain' isn't working 
correctly, even for CONTINUUM (see [MYGROUP]\ in the above examples).

-Joseph

On Nov 5, 2012, at 2:09 PM, Andrew Bartlett wrote:

> On Mon, 2012-11-05 at 19:58 +, Rafferty, Joseph wrote:
>> Hi Andrew, thanks for the reply.
>> 
>> Presently, my configuration (as shown) works great for user accounts with 
>> known passwords within the active directory domain (very few of these - 
>> mostly admin, service, & test accounts). The issue lies when trying to use 
>> upn-mapped user accounts. Active directory is not supposed to be the 
>> authentication authority for those accounts, so when they're created (via 
>> some script - not in my control), the passwords are long randomly-generated 
>> strings. However, because of the Kerberos trust and UPN mapping, a user can 
>> masquerade as that AD user with a valid TGT from the trusted realm.
>> 
>> Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE
>> 
>> Regarding the PAC: the trusted realm is MIT Kerberos. I think there are 
>> plans to mirror this in an AD domain somewhere, but I haven't heard anything 
>> more on this.
> 
> I *think* the idea with this kind of trust/mapping thing is that 'AD'
> servers (like Samba) get a ticket that includes the PAC, even if the
> initial user came from MIT. 
> 
> That's pretty much the only way we can work, if we are to get the
> windows groups etc.  You will need to dig in further into why we return
> LOGON_FAILURE with a higher log level and our debug logs.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                         http://samba.org/~abartlet/
> Authentication Developer, Samba Team    http://samba.org
> 
> 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba & Active Directory w/ Kerberos Trust

2012-11-05 Thread Rafferty, Joseph
Hi Andrew, thanks for the reply.

Presently, my configuration (as shown) works great for user accounts with known 
passwords within the active directory domain (very few of these - mostly admin, 
service, & test accounts). The issue lies when trying to use upn-mapped user 
accounts. Active directory is not supposed to be the authentication authority 
for those accounts, so when they're created (via some script - not in my 
control), the passwords are long randomly-generated strings. However, because 
of the Kerberos trust and UPN mapping, a user can masquerade as that AD user 
with a valid TGT from the trusted realm.

Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE

Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans 
to mirror this in an AD domain somewhere, but I haven't heard anything more on 
this.

Cheers,

--Joseph


On Nov 4, 2012, at 9:39 PM, Andrew Bartlett wrote:

> On Thu, 2012-11-01 at 15:00 +, Rafferty, Joseph wrote:
>> Hello,
>> 
>> I'm having some difficulty understanding the best approach to setting up a 
>> samba fileserver in our environment. We have an active directory domain 
>> (2008) that has account "stubs" that we use for security and authorization 
>> (the passwords are unknown/random). This domain has a one-way Kerberos trust 
>> to an MIT Kerberos realm that we use for authentication. The user accounts 
>> are name-mapped to the corresponding principal name in the 
>> kerberos/authentication realm. I had planned to net join the server to the 
>> active directory realm for user and group resolution, but configure PAM to 
>> use pam_krb5 for authentication instead of winbind. However, it appears to 
>> me that, by design, Samba is not able to authenticate and authorize in two 
>> different realms this way for the following reason:
>> 
>> "Samba always ignores PAM for authentication in the case of encrypt 
>> passwords = yes"
>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
>> 
>> Setting "encrypt passwords = no" results in the following testparm error:
>> ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must 
>> always be set to 'true'.
>> 
>> Anyone successfully authenticating this way?
>> 
>> Thanks for the help!
>> -Joseph
>> 
>> 
>> 
>> smb.conf:
>> 
>> [global]
>> log file = /var/log/samba/log.%m
>> log level = auth:3
>> max log size = 50
>> security = ads
>> netbios name = SERVERNAME
>> realm = AD.DOMAIN.EDU
>> password server = dc.ad.domain.edu
>> workgroup = AD
>> idmap uid = 1-500
>> idmap gid = 1-500
>> winbind separator = +
>> winbind enum users = no
>> winbind enum groups = no
>> winbind use default domain = yes
>> obey pam restrictions = yes
> 
> What error do you get when you use *just* what you have above?
> 
> You should run winbind, and accept kerberos logins from your clients.
> We need to be joined to the AD domain.
> 
> As long as the tickets contain a PAC, we really don't mind where they
> came from. 
> 
> Don't try and involve PAM or turn off encrypted passwords, because we
> never get a plaintext password from modern clients anyway.
> 
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                         http://samba.org/~abartlet/
> Authentication Developer, Samba Team    http://samba.org
> 
> 



[Samba] Samba & Active Directory w/ Kerberos Trust

2012-11-01 Thread Rafferty, Joseph
Hello,

I'm having some difficulty understanding the best approach to setting up a 
samba fileserver in our environment. We have an active directory domain (2008) 
that has account "stubs" that we use for security and authorization (the 
passwords are unknown/random). This domain has a one-way Kerberos trust to an 
MIT Kerberos realm that we use for authentication. The user accounts are 
name-mapped to the corresponding principal name in the kerberos/authentication 
realm. I had planned to net join the server to the active directory realm for 
user and group resolution, but configure PAM to use pam_krb5 for authentication 
instead of winbind. However, it appears to me that, by design, Samba is not 
able to authenticate and authorize in two different realms this way for the 
following reason:

"Samba always ignores PAM for authentication in the case of encrypt passwords = 
yes"
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

Setting "encrypt passwords = no" results in the following testparm error:
ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always 
be set to 'true'.

Anyone successfully authenticating this way?

Thanks for the help!
-Joseph



smb.conf:

[global]
log file = /var/log/samba/log.%m
log level = auth:3
max log size = 50
security = ads
netbios name = SERVERNAME
realm = AD.DOMAIN.EDU
password server = dc.ad.domain.edu
workgroup = AD
idmap uid = 1-500
idmap gid = 1-500
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
obey pam restrictions = yes
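The smb.conf above raises three points that come up later in the thread: testparm rejects 'encrypt passwords = no' together with security = ads/domain, the 'idmap uid/gid' ranges start at 1 and so overlap local system accounts, and 'winbind use default domain' only strips the domain prefix for the workgroup domain, so users from trusted realms still show up as DOMAIN+user. The following Python script is an added example (not part of the original post and not a Samba tool): it parses a constructed copy of the posted [global] section with the standard-library configparser and reports those findings. The 999 cut-off for local system ids and the finding severities are assumptions chosen for the example.

```python
import configparser

# Constructed copy of the [global] section posted in the original message.
POSTED_SMB_CONF = """\
[global]
log file = /var/log/samba/log.%m
log level = auth:3
max log size = 50
security = ads
netbios name = SERVERNAME
realm = AD.DOMAIN.EDU
password server = dc.ad.domain.edu
workgroup = AD
idmap uid = 1-500
idmap gid = 1-500
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
obey pam restrictions = yes
"""

FALSE_VALUES = {"no", "false", "0"}
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for an smb.conf string.

    Samba parameter names are case-insensitive and ignore internal whitespace,
    so keys are normalised the same way; '=' is the only delimiter Samba uses.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = lambda k: " ".join(k.lower().split())
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def id_range(value):
    """Parse an 'idmap uid' / 'idmap gid' value of the form 'LOW-HIGH'."""
    low, high = (int(x) for x in value.split("-", 1))
    return low, high


def lint_global(cfg, local_id_max=999):
    """Return a list of (severity, message) findings for the [global] section.

    local_id_max is an assumed upper bound of the ids used by local system
    accounts on the file server.
    """
    g = cfg.get("global", {})
    findings = []
    security = g.get("security", "user").lower()
    encrypt = g.get("encrypt passwords", "yes").lower()

    # testparm refuses this combination; it is the error quoted in the thread.
    if security in ("ads", "domain") and encrypt in FALSE_VALUES:
        findings.append(("error",
            f"'encrypt passwords = {encrypt}' is not allowed with security = {security}"))
    if security == "ads" and not g.get("realm"):
        findings.append(("error", "security = ads requires a 'realm'"))

    # Domain users mapped onto ids shared with local system accounts can end
    # up owning files that belong to those accounts.
    for key in ("idmap uid", "idmap gid"):
        if key in g:
            low, high = id_range(g[key])
            if low <= local_id_max:
                findings.append(("warning",
                    f"{key} = {low}-{high} overlaps local system ids "
                    f"(<= {local_id_max}); start the range above them"))

    # 'winbind use default domain' only drops the prefix for the workgroup
    # domain; users from trusted domains keep 'DOMAIN<separator>user'.
    if g.get("winbind use default domain", "no").lower() in TRUE_VALUES:
        sep = g.get("winbind separator", "\\")
        findings.append(("info",
            f"unprefixed names apply only to workgroup {g.get('workgroup', '?')}; "
            f"trusted-domain users still appear as DOMAIN{sep}user"))
    return findings


def severities(findings):
    """Count findings by severity, e.g. {'warning': 2, 'info': 1}."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, msg in lint_global(parse_smb_conf(POSTED_SMB_CONF)):
        print(f"{sev:8} {msg}")
```

Run against the posted configuration it reports no errors, two warnings for the id ranges and the informational note about trusted-domain prefixes; appending 'encrypt passwords = no' to the same text reproduces the testparm error as a finding.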

