For the user "continuum\jrafferty" (continuum is the AD realm):
http://pastebin.com/DJ3xShTr
Using the user principal name, "[email protected]"
http://pastebin.com/34VXJuAc
Using just "jrafferty"
http://pastebin.com/ZF7EE2n7
Interestingly, I emailed our AD admins on the status of that AD trust, and was
told that it is in place and in production (realm is AUTH). If I try a
different user, "auth\jrafferty":
http://pastebin.com/aZX6zxGY
---------------
So, it seems now I just need to research how to modify smb.conf to make AUTH my
primary domain, since it seems 'winbind use default domain' isn't working
correctly, even for CONTINUUM (see [MYGROUP]\ in the above examples).
-Joseph
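For readers following the prefix problem above: an added smb.conf fragment (illustration only, not the poster's configuration; the realm, DNS suffix and idmap range are placeholders) showing the settings that govern whether winbind strips the DOMAIN\ prefix. 'winbind use default domain' applies only to the domain the server is joined to (the one named by 'workgroup'), so users from a trusted realm such as AUTH keep their AUTH\ prefix regardless.

```ini
# Added example, not from the original thread.
# PLACEHOLDER values: EXAMPLE.TLD, idmap ranges.
[global]
   security = ads
   # NetBIOS name of the AD domain this server is joined to. If this is
   # left at a distribution sample value (e.g. MYGROUP), winbind output
   # will not match the real domain and default-domain stripping will not
   # behave as expected.
   workgroup = CONTINUUM
   realm = CONTINUUM.EXAMPLE.TLD

   # Strips the prefix ONLY for users of the joined domain (CONTINUUM).
   # Trusted-domain users (e.g. AUTH\jrafferty) are still shown with the
   # separator and domain, so tests against them will always carry the prefix.
   winbind use default domain = yes
   winbind separator = \

   # Placeholder idmap configuration; ranges must not overlap.
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config CONTINUUM : backend = rid
   idmap config CONTINUUM : range = 20000-99999
```

To confirm which name winbind treats as the primary domain, compare `wbinfo --own-domain` with the `workgroup` value; they must agree for default-domain stripping to apply.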
On Nov 5, 2012, at 2:09 PM, Andrew Bartlett <[email protected]> wrote:
> On Mon, 2012-11-05 at 19:58 +0000, Rafferty, Joseph wrote:
>> Hi Andrew, thanks for the reply.
>>
>> Presently, my configuration (as shown) works great for user accounts with
>> known passwords within the Active Directory domain (very few of these -
>> mostly admin, service, & test accounts). The issue lies when trying to use
>> UPN-mapped user accounts. Active Directory is not supposed to be the
>> authentication authority for those accounts, so when they're created (via
>> some script - not in my control), the passwords are long randomly-generated
>> strings. However, because of the Kerberos trust and UPN mapping, a user can
>> masquerade as that AD user with a valid TGT from the trusted realm.
>>
>> Trying to log in as one of the mapped users: NT_STATUS_LOGON_FAILURE
>>
>> Regarding the PAC: the trusted realm is MIT Kerberos. I think there are
>> plans to mirror this in an AD domain somewhere, but I haven't heard anything
>> more on this.
>
> I *think* the idea with this kind of trust/mapping thing is that 'AD'
> servers (like Samba) get a ticket that includes the PAC, even if the
> initial user came from MIT.
>
> That's pretty much the only way we can work, if we are to get the
> Windows groups etc. You will need to dig further into why we return
> LOGON_FAILURE with a higher log level and our debug logs.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba