|Main Archive Page > Month Archives > samba-users archives|
Should the system keytab need to be world readable to be able to
authenticate via winbind as a remote kerberos user?
I don't seem to remember this being required in Samba 3.3 or earlier
(but I could be wrong about that). And I didn't think it was a
Is this likely to be distro specific?
I've recently had problems logging into an Active Directory domain
(SBS 2003 with SFU 3.5 schema extensions) on a new Ubuntu 10.04 which
uses winbind 3.4.7.
I successfully joined the domain, and created a keytab using the
net ads join -U domainadministrator createupn
net ads testjoin
net ads keytab create -U domainadministrator
I added winbind to nssswitch.conf and ran pam-auth-update to use the
winbind profile to configure /etc/pam.d/common*. pam_winbind had the
krb5_auth and krb5_ccache_type=FILE options set (by pam-auth-update).
With sudo and a dummy local account I could successfully kinit with
both my domain user principle and the system keytab service principals
and the computers UPN.
I could successfully run wbinfo -u and wbinfo -g and well as getent
passwd and getent group.
The first sign of trouble was that I needed sudo to successfully run
wbinfo -K to authenticate my domain account
I could not log in with pam_winbind either.
It turned out that my domain user account needed read access to the
system keytab (/etc/krb5.keytab). By default the system keytab was
owned by root:root and had 0600 permissions - which I seem to recall
is the recommended permissions for that file, and I vaguely remember
working in earlier Samba versions.
Once the keytab was world readable, domain accounts could successfully log in.
/etc/samba/smb.conf (if relevant)
workgroup = EXAMPLE
realm = EXAMPLE.COM
preferred master = no
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind nss info = sfu
winbind offline logon = true
winbind refresh tickets = true
idmap backend = tdb
idmap uid = 50000 - 50999
idmap gid = 50000 - 50999
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:readonly = yes
idmap config EXAMPLE:default = yes
idmap config EXAMPLE:schema_mode = sfu
idmap config EXAMPLE:range = 10000 - 19999
template shell = /bin/bash
template homedir = /home/%U
kerberos method = system keytab
Thanks for any insight :)
-- Cheers Anton -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba