From: Anton on 11 May 2010 02:10

Question: Should the system keytab need to be world readable to be able to authenticate via winbind as a remote Kerberos user? I don't seem to remember this being required in Samba 3.3 or earlier (but I could be wrong about that). And I didn't think it was a recommended configuration. Is this likely to be distro specific?

Background info: I've recently had problems logging into an Active Directory domain (SBS 2003 with SFU 3.5 schema extensions) on a new Ubuntu 10.04 which uses winbind 3.4.7. I successfully joined the domain, and created a keytab using the following commands:

    net ads join -U domainadministrator createupn createcomputer="MyBusiness/Computers/UnixComputers"
    net ads testjoin
    net ads keytab create -U domainadministrator

I added winbind to nsswitch.conf and ran pam-auth-update to use the winbind profile to configure /etc/pam.d/common*. pam_winbind had the krb5_auth and krb5_ccache_type=FILE options set (by pam-auth-update).

With sudo and a dummy local account I could successfully kinit with both my domain user principal and the system keytab service principals and the computer's UPN. I could successfully run wbinfo -u and wbinfo -g as well as getent passwd and getent group.

The first sign of trouble was that I needed sudo to successfully run wbinfo -K to authenticate my domain account. I could not log in with pam_winbind either. It turned out that my domain user account needed read access to the system keytab (/etc/krb5.keytab). By default the system keytab was owned by root:root and had 0600 permissions - which I seem to recall is the recommended permissions for that file, and I vaguely remember working in earlier Samba versions. Once the keytab was world readable, domain accounts could successfully log in.
/etc/samba/smb.conf (if relevant):

    [global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    preferred master = no
    security = ADS
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind nss info = sfu
    winbind offline logon = true
    winbind refresh tickets = true
    idmap backend = tdb
    idmap uid = 50000 - 50999
    idmap gid = 50000 - 50999
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:readonly = yes
    idmap config EXAMPLE:default = yes
    idmap config EXAMPLE:schema_mode = sfu
    idmap config EXAMPLE:range = 10000 - 19999
    template shell = /bin/bash
    template homedir = /home/%U
    kerberos method = system keytab

Thanks for any insight :)

-- 
Cheers
Anton
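The workaround the post ends on (a world-readable /etc/krb5.keytab) is the kind of change an administrator wants a routine check to catch, because any local account can then read the host's Kerberos keys. The script below is an added example and is not part of Anton's message or of Samba: a small POSIX sh audit that reports a keytab's mode and owner and flags anything beyond root-only access. The function names are my own, and audit_keytab assumes a stat(1) that accepts the -c format option (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example, not from the original post: audit a Kerberos system keytab's
# ownership and mode. Any bit set for "group" or "other" means a non-root
# account can read the host's Kerberos keys, which is exactly the exposure
# created by making /etc/krb5.keytab world readable.
# Function names are my own; audit_keytab assumes `stat -c` (GNU or busybox).

# keytab_mode_risk OCTAL_MODE OWNER
# Prints one verdict word and returns 0 only when no group/other bits are set
# and the file is owned by root.
keytab_mode_risk() {
    mode=$1
    owner=$2
    # Keep the last three octal digits so "0600", "600" and "100600" compare alike.
    perm=$(printf '%s' "$mode" | tail -c 3)
    group_bits=$(printf '%s' "$perm" | cut -c2)
    other_bits=$(printf '%s' "$perm" | cut -c3)
    if [ "$other_bits" != 0 ]; then
        echo "world-accessible"
        return 1
    fi
    if [ "$group_bits" != 0 ]; then
        echo "group-accessible"
        return 1
    fi
    if [ "$owner" != root ]; then
        echo "not-root-owned"
        return 1
    fi
    echo "ok"
    return 0
}

# audit_keytab PATH
# Reads mode and owner from the file system and prints "PATH: verdict (mode, owner)".
# Exit status is non-zero whenever the keytab is readable beyond root or is missing.
audit_keytab() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path: missing"
        return 1
    fi
    # stat -c '%a %U' prints the octal mode and the owner name (assumption: GNU/busybox stat)
    set -- $(stat -c '%a %U' "$path")
    verdict=$(keytab_mode_risk "$1" "$2") && status=0 || status=1
    echo "$path: $verdict (mode $1, owner $2)"
    return "$status"
}

# Usage: sh keytab_audit.sh /etc/krb5.keytab
if [ $# -gt 0 ]; then
    audit_keytab "$1"
fi
```

Run it against /etc/krb5.keytab from cron or a configuration-management check; a "world-accessible" or "group-accessible" verdict is the signal to look for a fix that does not widen access to the keytab itself.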