Q: Samba3-server with security=ADS and NFS4/kerberos userdata and cross realm auth

Robert Wehn robert.wehn at rz.uni-augsburg.de
Thu Apr 2 04:18:45 EDT 2015


Hello Rainer,

What you are trying to do is let the SAMBA Server access the NFS mount in the name
of the user. This isn't as easy as one might think.

The SAMBA Server never gets the password (or hash) of the user when
accessed via AD/Kerberos but needs an NFS Service Ticket to access NFS via
Kerberos.

Example:
user rainer at AD.DOM.DE logs in to machine rainerpc. There he gets a TGT
and ticket for the pc:
krbtgt/AD.DOM.DE at AD.DOM.DE
  (inside is written the user is
   rainer at AD.DOM.DE)
host/rainerpc.ad.dom.de at AD.DOM.DE
and several tickets of the DC

When connecting to the SMB Server "sambasrv1" he needs and gets the ticket
cifs/sambasrv1.ad.dom.de at AD.DOM.DE
  (inside is written the user is
   rainer at AD.DOM.DE)

If the Samba Server mounts NFS4 on server nfssrv1 via Kerberos it uses
its keytab for host/sambasrv1.ad.dom.de at AD.DOM.DE to obtain a ticket
nfs/nfssrv1.ad.dom.de at AD.DOM.DE
  (inside is written the user is
   sambasrv1.ad.dom.de at AD.DOM.DE)

If the SAMBA Server wants to access files on the NFS Server belonging to
rainer, he needs a ticket of rainer for nfs
nfs/nfssrv1.ad.dom.de at AD.DOM.DE
  (inside is written the user is
   rainer at AD.DOM.DE)
But as he has no Password or TGT for the User rainer at AD.DOM.DE this
can't be done.

The only ways to get this are:

a) Rainer (his logon process) needs to know that he has to obtain such a
ticket, using his TGT, and to give it to the SAMBA Server when trying to
connect (but how should he guess what NFS Mounts the SAMBA server needs?)

b) Rainer (his logon process) needs to forward his (forwardable?) TGT to
the SAMBA Server, so the Server can ask the Kerberos Server for the ticket.

c) Rainer (his logon process) sends his clear text password to the SAMBA
Servers and they use this to kinit as rainer at AD.DOM.DE if they need his
files.

In any of these possibilities you have to change how Windows
Computers log on (i.e. writing an additional logon provider).


### How to get out of this? ###

If your goal is to
a) let Linux users access their files via nfs4 (sec=krb5p)
b) let Windows users access the same files via SAMBA

you need to
a) find a way to configure different nfs shares for the Linux
Workstations (nfs4, sec=krb5p or krb5i enforced) and the SAMBA Servers
(nfs4 or 3, no krb5 security) and let only the SAMBA Server IPs access
the 2nd
b) Install SAMBA on the NFS Servers so they can access the files locally

Robert.




On 18.03.2015 at 15:57, Rainer Krienke wrote:
> Hello to everybody,
> 
> I want to configure a samba3 server that authenticates users via our
> Windows ADS server (security=ADS) in smb.conf. The whole setup works
> fine when I use NFS version3 to mount the user directories from our NFS
> server. The samba server is joined into our Windows ADS domain
> "ADSREALM.UNI-KOBLENZ.DE".
> 
> Now I want to replace NFS3 by NFS4/kerberos with a MIT kerberos Server
> running on a linux machine serving a "LINUXREALM.UNI-KOBLENZ.DE" realm
> that is different from the ADS server realm "ADSREALM.UNI-KOBLENZ.DE".
> The basic setup also works fine, ie on the samba server I can mount the
> user directories with sec=krb5 and access the data if I am root on the
> samba server. When I try to access a users file located on NFS as a
> particular user I get a permission denied, since I did not authenticate
> as this user and this user has no tgt.
> 
> What's missing is how to marry the MIT kerberos server holding the
> machine keytab for nfs, with the windows ADS server managing the user
> authentication. So how can I tell the MIT kerberos server to "ask" the
> ADS server if  a smb process wants to access a user directory?
> 
> My idea was to create a realm trust between the ADSREALM.UNI-KOBLENZ.DE
> and LINUXREALM.UNI-KOBLENZ.DE. So our Windows admin created
> a (two way) realm trust for my linux kerberos server and on this machine
>  I created a principal
> "krbtgt/LINUXREALM.UNI-KOBLENZ.DE at ADSREALM.UNI-KOBLENZ.DE" with the same
> password that was used on the windows side. Additionally I added
> auth_to_local rules to map principal names to simple account names
> (remove all after the "@").
> 
> Now on the samba server I can run a kinit user at ADSREALM.UNI-KOBLENZ.DE
> and authenticate with the password of "user".
> Now if I try to connect a network drive from a windows machine using my
> samba server, the network drive can be connected but Windows immediately
> reports an "access denied" error, and I cannot access
> the attached network drive at all.
> 
> At the moment I do not understand what's going wrong. I guess that the
> trust does not work as expected but how can I find out more, debug what's
> happening?
> 
> I also do not know if my basic idea of using a realm trust is well
> suited for my problem or if perhaps another solution would be much better.
> 
> Does anyone already have a running setup of my kind where samba
> authenticates users via ADS and NFS4 access is granted via another
> kerberos server? Anyone an idea what might go wrong with my setup?
> 
> Thanks a lot in advance for any help
> Rainer

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
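
An added example, not part of the original post: workaround a) above leaves one export without Kerberos, so the thing to verify is that only the SAMBA Server IPs can reach it. The sketch below audits Linux exports(5)-style text for that; the function names, the export paths and the address 192.0.2.10 (standing in for the SAMBA server) are assumptions made for illustration.

```python
import re

KRB5 = {"krb5", "krb5i", "krb5p"}

def sec_flavors(options, default):
    """Return the set of sec= flavors in an option string, or the default."""
    found = set()
    for opt in options.split(","):
        if opt.startswith("sec="):
            found.update(opt[4:].split(":"))
    return found or set(default)

def parse_exports(text):
    """Yield (path, client, flavors) per client entry of exports(5)-style text."""
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = line.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        path, *tokens = line.split()
        default = {"sys"}                      # AUTH_SYS when no sec= is given
        for tok in tokens:
            if tok.startswith("-"):            # "-opts" sets defaults for the line
                default = sec_flavors(tok[1:], default)
                continue
            m = re.fullmatch(r"([^()]*)(?:\(([^)]*)\))?", tok)
            if m:
                yield path, m.group(1) or "*", sec_flavors(m.group(2) or "", default)

def audit(text, samba_ips):
    """List entries that offer a non-Kerberos flavor to anyone but a Samba IP."""
    return [(path, client, sorted(flavors - KRB5))
            for path, client, flavors in parse_exports(text)
            if flavors - KRB5 and client not in samba_ips]

# Constructed sample; paths and addresses are illustrative only.
SAMPLE = r"""
# workstations must use Kerberos; only the Samba server may use AUTH_SYS
/export/home  *.ad.dom.de(rw,sec=krb5p) \
              192.0.2.10(rw,sec=sys,root_squash)
/export/proj  192.0.2.0/24(rw,sec=krb5p:sys)   # AUTH_SYS leaks to a subnet
/export/tmp   *(rw)                            # no sec= means AUTH_SYS
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"192.0.2.10"}):
        print(finding)
```

Paths containing quoted spaces are not handled; an empty result means every non-Kerberos entry is limited to the listed SAMBA addresses.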

