Q: Samba3-server with security=ADS and NFS4/kerberos userdata and cross realm auth

Rainer Krienke krienke at uni-koblenz.de
Wed Mar 18 10:57:30 EDT 2015


Hello to everybody,

I want to configure a samba3 server that authenticates users via our
Windows ADS server (security=ADS) in smb.conf. The whole setup works
fine when I use NFS version 3 to mount the user directories from our NFS
server. The samba server is joined into our Windows ADS domain
"ADSREALM.UNI-KOBLENZ.DE".

Now I want to replace NFS3 by NFS4/kerberos with a MIT kerberos Server
running on a linux machine serving a "LINUXREALM.UNI-KOBLENZ.DE" realm
that is different from the ADS server realm "ADSREALM.UNI-KOBLENZ.DE".
The basic setup also works fine, i.e. on the samba server I can mount the
user directories with sec=krb5 and access the data if I am root on the
samba server. When I try to access a user's file located on NFS as a
particular user I get a permission denied, since I did not authenticate
as this user and this user has no TGT.

What's missing is how to marry the MIT kerberos server holding the
machine keytab for nfs with the windows ADS server managing the user
authentication. So how can I tell the MIT kerberos server to "ask" the
ADS server if an smb process wants to access a user directory?

My idea was to create a realm trust between the ADSREALM.UNI-KOBLENZ.DE
and LINUXREALM.UNI-KOBLENZ.DE. So our Windows admin created
a (two way) realm trust for my linux kerberos server and on this machine
I created a principal
"krbtgt/LINUXREALM.UNI-KOBLENZ.DE@ADSREALM.UNI-KOBLENZ.DE" with the same
password that was used on the windows side. Additionally I added
auth_to_local rules to map principal names to simple account names
(remove all after the "@").

Now on the samba server I can run a kinit user@ADSREALM.UNI-KOBLENZ.DE
and authenticate with the password of "user".
Now if I try to connect a network drive from a windows machine using my
samba server, the network drive can be connected but Windows immediately
reports an "access denied" error, and I cannot access
the attached network drive at all.

At the moment I do not understand what's going wrong. I guess that the
trust does not work as expected but how can I find out more, debug what's
happening?

I also do not know if my basic idea of using a realm trust is well
suited for my problem or if perhaps another solution would be much better.

Does anyone already have a running setup of my kind where samba
authenticates users via ADS and NFS4 access is granted via another
kerberos server? Does anyone have an idea what might go wrong with my setup?

Thanks a lot in advance for any help
Rainer
-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
1001312
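The auth_to_local rules mentioned in the post decide which local account a cross-realm principal such as user@ADSREALM.UNI-KOBLENZ.DE becomes on the NFS client and server. What follows is an added example, not code from the post and not MIT krb5's implementation: a simplified re-implementation of MIT's RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT syntax, so candidate rules can be checked offline before they go into krb5.conf. The rule strings and principal names below are constructed assumptions; the post does not show the author's actual rules.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample realms, taken from the post.
LOCAL_REALM = "LINUXREALM.UNI-KOBLENZ.DE"
TRUSTED_REALM = "ADSREALM.UNI-KOBLENZ.DE"

# Narrow rule (assumption, modelled on MIT syntax): only single-component
# principals from the AD realm are mapped, by stripping the realm suffix.
RULES_NARROW = [
    r"RULE:[1:$1@$0](^[^@]+@ADSREALM\.UNI-KOBLENZ\.DE$)s/@.*//",
    "DEFAULT",
]

# Over-broad rule ("remove all after the @" with no realm check): a
# principal from any realm the local KDC honours via a trust path would
# then map to a local account of the same name, including "root".
RULES_BROAD = [
    r"RULE:[1:$1@$0]s/@.*//",
    "DEFAULT",
]

# RULE:[n:fmt](selector)s/pat/repl/g... ; selector and substitutions optional.
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"((?:s/(?:[^/\\]|\\.)*/(?:[^/\\]|\\.)*/g?)*)$"
)
_SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    if "@" not in name:
        raise ValueError(f"principal without realm: {name}")
    local, realm = name.rsplit("@", 1)
    return local.split("/"), realm


def apply_rule(rule: str, principal: str, local_realm: str) -> Optional[str]:
    """Evaluate one auth_to_local entry. Returns the local name, or None if
    the rule does not apply. Simplified: MIT uses POSIX regexps and its own
    parser; this toy uses Python's re."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component names in the local realm.
        return comps[0] if realm == local_realm and len(comps) == 1 else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    ncomp, fmt, selector, substs = m.groups()
    if len(comps) != int(ncomp):
        return None
    # $0 is the realm, $1..$n the principal components (MIT convention).
    selected = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        selected = selected.replace(f"${i}", comp)
    # The optional (regexp) has to match the whole selection string.
    if selector and not re.fullmatch(selector, selected):
        return None
    result = selected
    for pat, repl, g in _SUBST_RE.findall(substs):
        result = re.sub(pat, repl, result, count=0 if g else 1)
    return result


def map_principal(rules: List[str], principal: str,
                  local_realm: str = LOCAL_REALM) -> Optional[str]:
    """First matching rule wins; None means 'no local account for this principal'."""
    for rule in rules:
        name = apply_rule(rule, principal, local_realm)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    # Constructed principals: an AD user, a local-realm user, the NFS
    # service principal, and a user from a realm that must not be trusted.
    for p in [f"user@{TRUSTED_REALM}", f"user@{LOCAL_REALM}",
              f"nfs/nfs.uni-koblenz.de@{LOCAL_REALM}", "root@EVIL.EXAMPLE"]:
        print(f"{p:48} narrow={map_principal(RULES_NARROW, p)!s:6} "
              f"broad={map_principal(RULES_BROAD, p)}")
```

Running the block prints one line per constructed principal: both rule sets map the AD user and the local user to the bare account name and map the two-component nfs/ service principal to nothing, but only the narrow set refuses root@EVIL.EXAMPLE. With a two-way realm trust in place, the selector regexp that pins the realm is what keeps the mapping from becoming a way to impersonate any local account by name.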
