# [SOLVED] Samba + Kerberos (no admin rights)

## devilheart

Hi all,

recently I've been playing with this idea...

I have a "rogue" server in my company's network (it's an unsupported gentoo server, where I'm root, but our IT still allows such hosts) and I wish to run a samba server where all users in the corporate's Active Directory can login.

Essentially it's a mixed windows/linux network.

I don't have the rights to add servers to the domain (no net ads join) and I don't have the rights to run kadmin to add new principals.

Currently, I set up /etc/krb5.conf correctly, since I can run kinit and get a ticket from the corporate KDC.

sys-auth/nss-pam-ldapd and /etc/nsswitch.conf have been set up correctly, since getent passwd gives the entries for all users in my company

/etc/pam.d/system-auth looks so:

```
auth            required        pam_env.so
auth            requisite       pam_faillock.so preauth
auth            sufficient      pam_unix.so nullok  try_first_pass
auth            [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
auth            [default=die]   pam_faillock.so authfail

account         sufficient      pam_unix.so
account         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
account         required        pam_faillock.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass

session         required        pam_limits.so
session         required        pam_env.so
session         sufficient      pam_unix.so
session         [success=1 default=ignore]      pam_krb5.so  ignore_root try_first_pass
```

and /etc/ssh/sshd_config has the lines for interacting with kerberos.

Bottom line: with this setup, corporate users can login via ssh on this server using their corporate credentials (and there are no local users).

Now, I want to configure a samba server, running on this host, which authenticates users using the corporate kerberos servers and grants access to some shares.

I looked a bit on the web and found these two pages https://forums.gentoo.org/viewtopic-t-565180-start-0.html and https://wiki.gentoo.org/wiki/Kerberos_Windows_Interoperability but both require to run either net ads join or kadmin, so this is a no go.

I would assume that authentication should run through PAM, like ssh, but somewhere else I've read that samba can use PAM only with cleartext passwords.

The problem I'm trying to solve is: how can I allow people to access samba shares without having to create local user accounts on the samba server and storing passwords?

I do this already for ssh, so I'd think it's possible also for samba, but maybe this is a completely different scenario.

Has anyone tried anything like this?

Last edited by devilheart on Tue Jan 25, 2022 1:48 pm; edited 1 time in total

----------

## alamahant

I think this is called a kerberized samba share.

You need to add service and host  principals and keytab for cifs like so

```
kadmin.local ank -randkey cifs/<samba-machine-fqdn>
kadmin.local ktadd cifs/<samba-machine-fqdn>
kadmin.local ank -randkey cifs/<client-machine-fqdn>
kadmin.local ktadd cifs/<client-machine-fqdn>
kadmin.local ank -randkey host/<samba-machine-fqdn>
kadmin.local ktadd host/<samba-machine-fqdn>
kadmin.local ank -randkey host/<client-machine-fqdn>
kadmin.local ktadd host/<client-machine-fqdn>
```

Then you should find the way to copy the client keys to the client machine.

kadmin.local does not require a passwd but it should be run on the kdc host itself.

You need also to modify smb.conf.

When mounting the share you should use "sec=krb5"

This applies if you're using a linux samba host.

I do not know how AD samba handles kerberos.

Plz see

```
SMB: How to mount a Kerberized share
SOLUTION VERIFIED - Updated June 23 2021 at 2:47 AM - English

Environment
  Red Hat Enterprise Linux (SMB Client) 6, 7, 8
  SMB
  Kerberos
  Directory Service (IdM/FreeIPA/AD)
  SMB server
  sssd or winbind for ticket acquisition and user resolution

Issue
  A SMB share needs to be mounted with Kerberos security instead of NTLMSSP.
  Attempting to mount the SMB share with sec=krb5 security fails with mount error(126): Required key not available
  A service account exists, but a keytab for the user needs to be created.
  # kinit has to be run prior to mounting the share instead of a ticket being dynamically acquired at time of mount.

Resolution

Background information
  Kerberized SMB/CIFS requires the use of a Kerberos User Principal to mount.
  User Principals are used in the Authentication Service, AS, exchange with the Kerberos Key Distribution Center, KDC.
  The KDC will provide a Ticket-Granting Ticket, TGT, to the SMB client.
  The ticket is called krbtgt@/$REALM@$REALM where $REALM is the actual Kerberos Realm.
  This ticket is required in order to mount a Kerberized SMB share.
  The SMB/CIFS client must authenticate with the KDC prior to mounting.
  If the client does not authenticate, the # mount operation will fail with CIFS VFS: Send error in SessSetup = -126 as intended.

The following is assumed of the SMB server
  Exporting a file path as a SMB share.
  Effective access rights for the user credentials that will be used by the SMB client are read and execute to mount the share. This requires granting the user in question the necessary access at the Share level and NTFS/File level.
  Port 445 on the SMB server is accessible.

Client configuration
  The userspace tools for SMB mounts is installed as well as tools to create Kerberos keytabs which will be needed later

    # yum install cifs-utils krb5-workstation

  Create the desired mount point for the SMB share

    # mkdir /path/to/mountpoint

  Join the SMB client to either:
    An Active Directory realm using realmd or winbind
      NOTE RHEL8 may have additional requirements when joining an AD realm.
    An IdM realm as an IPA client

  Create a Kerberos keytab for the service account that will be used to mount the SMB share. This is only necessary if the host Principal, or sAMAccountName for AD clients, in /etc/krb5.keytab is not going to be used to mount the SMB share.

    # ktutil
    ktutil:  add_entry -password -p svcaccount -k 0 -e aes256-cts-hmac-sha1-96
    Password for svcaccount@EXAMPLE.NET:
    ktutil:  wkt /var/kerberos/krb5/user/cifs_service_account.keytab
    ktutil:  q

  Update /etc/request-key.d/cifs.spnego.conf to leverage the newly created keytab.
  Add the -t flag if Kerberized SMB shares are going to be mounted from DNS CNAMEs.

    # cat /etc/request-key.d/cifs.spnego.conf
    create  cifs.spnego    * * /usr/sbin/cifs.upcall -K /var/kerberos/krb5/user/cifs_service_account.keytab -t %k

  Mount the share

    # mount //smb.example.net/share /mnt -o sec=krb5,multiuser,username='svcaccount@EXAMPLE.NET'

  If users are going to access a Kerberized home directory, additional actions may be required.

  To have the share mount at boot time, add an entry to /etc/fstab.

    # mount //smb.example.net/share /mnt cifs defaults,sec=krb5,multiuser,username=svcaccount@EXAMPLE.NET 0 0
```

for mounting kerberized share

and

https://help.ubuntu.com/community/Samba/Kerberos

for configuring linux samba to use kerberos for its shares.

PLZ note:

whereas kerberized nfs works easily kerberized samba is very very tricky especially in a mixed AD and Linux environment.

Having said all that without the ability to create principals either via kadmin.local or kadmin I think it will be IMPOSSIBLE.

You will not be able to mount the shares.

----------

## devilheart

Hi, thanks!

I just found an internal webpage where each employee can request the creation of a Machine Account in ActiveDirectory.

After that, I can run kinit, get a ticket and then I can successfully run

```
net -k ads join <realm_name>
```

then I get

```
# net ads testjoin

Join is OK
```

and with kvno I can request tickets for host and cifs principal.

Smooth so far... now I just need to properly configure pam_winbind and I should be fine...

I'll update you tomorrow

----------

## devilheart

I found out that I cannot get the passwd database via winbind...

If I have this in /etc/nsswitch.conf

```
group:      files winbind #ldap
passwd:     files winbind #ldap
```

then I see only the local users, but I get the full list if I uncomment ldap.

/etc/pam.d/system-auth looks like this

```
auth       required        pam_env.so
auth       requisite       pam_faillock.so preauth
auth       sufficient      pam_winbind.so
auth       sufficient      pam_unix.so nullok  try_first_pass
auth       [default=die]   pam_faillock.so authfail

account    sufficient      pam_winbind.so
account    sufficient      pam_unix.so
account    required        pam_faillock.so

password   required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password   sufficient      pam_winbind.so use_authtok
password   sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow

session    required        pam_limits.so
session    required        pam_env.so
session    sufficient      pam_unix.so
session    optional        pam_winbind.so
```

Then, we have

```
# wbinfo -i posgnach
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user posgnach
# wbinfo -n posgnach
S-1-5-21-2052111302-1275210071-1644491937-1025603 SID_USER (1)
# wbinfo -S S-1-5-21-2052111302-1275210071-1644491937-1025603
11628725
# wbinfo -s S-1-5-21-2052111302-1275210071-1644491937-1025603
GER\posgnach 1
```

All is correct, except for wbinfo -i

With this setup, domain users can login via ssh by using their corporate password if and only if ldap appears in /etc/nsswitch.conf

If I remove ldap from that file, I see this when logging in via ssh

```
Jan 21 10:11:02 vrlabfiler01 sshd[11656]: Invalid user posgnach from 10.217.81.35 port 33436
Jan 21 10:11:03 vrlabfiler01 sshd[11659]: pam_faillock(sshd:auth): User unknown
Jan 21 10:11:03 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): [pamh: 0x55bc6a7aa720] ENTER: pam_sm_authenticate (flags: 0x0001)
Jan 21 10:11:03 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): getting password (0x00000381)
Jan 21 10:11:03 vrlabfiler01 sshd[11656]: Postponed keyboard-interactive for invalid user posgnach from 10.217.81.35 port 33436 ssh2 [preauth]
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): Verify user 'posgnach'
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE'
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_winbind(sshd:auth): [pamh: 0x55bc6a7aa720] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_unix(sshd:auth): check pass; user unknown
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.217.81.35
Jan 21 10:11:08 vrlabfiler01 sshd[11659]: pam_faillock(sshd:auth): User unknown
Jan 21 10:11:10 vrlabfiler01 sshd[11656]: error: PAM: Authentication failure for illegal user posgnach from 10.217.81.35
Jan 21 10:11:10 vrlabfiler01 sshd[11656]: Failed keyboard-interactive/pam for invalid user posgnach from 10.217.81.35 port 33436 ssh2
Jan 21 10:11:10 vrlabfiler01 sshd[11660]: pam_faillock(sshd:auth): User unknown
Jan 21 10:11:10 vrlabfiler01 sshd[11660]: pam_winbind(sshd:auth): [pamh: 0x55bc6a7aa720] ENTER: pam_sm_authenticate (flags: 0x0001)
Jan 21 10:11:10 vrlabfiler01 sshd[11660]: pam_winbind(sshd:auth): getting password (0x00000381)
Jan 21 10:11:10 vrlabfiler01 sshd[11656]: Postponed keyboard-interactive for invalid user posgnach from 10.217.81.35 port 33436 ssh2 [preauth]
Jan 21 10:13:02 vrlabfiler01 sshd[11656]: fatal: Timeout before authentication for 10.217.81.35 port 33436
```

When I connect to the shared drive using my domain account, it fails and in log.smbd I see

```
[2022/01/21 10:28:36.630125,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
  Got user=[posgnach] domain=[GER] workstation=[POSGNACH-MOBL] len1=24 len2=328
[2022/01/21 10:28:36.630164, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:544(ntlmssp_server_preauth)
[2022/01/21 10:28:36.630227,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:123(make_user_info_map)
  Mapping user [GER]\[posgnach] from workstation [POSGNACH-MOBL]
[2022/01/21 10:28:36.630236,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for posgnach (posgnach)
[2022/01/21 10:28:36.630243,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_info.c:72(make_user_info)
  making strings for posgnach's user_info struct
[2022/01/21 10:28:36.630257,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_info.c:117(make_user_info)
  making blobs for posgnach's user_info struct
[2022/01/21 10:28:36.630264, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/user_info.c:163(make_user_info)
  made a user_info for posgnach (posgnach)
[2022/01/21 10:28:36.630271,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [GER]\[posgnach]@[POSGNACH-MOBL] with the new password interface
[2022/01/21 10:28:36.630277,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [GER]\[posgnach]@[POSGNACH-MOBL]
[2022/01/21 10:28:36.630284, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:214(auth_check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2022/01/21 10:28:36.630290, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:217(auth_check_ntlm_password)
  challenge is:
[2022/01/21 10:28:36.630296, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_builtin.c:42(check_anonymous_security)
  Check auth for: [posgnach]
[2022/01/21 10:28:36.630302, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:250(auth_check_ntlm_password)
  auth_check_ntlm_password: anonymous had nothing to say
[2022/01/21 10:28:36.630309, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_sam.c:115(auth_samstrict_auth)
  auth_samstrict_auth: Check auth for: [GER]\[posgnach]
[2022/01/21 10:28:36.630317,  6, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_sam.c:137(auth_samstrict_auth)
  check_samstrict_security: GER is not one of my local names (ROLE_DOMAIN_MEMBER)
[2022/01/21 10:28:36.630323, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:250(auth_check_ntlm_password)
  auth_check_ntlm_password: sam had nothing to say
[2022/01/21 10:28:36.630331, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_winbind.c:51(check_winbind_security)
  Check auth for: [posgnach]
[2022/01/21 10:28:37.058442,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:1901(check_account)
  Failed to find authenticated user GER\posgnach via getpwnam(), denying access.
[2022/01/21 10:28:37.058479,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:259(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [posgnach] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/01/21 10:28:37.058496,  2, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:345(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [posgnach] -> [posgnach] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/01/21 10:28:37.058516, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
  gensec_update_send: ntlmssp[0x55a73c676f10]: subreq: 0x55a73c668b10
[2022/01/21 10:28:37.058523, 10, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:455(gensec_update_send)
  gensec_update_send: spnego[0x55a73c667fc0]: subreq: 0x55a73c679090
[2022/01/21 10:28:37.058547,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:813(ntlmssp_server_auth_done)
  ntlmssp_server_auth_done: Checking NTLMSSP password for GER\posgnach failed: NT_STATUS_NO_SUCH_USER
[2022/01/21 10:28:37.058558,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:534(gensec_update_done)
  gensec_update_done: ntlmssp[0x55a73c676f10]: NT_STATUS_NO_SUCH_USER tevent_req[0x55a73c668b10/../../auth/ntlmssp/ntlmssp.c:180]: state[3] error[-7963671676338569116 (0x917B5ACDC0000064)]  state[struct gensec_ntlmssp_update_state (0x55a73c668cc0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:239]
[2022/01/21 10:28:37.058573,  3, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
[2022/01/21 10:28:37.058583,  5, pid=11840, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:534(gensec_update_done)
  gensec_update_done: spnego[0x55a73c667fc0]: NT_STATUS_NO_SUCH_USER tevent_req[0x55a73c679090/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569116 (0x917B5ACDC0000064)]  state[struct gensec_spnego_update_state (0x55a73c679240)] timer[(nil)] finish[../../auth/gensec/spnego.c:2039]
```

----------

## devilheart

Quick update:

I had the computer account created in AD and then I found out that I can create SPNs with my corporate account on windows with setspn, so I created a host and a cifs principal

```
setspn -S host/vrlabfiler01.dnsdomain.com vrlabfiler01
setspn -S cifs/vrlabfiler01.dnsdomain.com vrlabfiler01
```

then, on server, after getting a TGT from Kerberos, I ran

```
net ads join createupn='host/vrlabfiler01.dnsdomain.com@GER.KERBEROSREALM.COM' dnshostname='vrlabfiler01.dnsdomain.com' -k
```

Joined successfully... then I ran

```
net ads keytab create -k
```

and this populated /etc/krb5.keytab with the necessary keys.

At this point, ssh authentication finally works fine... what a relief.

No password asked and the service ticket is requested automatically after I get a TGT.

Samba from windows still fails and I believe that the relevant entry in log.winbindd is

```
[2022/01/24 19:06:54.276385,  5, pid=15433, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:141(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2052111302-1275210071-1644491937-1025603: NT_STATUS_NO_SUCH_USER
[2022/01/24 19:06:54.276396, 10, pid=15433, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:802(process_request_done)
  process_request_done: [nss_winbind(15453):GETPWNAM]: NT_STATUS_NO_SUCH_USER
```

but

```
# wbinfo -S S-1-5-21-2052111302-1275210071-1644491937-1025603
11628725
# wbinfo -U 11628725
S-1-5-21-2052111302-1275210071-1644491937-1025603
```

it seems that I can resolve a SID to a unix UID and vice versa just fine.

In my smb.conf I have

```
[global]
   security=ads
   realm=GER.KERBEROSREALM.COM
   workgroup=GER
   winbind cache time = 864000
   winbind enum groups = yes
   winbind enum users = yes
   winbind nss info = rfc2307
   winbind offline logon = yes
   winbind refresh tickets = yes
   winbind use default domain = no
   ;username map = /etc/samba/samba_usermapping
   netbios name = VRLABFILER01
   create krb5 conf = yes
   log level = 0 auth:10 winbind:10
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 10-999
   idmap config GER : backend  = nss
   idmap config GER : range = 1000-20000000
   idmap config GER : unix_nss_info = yes
```

I can get samba to work fine if I uncomment username map and I write in the mapping file

```
!posgnach = GER\posgnach
```

Now I can open the shares from windows without entering a password... which is what I needed, but I don't really want to write a mapping line for each of our users... the mapping is always "unix_username = GER\unix_username"

any idea about how to fix the idmap? I don't know if the mapping is provided somehow via LDAP... the passwd database is not available via winbind

it should be noted that so far I never needed an admin account... just my regular unprivileged corporate account

----------

## devilheart

I think I nailed it with samba's "username map script"

tomorrow I'll write all the details

----------

## devilheart

I solved my problem and I reached the desired goal. To summarize, this is the problem: 

- I have a gentoo server which runs sshd and samba
- Server is connected to the corporate network, which has linux and windows subnets. On both, authentication is handled via Active Directory
- On the regular linux hosts, user data (group, netgroup and passwd databases) are handled via LDAP. The service is actually "Safeguard Authentication Services" from oneidentity.com
- I want to fully integrate my server in the corporate network, which means fetch user data from LDAP and authenticate people via Kerberos (both ssh and cifs)
- I am not an admin nor domain admin. I have admin privileges only on this server
- Server's FQDN is vrlabfiler01.dnsdomain.com and kerberos realm is GER.KERBEROSREALM.COM (if you wonder, GER meant Greater Europe Region)

Since I'm not a domain admin, the first step would be to join the AD Domain, but normally you can't do it with a regular user. Luckily my company provides an internal webpage where people can register computer assets they "own". When doing so, a Computer account gets automatically created in the AD. I did that and the Computer account automatically got two Kerberos SPNs: host/vrlabfiler01 and host/vrlabfiler01.GER.KERBEROSREALM.COM

The one with dnsdomain.com is missing, but you can create the proper ones on Windows with setspn:

```
setspn -S host/vrlabfiler01.dnsdomain.com
setspn -S cifs/vrlabfiler01.dnsdomain.com
```

That's all you need to do on windows... now back on Gentoo.

For LDAP integration I use sys-auth/nss-pam-ldapd and for kerberos I use app-crypt/mit-krb5

/etc/krb5.conf was copied from another linux host. kinit ran fine and it gave me a TGT.

/etc/nsswitch.conf reads as follows (at least the relevant part)

```
group:      files ldap
netgroup:   files ldap
passwd:     files ldap
```

and /etc/pam.d/system-auth

```
auth       required        pam_env.so
auth       requisite       pam_faillock.so preauth
auth       sufficient      pam_winbind.so
auth       sufficient      pam_unix.so nullok  try_first_pass
auth       [default=die]   pam_faillock.so authfail

account    sufficient      pam_winbind.so
account    sufficient      pam_unix.so
account    required        pam_faillock.so

password   required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password   sufficient      pam_winbind.so use_authtok
password   sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow

session    optional        pam_mkhomedir.so skel=/etc/skel/
session    required        pam_limits.so
session    required        pam_env.so
session    sufficient      pam_unix.so
session    optional        pam_winbind.so
```

finally, /etc/samba/smb.conf

```
[global]
   security=ads
   realm=GER.KERBEROSREALM.COM
   workgroup=GER
   winbind cache time = 864000
   winbind offline logon = yes
   winbind refresh tickets = yes
   winbind use default domain = no
   username map script = /etc/samba/usermapper.sh
   netbios name = VRLABFILER01
   create krb5 conf = yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
```

now start the samba and ssh services. For ssh, look on the wiki how to enable kerberos authentication

once you have a TGT, use this to join the domain

```
net ads join createupn='host/vrlabfiler01.dnsdomain.com@GER.KERBEROSREALM.COM' dnshostname='vrlabfiler01.dnsdomain.com' -k
```

and then get the kerberos keytab with

```
net ads keytab create -k
```

This will fill the local table with keys for both host and cifs service classes

At this point ssh via kerberos is already working. Get a TGT on a client and then you can immediately login on the server.

Samba proved to be harder to configure... when opening a share on windows, samba denied access with these messages in log.winbindd

```
[2022/01/24 19:06:54.276385,  5, pid=15433, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:141(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2052111302-1275210071-1644491937-1025603: NT_STATUS_NO_SUCH_USER
[2022/01/24 19:06:54.276396, 10, pid=15433, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:802(process_request_done)
  process_request_done: [nss_winbind(15453):GETPWNAM]: NT_STATUS_NO_SUCH_USER
```

something was wrong in the SID<->unix name mapping and I couldn't understand why, even if commands like wbinfo -S and wbinfo -U can correctly map the SID to the unix UID and vice versa.

It seemed that it could not map the domain username it got from windows (GER\username) to the unix username (just username) and I wasn't able to find idmap settings that worked. Also I didn't know if any idmap was provided via LDAP, AD, nss (actually, how can nss provide such mapping?).

The solution was to use a script to perform the mapping, since the unix username is the windows username without the domain part. The script essentially removes the \ and everything that precedes it.

Now passwordless authentication works both for samba and for ssh.

Mission accomplished and no need to use an admin account, but you need a mechanism for creating Computer accounts and a windows host that's part of the domain on which you can then run setspn
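The thread never shows the contents of /etc/samba/usermapper.sh, so here is an added example of how such a `username map script` can be written; it is not the poster's script. It assumes what the Samba manual documents for this option: smbd runs the script with the incoming name (here `GER\posgnach`) as its only argument and takes the mapped name from standard output. The EXPECTED_DOMAIN value and the character whitelist are choices made for this example: a plain "strip everything up to the backslash" would also map `OTHERDOMAIN\posgnach` onto the local account posgnach, so the script only strips the thread's own workgroup and refuses anything else.

```sh
#!/bin/sh
# Added example (not the thread's usermapper.sh): Samba "username map script".
# Assumed calling convention: one argument (the name as Samba received it),
# mapped name written to stdout, empty output / non-zero exit if unmappable.

# Hypothetical setting for this example: the only domain whose prefix is
# stripped. Matches the thread's "workgroup=GER".
EXPECTED_DOMAIN="GER"

# map_username NAME
# Prints the unix user name for NAME, or prints nothing and returns 1 if the
# name comes from an unexpected domain or would not be a sane unix user name.
map_username() {
    name=$1
    case $name in
        *\\*)
            # DOMAIN\user: split at the last backslash.
            domain=${name%%\\*}
            user=${name##*\\}
            ;;
        *)
            # No domain part: pass the name through after validation.
            domain=""
            user=$name
            ;;
    esac

    # Refuse to map a foreign or mistyped domain onto a local account that
    # happens to share the short name.
    if [ -n "$domain" ] && [ "$domain" != "$EXPECTED_DOMAIN" ]; then
        return 1
    fi

    # Conservative whitelist for the resulting unix user name: non-empty,
    # only [A-Za-z0-9._-], and not starting with '-' or '.'.
    case $user in
        "" | *[!a-zA-Z0-9._-]* | -* | .*) return 1 ;;
    esac

    printf '%s\n' "$user"
}

# When Samba runs this file, map the single argument it passes.
if [ -n "${1:-}" ]; then
    map_username "$1"
fi
```

Install it as /etc/samba/usermapper.sh, owned by root and executable, and check it by hand before pointing smb.conf at it: `sh /etc/samba/usermapper.sh 'GER\posgnach'` should print `posgnach`, while `sh /etc/samba/usermapper.sh 'OTHER\posgnach'` should print nothing and exit 1. The domain comparison is case-sensitive as written; if your clients send the workgroup in mixed case, normalise `$domain` with `tr` before the comparison.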

----------

