-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
windows domain(ads) support #187
Comments
when build without --enable-krb5, it is OK to access from a windows 10 client. ksmbd support krb5 and local user/passwd at the same time?
os: rocky linux 9.1
|
We already have a build option to enable/disable krb5, we also need a configure option to enable/disable krb5? a dirty patch to skip krb5 init.
|
@atheik Could you please help review this change ? |
@atheik Ping? |
I apologize for the delay.
(Edit: Revisiting this and reading the posted log, I don't understand how I came to this conclusion.) Just to make sure, since you built ksmbd-tools with Kerberos 5 authentication in the first place, do you have some other client (e.g. cifs-utils on Linux) where Kerberos 5 authentication works with your current setup? Your |
In fact, there are two problems 2, whether the krb5/ads support works as expected. |
Sorry, I am not sure I understand what you mean by "support krb5 and ksmbd.adduser at the same time". Even with Kerberos 5 support, there is still the requirement that all users are present in ksmbdpwd.db |
Can we 'yum/dnf install' just once, and then change the configure file to switch krb5 and ksmbd.adduser support? |
As I said earlier, with Kerberos 5 enabled, you still need to use ksmbd.adduser to add users to ksmbdpwd.db |
@atheik |
Please see #187 (comment) for one potential problem. |
Should ksmbd allow more than ssh(SSSD/realm)? or Should ksmbd allow less than ssh(SSSD/realm)? SSSD/realm already has 'PERMIT/DENY' feature. for ksmbd.adduser, we may add 'PERMIT/DENY' feature for krb5 support to use a different database? |
Do you mean that?
Let sssd internally handle krb5 auth, id mapping and etc. |
If a user can login with ssh(SSSD/krb5), then In most case he should be allowed to access ksmbd? ksmbd may allow more user than ssh(SSSD/krb5) too? |
About ssh + krb5, you can check here In my understanding, ksmbd with windows ad support needs more features than krb5. I guess this approach may work also (i don't familiar with sssd and Linux PAM)
If sssd can do all related things with Windows AD, I'm still investigating it. |
uid/gid mapping is very complex for smb support 2, samba/winbind support more, but yet able to find one that match sssd well. mapped gid/uid is saved in every file attr of linux filesystem. for ksmbd, better to select the best known one, rather than an new one? and what is the recommand mapping rule that is easy to reproduce? |
windows ads server is ready here. and linux is joined into ads with sssd.
/etc/ksmbd/ksmbd.conf
any advice for /etc/ksmbd/ksmbd.conf 'kerberos keytab file'? |
Maybe need a KCM? |
|
basic sssd(ad, ldap_id_mapping = False) and winbind(idmap ad) works here now, sssd(ad, ldap_id_mapping = False) seems a good option for ksmbd id mapping. but Single sign-on configure (https://wiki.samba.org/index.php/OpenSSH_Single_sign-on) is still yet able to work here. we need some Single sign-on support for ksmbd too? |
Kerberos would be a single-sign-on mechanism.
Then I added another SPN:
Modified ksmbd.conf: However, I got the same error:
still investigate that how ksmbd works with krb5. |
still figure out how krb5 works. modify the code:
Got different error
|
https://learn.microsoft.com/zh-cn/windows-server/administration/windows-commands/ktpass this info maybe helpful. |
after more tests:
Then modify the ksmbd.conf to use the keytab directly ksmbd can start!!
|
ksmbd can start here too. Thanks a lot. the next step maybe the auth and id mapping. a segment fault happen when wrong 'kerberos service name =' |
I suppose we can setup a windows client which has been In my understanding, when a user logins into the client, According to the above discussion, ksmbd still needs a local user database. So we can create the accounts in Windows AD and local database with the same user name first. Then the authentication part maybe work For id mapping, the ksmbd server has been joined to the domain by sssd/realm. Ksmbd may adapt to it by setuid? For ACL, ldap or kerbose may query the information. |
for windows client, if it already joined the domain, then it can access ksmbd service without password input. windows SID is 128bit, and it is not used since small value. sssd-ad have 2 id mapping policies
winbind have many policies. such as idmap_ad, idmap_rid. the id mapping is not an part of krb5, it is a part of sssd/winbind. If the user direcly ssh login, the he can direct access the filesystem behind ksmb. so we need to make the id mapping of ksmb and sssd-ad/ssh to be same? |
I suppose the windows client will fallback to use NTLM, but I have no idea how ksmbd/ssd authenticate it with windows AD. About ID mapping, I'm not familiar with this area.
sssd can translate SID to UID. I think ksmbd can create files on the locale filesystem with the mapped "UID/GID" In the other hand, how ksmbd/SMB represents "file and ID mapping" to the windows client? |
'/usr/bin/id' can translate SID to UID when login in as local user. The real job will be done by sssd/winbind, we just call like /usr/bin/id. when sssd, we call id as 'id u2001@e16-tech' |
one question about krb5_keytab_file, why kpasswd don't need krb5_keytab_file? but ksmbd-tools need it? |
after joining the domain:
|
sssd-ad can be used for 'Windows SID to linux uid/gid mapping'. |
About ksmbd KRB5 authentication with windows AD,, I have figured out more details: Windows system have two different account types: Computer and User. Thus, it needs to use a " a dollar sign ($)" for ktpass to specify a Computer account: |
So far, krb5 authentication is still not working. If I use IP to connect the ksmbd server, it can fallback NTLM authentication with local database.
|
'mount.nfs -o seck=krb5' works with 'setspn.exe -S nfs/T3610.e16-tech.com T3610' instead of 'ktpass.exe'. |
ksmbd server with krb5 authentication needs a "keytab" to decrypt the ticket which comes from a client. currently, krb5 authentication can work in my environment:
the ksmbd.mountd with KRB5_TRACE:
Note:
|
When diag 'mount.nfs -o seck=krb5' , I noticed that there are some design in windows ad maby different from other krb5. so many documents are based on ktpass. but failed to works here. and another point from hcbwiz is very important too. "kinit -k 'nfs/[email protected]'" check is in so many documents.
default /etc/krb5.keytab should be OK. we don't need another krb5.keytab. CONFIG_SMB_SERVER_KERBEROS5 is defined here. |
I suppose ktpass also implies "set service principal name". krb5 authentication is also one kind of single-sign-on mechanism. |
windows ad
linux client
|
How did you create such SPNs?
Is it okay to do "kinit -k 'nfs/T3610.e16-tech.com'"? As I know, realm uses "adcli join" to create a "computer account". There are two alternative tools can work as "AD clients" in Linux : samba-tool and mkutils, but I never try it. The other issue is that: |
How did you create such SPNs? Is it okay to do "kinit -k 'nfs/T3610.e16-tech.com'"? |
failed to access Now still re-joining domain to flush SPN to client /etc/krb5.keytab. |
'setspn' just binds a service principal name (SPN) to the user account. Note: You need not perform setspn separately since ktpass does it automatically when creating a keytab file. I guess the keytab in your linux client is generated by "realm join". "realm join" calls adcli (an AD client tool) to create a Computer counts and do related thing for "host/xxxx". In brief, "binding a SPN to an account" and "add it into the Kerberos database of Windows AD" are necessary. |
About id mapping API, there are two libraries: libsss-idmap and libsss-nss-idmap I try libsss-nss-idmap:
output: |
thanks a lot for the info 'libsss-idmap and libsss-nss-idmap'. I movded the uid to windows SID mapping to #189 |
a patch try to auto config krb5 |
@wangyugui-e16 Thanks for your patch:) @atheik Atte, Do you have the time to review this patch(0002-krb5-auto-config.patch) ? |
You bypass Comments #187 (comment) and #187 (comment) still apply to this patch. |
it seems that nfs-utils-2.6.2/utils/gssd/krb5_util.c is a good example to auto config principal_name and realm. krb5_appdefault_string() |
Hi,
I successed to build ksmbd-tools 3.4.6 with
LIBKRB5_CFLAGS="$(/usr/bin/krb5-config krb5 --cflags)"
LIBKRB5_LIBS="$(/usr/bin/krb5-config krb5 --libs)"
--enable-krb5
do we have a test command inside ksmbd-tools to test krb5 user/password, and then output
the user/group id assigned by windows ads/linux?
Best regards
The text was updated successfully, but these errors were encountered: