Hello,
We have an integrated FreeIPA environment with Active Directory trust (adtrust) enabled. Access to a Samba share using Kerberos authentication works properly when connecting as a regular user. For example:
# tail -f /var/log/samba/*
Kerberos ticket principal name is [[email protected]]
However, when I try to access the share using a machine's SPN, the behavior is different:
[root@ws2 ~]# kinit -k host/ws2.ipatest.dom
[root@ws2 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: host/[email protected]
Valid starting       Expires              Service principal
10.04.2025 14:58:12  11.04.2025 14:34:39  krbtgt/[email protected]
[root@ws2 ~]# kvno cifs/[email protected]
cifs/[email protected]: kvno = 2
At this point, I receive the following error:
check_account: Failed to convert SID S-1-5-21-2945447910-933896115-1716290591-515 to a UID (dom_user[IPATEST\ws2.ipatest.dom])
Based on the FreeIPA SID documentation, I understand this may be caused by the fact that host and host group entries do not receive a SID by default, and therefore cannot be resolved to a valid UID. This seems to block authorization when attempting to access the Samba resource via a machine SPN.
I would like to clarify:
Is my understanding correct that the lack of a SID on the machine account prevents successful Kerberos-based access using its SPN?
Are there recommended steps to assign a SID to a machine entry (or group of machines) in FreeIPA, or a workaround for this behavior?
Is there a supported (or clean) way to configure access control to a Samba share not based on the Kerberos ticket of the logged-in user, but rather based on the machine identity (SPN) itself?
Any suggestions, documentation references, or configuration examples would be greatly appreciated.
Best regards, Daniel
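A small log-triage helper, added here as an example and not part of the thread: it scans Samba log lines for the check_account SID-to-UID failure quoted above, splits the SID into its domain prefix and RID, and names the RID where it is a standard well-known Windows RID. The sample log lines and the alice@IPATEST.DOM principal are constructed; the "looks_like_host" flag is only a name-shape heuristic.

```python
import re
from typing import Dict, List

# Constructed sample: the failure quoted in the post for two hosts, plus an
# unrelated line that must be ignored.
SAMPLE_LOG = r"""
check_account: Failed to convert SID S-1-5-21-2945447910-933896115-1716290591-515 to a UID (dom_user[IPATEST\ws2.ipatest.dom])
Kerberos ticket principal name is [alice@IPATEST.DOM]
check_account: Failed to convert SID S-1-5-21-2945447910-933896115-1716290591-515 to a UID (dom_user[IPATEST\ws3.ipatest.dom])
"""

# The Samba message from the post: the SID that could not be mapped to a POSIX
# UID, and the DOMAIN\name Samba was mapping at the time.
CHECK_ACCOUNT_RE = re.compile(
    r"check_account: Failed to convert SID (?P<sid>S-1-5-21(?:-\d+){4}) to a UID "
    r"\(dom_user\[(?P<account>[^\]]+)\]\)"
)

# Standard well-known relative identifiers (RIDs) that may end a domain SID.
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator", 501: "Guest", 512: "Domain Admins",
    513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
}

def split_sid(sid: str) -> Dict[str, object]:
    """Split S-1-5-21-<a>-<b>-<c>-<rid> into its domain prefix and RID."""
    domain_sid, rid_str = sid.rsplit("-", 1)
    rid = int(rid_str)
    return {"domain_sid": domain_sid, "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid)}

def parse_sid_failures(log_text: str) -> List[Dict[str, object]]:
    """Return one record per check_account SID-to-UID failure in log_text."""
    records = []
    for line in log_text.splitlines():
        m = CHECK_ACCOUNT_RE.search(line)
        if not m:
            continue
        domain, _, name = m.group("account").partition("\\")
        rec = {"domain": domain, "account": name, "sid": m.group("sid")}
        rec.update(split_sid(m.group("sid")))
        # Heuristic: a dotted account name (ws2.ipatest.dom) is how the host
        # principal appeared in the post, so flag it as a probable machine.
        rec["looks_like_host"] = "." in name
        records.append(rec)
    return records
```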
On Fri, 04 Apr 2025, Данила Скачедубов via FreeIPA-users wrote:
Hello,
Is it possible to create a Samba network share on an FreeIPA domain
controller that would allow domain users to authenticate via their
Kerberos tickets without running ipa-adtrust-install?
Since I don't plan to establish any trust relationship with Windows
domains:
1. Can winbind properly map user SIDs to UIDs without the AD trust
components installed?
2. Or is there an alternative way to configure smb.conf to make this work
with pure FreeIPA/Kerberos authentication?
My understanding is that ipa-adtrust-install generates the necessary ID
mapping structures for Samba, but I'm wondering if there's a
lighter-weight solution when Windows trusts aren't required.
No, it isn't.
A domain network has specific assumptions, and there is one important one:
there must be a domain controller configured. All `ipa-adtrust-install`
does is configure that domain controller. Regardless of whether you want
to use 'AD trust' or not, you have to have a domain controller if you
want to use domain-wide authentication.
`ipa-adtrust-install` simply configures the Samba DC to use a special mode
that is valid for an IPA domain controller. This is needed because other
supported Samba modes cannot be used with a FreeIPA domain controller (we
do not implement an Active Directory DC, so we cannot use ADDC mode). It is
a hybrid mode described in https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-controller.html
While Samba is configured in a standalone mode, it is typically not
expected to work with Kerberos in that mode. We had to fix a lot of
issues in Samba code to make it possible to use Kerberos with local KDC
(when Samba is not enrolled into any domain).
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
