Hi,

On Thu, 10 Apr 2025, Данила Скачедубов wrote:
> Hello,
>
> We have an integrated FreeIPA environment with Active Directory trust (adtrust) enabled. Access to a Samba share using Kerberos authentication works properly when connecting as a regular user. For example:
>
>   # tail -f /var/log/samba/*
>   Kerberos ticket principal name is [[email protected]]
>
> However, when I try to access the share using a machine's SPN, the behavior is different:
>
>   [root@ws2 ~]# kinit -k host/ws2.ipatest.dom
>   [root@ws2 ~]# klist
>   Ticket cache: KEYRING:persistent:0:0
>   Default principal: host/[email protected]
>
>   Valid starting       Expires              Service principal
>   10.04.2025 14:58:12  11.04.2025 14:34:39  krbtgt/[email protected]
>   [root@ws2 ~]# kvno cifs/[email protected]
>   cifs/[email protected]: kvno = 2
>
> At this point, I receive the following error:
>
>   check_account: Failed to convert SID S-1-5-21-2945447910-933896115-1716290591-515 to a UID (dom_user[IPATEST\ws2.ipatest.dom])
>
> Based on the [1]FreeIPA SID documentation, I understand this may be caused by the fact that host and host group entries do not receive a SID by default, and therefore cannot be resolved to a valid UID. This seems to block authorization when attempting to access the Samba resource via a machine SPN.
>
> I would like to clarify:
>
> 1. Is my understanding correct that the lack of a SID on the machine account prevents successful Kerberos-based access using its SPN?

No. The SID is present in the Kerberos ticket, as you can see. It is the
fact that all IPA hosts aren't POSIX accounts that prevents you from
running smbd under their identities. No POSIX account -> no way for
Samba processes to switch to that identity and use it.

> 2. Are there recommended steps to assign a SID to a machine entry (or group of machines) in FreeIPA, or a workaround for this behavior?

A machine can be configured to have a POSIX account by running
`ipa-client-samba` on it. This implies that the machine would be a
domain member running Samba server.

Alternatively, you can run

  # ipa-client-install
  # kinit -k
  # ipa service-add-smb `hostname`
  # ipa-getkeytab -k ./some.keytab -p cifs/`hostname`

Either of these will create the cifs/`hostname` service in a special
way to make sure it has a POSIX identity and will retrieve a keytab to
use. This is described in
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html


> 3. Is there a supported (or clean) way to configure access control to a Samba share not based on the Kerberos ticket of the logged-in user, but rather based on the machine identity (SPN) itself?

"Machine identity" in FreeIPA is the Kerberos principal
cifs/`hostname` and nothing else. It will have a POSIX
identity of 'NETBIOSNAME$' aliased for that machine.

For example, on the enrolled client:

[root@fedoravm03 ~]# kinit -k
[root@fedoravm03 ~]# ipa service-add-smb `hostname`
-------------------------------------------
Added service "fedoravm03.example.test"
-------------------------------------------
  Principal name: cifs/[email protected]
  Principal alias: cifs/[email protected], [email protected]
  Managed by: fedoravm03.example.test
[root@fedoravm03 ~]# ipa service-show --all cifs/`hostname`
  dn: krbprincipalname=cifs/[email protected],cn=services,cn=accounts,dc=example,dc=test
  Principal name: cifs/[email protected]
  Principal alias: cifs/[email protected], [email protected]
  Requires pre-authentication: True
  Trusted for delegation: False
  Trusted to authenticate as user: False
  Keytab: False
  Managed by: fedoravm03.example.test
  cn: FEDORAVM03
  gidnumber: 808800009
  homedirectory: /dev/null
  ipakrbprincipalalias: cifs/[email protected]
  ipantsecurityidentifier: S-1-5-21-3525893987-1657413332-3507543860-1009
  ipauniqueid: c1ddee5c-160d-11f0-aa4f-7c1e5287c662
  objectclass: krbprincipal, krbprincipalaux, krbticketpolicyaux, ipaobject, ipaservice, pkiuser, ipakrbprincipal, ipaidobject, posixaccount, top, ipantuserattrs
  uid: cifs/fedoravm03.example.test, FEDORAVM03$
  uidnumber: 808800009
[root@fedoravm03 ~]# ipa-getkeytab -k ./fedoravm03.keytab -p cifs/`hostname`
Keytab successfully retrieved and stored in: ./fedoravm03.keytab
[root@fedoravm03 ~]# kinit -kt ./fedoravm03.keytab cifs/`hostname`
[root@fedoravm03 ~]# smbclient -L master.example.test --use-krb5-ccache=KCM:
        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 4.22.0)
SMB1 disabled -- no workgroup available
[root@fedoravm03 ~]# klist
Ticket cache: KCM:0:22398
Default principal: cifs/[email protected]

Valid starting       Expires              Service principal
04/10/2025 13:15:57  04/11/2025 12:37:30  krbtgt/[email protected]
04/10/2025 13:16:21  04/11/2025 12:37:30  cifs/[email protected]

And on the master after the smbclient command was run:

[root@master ~]# grep AuthZ /var/log/samba/log.192.168.120.8
Successful AuthZ: [SMB2,krb5] user [EXAMPLE]\[cifs/fedoravm03.example.test] [S-1-5-21-3525893987-1657413332-3507543860-1009] at [Thu, 10 Apr 2025 13:16:21.944729 UTC] Remote host [ipv4:X.X.X.X:58556] local host [ipv4:Y.Y.Y.Y:445]

[root@master ~]# id 'FEDORAVM03$'
uid=808800009(cifs/fedoravm03.example.test) gid=808800009 groups=808800009

So now this name can be used in POSIX ACLs as any other name.

> Any suggestions, documentation references, or configuration examples would be greatly appreciated.
>
> Best regards,
> Daniel
>
> ----------------
> To: FreeIPA users list ([email protected]); Cc: Alexander Bokovoy ([email protected]); Subject: [Freeipa-users] Re: Configuring Samba share with Kerberos authentication without ipa-adtrust-install; 04.04.2025, 15:59, "Alexander Bokovoy via FreeIPA-users" <[email protected]>:
>
>> On Fri, 04 Apr 2025, Данила Скачедубов via FreeIPA-users wrote:
>>> Hello,
>>>
>>> Is it possible to create a Samba network share on a FreeIPA domain
>>> controller that would allow domain users to authenticate via their
>>> Kerberos tickets without running ipa-adtrust-install?
>>>
>>> Since I don't plan to establish any trust relationship with Windows
>>> domains:
>>>
>>>  1. Can winbind properly map user SIDs to UIDs without the AD trust
>>>     components installed?
>>>
>>>  2. Or is there an alternative way to configure smb.conf to make this work
>>>     with pure FreeIPA/Kerberos authentication?
>>>
>>> My understanding is that ipa-adtrust-install generates the necessary ID
>>> mapping structures for Samba, but I'm wondering if there's a
>>> lighter-weight solution when Windows trusts aren't required.
>>
>> No, it isn't.
>>
>> Domain network has specific assumptions and there is one important:
>> there must be a domain controller configured. All `ipa-adtrust-install`
>> does is to configure that domain controller. Regardless whether you want
>> to use 'AD trust' or not, you have to have a domain controller if you
>> want to use domain-wide authentication.
>>
>> `ipa-adtrust-install` simply configures Samba DC to use a special mode
>> that is valid for IPA domain controller. This is needed because other
>> supported Samba modes cannot be used with FreeIPA domain controller (we
>> do not implement Active Directory DC, so we cannot use ADDC mode). It is
>> a hybrid mode described in
>> [2]https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-controller.html
>>
>> While Samba is configured in a standalone mode, it is typically not
>> expected to work with Kerberos in that mode. We had to fix a lot of
>> issues in Samba code to make it possible to use Kerberos with local KDC
>> (when Samba is not enrolled into any domain).
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [3][email protected]
>> To unsubscribe send an email to [4][email protected]
>> Fedora Code of Conduct: [5]https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: [6]https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: [7]https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it: [8]https://pagure.io/fedora-infrastructure/new_issue
References

  Visible links
  1. https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html
  2. https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-controller.html
  3. mailto:[email protected]
  4. mailto:[email protected]
  5. https://docs.fedoraproject.org/en-US/project/code-of-conduct/
  6. https://fedoraproject.org/wiki/Mailing_list_guidelines
  7. https://lists.fedorahosted.org/archives/list/[email protected]
  8. https://pagure.io/fedora-infrastructure/new_issue

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
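The checks a domain member admin would run after following Alexander's steps above, as an added example that is not code from the thread, from FreeIPA or from Samba. It assumes the 'NETBIOSNAME$' alias is the uppercased short hostname followed by '$', exactly as the `id` and `ipa service-show` output above shows; it uses `setfacl` for the POSIX ACL step (the thread names POSIX ACLs but no tool); and the sample `id` line and Samba AuthZ line are constructed from the output quoted above, with the X.X.X.X / Y.Y.Y.Y placeholders kept.

```shell
#!/bin/bash
# Added example (not code from the thread, FreeIPA or Samba): helpers around
# the POSIX identity FreeIPA gives a machine's cifs/<hostname> service.
set -eu

# Derive the NetBIOS-style POSIX alias for a host, e.g.
# 'fedoravm03.example.test' -> 'FEDORAVM03$'.
# Assumption: uppercased short hostname plus '$', as in the service-show output.
machine_alias() {
    short="${1%%.*}"
    printf '%s$\n' "$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')"
}

# Extract the account name from `id` output:
# "uid=808800009(cifs/fedoravm03.example.test) gid=..." -> "cifs/fedoravm03.example.test"
posix_name_from_id() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Confirm the alias resolves to the host's own cifs/<hostname> service.
# Takes `id` output as an argument so it can be checked offline; on a real
# member run: alias_resolves "$(id "$(machine_alias "$fqdn")")" "$fqdn"
alias_resolves() {
    [ "$(posix_name_from_id "$1")" = "cifs/$2" ]
}

# Pull "<account> <SID>" out of a Samba "Successful AuthZ" log line, so the
# identity that actually authenticated can be compared with the expected one.
authz_identity() {
    printf '%s\n' "$1" | sed -n 's/.*user \[[^]]*]\\\[\([^]]*\)] \[\(S-[0-9-]*\)].*/\1 \2/p'
}

# Print (do not run) the setfacl command granting the machine identity rwx on a
# share directory, so it can be reviewed before it is applied.
acl_command() {
    printf "setfacl -m 'u:%s:rwx' '%s'\n" "$(machine_alias "$1")" "$2"
}

# Constructed sample data, taken from the output quoted in the thread.
SAMPLE_FQDN='fedoravm03.example.test'
SAMPLE_ID='uid=808800009(cifs/fedoravm03.example.test) gid=808800009 groups=808800009'
SAMPLE_AUTHZ='Successful AuthZ: [SMB2,krb5] user [EXAMPLE]\[cifs/fedoravm03.example.test] [S-1-5-21-3525893987-1657413332-3507543860-1009] at [Thu, 10 Apr 2025 13:16:21.944729 UTC] Remote host [ipv4:X.X.X.X:58556] local host [ipv4:Y.Y.Y.Y:445]'

# Stand-alone demo run over the constructed samples.
machine_alias "$SAMPLE_FQDN"
alias_resolves "$SAMPLE_ID" "$SAMPLE_FQDN" && echo "alias resolves to cifs/$SAMPLE_FQDN"
authz_identity "$SAMPLE_AUTHZ"
acl_command "$SAMPLE_FQDN" /srv/share
```

On a real member, feed `alias_resolves` the output of `id 'NETBIOSNAME$'` before touching ACLs: if the name does not resolve, the cifs service was not created with `ipa service-add-smb` (or SSSD has not picked it up yet), and any ACL entry naming it will simply be rejected.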
