Samba Authentication

active-directory, authentication, kerberos, samba, windows-7

I know it's going to seem like I haven't done the research here, because I have done it, and I know how many related questions and tutorials there are. I have read every tutorial I can find online for this. I have gone through the complete list of Samba/Kerberos/AD/authentication topics on serverfault.

Actually, the tutorial that got me the farthest, just because I was able to verify success at each stage, was Alas, it still didn't work. Without further ado, my issue:

I have a KVM guest running CentOS 6.5. I have installed Samba 3.6.9. I want to use Samba to share users' home directories so that they can map them as network drives on Windows 7 machines. I have successfully done this using smbpasswd with local accounts. The problem is that I want to authenticate these users using Kerberos (Active Directory, over which I have no control). I do not need or want any sort of user, group, or policy information from Kerberos/AD/LDAP. I only want to authenticate the user's password as provided by the user to the Windows drive mapping GUI and sent to Samba.

It's also worth noting that I already have configured Kerberos for SSH access on the same KVM guest for the same users. With entries in /etc/passwd and no password set in /etc/shadow, the users enter their Kerberos password at SSH login and are authenticated. This is exactly what I want for Samba. I want the users to "Map Network Drive", enter the FQDN of the Samba server, enter their username and password, and have Samba authenticate them with that password in the same way that SSH authenticates them with the password at which point the share would successfully be mapped.

I have done:

service winbind start
service smb start
service nmb start

The krb5.conf, which works great for the SSH authentication is:

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
  default_realm = MYDOMAIN.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

 [realms]
  MYDOMAIN.COM = {
   kdc =
   admin_server =
  }

 [domain_realm]
   = MYDOMAIN.COM
   = MYDOMAIN.COM

In /etc/samba/smb.conf, I have tried many things, but the configuration that seems most logical based on all the tutorials involves, most relevantly:

workgroup = MYDOMAIN
security = ads
encrypt passwords = yes
kerberos method = secrets only
password server =

It's worth noting that is the FQDN of my server and MYDOMAIN.COM is the Kerberos realm, so that's not a typo.

The problem is, first, most tutorials talk about generating a keytab and a principal for the host. I do not understand this, because I am not authenticating the host but only the users. Also, SSH password authentication with Kerberos does not require such a step as far as I know (I didn't have to do it). They suggest setting accordingly "kerberos method = secrets and keytab". Second, many tutorials seem centered on either getting information about users and groups that are stored in Active Directory or authenticating users against Samba for some other purpose using Kerberos. I only want to use Samba for file sharing and I only want to use Kerberos to authenticate passwords just like my SSH configuration.

Every attempt and every tutorial I have followed results in failure. I check /var/log/samba/* for logs and find files with a name including the IP address of the connecting machine but no information about the connection attempt. Those log files are empty.

It's worth noting that while I can join my server to the domain, I do not have administrative privileges, so I think that I cannot generate a keytab (though I do not understand why Samba needs one if SSH does not).

Could anybody please give me some help on accomplishing this? Or, if somehow it cannot be done, let me know that and explain why? I don't mind being pointed to a tutorial, but I have honestly scoured every tutorial I can find, so please be willing to accept follow-up questions if you provide a tutorial link.

Thanks much.

Best Answer

The problem is, first, most tutorials talk about generating a keytab and a principal for the host. I do not understand this, because I am not authenticating the host but only the users.

I know this answer is a few years after the question was asked, but, from Centrify's centrifydc.conf file:

By default, a user's TGT will be verified by retrieving and verifying a service ticket for the local system. This check is done in order to prevent a well-known attack (Zanarotti aka screen-saver attack) whereby a rogue KDC could respond to our request to get the user's TGT. If set to false, the spoofing check will be disabled and will significantly improve the authentication performance.

krb5.verify.credentials: true

And, from MIT's website:

Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC. Failure to perform this verification is a critical vulnerability, because a malicious user can execute the "Zanarotti attack": the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker-controlled KDC.
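To make the answer's point concrete, here is an added toy model of the Zanarotti attack and of the verify-initial-credentials check; it is example code written for this page, not code from the question, the answer, Samba, Centrify or MIT. Real Kerberos encrypts tickets with AES; the model replaces that with an HMAC-SHA256 tag under the relevant long-term key, which is enough to show the logic: a rogue KDC can answer the AS exchange for any password the attacker chooses, and the only thing that exposes it is a service ticket for the local host principal that the host must decrypt with its own keytab. The realm is the one named in the thread; the host principal, user name, passwords and keys are invented placeholders.

```python
"""Toy model: rogue-KDC (Zanarotti) login vs. verification against a host keytab.

Added example, not part of the thread above. Ticket "encryption" is modelled by an
HMAC tag under the sealing key; names and keys are constructed placeholders.
"""
import hashlib
import hmac
import json
import os

REALM = "MYDOMAIN.COM"
HOST_PRINC = "host/fileserver.mydomain.com@" + REALM  # assumption: the Samba host's SPN


def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key (password -> long-term key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)


def seal(key: bytes, payload: dict) -> dict:
    # "Encrypt" a ticket: only a holder of `key` can produce a valid tag.
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, "sha256").hexdigest()}


def open_sealed(key: bytes, blob: dict) -> dict:
    body = bytes.fromhex(blob["body"])
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed: ticket not sealed under this key")
    return json.loads(body)


class KDC:
    """A KDC is a table of principal -> long-term key plus its own krbtgt key."""

    def __init__(self, principal_keys: dict):
        self.keys = dict(principal_keys)
        self.tgs_key = os.urandom(32)

    def as_exchange(self, user: str):
        # AS-REP: TGT sealed under the krbtgt key, session key sealed under the user's key.
        session = os.urandom(16).hex()
        tgt = seal(self.tgs_key, {"client": user, "session": session})
        enc_part = seal(self.keys[user], {"session": session, "realm": REALM})
        return tgt, enc_part

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        # TGS-REP: service ticket sealed under the service's long-term key.
        client = open_sealed(self.tgs_key, tgt)["client"]
        # A rogue KDC does not hold the real host key, so whatever it seals the
        # host ticket with cannot match the key in the host's keytab.
        svc_key = self.keys.get(service) or os.urandom(32)
        return seal(svc_key, {"client": client, "service": service})


class Client:
    def __init__(self, kdc: KDC, host_keytab):
        self.kdc = kdc
        self.host_keytab = host_keytab  # None models "this box has no keytab"

    def kinit(self, user: str, password: str) -> dict:
        tgt, enc_part = self.kdc.as_exchange(user)
        open_sealed(derive_key(password, REALM + user), enc_part)  # wrong pw -> ValueError
        return tgt

    def verify_initial_creds(self, tgt: dict) -> bool:
        # The check the answer describes: fetch a ticket for our own host
        # principal and confirm it opens with the key in our keytab.
        if self.host_keytab is None:
            return False  # like MIT's verify_ap_req_nofail = true: no keytab, no trust
        ticket = self.kdc.tgs_exchange(tgt, HOST_PRINC)
        try:
            open_sealed(self.host_keytab[HOST_PRINC], ticket)
        except ValueError:
            return False
        return True


def login(client: Client, user: str, password: str, verify: bool = True) -> str:
    try:
        tgt = client.kinit(user, password)
    except ValueError:
        return "denied: bad password"
    if verify and not client.verify_initial_creds(tgt):
        return "denied: credentials not verified"
    return "granted"


def demo() -> dict:
    user, real_pw = "alice", "correct horse battery"  # constructed sample data
    host_key = os.urandom(32)
    legit = KDC({user: derive_key(real_pw, REALM + user), HOST_PRINC: host_key})
    rogue = KDC({user: derive_key("attacker-chosen", REALM + user)})  # knows no host key
    keytab = {HOST_PRINC: host_key}
    return {
        "legit_good_pw": login(Client(legit, keytab), user, real_pw),
        "legit_bad_pw": login(Client(legit, keytab), user, "wrong"),
        "legit_no_keytab": login(Client(legit, None), user, real_pw),
        "rogue_unverified": login(Client(rogue, None), user, "attacker-chosen", verify=False),
        "rogue_verified": login(Client(rogue, keytab), user, "attacker-chosen"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

The "rogue_unverified" case is the question's proposed setup: a password that decrypts an AS-REP proves only that the client and whichever KDC answered agree on a key, and an attacker who points the host at their own KDC agrees with themselves. The "legit_no_keytab" case is why the tutorials insist on a host principal: without a keytab the host has nothing to verify against, so a strict verifier (MIT's verify_ap_req_nofail, or Samba with a keytab-backed kerberos method rather than secrets only) has to refuse. SSH on the same box appears to skip this only because the PAM/krb5 stack there is configured to tolerate a missing keytab, which is the weaker posture.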