Raison D'ĂȘtre
I am attempting, so far unsuccessfully, to house roaming profiles for an Active Directory domain on a realm trusted Ubuntu 12.04LTS ZFS-on-Linux file server. The end goal is to have an inter-operable file server to house autofs nfs home directories for Linux and roaming profiles for Windows. It is politically difficult for me to do this purely with Windows Servers or joining Linux servers into Active Directory. As such, I am looking for technical solutions or proof that such technical solutions are less tenable than fighting political battles.
I suspect my current difficulty has something to do with the windows client to samba interactions rather than zfs, but I'm a bit out of my depth, so I'm not ruling it completely out. Could you, dear reader, point out why what I'm doing is incorrect and explain the correct procedure?
What I think I know
- The user can successfully log onto the client machine from the kerberos realm. However, the user is logged in with a temporary profile.
- A profile folder is created (presumably by login process) on the file server, but no other files are made in that newly created profile folder.
- The profile folder is created automatically with the proper owner/group.
- Given that, it seems unlikely the the profile is loaded before the credential cache is instantiated or the krbtgt is granted.
- While logged into the temporary profile, the user can create files on the file server without having to supply the file server with any (additional) credentials. That is there is no prompt. These files are also created with the proper owner/group.
Additional Information
This is all the configuration I think you'll want to know about, but I could be wrong.
I apologize for not finding a way to have it be collapsible.
A Brief Overview of Systems and Machines Involved
AD domain: ad.example.com (Functional Level 2012)
domain controllers: dc1.ad.example.com, dc2.ad.example.com (OS: Windows Server 2012 Std)
mit-krb5 realm: EXAMPLE.COM
mit-krb5 kdcs: kdc1.example.com, kdc2.example.com (mit-krb5: 1.9.4)
smb/cifs server: zfs.example.com (OS: Ubuntu 12.04LTS)
client: client.ad.example.com (OS: Windows 8 Enterprise)
The Samba Log
root@zfs:~# cat /var/log/samba/client.log
[2013/06/14 14:37:26.194496, 0] param/loadparm.c:9114(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
[2013/06/14 14:37:26.460344, 0] param/loadparm.c:9114(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
[2013/06/14 14:44:04.352344, 0] param/loadparm.c:9114(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/tank_test failed. Permission denied
Not sure what it's complaining about…
root@zfs:~# ls -l /var/lib/samba/usershares/tank_test
-rw-r--r-- 1 root root 110 Jun 14 12:57 /var/lib/samba/usershares/tank_test
The File Server Share Pre-login
root@zfs:~# ls -la /tank/test/
total 38
drwxrwxrwt 2 root root 2 Jun 14 09:12 .
drwxr-xr-x 5 root root 5 Jun 13 15:52 ..
File Server Share Post-login:
root@zfs:~# ls -la /tank/test/
total 57
drwxrwxrwt 3 root root 3 Jun 14 09:16 .
drwxr-xr-x 5 root root 5 Jun 13 15:52 ..
drwxr-xr-x 2 user user 2 Jun 14 09:16 user.V2
root@zfs:~# find /tank/test
/tank/test
/tank/test/user.V2/
User's Credential Cache upon Login
Current LogonId is 0:0x6c79e3
Cached Tickets: (7)
#0> Client: user @ EXAMPLE.COM
Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a90000 -> forwardable forwarded renewable pre_authent name_canonicalize 0x80000
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 2:44:24 (local)
Renew Time: 6/21/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: kdc2.example.com
#1> Client: user @ EXAMPLE.COM
Server: krbtgt/AD.EXAMPLE.COM @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 2:44:24 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: kdc2.example.com
#2> Client: user @ EXAMPLE.COM
Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 2:44:24 (local)
Renew Time: 6/21/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: kdc2.example.com
#3> Client: user @ EXAMPLE.COM
Server: ldap/dc1.ad.example.com @ AD.EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 6/14/2013 14:44:31 (local)
End Time: 6/15/2013 0:44:31 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc1.ad.example.com
#4> Client: user @ EXAMPLE.COM
Server: LDAP/dc1.ad.example.com/ad.example.com @ AD.EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 6/14/2013 14:44:25 (local)
End Time: 6/15/2013 0:44:25 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc1.ad.example.com
#5> Client: user @ EXAMPLE.COM
Server: cifs/dc1.ad.example.com @ AD.EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 0:44:24 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc1.ad.example.com
#6> Client: user @ EXAMPLE.COM
Server: cifs/zfs.example.com @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
Start Time: 6/14/2013 14:44:24 (local)
End Time: 6/15/2013 2:44:24 (local)
Renew Time: 6/14/2013 14:44:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: kdc2.example.com
The REALM Trust
ldapsearch -h ad.example.com -LLL cn=EXAMPLE.COM objectClass trustPartner instancetype trustDirection trustAttributes
SASL/GSSAPI authentication started
SASL username: user@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: CN=EXAMPLE.COM,CN=System,DC=ad,DC=example,DC=com
objectClass: top
objectClass: leaf
objectClass: trustedDomain
instanceType: 4
trustDirection: 3
trustPartner: EXAMPLE.COM
trustAttributes: 1
The Active Directory User
ldapsearch -h ad.example.com -LLL samaccountname=user profilePath altSecurityIdentities
SASL/GSSAPI authentication started
SASL username: user@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: CN=Test User,OU=managed users,DC=ad,DC=example,DC=com
profilePath: \\zfs.example.com\tank_test\user
altSecurityIdentities: Kerberos:user@EXAMPLE.COM
The Basic ZFS information
root@zfs:~# zfs get mountpoint,casesensitivity,sharesmb,available tank/test
NAME PROPERTY VALUE SOURCE
tank/test mountpoint /tank/test default
tank/test casesensitivity mixed -
tank/test sharesmb on local
tank/test available 26.1T -
ZFS created smb share
root@zfs:~# cat /var/lib/samba/usershares/tank_test
#VERSION 2
path=/tank/test
comment=Comment: /tank/test
usershare_acl=S-1-1-0:F
guest_ok=n
sharename=tank_test
The Samba Configuration
root@zfs:~# grep -v -e ^$ -e ^\; -e ^# /etc/samba/smb.conf
[global]
workgroup = EXAMPLE.COM
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/%M.log
max log size = 1000
syslog = 3
panic action = /usr/share/samba/panic-action %d
security = ADS
realm = EXAMPLE.COM
kerberos method = system keytab
map to guest = bad user
The File Server's Keytab
root@zfs:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/zfs.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 2 host/zfs.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
3 2 host/zfs.example.com@EXAMPLE.COM (arcfour-hmac)
4 2 nfs/zfs.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
5 2 nfs/zfs.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
6 2 nfs/zfs.example.com@EXAMPLE.COM (arcfour-hmac)
7 2 cifs/zfs.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
8 2 cifs/zfs.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
9 2 cifs/zfs.example.com@EXAMPLE.COM (arcfour-hmac)
The Server's Identity Mapping (via sssd)
root@zfs:~# cat /etc/sssd/sssd.conf
# SSSD configuration generated using /usr/lib/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = example.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/example.com]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
krb5_kdcip = kerberos.example.com
krb5_realm = EXAMPLE.COM
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
The Server's (Relavent) Packages
root@zfs:~# uname -a
Linux zfs 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
root@zfs:~# dpkg --get-selections | grep -e samba -e zfs -e krb -e sssd
krb5-config install
krb5-locales install
krb5-user install
libgssapi-krb5-2 install
libkrb5-26-heimdal install
libkrb5-3 install
libkrb5support0 install
libpam-krb5 install
libzfs1 install
samba install
samba-common install
samba-common-bin install
samba-tools install
sssd install
ubuntu-zfs install
zfs-dkms install
zfsutils install
Best Answer
By default Windows clients must verify a roaming profile folders
ACLs
by using useSIDs
when loading the roaming profiles. Even having theActive Directory
user with the sameuid
,uidNumber
,gidNumber
and a properaltSecurityIdentites
attribute is insufficient.While the SID requirement cannot be disabled. The
ACL
check itself can be. The folder must still be readable by either the user or the Administrators group.Under Server 2012 this policy is called
Do not check for user ownership of Roaming Profile Folders
and is found at
Computuer Configuration \ Administrative Templates \ System \ User Profiles
I should have looked at the Windows client logs earlier; I've not no excuse for that.
Windows log:
Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.