Dear David, below is what you asked for, I hope it's enough, thanks.
On Fri, 2022-10-21 at 17:26 -0700, David Christensen wrote:
> On 10/21/22 05:40, nimrod wrote:
> > Hi,
> >
> > I'm running a Debian 10 Samba server with winbind and kerberos in an
> > Active Directory domain.
> >
> > Domain users can access a unique share, which is then divided into
> > different directories, each with different file system permissions,
> > based on domain users and groups. A single user can only access some of
> > these directories from a Windows or Linux client (clearly joined to the
> > domain) without being prompted for credentials, because the user is
> > already logged in to the domain by his client machine.
> >
> > The problem is that if a user tries to access one directory he's not
> > allowed to access, the server just blocks the access, without giving
> > him a chance to authenticate as a different user. This would be most
> > useful for technicians, who need to access some "private" directories,
> > containing installation packages and activation keys for many software
> > products, from the user client without being forced to logout from the
> > client and login again with admin credentials, which is very annoying
> > for them.
> >
> > Here is smb.conf:
> >
> > [global]
> > workgroup = BNCRM
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > logging = file
> > panic action = /usr/share/samba/panic-action %d
> > server role = member server
> > password server = dc2.bncrm.roma
> > obey pam restrictions = yes
> > unix password sync = yes
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> > pam password change = yes
> > usershare allow guests = yes
> > kerberos method = system keytab
> > template homedir = /home/%U
> > template shell = /bin/bash
> > security = ads
> > realm = BNCRM.ROMA
> > idmap backend = tdb
> > idmap gid = 10000-2000000
> > idmap uid = 10000-2000000
> > winbind use default domain = yes
> > winbind refresh tickets = yes
> > winbind offline logon = yes
> > winbind enum groups = yes
> > winbind enum users = yes
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> > username map = /etc/samba/user.map
> >
> > [dati]
> > path = /data
> > valid users = @"domain users", system
> > browsable = yes
> > writable = yes
> > read only = no
> > -------------------------
> > Here is nsswitch.conf:
> >
> > passwd: files systemd winbind
> > group: files systemd winbind
> > shadow: files winbind
> > gshadow: files
> > hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
> > networks: files
> > protocols: db files
> > services: db files winbind
> > ethers: db files
> > rpc: db files
> > netgroup: nis winbind
> > sudoers: files winbind
> > ----------------
> > pam.d/common-auth
> >
> > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> > auth requisite pam_deny.so
> > auth required pam_permit.so
> > ---------------------------
> > Finally, krb5.conf:
> >
> > [libdefaults]
> > default_realm = BNCRM.ROMA
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > BNCRM = {
> > kdc = 192.168.0.195
> > kdc = 192.168.0.190
> > admin_server = 192.168.0.195 192.168.0.190
> > }
> >
> > [domain_realm]
> > .bncrm.roma = BNCRM.ROMA
> > bncrm.roma = BNCRM.ROMA
> > -----------------------
> > I'm not sure it's enough, feel free to ask anything you need.
> >
> > Thanks in advance and best regards.
>
>
> Please run the following command and post your complete console session
> (prompts, commands entered, output displayed):
>
> # cat /etc/debian_version ; uname -a

11.5
Linux PC-GIULIANO.BNCRM.ROMA 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux

> Please run the following command and post your complete console session
> for any Samba, winbind, Kerberos, and/or other relevant packages you
> have installed:
>
> # dpkg-query -W <package>

samba 2:4.13.13+dfsg-1~deb11u5
winbind
krb5-config 2.6+nmu1
krb5-doc
krb5-k5tls
krb5-kdc
krb5-locales 1.18.3-6+deb11u2
krb5-user 1.18.3-6+deb11u2

>
>
> David
>
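The following is an added example, not part of this thread and not code from the Samba or MIT Kerberos projects: a small Python script that parses a krb5.conf and reports when a realm named by default_realm or in [domain_realm] has no matching [realms] stanza (in which case the library has to fall back to DNS lookup, if that is enabled, to find a KDC for the realm), and when a [realms] stanza is never referenced or lists no kdc. SAMPLE_KRB5_CONF is a constructed copy of the krb5.conf quoted above; on it the script reports that the [realms] stanza is named BNCRM while default_realm and [domain_realm] name BNCRM.ROMA. The function names are my own, and the parser handles only the one level of brace nesting that [realms] needs.

```python
"""Consistency check for realm names in a krb5.conf file (added example)."""
import re

# Constructed sample: a copy of the krb5.conf quoted in the thread above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = BNCRM.ROMA
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true

[realms]
    BNCRM = {
        kdc = 192.168.0.195
        kdc = 192.168.0.190
        admin_server = 192.168.0.195 192.168.0.190
    }

[domain_realm]
    .bncrm.roma = BNCRM.ROMA
    bncrm.roma = BNCRM.ROMA
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}}.

    Handles one level of '{ ... }' nesting (enough for [realms]); repeated
    keys such as several 'kdc' lines are collected into a list.
    """
    sections = {}
    stack = []  # innermost dict last; empty until the first [section] header
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r'^\[(\S+)\]$', line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError('directive before any [section]: %r' % raw)
        if line == '}':
            stack.pop()
            continue
        if line.endswith('{'):
            # "NAME = {" opens a nested block, e.g. a realm stanza
            name = line[:-1].strip().rstrip('=').strip()
            stack[-1][name] = {}
            stack.append(stack[-1][name])
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        target = stack[-1]
        if key in target:  # repeated key: accumulate into a list
            if not isinstance(target[key], list):
                target[key] = [target[key]]
            target[key].append(value)
        else:
            target[key] = value
    return sections


def check_realms(conf):
    """Return a list of findings; an empty list means the realm names line up."""
    findings = []
    realms = conf.get('realms', {})
    referenced = set()
    for value in conf.get('domain_realm', {}).values():
        referenced.update(value if isinstance(value, list) else [value])
    default_realm = conf.get('libdefaults', {}).get('default_realm')
    if default_realm:
        referenced.add(default_realm)
    else:
        findings.append('no default_realm in [libdefaults]')
    for realm in sorted(referenced):
        if realm not in realms:
            findings.append('realm %s is referenced but has no [realms] stanza' % realm)
    for realm, stanza in realms.items():
        if realm not in referenced:
            findings.append('[realms] stanza %s is not referenced by default_realm or [domain_realm]' % realm)
        if 'kdc' not in stanza:
            findings.append('[realms] stanza %s lists no kdc' % realm)
    return findings


if __name__ == '__main__':
    import sys
    # Usage: python3 check_krb5.py [/etc/krb5.conf]; with no argument the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    for finding in check_realms(parse_krb5_conf(text)) or ['no realm inconsistencies found']:
        print(finding)
```

Renaming the stanza to match default_realm (here, BNCRM.ROMA = {) makes check_realms return an empty list; the script is a consistency check only and does not say whether that mismatch is what causes the behaviour reported in the thread.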