Samba use freeipa auth for windows clients accessing cifs share

freeipanetwork-sharessamba

TL;DR

I want a Windows client to be able to access a samba share by using a freeipa credential.

Problem

This is on superuser and not serverfault because it's not a work production environment; this is my home network.
There are many guides for using GNU/Linux samba for interoperability with Windows. But I don't want to have cross-domain trust (my Windows AD domain is going away eventually).

Can I configure samba to point to freeipa (ipasam? ldapsam?) so that on my Windows client (I keep around for games) I can use "bgstack15@myfreeipadomain.example.com" to connect to the \linuxserver\sharename?

I know how to configure samba to use an existing AD domain for a domain-joined GNU/Linux host but that's not what I'm doing here. My host this time is the freeipa domain controller, but I might make a freeipa client my file server.
I have nfs for the other Linux hosts, but my quick search on "nfs windows" didn't show anything that would be any better/easier than my desired goal here.

Possibilities

Could I use ipasam or ldapsam backends?
Could I use samba as a "Windows domain controller" and have it trust the ipa domain and map the users?

update on Sept 7

I found https://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/ and followed its steps which show how to modify freeipa's schema to include samba properties. But I am still getting errors: NT_STATUS_WRONG_PASSWORD.

Best Answer

After 8 months, I finally solved the problem!

Samba share with freeipa auth

The complete set of information is at https://bgstack15.wordpress.com/2017/05/10/samba-share-with-freeipa-auth/.

On the freeipa controller:

yum -y install ipa-server-trust-ad
ipa-adtrust-install --add-sids

After running the --add-sids, users need to reset their passwords, in order for freeipa to generate the ipaNTHash value of their passwords.

On the samba server:

yum -y install ipa-server-trust-ad

Open the firewall ports it asks for (TCP 135,138,139,445,1024-1300; UDP 138,139,389,445)

Allow samba to read passwords

ipa permission-add "CIFS server can read user passwords" \
   --attrs={ipaNTHash,ipaNTSecurityIdentifier} \
   --type=user --right={read,search,compare} --bindtype=permission
ipa privilege-add "CIFS server privilege"
ipa privilege-add-permission "CIFS server privilege" \
   --permission="CIFS server can read user passwords"
ipa role-add "CIFS server"
ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege"
ipa role-add-member "CIFS server" --services=cifs/host2.vm.example.com

Prepare samba conf and restart samba.

tf=/etc/samba/smb.conf
touch "${tf}"; chmod 0644 "${tf}"; chown root:root "${tf}"; restorecon "${tf}"
cat < "${tf}"
[global]
    debug pid = yes
    realm = VM.EXAMPLE.COM
    workgroup = VM
    domain master = Yes
    ldap group suffix = cn=groups,cn=accounts
    ldap machine suffix = cn=computers,cn=accounts
    ldap ssl = off
    ldap suffix = dc=vm,dc=example,dc=com
    ldap user suffix = cn=users,cn=accounts
    log file = /var/log/samba/log
    max log size = 100000
    domain logons = Yes
    registry shares = Yes
    disable spoolss = Yes
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    #passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-VM-EXAMPLE-COM.socket
    #passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd-VM-EXAMPLE-COM.socket
    passdb backend = ipasam:ldap://host2.vm.example.com ldap://host1.vm.example.com
    security = USER
    create krb5 conf = No
    rpc_daemon:lsasd = fork
    rpc_daemon:epmd = fork
    rpc_server:tcpip = yes
    rpc_server:netlogon = external
    rpc_server:samr = external
    rpc_server:lsasd = external
    rpc_server:lsass = external
    rpc_server:lsarpc = external
    rpc_server:epmapper = external
    ldapsam:trusted = yes
    idmap config * : backend = tdb

    ldap admin dn = cn=Directory Manager

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
EOFCONF
systemctl restart smb.service

Related Solutions

Windows 10 64 domain computer cannot access Linux (Raspberry Pi3) samba share

It could be that your Windows 10 client is now trying to implicitly authenticate using DOMAIN\username when you try to access the share.

Does the Raspberry Pi3 have a hostname/NETBIOS name in the samba configuration (under the global config section)? If so, you could try specifying SAMBA_NETBIOSNAME\username when you try to authenticate to access the share.

UPDATE:
Based on the config you provided I would suggest adding netbios name = pi3 or something to that effect and then trying to sign in with pi3\username.

You might also try playing with some of the other authentication settings found in the documentation for SAMBA. Note that you'll probably have to restart the samba daemon after making changes to the config.

For example, you might try adding auth methods = guest sam winbind noting that guest allows anonymous access. That way you could isolate the problem between a configuration problem and an authentication problem (assuming anonymous access would be used when you can't authenticate - I'm rusty on my SAMBA skills).

In other words, as long as you can get in with guest enabled then we know at least the v1,2,3 piece is working and you can focus on the authentication settings. Once you've finally got the settings working for non-guest access you should remove the guest access to prevent unauthorized access to your share(s).

I'd also consider adding settings to force the ntlm auth, lanman auth, server schannel, and server signing settings to mirror the settings in your Windows client.

To check the equivalent Windows settings, run "secpol.msc" and check the settings under:

Security Settings
  Local Polices
    Security Options
      - Microsoft network client: *
      - Network security: *

Microsoft network client: Digitally encrypt or sign secure channel data (always)
Microsoft network client: Digitally encrypt secure channel data (when possible)
Microsoft network client: Digitally sign secure channel data (when possible)

These settings dictate what the server schannel and server signing settings should be in your samba config.

Network security: LAN Manager authentication level

This setting dictates what the ntlm auth and lanman auth settings should be in your samba config.

For example, Send NTLMv2 response only. Refuse LM & NTLM in your Windows settings is equivalent to ntlm auth = no and lanman auth = no in your samba config.

NOTE: I don't recommend changing your Windows settings unless you're comfortable troubleshooting authentication issues with the domain afterwards.

Linux – Windows 10 cannot connect to Linux Samba shares, except from SMB1/CIFS

In my case (Windows 10, ancient Samba 4.2.10 on CentOS 6) what helped was setting the min protocol to SMB2, max protocol to SMB3:

[global]

min protocol = SMB2
max protocol = SMB3

client min protocol = SMB2
client max protocol = SMB3

client ipc min protocol = SMB2
client ipc max protocol = SMB3

server min protocol = SMB2
server max protocol = SMB3

And then connecting the share as a network drive (Explorer -> Home -> Easy access -> Map as drive), putting in the share name (\\1.2.3.4\ShareName), ticking "Connect using different credentials", then Other, and put in username in the format DOMAIN\username.

When trying to get to the share in Explorer, it would never ask for credentials, nor was I able to specify the username with net use \\shareserver\data /user:testuser (got System Error 58).