Hi,
I'm running a Debian 10 Samba server with winbind and kerberos in a
Active Directory domain.
Domain users can access a unique share, which is then divideded into
different directories, each with different file system permissions,
based on domain users and groups. A single user can only access some of
these directories from a Windows or Linux client (clearly joined to the
domain) without being prompted for credentials, because the user is
already logged in the domain by his client machine.
The problem is that if a user tries to access one directory he's not
allowed to access, the server just blocks the access, without giving
him a chance to authenticate as a different user. This would be most
useful for technicians, who need to access some "private" directories,
containing installation packages and activation keys for many
softwares, from the user client without being forced to logout from the
client and login again with admin credentials, which is very annoying
for them.
Here is smb.conf:
[global]
workgroup = BNCRM
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = "" %d
server role = member server
password server = dc2.bncrm.roma
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
usershare allow guests = yes
kerberos method = system keytab
template homedir = /home/%U
template shell = /bin/bash
security = ads
realm = BNCRM.ROMA
idmap backend = tdb
idmap gid = 10000-2000000
idmap uid = 10000-2000000
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = yes
winbind enum users = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map
[dati]
path = /data
valid users = @"domain users", system
browsable = yes
writable = yes
read _only_ = no
-------------------------
Here is nsswitch.conf:
passwd: files systemd winbind
group: files systemd winbind
shadow: files winbind
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files winbind
ethers: db files
rpc: db files
netgroup: nis winbind
sudoers: files winbind
----------------
pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
---------------------------
Finally, krb5.conf:
[libdefaults]
default_realm = BNCRM.ROMA
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
BNCRM = {
kdc = 192.168.0.195
kdc = 192.168.0.190
admin_server = 192.168.0.195 192.168.0.190
}
[domain_realm]
.bncrm.roma = BNCRM.ROMA
bncrm.roma = BNCRM.ROMA
-----------------------
I'm not sure it's enough, feel free to ask anything you need.
Thanks in advance and best regards.