Re: [OmniOS-discuss] LDAP external auth for CIFS service
27 августа 2016 г. 15:00:38 CEST, Tobi Oetiker пишет: >Gordon > >from your explanation it is not quite clear to me if one colud use an >openldap server, and how one would have to go about telling illumos to >use it. > >cheers >tobi > >> On 26.08.2016, at 18:14, Gordon Ross wrote: >> >> Sorry for the delay -- been quite busy. I do look at this list, but >> only occasionally. >> >> The way LDAP auth. works in SMB servers like Samba is that the server >> allows SMB clients (i.e. Windows) to logon using accounts that work >> the same as "local" accounts (what Windows would call "local" >> accounts, meaning they are NOT domain accounts). However, while the >> SMB clients think these are "local" accounts, the server uses >> something akin to the name service switch functions for LDAP to get >> the details of these accounts needed for SMB. >> >> Such accounts are not really "local", but are defined in your LDAP >> service. The SMB server needs a way to get some Windows-specific >> details about those accounts from LDAP, including the "NT password >> hash" (for authentication) and some other Windows-ish details. >> >> The current LDAP libraries in illumos are sufficient for this (though >> for other reasons, it would be nice if we could update them some >day). >> What's missing is some "glue" in the name service switch design, and >> perhaps a new lookup method for the "NT password hash", which is >> similar conceptually to the "shadow password" back-end functions. >One >> can probably pretty much copy/paste the LDAP back-end function for >> shadow passwd. to make the "ntpass" or whatever we call this new >> nsswitch method. The current /var/smb/smbpasswd stuff, currently >> accessed directly from libsmb should really go through the "files" >> back-end, and we might want to consider taking the opportunity to >> change the format of that file (though that means doing some format >> conversion work during upgrades). Once a new nsswitch method for >> "ntpass" (or whatever) is in place, the parts of this in the SMB >> server (mostly libsmb) are fairly easy. >> >> Requests for this feature have come up from time to time over the >last >> few years, but (so far) not from anyone who wanted it badly enough to >> pay for the work. >> >> Gordon >> >> >>> On Thu, Aug 18, 2016 at 11:15 AM, Dan McDonald >wrote: >>> On Aug 18, 2016, at 11:04 AM, Mick Burns wrote: *bump* anyone ? >>> >>> I'm going to forward your note to someone I know who works on CIFS. >He's not on this list. >>> >>> Stay tuned, >>> Dan >>> >>> ___ >>> OmniOS-discuss mailing list >>> OmniOS-discuss@lists.omniti.com >>> http://lists.omniti.com/mailman/listinfo/omnios-discuss >> ___ >> OmniOS-discuss mailing list >> OmniOS-discuss@lists.omniti.com >> http://lists.omniti.com/mailman/listinfo/omnios-discuss >> > >___ >OmniOS-discuss mailing list >OmniOS-discuss@lists.omniti.com >http://lists.omniti.com/mailman/listinfo/omnios-discuss From my fiddling with LDAP (DSEE) for Solaris/OI/Linux accounts with Sol/OI kCIFS server vs. a separate AD domain a few years back, and Gordon's explanations, I think you are asking about several slightly related subsystems in one sentence ;) Yes, you can use an(y?) LDAP service with NIS-equivalent schema with the Solarish ldap-client. DSEE and AD+MS Unix Extensions can do it. Probably OpenLDAP can do it - you might need to port DSEE schema dialect to be recognised by that service though. This regards recognition of Unix accounts for file ownership, ssh, etc. You can also fiddle with netgroups to limit which groups and accounts from LDAP are at all "defined" for a particular client (e.g. a zone might only know about admins or devs for its services, not all organization). Separate from that is kCIFS auth that may rely on a password file (with NTLM hashes, or so they say) which Gordon suggests might be re-coded separately to be an nsswitch service so it can also come from an LDAP backend or from the file. This authorizes the users to enter the server via CIFS. Separate from that is ephemeral mapping (and SMF service for that) to connect AD UUIDs to local (or ldap) Unix id numbers. This part requires an AD service connection so probably a special AD account for the server and perhaps a kerberos login setup. Hope this rant helps ;) Jim -- Typos courtesy of K-9 Mail on my Samsung Android ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss
Re: [OmniOS-discuss] LDAP external auth for CIFS service
Gordon from your explanation it is not quite clear to me if one colud use an openldap server, and how one would have to go about telling illumos to use it. cheers tobi > On 26.08.2016, at 18:14, Gordon Ross wrote: > > Sorry for the delay -- been quite busy. I do look at this list, but > only occasionally. > > The way LDAP auth. works in SMB servers like Samba is that the server > allows SMB clients (i.e. Windows) to logon using accounts that work > the same as "local" accounts (what Windows would call "local" > accounts, meaning they are NOT domain accounts). However, while the > SMB clients think these are "local" accounts, the server uses > something akin to the name service switch functions for LDAP to get > the details of these accounts needed for SMB. > > Such accounts are not really "local", but are defined in your LDAP > service. The SMB server needs a way to get some Windows-specific > details about those accounts from LDAP, including the "NT password > hash" (for authentication) and some other Windows-ish details. > > The current LDAP libraries in illumos are sufficient for this (though > for other reasons, it would be nice if we could update them some day). > What's missing is some "glue" in the name service switch design, and > perhaps a new lookup method for the "NT password hash", which is > similar conceptually to the "shadow password" back-end functions. One > can probably pretty much copy/paste the LDAP back-end function for > shadow passwd. to make the "ntpass" or whatever we call this new > nsswitch method. The current /var/smb/smbpasswd stuff, currently > accessed directly from libsmb should really go through the "files" > back-end, and we might want to consider taking the opportunity to > change the format of that file (though that means doing some format > conversion work during upgrades). Once a new nsswitch method for > "ntpass" (or whatever) is in place, the parts of this in the SMB > server (mostly libsmb) are fairly easy. > > Requests for this feature have come up from time to time over the last > few years, but (so far) not from anyone who wanted it badly enough to > pay for the work. > > Gordon > > >> On Thu, Aug 18, 2016 at 11:15 AM, Dan McDonald wrote: >> >>> On Aug 18, 2016, at 11:04 AM, Mick Burns wrote: >>> >>> *bump* >>> anyone ? >> >> I'm going to forward your note to someone I know who works on CIFS. He's >> not on this list. >> >> Stay tuned, >> Dan >> >> ___ >> OmniOS-discuss mailing list >> OmniOS-discuss@lists.omniti.com >> http://lists.omniti.com/mailman/listinfo/omnios-discuss > ___ > OmniOS-discuss mailing list > OmniOS-discuss@lists.omniti.com > http://lists.omniti.com/mailman/listinfo/omnios-discuss > ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss
Re: [OmniOS-discuss] LDAP external auth for CIFS service
I should also mention: The other solution for the problem of "centralized Windows accounts in a Unix shop" is to run a Samba AD server somewhere, and point your other clients that want LDAP to that. That way you can just tell the Windows clients to use domain accounts. On Fri, Aug 26, 2016 at 12:14 PM, Gordon Ross wrote: > Sorry for the delay -- been quite busy. I do look at this list, but > only occasionally. > > The way LDAP auth. works in SMB servers like Samba is that the server > allows SMB clients (i.e. Windows) to logon using accounts that work > the same as "local" accounts (what Windows would call "local" > accounts, meaning they are NOT domain accounts). However, while the > SMB clients think these are "local" accounts, the server uses > something akin to the name service switch functions for LDAP to get > the details of these accounts needed for SMB. > > Such accounts are not really "local", but are defined in your LDAP > service. The SMB server needs a way to get some Windows-specific > details about those accounts from LDAP, including the "NT password > hash" (for authentication) and some other Windows-ish details. > > The current LDAP libraries in illumos are sufficient for this (though > for other reasons, it would be nice if we could update them some day). > What's missing is some "glue" in the name service switch design, and > perhaps a new lookup method for the "NT password hash", which is > similar conceptually to the "shadow password" back-end functions. One > can probably pretty much copy/paste the LDAP back-end function for > shadow passwd. to make the "ntpass" or whatever we call this new > nsswitch method. The current /var/smb/smbpasswd stuff, currently > accessed directly from libsmb should really go through the "files" > back-end, and we might want to consider taking the opportunity to > change the format of that file (though that means doing some format > conversion work during upgrades). Once a new nsswitch method for > "ntpass" (or whatever) is in place, the parts of this in the SMB > server (mostly libsmb) are fairly easy. > > Requests for this feature have come up from time to time over the last > few years, but (so far) not from anyone who wanted it badly enough to > pay for the work. > > Gordon > > > On Thu, Aug 18, 2016 at 11:15 AM, Dan McDonald wrote: >> >>> On Aug 18, 2016, at 11:04 AM, Mick Burns wrote: >>> >>> *bump* >>> anyone ? >> >> I'm going to forward your note to someone I know who works on CIFS. He's >> not on this list. >> >> Stay tuned, >> Dan >> >> ___ >> OmniOS-discuss mailing list >> OmniOS-discuss@lists.omniti.com >> http://lists.omniti.com/mailman/listinfo/omnios-discuss ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss
Re: [OmniOS-discuss] LDAP external auth for CIFS service
Sorry for the delay -- been quite busy. I do look at this list, but only occasionally. The way LDAP auth. works in SMB servers like Samba is that the server allows SMB clients (i.e. Windows) to logon using accounts that work the same as "local" accounts (what Windows would call "local" accounts, meaning they are NOT domain accounts). However, while the SMB clients think these are "local" accounts, the server uses something akin to the name service switch functions for LDAP to get the details of these accounts needed for SMB. Such accounts are not really "local", but are defined in your LDAP service. The SMB server needs a way to get some Windows-specific details about those accounts from LDAP, including the "NT password hash" (for authentication) and some other Windows-ish details. The current LDAP libraries in illumos are sufficient for this (though for other reasons, it would be nice if we could update them some day). What's missing is some "glue" in the name service switch design, and perhaps a new lookup method for the "NT password hash", which is similar conceptually to the "shadow password" back-end functions. One can probably pretty much copy/paste the LDAP back-end function for shadow passwd. to make the "ntpass" or whatever we call this new nsswitch method. The current /var/smb/smbpasswd stuff, currently accessed directly from libsmb should really go through the "files" back-end, and we might want to consider taking the opportunity to change the format of that file (though that means doing some format conversion work during upgrades). Once a new nsswitch method for "ntpass" (or whatever) is in place, the parts of this in the SMB server (mostly libsmb) are fairly easy. Requests for this feature have come up from time to time over the last few years, but (so far) not from anyone who wanted it badly enough to pay for the work. Gordon On Thu, Aug 18, 2016 at 11:15 AM, Dan McDonald wrote: > >> On Aug 18, 2016, at 11:04 AM, Mick Burns wrote: >> >> *bump* >> anyone ? > > I'm going to forward your note to someone I know who works on CIFS. He's not > on this list. > > Stay tuned, > Dan > > ___ > OmniOS-discuss mailing list > OmniOS-discuss@lists.omniti.com > http://lists.omniti.com/mailman/listinfo/omnios-discuss ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss
Re: [OmniOS-discuss] LDAP external auth for CIFS service
In all honesty, the native Solaris LDAP client sucks. I would investigate installing an OpenLDAP client, or make the system an OpenLDAP slave to your 389 DS, and have the local client talk to the local OpenLDAP slave via loopback. That's how we were able to successfully set things up on our Thors so that they could talk to our OpenLDAP servers. Ian On Thu, Aug 18, 2016 at 11:28 AM, Andries Annema wrote: > *raises hand* > Here's another one interested in this matter. > > Researched the possibilities about two years ago myself, but eventually > gave > up; it didn't seem to be possible. > Would be awesome if it would be one day, though. > > Regards, > Andries > > > -Original Message- > From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com] On > Behalf Of Tobias Oetiker > Sent: donderdag 18 augustus 2016 17:33 > To: Dan McDonald > Cc: omnios-discuss > Subject: Re: [OmniOS-discuss] LDAP external auth for CIFS service > > - On 18 Aug, 2016, at 17:15, Dan McDonald dan...@omniti.com wrote: > > >> On Aug 18, 2016, at 11:04 AM, Mick Burns wrote: > >> > >> *bump* > >> anyone ? > > > > I'm going to forward your note to someone I know who works on CIFS. He's > not on > > this list. > > looking forward to the answer ... :) I have always used an AD for this but > openldap would be so much cooler. > > cheers > tobi > ___ > OmniOS-discuss mailing list > OmniOS-discuss@lists.omniti.com > http://lists.omniti.com/mailman/listinfo/omnios-discuss > > ___ > OmniOS-discuss mailing list > OmniOS-discuss@lists.omniti.com > http://lists.omniti.com/mailman/listinfo/omnios-discuss > -- Ian Kaufman Research Systems Administrator UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss
Re: [OmniOS-discuss] LDAP external auth for CIFS service
*raises hand* Here's another one interested in this matter. Researched the possibilities about two years ago myself, but eventually gave up; it didn't seem to be possible. Would be awesome if it would be one day, though. Regards, Andries -Original Message- From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com] On Behalf Of Tobias Oetiker Sent: donderdag 18 augustus 2016 17:33 To: Dan McDonald Cc: omnios-discuss Subject: Re: [OmniOS-discuss] LDAP external auth for CIFS service - On 18 Aug, 2016, at 17:15, Dan McDonald dan...@omniti.com wrote: >> On Aug 18, 2016, at 11:04 AM, Mick Burns wrote: >> >> *bump* >> anyone ? > > I'm going to forward your note to someone I know who works on CIFS. He's not on > this list. looking forward to the answer ... :) I have always used an AD for this but openldap would be so much cooler. cheers tobi ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss
Re: [OmniOS-discuss] LDAP external auth for CIFS service
- On 18 Aug, 2016, at 17:15, Dan McDonald dan...@omniti.com wrote: >> On Aug 18, 2016, at 11:04 AM, Mick Burns wrote: >> >> *bump* >> anyone ? > > I'm going to forward your note to someone I know who works on CIFS. He's not > on > this list. looking forward to the answer ... :) I have always used an AD for this but openldap would be so much cooler. cheers tobi ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss
Re: [OmniOS-discuss] LDAP external auth for CIFS service
> On Aug 18, 2016, at 11:04 AM, Mick Burns wrote: > > *bump* > anyone ? I'm going to forward your note to someone I know who works on CIFS. He's not on this list. Stay tuned, Dan ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss
Re: [OmniOS-discuss] LDAP external auth for CIFS service
*bump* anyone ? On Fri, Aug 12, 2016 at 4:58 PM, Mick Burns wrote: > Hello. > > I cannot get the CIFS service to use an external LDAP server for > authentication to users connecting to smb-configured shares. > Local LDAP authentication for OmniOS itself works fine for local login > (console or ssh). > > Note that this setup is not using AD domain servers but standalone 389 > directory servers. So no AD auth / kerberos involved at all. > > Followed many examples but when monitoring packets on the LDAP server > there is nothing coming from OmniOS when trying to bind to a share. > > i.e. : > https://docs.oracle.com/cd/E36784_01/html/E36832/configuredirbasedmapping.html > > Hoping for some kind of walk-through from a kind soul who got that all > worked out. > > Thank you. > Mick ___ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss