[Samba] User password change
I have a beginner question about Samba4. I managed to make my SSH users authenticate against the Samba4 AD DC without joining the SSH server to the domain, with the great help of you guys from this list. Is there a way for users to change their password via passwd? When I try to change the password, I get a success message, but it actually does not work. Is this possible?

I followed the instructions from https://wiki.samba.org/index.php/Samba4/beyond

bruno.vane@ldap:~$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for bruno.vane
passwd: password updated successfully

--
Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu
www.zamix.com.br | www.superonda.com.br

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Change default GID of users
Thank you Steve,

I had this mapping in nslcd.conf:

map passwd gidNumber primaryGroupID

I need the gidNumber to be 100 because this is the gidNumber of the group "users" on my Ubuntu servers. I will disable this mapping and test if everything is OK.

2013/8/28 steve st...@steve-ss.com:
> On Tue, 2013-08-27 at 16:07 -0300, Bruno Vane wrote:
>> Hi Steve,
>> Seems that this attribute does not matter, see my user bruno.vane:
>> primaryGroupID: 513
>> gidNumber: 100
>
> Hi
> How are you obtaining the information from AD? If you set:
> gidNumber: 100
> in the DN of a user, then that is what will be returned when e.g. nss-ldapd is used. It will not return primaryGroupID unless you have mapped that attribute to gidNumber in nslcd.conf. primaryGroupID is not an rfc2307 attribute.
> HTH
Re: [Samba] Change default GID of users
Thank you Marc!

2013/8/29 Marc Muehlfeld sa...@marc-muehlfeld.de:
> Hello Bruno,
>
> On 29.08.2013 16:11, Bruno Vane wrote:
>> I had this mapping in nslcd.conf
>> map passwd gidNumber primaryGroupID
>> I need the gidNumber to be 100 because this is the gidNumber of the group "users" on my Ubuntu servers. I will disable this mapping and test if everything is OK.
>
> The mapping is not just for mapping one field to another. You can replace values too, or do other things (see the manpage for more). You can hardcode the mapping:
>
> map passwd gidNumber 666
>
> # getent passwd
> ...
> Administrator:*:1:666::/home/Administrator:/bin/bash
> technik:*:10001:666:Technik:/home/technik:/bin/false
> demo1:*:10002:666:Demo User1:/home/demo1:/bin/sh
>
> And all your domain accounts have primary group 666 :-)
>
> Regards,
> Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Hi Luca,

If you provisioned your domain with --use-rfc2307, then in Win7 ADUC you can see the posixAccount (UNIX Attributes) of the users.

2013/8/27 Luca Olivetti l...@wetron.es:
> On 27/08/13 10:45, Marc Muehlfeld wrote:
>> On 27.08.2013 10:38, Luca Olivetti wrote:
>>> http://support.microsoft.com/kb/921913/en
>>> Thank you, I was missing idmu.exe
>>> Now I can see the unix tab, but, whenever I click accept, it tells me
>>> "Unable to modify the object property values. Check your credentials. There could be a network problem. Active Directory could be down. Contact your system administrator."
>>> However, when I open the user again I can see the modified unix attributes *but* the added user still doesn't show, unsurprisingly since it's missing the posixAccount class:
>>
>> I only used XP together with Samba AD for a very short time. But I remember that I got a message about something there too. Do you have a chance to try it on W7?
>
> Not right now, but I'll try when I manage to set up a W7 VM.
> Does Windows 7 ADUC add the posixAccount class?
>
> Bye
> --
> Luca Olivetti
> Wetron Automation Technology http://www.wetron.es
> Tel. +34 935883004
> Fax +34 935883007
[Samba] Change default GID of users
Hi all,

I'm using samba4 as DC and using ssh/nslcd/pam on some machines to look up the ldap base in samba4 to allow access for users. My question is, how can I set the default GID of users to 100, to match the GID of the group "users" on my linux machines? All users I create with ADUC are getting UID 513. These machines are joined to the domain.

These are my groups:

root@samba:~# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

These are the GIDs:

CORPORATIVO\Domain Admins:*:308:
CORPORATIVO\Domain Users:*:100:
CORPORATIVO\Domain Guests:*:312:
CORPORATIVO\Domain Computers:*:318:
CORPORATIVO\Domain Controllers:*:319:
CORPORATIVO\Schema Admins:*:307:
CORPORATIVO\Enterprise Admins:*:306:
CORPORATIVO\Group Policy Creator Owners:*:304:
CORPORATIVO\Read-Only Domain Controllers:*:320:
CORPORATIVO\DnsUpdateProxy:*:321:
CORPORATIVO\InternetLiberada:*:322:
Re: [Samba] Change default GID of users
Hi Steve,

Seems that this attribute does not matter, see my user bruno.vane:

primaryGroupID: 513
gidNumber: 100

If I try to change the value of primaryGroupID I get an error. Using:

root@samba:~# ldbedit -e vim --url=/usr/local/samba/private/sam.ldb samaccountname=bruno.vane
failed to modify CN=Bruno Vane,CN=Users,DC=corporativo,DC=mydomain,DC=net - error in module samldb: Unwilling to perform (53)
root@samba:~# ldbedit -e vim --url=/usr/local/samba/private/sam.ldb samaccountname=bruno.vane
# 0 adds  0 modifies  0 deletes

2013/8/27 steve st...@steve-ss.com:
> On Tue, 2013-08-27 at 14:33 -0300, Bruno Vane wrote:
>> Hi Steve,
>> I did what you said, and when I create the user, nothing changes:
>
> Hi
> Sorry, you have to add:
> gidNumber: 100
> to the DN of each user too. Make sure that you clear the nscd cache after making any change to AD.
> Steve
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Thank you Marc, I will try this configuration. For this to work, do I need an openLDAP proxy?

2013/8/26 Marc Muehlfeld sa...@marc-muehlfeld.de:
> Hello Bruno,
>
> On 25.08.2013 22:26, Bruno Vane wrote:
>> Yes I read these sections, but I want something different. Users will join the AD domain (Samba 4) and will connect to an entry SSH server, and from this server they can access other SSH servers on the network. All SSH servers are configured with /etc/hosts.allow to allow SSH connections only from this entry SSH server. These Ubuntu servers running SSH will not join the AD domain, only the users of the network. Is this possible?
>
> I think this shouldn't matter. You can configure the entry host with nslcd to retrieve the account information via LDAP from AD and pam_ldap to authenticate against AD (without the necessity to join the machine to the domain). Then you have the other hosts. These you can authenticate the same way, if they are not joined to the domain, or you join them and the authentication is done through winbind.
>
> For the nslcd you can use the following config (you must create a bind account in your domain for that first):
>
> # Mappings for Active Directory
> pagesize 1000
> referrals off
>
> # Passwd
> filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
>
> # Shadow
> filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
> map shadow uid sAMAccountName
> map shadow shadowLastChange pwdLastSet
>
> # Groups
> filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
> map group uniqueMember member
>
> # Local account nslcd runs under
> uid nslcd
> gid ldap
>
> # LDAP server settings
> uri ldap://127.0.0.1:389/
> base dc=SAMDOM,dc=example,dc=com
>
> # Account in AD that is used by nslcd to bind to the directory
> binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
> bindpw x
>
> The pam_ldap config you find here:
> https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD
>
> Regards,
> Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Marc, sorry to bother you with this, but I can not access an SSH server using these settings. Could you take a look, if you have time, to find out if my settings are wrong?

When I do a ssh -l nslcd-connect (or any other user) to the server, I get this in /var/log/auth.log:

Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from MY_MACHINE
Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user nslcd-connect [preauth]
Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user unknown
Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user nslcd-connect from MY_MACHINE port 51004 ssh2
Aug 26 11:09:25 ldap sshd[4642]: Connection closed by MY_MACHINE [preauth]

This is my samba4 server LDAP test:

root@samba:~# ldapsearch -U nslcd-connect -h localhost -b DC=corporativo,DC=mydomain,DC=net cn=nslcd-connect distinguishedName
SASL/NTLM authentication started
Please enter your password:
SASL username: nslcd-connect
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <DC=corporativo,DC=mydomain,DC=net> with scope subtree
# filter: cn=nslcd-connect
# requesting: distinguishedName
#

# nslcd-connect, Users, corporativo.sodobrasil.net.br
dn: CN=nslcd-connect,CN=Users,DC=corporativo,DC=mydomain,DC=net
distinguishedName: CN=nslcd-connect,CN=Users,DC=corporativo,DC=mydomain,DC=net

# search reference
ref: ldap://corporativo.sodobrasil.net.br/CN=Configuration,DC=corporativo,DC=mydomain,DC=net

# search reference
ref: ldap://corporativo.sodobrasil.net.br/DC=DomainDnsZones,DC=corporativo,DC=mydomain,DC=net

# search reference
ref: ldap://corporativo.sodobrasil.net.br/DC=ForestDnsZones,DC=corporativo,DC=mydomain,DC=net

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

===
This is /etc/nslcd.conf:

# Mappings for Active Directory
pagesize 1000
referrals off

# Passwd
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID

# Shadow
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

# Groups
filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
#map group uniqueMember member

# Local account nslcd runs under
uid nslcd
gid nslcd

# LDAP server settings
uri ldap://IP_OF_SAMBA_SERVER
base dc=corporativo,dc=mydomain,dc=net

# Account in AD that is used by nslcd to bind to the directory
#binddn cn=teste,cn=Users,dc=corporativo,dc=mydomain,dc=net
binddn CN=nslcd-connect,CN=Users,DC=corporativo,dc=mydomain,dc=net
bindpw nslcd-connect_password

=
This is /usr/share/libpam-ldap/ldap.conf:

base DC=corporativo,dc=mydomain,dc=net
binddn cn=nslcd-connect,cn=Users,DC=corporativo,dc=mydomain,dc=net
bindpw mudar123
bind_policy soft
pam_login_attribute sAMAccountName
uri ldap://IP_OF_SAMBA_SERVER
ssl no

2013/8/26 Marc Muehlfeld sa...@marc-muehlfeld.de:
> On 26.08.2013 14:10, Bruno Vane wrote:
>> I will try this configuration. For this to work I need openLDAP proxy?
>
> No. You can access AD via LDAP directly.
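The auth.log excerpt in the message above actually shows two independent failures in one SSH attempt: sshd reports "Invalid user" (NSS, i.e. nslcd, did not return the account at all) and pam_ldap reports "Can't contact LDAP server" (pam_ldap, which reads its own ldap.conf rather than nslcd.conf, cannot reach the DC). The script below is an added example, not code from the thread or from Samba, nslcd or pam_ldap: it groups auth.log lines by sshd process and labels each session with those findings. The sample log is constructed from the posted lines plus two made-up sessions (a wrong password for a resolvable user, and a successful login); the syslog line format assumed is the default Ubuntu one shown in the post.

```python
# Added example: triage sshd / pam_unix / pam_ldap lines from auth.log.
# Not from the thread; the sample log below is constructed (the first
# session copies the posted lines, the other two are invented).
import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from MY_MACHINE
Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user nslcd-connect [preauth]
Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user unknown
Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user nslcd-connect from MY_MACHINE port 51004 ssh2
Aug 26 11:09:25 ldap sshd[4642]: Connection closed by MY_MACHINE [preauth]
Aug 26 11:20:01 ldap sshd[4700]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN user=bruno.vane
Aug 26 11:20:03 ldap sshd[4700]: Failed password for bruno.vane from MY_MACHINE port 51010 ssh2
Aug 26 11:21:10 ldap sshd[4711]: Accepted password for bruno.vane from MY_MACHINE port 51011 ssh2
"""

# Default syslog prefix as in the post: "Mon DD HH:MM:SS host sshd[pid]: msg"
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")
FAILED_PW_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
LDAP_DOWN_RE = re.compile(r"^pam_ldap: ldap_simple_bind Can't contact LDAP server")
NSS_UNKNOWN_RE = re.compile(r"^pam_unix\(sshd:auth\): check pass; user unknown")


def new_session():
    return {"user": None, "src": None, "invalid_user": False, "nss_unknown": False,
            "ldap_unreachable": 0, "failed_password": 0, "accepted": False}


def parse_sessions(log_text):
    """Group auth.log lines by sshd PID and record what each session did."""
    sessions = defaultdict(new_session)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if (u := INVALID_USER_RE.match(msg)):
            s.update(user=u["user"], src=u["src"], invalid_user=True)
        elif NSS_UNKNOWN_RE.match(msg):
            s["nss_unknown"] = True
        elif LDAP_DOWN_RE.match(msg):
            s["ldap_unreachable"] += 1
        elif (u := FAILED_PW_RE.match(msg)):
            s.update(user=u["user"], src=u["src"])
            s["failed_password"] += 1
        elif (u := ACCEPTED_RE.match(msg)):
            s.update(user=u["user"], src=u["src"], accepted=True)
    return dict(sessions)


def diagnose(session):
    """Findings for one session, most fundamental problem first."""
    findings = []
    if session["invalid_user"] or session["nss_unknown"]:
        # sshd and pam_unix never saw the account: NSS did not return it.
        # With nslcd that means its filter, maps, bind account or the daemon
        # itself; `getent passwd <user>` on the SSH host must work first.
        findings.append("nss-lookup-failed")
    if session["ldap_unreachable"]:
        # pam_ldap reads its own ldap.conf, not nslcd.conf: check uri/base
        # there and that the host can reach the DC on the LDAP port.
        findings.append("pam_ldap-unreachable")
    if session["failed_password"] and not findings:
        findings.append("bad-credentials")
    if session["accepted"]:
        findings.append("accepted")
    return findings


def triage(log_text):
    """Map sshd PID -> (user, findings) for every session in the log."""
    return {pid: (s["user"], diagnose(s)) for pid, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for pid, (user, findings) in triage(SAMPLE_LOG).items():
        print(pid, user, ", ".join(findings))
```

On the posted session the script reports both "nss-lookup-failed" and "pam_ldap-unreachable", which is why fixing only one of the two config files would still leave logins failing; run it over the real auth.log once the NSS side works to see which failures remain.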
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Marc, it seems that the problem was actually that the posix information was blank and I could not edit it. I did the domain provision again with the option --use-rfc2307. After creating the user in AD (via RSAT in Win7) I need to manually enable NIS domain info for that user. After this, I got access via SSH using the Samba4 LDAP. Now I have to research how to auto-create the home dir and change the shell to /bin/bash.

Thank you very much for your help!

root@samba:~# getent passwd bruno.vane
bruno.vane:*:1:513:Bruno Vane:/home/bruno.vane:/bin/sh

bruno.vane@Suporte-VR:~$ ssh -l bruno.vane 177.84.70.200
bruno.vane@177.84.70.200's password:
Could not chdir to home directory /home/bruno.vane: No such file or directory
$

2013/8/26 Marc Muehlfeld sa...@marc-muehlfeld.de:
> On 26.08.2013 20:12, Luca Olivetti wrote:
>>> - Now you should be able to see all accounts (the local and domain accounts), when you type
>>> # getent passwd
>>
>> I tried it on a test VM, but it only showed accounts migrated from samba 3+ldap (since they have the posix attributes), new users/groups added via samba-tool or windows didn't appear.
>
> Of course this would only work if you have posix information in your directory. If you don't want to manage them in AD, you can use winbind or sssd. But there you have other requirements (machine joined to domain, kerberos, ...).
>
> Regards,
> Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Hi Ricky,

I'm not using winbind. To auto-create the home dir I added:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

to the /etc/pam.d/common-session file.

I'm using Marc's instructions to log in via SSH without joining the machine to the domain. Can I also use winbind with this setup?

2013/8/26 Ricky Nance ricky.na...@gmail.com:
> If you are using winbind, you can use template home directory = and template shell = in your smb.conf (man smb.conf for a more accurate description).
> Ricky
>
> On Mon, Aug 26, 2013 at 2:58 PM, Bruno Vane bro...@gmail.com wrote:
>> Marc, it seems that the problem was actually that the posix information was blank and I could not edit it. I did the domain provision again with the option --use-rfc2307. After creating the user in AD (via RSAT in Win7) I need to manually enable NIS domain info for that user. After this, I got access via SSH using the Samba4 LDAP. Now I have to research how to auto-create the home dir and change the shell to /bin/bash.
>>
>> Thank you very much for your help!
>>
>> root@samba:~# getent passwd bruno.vane
>> bruno.vane:*:1:513:Bruno Vane:/home/bruno.vane:/bin/sh
>>
>> bruno.vane@Suporte-VR:~$ ssh -l bruno.vane 177.84.70.200
>> bruno.vane@177.84.70.200's password:
>> Could not chdir to home directory /home/bruno.vane: No such file or directory
>> $
>>
>> 2013/8/26 Marc Muehlfeld sa...@marc-muehlfeld.de:
>>> On 26.08.2013 20:12, Luca Olivetti wrote:
>>>>> - Now you should be able to see all accounts (the local and domain accounts), when you type
>>>>> # getent passwd
>>>>
>>>> I tried it on a test VM, but it only showed accounts migrated from samba 3+ldap (since they have the posix attributes), new users/groups added via samba-tool or windows didn't appear.
>>>
>>> Of course this would only work if you have posix information in your directory. If you don't want to manage them in AD, you can use winbind or sssd. But there you have other requirements (machine joined to domain, kerberos, ...).
>>>
>>> Regards,
>>> Marc
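The getent output quoted above shows the user with GID 513 even though the entry carries gidNumber 100. That is the posted nslcd.conf at work: `map passwd gidNumber primaryGroupID` substitutes primaryGroupID, which in AD is the RID of the primary group (513 is Domain Users), not a Unix GID. Whatever local group happens to own GID 513 on the SSH host, if any, becomes that user's primary group. The script below is an added example, not code from the thread and not nslcd itself: a simplified model of nslcd's passwd filter and map rules applied to constructed AD entries, run with the posted mapping, with the mapping removed (gidNumber taken from the entry's own RFC2307 attribute), and with the hardcoded value from Marc's `map passwd gidNumber 666` earlier on the page. The entries, the /etc/group sample and the treatment of a bare integer as a literal are all assumptions made for the example.

```python
# Added example (not from the thread, not nslcd's code): model how the nslcd
# passwd filter and `map passwd ...` rules turn AD entries into passwd(5)
# lines, and which local group each result lands in.
import re

# Constructed AD entries. bruno.vane has RFC2307 attributes (gidNumber 100),
# the nslcd bind account has no uidNumber, the computer account has both.
ENTRIES = [
    {"sAMAccountName": "bruno.vane", "objectClass": ["user", "person"],
     "displayName": "Bruno Vane", "uidNumber": "10001", "gidNumber": "100",
     "primaryGroupID": "513", "unixHomeDirectory": "/home/bruno.vane",
     "loginShell": "/bin/bash"},
    {"sAMAccountName": "nslcd-connect", "objectClass": ["user", "person"],
     "displayName": "nslcd bind account", "primaryGroupID": "513"},
    {"sAMAccountName": "PC01$", "objectClass": ["user", "computer"],
     "uidNumber": "20001", "gidNumber": "100", "primaryGroupID": "515"},
]

# Constructed /etc/group of the SSH host; GID 513 is deliberately taken by an
# unrelated local group to show the collision.
LOCAL_GROUPS = "users:x:100:\nadm:x:4:syslog\nsshusers:x:513:deploy\n"

# The posted nslcd.conf rules, as passwd field -> nslcd expression.
MAPS_POSTED = {"uid": "sAMAccountName", "homeDirectory": "unixHomeDirectory",
               "gecos": "displayName", "gidNumber": "primaryGroupID"}
# Same rules without the gidNumber map: the entry's own gidNumber is used.
MAPS_RFC2307 = {k: v for k, v in MAPS_POSTED.items() if k != "gidNumber"}
# Same rules with gidNumber hardcoded, as in `map passwd gidNumber 666`.
MAPS_HARDCODED = dict(MAPS_RFC2307, gidNumber="666")


def passes_passwd_filter(entry):
    """(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))"""
    oc = set(entry.get("objectClass", []))
    return "user" in oc and "computer" not in oc and "uidNumber" in entry


def resolve(entry, expr):
    """Simplified nslcd expression: a bare name reads that attribute, a
    double-quoted string is a literal with $attr expansion, and a bare
    integer is taken as a literal (a modelling choice in this example)."""
    if expr.isdigit():
        return expr
    if expr.startswith('"') and expr.endswith('"'):
        return re.sub(r"\$(\w+)", lambda m: entry.get(m.group(1), ""), expr[1:-1])
    return entry.get(expr)


def passwd_line(entry, maps):
    """uid:*:uidNumber:gidNumber:gecos:home:shell, or None when a required
    field is missing (the entry is then simply not returned)."""
    fields = ["uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"]
    vals = {f: resolve(entry, maps.get(f, f)) for f in fields}
    if any(vals[f] is None for f in ("uid", "uidNumber", "gidNumber")):
        return None
    return "%s:*:%s:%s:%s:%s:%s" % (vals["uid"], vals["uidNumber"], vals["gidNumber"],
                                   vals["gecos"] or "", vals["homeDirectory"] or "",
                                   vals["loginShell"] or "")


def getent_passwd(entries, maps):
    """What `getent passwd` would list for these entries under these maps."""
    lines = (passwd_line(e, maps) for e in entries if passes_passwd_filter(e))
    return [line for line in lines if line]


def primary_group_name(passwd_entry, group_file):
    """Local group a passwd line's GID resolves to, or None if no such group."""
    gid = passwd_entry.split(":")[3]
    for g in group_file.splitlines():
        name, _, ggid, _ = g.split(":")
        if ggid == gid:
            return name
    return None


if __name__ == "__main__":
    for label, maps in [("posted", MAPS_POSTED), ("rfc2307", MAPS_RFC2307),
                        ("hardcoded", MAPS_HARDCODED)]:
        for line in getent_passwd(ENTRIES, maps):
            print(label, line, "->", primary_group_name(line, LOCAL_GROUPS))
```

Two things fall out of the run: the bind account and the computer object are never returned (no uidNumber, or objectClass computer), which is exactly the "Invalid user" sshd logs for such an account, and the posted map puts bruno.vane into whatever local group owns GID 513, while dropping the map yields GID 100 ("users") and the hardcoded 666 matches no local group at all. Hardcoding is only safe when every local machine has a group with that GID and all domain users are meant to share it.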
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Hi Steve,

I'm adding users through ADUC, in the Remote Server Administration Tools. Thank you.

2013/8/26 steve st...@steve-ss.com:
> On Mon, 2013-08-26 at 20:12 +0200, Luca Olivetti wrote:
>> On 26/08/13 19:09, Marc Muehlfeld wrote:
>>> - Now you should be able to see all accounts (the local and domain accounts), when you type
>>> # getent passwd
>>
>> I tried it on a test VM, but it only showed accounts migrated from samba 3+ldap (since they have the posix attributes), new users/groups added via samba-tool or windows didn't appear.
>
> Hi
> You add the attributes yourself when you create the user:
> samba-tool user add luca --uid-number=1234567 --gid-number=45678 --home-directory=/some/place --login-shell=/bin/bash
> HTH
> Steve
[Samba] OpenSSH auth in SAMBA4 LDAP
Hi,

I have some Ubuntu LTS servers running openssh server authenticating against an external openldap. I installed a new Ubuntu LTS server with Samba4 to create a domain and it is working very well. I managed to make a pfsense firewall authenticate users in this Samba4 ldap. How do I make openssh in Ubuntu authenticate users in the Samba4 ldap?
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Hello Marc,

Yes I read these sections, but I want something different. Users will join the AD domain (Samba 4) and will connect to an entry SSH server, and from this server they can access other SSH servers on the network. All SSH servers are configured with /etc/hosts.allow to allow SSH connections only from this entry SSH server. These Ubuntu servers running SSH will not join the AD domain, only the users of the network. Is this possible?

2013/8/25 Marc Muehlfeld sa...@marc-muehlfeld.de:
> Hello Bruno,
>
> On 25.08.2013 09:27, Bruno Vane wrote:
>> I have some Ubuntu LTS servers running openssh server authenticating against an external openldap. I installed a new Ubuntu LTS server with Samba4 to create a domain and it is working very well. I managed to make a pfsense firewall authenticate users in this Samba4 ldap. How do I make openssh in Ubuntu authenticate users in the Samba4 ldap?
>
> Have you already looked here:
> http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD
> http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Secure_passwordless_SSH
>
> Regards,
> Marc