[Samba] Enumerate group members

2006-06-12 Thread Diego Rivera

Hello all!

Is it possible, using winbind (wbinfo, nss_winbind, etc.) to enumerate the 
members of an ADS group, with something other than the id command for 
each user, or getent group?  The id works but then I'd have to 
enumerate ALL users and build the member list from there (too slow), 
whereas getent group will only list those members of a group for which 
the group is not the primary one.


Thanks

Diego
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
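The gap described in the question, with the merge written out: `getent group` only carries the explicit member list, so users whose *primary* group is the one in question have to be collected from `getent passwd` by gid. The following is an added example, not code from the Samba project or from the original post. It assumes domain users and groups resolve through NSS (nss_winbind behind `getent`); the SAMPLE_* data is constructed so the merge logic runs offline.

```python
"""Members of a winbind-resolved group, including users whose primary group
it is.  Added example; not Samba code.  Assumes `getent` reaches the
domain through nss_winbind.  SAMPLE_* below is constructed test data in the
shape `getent group` / `getent passwd` print with the default separator.
"""
import subprocess
import sys
from typing import Dict, List, Set, Tuple

SAMPLE_GROUP = "EXAMPLE\\engineering:x:10005:EXAMPLE\\alice,EXAMPLE\\bob"
SAMPLE_PASSWD = """\
EXAMPLE\\alice:*:10001:10005:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\\bob:*:10002:10007:Bob:/home/EXAMPLE/bob:/bin/bash
EXAMPLE\\carol:*:10003:10005:Carol:/home/EXAMPLE/carol:/bin/bash
EXAMPLE\\dave:*:10004:10007:Dave:/home/EXAMPLE/dave:/bin/bash
"""


def parse_group_line(line: str) -> Tuple[str, int, List[str]]:
    """Split one `getent group` line into (name, gid, explicit member list)."""
    name, _password, gid, members = line.rstrip("\n").split(":", 3)
    return name, int(gid), [m for m in members.split(",") if m]


def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> primary gid from `getent passwd` output."""
    primary: Dict[str, int] = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            primary[fields[0]] = int(fields[3])
    return primary


def group_members(group_line: str, passwd_text: str) -> List[str]:
    """Explicit members plus every user whose primary gid is the group's gid."""
    _name, gid, explicit = parse_group_line(group_line)
    members: Set[str] = set(explicit)
    members.update(u for u, g in parse_passwd(passwd_text).items() if g == gid)
    return sorted(members)


def getent(database: str, key: str = "") -> str:
    """Run getent; with nss_winbind configured it returns domain entries too."""
    cmd = ["getent", database] + ([key] if key else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def demo() -> List[str]:
    """Merge on the constructed sample: bob is explicit only, carol primary only."""
    return group_members(SAMPLE_GROUP, SAMPLE_PASSWD)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # live mode: enumerating `getent passwd` needs winbind enum users = yes
        # and walks every domain user, which is the slow part noted above
        print("\n".join(group_members(getent("group", sys.argv[1]), getent("passwd"))))
    else:
        print("\n".join(demo()))
```

Two caveats for anyone using this for an access decision: the passwd enumeration is exactly the "enumerate ALL users" cost the question wants to avoid, and, as the answer below says, enumerated membership is not guaranteed to be complete. The authoritative view of a given user's groups is the one winbind builds for that user (the `id` output), so check that for authorization rather than the reverse mapping.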


Re: [Samba] Enumerate group members

2006-06-12 Thread Diego Rivera
Thanks, I already knew that getent group wouldn't work (on the original 
post ;)).


Thanks for the quick answer anyway.  So, according to AD ACL's, it's 
possible that a machine in a domain which needs to check group access 
(i.e. a samba box) may not get accurate information about whether a user 
is a member of a group? Or just that the ACL's may forbid the 
enumeration of group members for particular groups?


Thanks

Diego



Volker Lendecke wrote:

On Mon, Jun 12, 2006 at 08:19:48AM -0600, Diego Rivera wrote:

members of an ADS group, with something other than the id command for 
each user, or getent group?  The id works but then I'd have to 

getent group groupname

should give you what you want. But we do not give *any*
guarantees about the correctness of the result. There's a
number of reasons for not filling in the members correctly,
a number of them being out of our control (AD ACLs).

Volker




[Samba] Winbind ADS feature request

2006-06-09 Thread Diego Rivera

Hello all!

I've been successful at adding ADS authentication to my Samba servers on 
all fronts, and also get kerberos authentication working.  I've managed 
to overcome some limitations (like, for instance, automatic password 
changes on password expiration), but am facing one last hurdle before I 
can honestly say that my system is well prepared for (almost) all scenarios.


When the primary ADS goes down (we're taking it offline to do testing 
when possible), Winbind refuses to go out and look for a backup.  We 
either have to manually bounce the service (it will find the backup 
appropriately), or use wbinfo -u.  So, here's the feature request:  
would it be possible for Winbind to implement some sort of current DC 
heartbeat mechanism, such that when that heartbeat fails (or after X 
heartbeats, whatever...), it automatically goes and looks for an 
alternate DC?


I realize that this can probably be achieved using winbind cache time, 
however setting this too low would probably result in a lot of 
unnecessary network traffic.  Also, a daemonized, manually implemented 
heartbeat could also do the job.  However, this is a feature that would 
probably best be included as a standard part of winbind.


I think a good way to do the heartbeat is to open an LDAP link for the 
current ADS, and either checking credentials (or some other no-op 
operation) or closing the link.  I realize TCP timeouts are probably at 
play here as well, so this is by no means a perfect solution.


However, I have no doubt there are smarter people than I reading this 
message, so I leave this in your already proven capable hands :)


Thanks for a great product!

Diego

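The mechanism the request sketches, written out as a small monitor: a cheap probe of the DC currently in use, a miss counter, and a switch to another reachable DC once the counter hits a threshold. This is an added example and not winbind code. Assumptions: each DC answers LDAP on TCP 389 and a completed TCP handshake serves as the "no-op" probe the post proposes; the failover action is the post's own workaround of making winbind look for a DC again (`wbinfo -u`); the DC names are constructed.

```python
"""Heartbeat against the DC in use, with failover after N consecutive misses.
Added example, not winbind code.  Assumes DCs speak LDAP on TCP 389, uses a
TCP connect as the probe, and `wbinfo -u` as the failover action (the
workaround from the post); DC names are constructed.
"""
import socket
import subprocess
from typing import Callable, List, Optional


def tcp_probe(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """Liveness check: can we complete a TCP handshake to the LDAP port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def nudge_winbind(dc: str) -> None:
    """Failover action: make winbind go and find a DC again (post's workaround)."""
    subprocess.run(["wbinfo", "-u"], capture_output=True, check=False)


class DcMonitor:
    """Counts consecutive failed heartbeats to the current DC and moves to
    another DC that answers once `threshold` misses have accumulated."""

    def __init__(self, dcs: List[str], threshold: int,
                 probe: Callable[[str], bool] = tcp_probe,
                 on_failover: Callable[[str], None] = nudge_winbind) -> None:
        self.dcs = list(dcs)
        self.threshold = threshold
        self.probe = probe
        self.on_failover = on_failover
        self.current: str = self.dcs[0]
        self.misses = 0
        self.failovers: List[str] = []

    def tick(self) -> Optional[str]:
        """One heartbeat; returns the DC in use afterwards, None if none answers."""
        if self.probe(self.current):
            self.misses = 0
            return self.current
        self.misses += 1
        if self.misses < self.threshold:
            return self.current            # transient loss: keep waiting
        for dc in self.dcs:
            if dc != self.current and self.probe(dc):
                self.current, self.misses = dc, 0
                self.failovers.append(dc)
                self.on_failover(dc)
                return dc
        return None                        # nothing reachable; retry next tick


def simulate() -> List[Optional[str]]:
    """Constructed run: dc1 answers twice and then dies, dc2 stays up."""
    alive = {"dc1.example.com": [True, True] + [False] * 10,
             "dc2.example.com": [True] * 12}
    counters = {dc: 0 for dc in alive}

    def scripted_probe(dc: str) -> bool:
        i = counters[dc]
        counters[dc] += 1
        return alive[dc][i]

    mon = DcMonitor(list(alive), threshold=3, probe=scripted_probe,
                    on_failover=lambda dc: None)
    return [mon.tick() for _ in range(6)]


if __name__ == "__main__":
    import time
    import sys
    mon = DcMonitor(sys.argv[1:] or ["dc1.example.com", "dc2.example.com"], threshold=3)
    while True:
        print("dc in use:", mon.tick())
        time.sleep(30)
```

The threshold is what keeps this from generating the churn the post worries about: a single lost handshake (TCP timeout, a busy DC) only bumps the counter, and the probe runs every 30 seconds against one host rather than re-walking the domain on every cache expiry.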


Re: [Samba] More pam_winbind trouble

2006-06-04 Thread Diego Rivera
I've found the problem.  As it turns out, it was me suffering from 
acute cranial rectalitis.


Note to interested parties regarding try_first_pass and use_first_pass: 
I had, for some reason that now escapes my comprehension, assumed they 
had behavior different than what they truly have.  I had assumed that 
try_first_pass implied attempting to authenticate with stored 
credentials, but asking for new ones if old ones weren't found (correct 
behavior) or if authentication failed (incorrect behavior).  
try_first_pass simply means obtain credentials if there are none 
stored, whereas use_first_pass means use whatever is stored ONLY.  
Thus, if the stored credentials are wrong, neither of these flags will 
cause pam_winbind to ask the user for new credentials if the stored 
credentials fail authentication.  This is the correct behavior because 
if the stored credentials are wrong, and we get new credentials, and 
those are wrong as well, we run into a scenario where we have two bad 
credentials that need to be passed to other modules in the chain, and no 
objective criterion to select one above the other (we can only pass 
along one set of credentials).


Sorry for the trouble.  My setup is now complete (I think :) ).  I'll be 
posting a nice little howto which includes how to set up kerberos 
(GSSAPI) enabled SSH access, AD-centric authentication (with password 
change using the unix passwd command), and automatic password changing 
on expiry (through pam), within the next couple of days.


I also came up with a backported patch from Samba 3.0.22 to Samba 3.0.20 
allowing for the automatic password change on expiry.  I'll post that as 
well for interested parties.


Cheers

Diego


Diego Rivera wrote:

Hello all.  Sorry for the re-post, I MUST remember to turn off HTML 
text and GPG signing...


First off, I'm using Samba 3.0.22 and can't risk to use Samba 
3.0.23rc1 because I have no valid test environment for it.


My problem is this:  I'm using pam_winbind to authenticate users 
against ActiveDirectory, and whenever they enter a bad password, 
pam_winbind will fail 3 times in a row, but the user is only asked to 
enter the password once (the first time).  This, of course, is 
resulting in a lot of needlessly locked accounts.  I tried 
substituting with pam_krb5, and it worked fine, which means it's a 
logic problem with winbind.  However, there's other reasons I can't 
use pam_krb5.


I'm trying to figure out where the logic fault is within pam_winbind, 
but it would help if whoever wrote it could shine a light my way.  I'm 
in the process of comparing the pam_winbind code from 3.0.22 with 
3.0.23rc1 to see if I catch anything obvious.  The toughest part is 
filtering out all the new stuff.


If I come up with a patch to fix this, I'll submit it for review.  
This is the last remaining step in getting my environment up and 
working.  Once it's verified to be OK, I'll be posting a small howto 
for what I've done, as I'm sure others may be interested in doing 
similar things.


Thanks

Diego


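The try_first_pass / use_first_pass semantics explained above, modelled as a walk over a two-module auth stack so the prompt and backend counts can be read off. This is an added example, not Linux-PAM or pam_winbind code: the stack, the local and domain password tables, and the handling of the `required`/`sufficient` control flags are constructed stand-ins for the real modules.

```python
"""Model of how `auth` modules treat an already-entered password under
try_first_pass / use_first_pass.  Added example; not PAM or pam_winbind
code.  LOCAL_USERS / DOMAIN_USERS are constructed password tables standing
in for pam_unix and pam_winbind backends.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

LOCAL_USERS: Dict[str, str] = {"root": "local-secret"}
DOMAIN_USERS: Dict[str, str] = {"EXAMPLE\\alice": "Winter2006"}


@dataclass
class Module:
    name: str
    control: str                           # "required" or "sufficient"
    check: Callable[[str, str], bool]      # backend: (user, password) -> ok?
    options: List[str] = field(default_factory=list)


@dataclass
class Trace:
    prompts: int = 0                       # how often the user was asked
    backend_calls: List[str] = field(default_factory=list)
    success: bool = False


def run_auth(stack: List[Module], user: str, typed: Callable[[], str]) -> Trace:
    """Walk the auth stack once; the entered password is shared as PAM_AUTHTOK."""
    trace = Trace()
    stored: Optional[str] = None
    failed_required = False
    any_ok = False
    for m in stack:
        if "use_first_pass" in m.options:
            # reuse only: with nothing stored the module fails without asking
            if stored is None:
                ok = False
            else:
                ok = m.check(user, stored)
                trace.backend_calls.append(m.name)
        elif "try_first_pass" in m.options and stored is not None:
            # reuse what is stored; a wrong stored password is NOT re-prompted
            ok = m.check(user, stored)
            trace.backend_calls.append(m.name)
        else:
            stored = typed()
            trace.prompts += 1
            ok = m.check(user, stored)
            trace.backend_calls.append(m.name)
        if ok and m.control == "sufficient" and not failed_required:
            trace.success = True
            return trace                   # short-circuit: later modules never run
        if ok:
            any_ok = True
        elif m.control == "required":
            failed_required = True
    trace.success = any_ok and not failed_required
    return trace


def domain_stack(winbind_options: List[str]) -> List[Module]:
    """pam_unix first, pam_winbind second, both `sufficient` (a common layout)."""
    return [
        Module("pam_unix", "sufficient", lambda u, p: LOCAL_USERS.get(u) == p),
        Module("pam_winbind", "sufficient", lambda u, p: DOMAIN_USERS.get(u) == p,
               winbind_options),
    ]


def scenario(user: str, typed_password: str, winbind_options: List[str]) -> Trace:
    """Run one login attempt where every prompt is answered with typed_password."""
    return run_auth(domain_stack(winbind_options), user, lambda: typed_password)
```

The traces show the point of the post: for a domain user typing a wrong password, `try_first_pass` on pam_winbind yields one prompt and one failed attempt at AD, with no second chance; dropping the option yields a second prompt instead, and a local user who satisfies pam_unix never reaches AD at all because `sufficient` short-circuits the stack.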


[Samba] More pam_winbind trouble

2006-06-03 Thread Diego Rivera


Hello all.  Sorry for the re-post, I MUST remember to turn off HTML text 
and GPG signing...


First off, I'm using Samba 3.0.22 and can't risk to use Samba 3.0.23rc1 
because I have no valid test environment for it.


My problem is this:  I'm using pam_winbind to authenticate users against 
ActiveDirectory, and whenever they enter a bad password, pam_winbind 
will fail 3 times in a row, but the user is only asked to enter the 
password once (the first time).  This, of course, is resulting in a lot 
of needlessly locked accounts.  I tried substituting with pam_krb5, and 
it worked fine, which means it's a logic problem with winbind.  However, 
there's other reasons I can't use pam_krb5.


I'm trying to figure out where the logic fault is within pam_winbind, 
but it would help if whoever wrote it could shine a light my way.  I'm 
in the process of comparing the pam_winbind code from 3.0.22 with 
3.0.23rc1 to see if I catch anything obvious.  The toughest part is 
filtering out all the new stuff.


If I come up with a patch to fix this, I'll submit it for review.  This 
is the last remaining step in getting my environment up and working.  
Once it's verified to be OK, I'll be posting a small howto for what I've 
done, as I'm sure others may be interested in doing similar things.


Thanks

Diego



Re: [Samba] RE: Samba 3.0.20, pam_winbind broken?

2006-05-29 Thread Diego Rivera

I can confirm that the problem is fixed in 3.0.22.

We tested briefly today in a small maintenance window that presented 
itself out of immediate need, and everything worked as expected.  
However, I have a feeling that 3.0.23rc1 would work even better (i.e. 
warnings about expiring passwords before they're gone, etc).  Still, 
since a stable version addressed the immediate need, I'll wait until 
3.0.23 is released before upgrading yet again.


Thanks for the help tho! :)

Gerald (Jerry) Carter wrote:


On Sun, 28 May 2006, Diego Rivera wrote:

I'll try.  However, I'm currently thinking of trying 3.0.22, which (from
looking at the code) appears to also be fixed in this respect (at least,
it appears to handle expired tokens more smartly).  It'll be easier to
sell a test that one rather than a beta (or RC).

Is there an ETA on the release 3.0.23?


Soon hopefully.  Another few weeks I expect.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian





[Samba] Samba 3.0.20, pam_winbind broken?

2006-05-25 Thread Diego Rivera



[Samba] M$, AD and Samba

2003-04-01 Thread Diego Rivera
Hello all,

I have news on the AD front.

It seems M$ is going to open-source its AD implementation.  It also
seems M$ is going to start development on the Samba code to help bring
it up to speed to its codebase, and unify them both in the end.

-- 
Diego Rivera [EMAIL PROTECTED]

;)



RE: [Samba] M$, AD and Samba

2003-04-01 Thread Diego Rivera
Beat me to it!!!  ;)

On Tue, 2003-04-01 at 19:14, [EMAIL PROTECTED] wrote:
 April Fools' day ;-)
 
  -Original Message-
  From: John H Terpstra [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, April 01, 2003 5:14 PM
  To: Diego Rivera
  Cc: [EMAIL PROTECTED]
  Subject: Re: [Samba] M$, AD and Samba
  
  
  On Wed, 1 Apr 2003, Diego Rivera wrote:
  
   Hello all,
  
   I have news on the AD front.
  
   It seems M$ is going to open-source its AD implementation.  It also
   seems M$ is going to start development on the Samba code to 
  help bring
   it up to speed to its codebase, and unify them both in the end.
  
  What is the source of this information please?
  
  - John T.
  -- 
  John H Terpstra
  Email: [EMAIL PROTECTED]
-- 
Diego Rivera [EMAIL PROTECTED]



Re: [Samba] LDAP Replication

2003-03-14 Thread Diego Rivera
Hey Vladimir,

Right off the bat I can tell you from my experience (unless somebody
corrects me) that you're going to have problems keeping ACLs with Domain
Group references (i.e. ACLs that include groups in the NT4 Domain
sense).

Samba 2.2.x doesn't support Domain Groups.  Samba 3.0 does, but as you
mentioned you can't wait until that, and obviously alpha (beta?) level
code would also be unacceptable.

By Domain Groups I mean custom-created groups of users within the NT
domain such as Managers, Marketing Personnel, etc...these can't be
represented in Samba 2.2.x AFAIK - only a few default (read: required)
groups exist.

I hope I'm wrong, but sadly I don't think I am.

Best


On Thu, 2003-03-13 at 21:45, Zawalinski, Vladimir wrote:
 From Google searches, it seems that using SAMBA 2.2.7 + Open LDAP on  Linux
 patched for POSIX ACL support delivers a functional PDC/BDC pair, and that
 directory replication can take place automatically once set up.
 
 Could someone please confirm that this actually works?
 
 The background to this issue is that we are moving a large number of NT4
 file servers to a LINUX platform, but need to keep security arrangements,
 particularly file ACLs unchanged, but cannot wait until the production
 release of Samba V3.
-- 
Diego Rivera [EMAIL PROTECTED]



[Samba] Samba, AD Server, possibilities?

2003-02-08 Thread Diego Rivera
Hello all!

It's been asked several times whether Samba can act as an
ActiveDirectory server, and the answer has always been a categorical NO.

However, I don't recall seeing any thread dealing with the question of
whether such functionality COULD be developed.

Obviously, it WOULD be *possible* to develop this functionality (in the
strict sense of the word possible), but would doing it cause legal
problems for anyone?

Mostly, I'm not sure whether M$-held patent issues would come into play,
and thus I'd like to see comments from the development team leads to see
what their thoughts on this are (I'm sure they have many).

AFAIK ActiveDirectory's authentication/access control core is a modified
MIT-Kerberos V authentication ticket mechanism, coupled with an (I think
modified) LDAP directory, and I'm not sure what other aspects are in
there.  The former two can already be provided by Linux, but I don't
know about the additional stuff...

Anybody care to help educate me a little more on the subject?  Or at
least direct me to relevant docs that explore ActiveDirectory's
technical aspects with some depth?

Thus, the question is not only can it be done, but also will it be done
eventually, and what functionality is required to achieve it?

Best

Diego




[Samba] TDB to text

2003-01-27 Thread Diego Rivera
I seem to recall the existence of a utility to convert (dump?) TDB files
into text format so one could peruse the contents.  I also seem to
recall that one could do the reverse - build a TDB from a text file.

Is this true?  Does this utility exist?  Would I have to hack my own out
of the TDB code in Samba?

Best

Diego





Re: [Samba] Adding a machine; I think I am onto something

2003-01-19 Thread Diego Rivera
On Sun, 2003-01-19 at 02:35, Jim C wrote:
  What's actually needed is full separation of the search for users and
  computers, and that's not worth it (IMHO) in 2.2.7a if 3.0alpha has it
  already (I believe it does).  I'd rather contribute to 3.0alpha and help
  get it out the door quicker than try to expand functionality on 2.2.7a.
 
 Certainly and I agree, however until 3.0 comes out of beta and gets the 
 official stability nod I am stuck with 2.2.7a.  Besides there has to be 
 a way to get this going.  I have to assume that the fact that I am the 
 only one griping about it indicates that most others have it figured 
 out and it therefore follows that it *can* be figured out. :-)
 
 

I also agree that it sucks that we're stuck with 2.2.7a for production
use and can't add stuff like this easily, but that's just how it is.

I also agree that others may have figured it out.  However, I see two
possible camps:

1) Those who figured they could live with it as is, because making the
mods is much more trouble than it's worth to them, and adds
functionality not fully tested by the official team, and thus the
community support is hampered because of the (extensive, as I saw them
at least) modifications with respect to the original, tested codebase.

2) Those who chose to go ahead and implement it in their own way and can
live with not having as much support available as with the stock code
(even with light modifications).

The mods I made allowed specification of the branch where machine
accounts were kept, but as I said: I ran into a brick wall because
getpwent() gets used in several non-SAM-database related places to get
machine account info, and that is an issue.  The solution is to have
ldap.conf search for users in several locations, but that may add
overhead that could cause problems - especially with OpenLDAP's reduced
performance when combined with Samba and high loads.

I may look into it again, but I don't think I'll find a solution to it
that doesn't require me modifying the code extensively.

HOWEVER: if you do choose to implement it, share the code and perhaps we
can come up with 2.2.8 including those mods.  I'll definitely sign up
for that!

Best

Diego




Re: [Samba] Adding a machine; I think I am onto something

2003-01-18 Thread Diego Rivera
I meditated long and hard on how to do this separation on 2.2.7a, even
going so far as to code most of the patch, but ran into the stone wall
that the search for the computer account is ALWAYS done as a search for
a user account (just with a different name - meaning the trailing $),
so I'd have to recode a lot of the stuff that searches for user accounts
to handle that.

Also, the way the user account is searched for is spread throughout, and
calls to getpwent() are made as well to find it, and THAT I definitely
could not change, since it is the correct behavior.

What's actually needed is full separation of the search for users and
computers, and that's not worth it (IMHO) in 2.2.7a if 3.0alpha has it
already (I believe it does).  I'd rather contribute to 3.0alpha and help
get it out the door quicker than try to expand functionality on 2.2.7a.

Just my 2 cent's worth! :)

Best

Diego

On Sat, 2003-01-18 at 16:56, Jim wrote:
 Parameters are:
 Samba 2.2.7a PDC setup with LDAP including posix authentication for Linux.
 
 OK, the tutorial I've based my setup on is the Mandrake tutorial found 
 at http://www.mandrakesecure.net/en/docs/ldap-auth.php
 Works great for authenticating Linux from LDAP but it is really sparse 
 on the Samba side of things.  Especially when it comes to adding machine 
 trust accounts.
 
 So anyway I have some theories I would like verified.
 I've found that I can add a posix based machine name and that works fine 
 BUT it only works in ou=People.  The system cannot find a machine 
 account in ou=Computers.
 
 Seems to me that several things have occurred:
  Jan 18 14:08:42 enigma smbd[12254]: [2003/01/18 14:08:42, 0] passdb/pdb_ldap.c:pdb_getsampwnam(859)
  Jan 18 14:08:42 enigma smbd[12254]:   LDAP search (&(uid=spartack_)(objectclass=sambaAccount)) returned 0 entries.
 
 1. Search for a uid=spartack$ which also has objectclass=sambaAccount.
 
  Jan 18 14:08:42 enigma smbd[12254]: [2003/01/18 14:08:42, 0] rpc_server/srv_netlog_nt.c:get_md4pw(176)
 
 2. Get the password.
 
  Jan 18 14:08:42 enigma smbd[12254]:   get_md4pw: Workstation spartack$: no account in domain
 
 3. Can't find the account (of course, because the user has not been added
 by the 'add user script' setting in smb.conf yet).
 
  Jan 18 14:08:49 enigma smbd[12255]: [2003/01/18 14:08:49, 0] passdb/pdb_ldap.c:pdb_getsampwnam(859)
  Jan 18 14:08:49 enigma smbd[12255]:   LDAP search (&(uid=spartack_)(objectclass=sambaAccount)) returned 0 entries.
  Jan 18 14:08:50 enigma smbd[12255]: [2003/01/18 14:08:50, 0] rpc_server/srv_samr_nt.c:_api_samr_create_user(1929)
  Jan 18 14:08:50 enigma smbd[12255]:   User spartack$ does not exist in system password file (usually /etc/passwd). Cannot add account without a valid local system user.
 
 4. Try again only execute the 'add user script' first.
 
 Theoretically, it did not find one because there is no objectClass 
 sambaAccount in the entry HOWEVER, I know from previous attempts it does 
 find the posix only Computer account when it is placed in ou=People.  Is 
 there perhaps a different search performed the first time around despite 
 the log entry or is my understanding of 
 (&(uid=spartack_)(objectclass=sambaAccount)) flawed?
 
 So am I on target here?  I can solve the problem if I can understand it. :-)
 
 


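The two lookups behind the log in the quoted post, replayed on a constructed directory snapshot: smbd's `(&(uid=<host>$)(objectclass=sambaAccount))` search under the Samba LDAP suffix, and the getpwnam()-style lookup that nss_ldap performs under its own nss_base_passwd base(s), which is the call that fails with "does not exist in system password file" when the machine account lives in a branch nss_ldap does not search. This is an added example, not Samba or nss_ldap code; the LDIF entries, suffix, search bases and host names are constructed.

```python
"""Replay smbd's machine-account lookup and nss_ldap's getpwnam lookup on a
constructed LDAP snapshot.  Added example; not Samba or nss_ldap code.
Entries, bases and host names are constructed.
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

CONSTRUCTED_LDIF = """\
dn: uid=spartack$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: spartack$
uidNumber: 1001
gidNumber: 515

dn: uid=ripley$,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uid: ripley$
uidNumber: 1002
gidNumber: 515

dn: uid=jim,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uid: jim
uidNumber: 1000
gidNumber: 513
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: blank-line separated entries of `attr: value` lines."""
    entries: Dict[str, Entry] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            attrs.setdefault(attr.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def in_subtree(dn: str, base: str) -> bool:
    """True when dn is base itself or lies below it."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def matches(entry: Entry, filt: str) -> bool:
    """Evaluate an AND of equality terms, e.g. (&(uid=x)(objectclass=y))."""
    terms = re.findall(r"\(([^=()&|!]+)=([^()]*)\)", filt)
    return bool(terms) and all(
        value.lower() in (v.lower() for v in entry.get(attr.lower(), []))
        for attr, value in terms)


def search(entries: Dict[str, Entry], base: str, filt: str) -> List[str]:
    """Subtree search returning the matching DNs."""
    return [dn for dn, e in entries.items() if in_subtree(dn, base) and matches(e, filt)]


def samba_lookup(entries: Dict[str, Entry], suffix: str, host: str) -> List[str]:
    """pdb_getsampwnam's search: whole suffix, entry must carry sambaAccount."""
    return search(entries, suffix, f"(&(uid={host}$)(objectclass=sambaAccount))")


def nss_getpwnam(entries: Dict[str, Entry], nss_bases: List[str], name: str) -> List[str]:
    """nss_ldap: posixAccount lookup under each configured nss_base_passwd."""
    hits: List[str] = []
    for base in nss_bases:
        hits += search(entries, base, f"(&(uid={name})(objectclass=posixAccount))")
    return hits


def diagnose(host: str, suffix: str, nss_bases: List[str],
             ldif: str = CONSTRUCTED_LDIF) -> str:
    """Classify what smbd sees when workstation `host` tries to join."""
    entries = parse_ldif(ldif)
    if samba_lookup(entries, suffix, host):
        return "joined"              # sambaAccount present: logon proceeds
    if nss_getpwnam(entries, nss_bases, host + "$"):
        return "posix-only"          # getpwnam works; samba can add its attributes
    return "no-posix-account"        # "does not exist in system password file"
```

With nss_base_passwd limited to ou=People, spartack$ in ou=Computers comes back as "no-posix-account" even though the Samba search covers the whole suffix, which is the failure the log shows; listing ou=Computers as a second nss_base_passwd line in ldap.conf (nss_ldap accepts more than one) turns it into "posix-only", the state from which the join can complete. That is the "search for users in several locations" fix from the reply above, with the caveat given there that every extra base is another LDAP query per getpwnam().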



Re: [Samba] PAM, PDC and Winbind

2003-01-09 Thread Diego Rivera
Here are my configs for RedHat 7.2.

I also have them for Mandrake 8.2.

If you want, read them and we can later discuss portions you don't
understand.  There's a bunch of howto's out there on doing this.

Look for:

Samba+LDAP-Howto:
(Samba docs)

Winbind-Howto:
(Samba docs)

LDAP-Auth-Howto
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html
There may (likely, are) others, but this is one off the top of my head

PAM-Docs

It works like this:

1) Configure your Linux to do LDAP authentication (using nss_ldap,
pam_ldap from http://www.padl.com).  Configuration files
(/etc/ldap.conf) are enclosed.

2) Configure Samba (at compile time) to have LDAPSAM backend, to use PAM
for password synchronization, and unix password sync = yes, pam
password change = yes in smb.conf

3) Configure Samba to share the user database with the Linux user
database.  This achieves storing user information in the same LDAP
record for both Samba stuff and Linux (posix) stuff

4) Configure Samba as a PDC

5) set up the PAM module config for samba to do password changes using
all necessary modules EXCEPT the Samba modules (obviously, since samba
itself would take care of this)

6) Set up the regular password change mechanisms (non-samba) to synch
with all the necessary modules including the samba module.

7) Set up SSL certificates as necessary.

8) Gloat to your friends about your setup!  ;)

Key files to look at:

init.ldif   - Used to initialize the LDAP tree (if not already done)
etc/ldap.conf
etc/nsswitch.conf
etc/smb-{pdc,client}.conf
etc/openldap/slapd.conf
etc/pam.d/password
etc/pam.d/samba
etc/pam.d/system-auth-{pdc,client}

This is a cookie-cutter config, and I'm very interested to see if you
can succeed in using it as such.  I have done no documentation on it, so
I'm very interested in your feedback to see what needs to be fixed, or
addressed.

The end result for me has been: Only one password per user for any
service, and password changes in one environment affect all others (some
concurrency limitations from my previous post apply).

Notes on client Linux machines: Winbind requires your machine to be
joined into a domain, so it's important you understand how to do that
(smbpasswd -j), and configure Samba for clients.  A file called
smb-client.conf is included for this purpose.  Feel free to use it as
a guideline.  For PDC, a file called smb-pdc.conf is also included.

Please don't pass these around just yet, as I want to get feedback
before I post these on a website accompanied by a HOWTO.

I used:

Samba 2.2.7
OpenLDAP 2.0.25
nss_ldap-202
pam_ldap-153

Best

Diego

PS/ One detail - the PAM configurations need to be optimized to provide
full failover, and other safety precautions.  Right now, it's very
basic, but it should allow you to: change passwords directly from
windows using the Change Password command, change passwords from the
Linux PDC using passwd, change password from other linux clients using
passwd as well, and any other common password-change mechanisms from
Linux.





Re: [Samba] FW: Samba and Windows 2000 Password Authentication -Here is the Answer.

2002-12-10 Thread Diego Rivera
Comments below

On Tue, 2002-12-10 at 09:17, Gabriel Matthews wrote:
 
 This last reply has helped me figure out quite a few things, but I'm still
 getting stuck on the 'adding server to domain' part.  Here is what I am
 seeing.
 
 [root@yavin gabriel]# smbpasswd -j CT01 -r ANAKIN -U gabriel

Make sure the user 'gabriel' has NT administrator rights in samba.  What
you're doing here is in effect creating a machine account, and only
domain admins (or people with sufficient privileges) can do that.  Try
adding 'gabriel' to the list at smb.conf in the parameter 'domain admin
group' (look for it in man smb.conf for more details).  Either that,
or add a username for administrators.

Personally, I add a root user account to Samba, and create a username
map from administrator to root.

snip the rest

Best

Diego

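An smb.conf for the PDC side of this, as an added example (the configs attached to the 2003-01-09 message are not on the page, so this is not them): it combines the eight steps listed there (LDAP-backed SAM, password sync through PAM, PDC role) with the point made in the reply above that joining a machine needs domain-admin rights and an administrator-to-root mapping. Samba 2.2-era parameter names are used because that is the version the messages describe; the domain name, LDAP suffix, admin DN, Unix group name and paths are assumptions.

```ini
[global]
   workgroup = EXAMPLE
   netbios name = PDC
   security = user
   encrypt passwords = yes

   # Step 4: act as PDC for the domain
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65

   # Step 2: LDAP-backed SAM (Samba 2.2 built with --with-ldapsam).
   # The bind password for the admin dn is stored with `smbpasswd -w`,
   # not in this file.
   ldap server = ldap.example.com
   ldap port = 389
   ldap ssl = start_tls
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=Manager,dc=example,dc=com

   # Steps 2 and 5: a password change arriving from Windows is pushed
   # through the PAM service "samba", whose stack updates LDAP/shadow.
   # /etc/pam.d/samba must not contain pam_smbpass, or the change
   # re-enters Samba.
   unix password sync = yes
   pam password change = yes

   # Joining: `smbpasswd -j` creates a machine account, which only a
   # domain admin may do.  Members of the Unix group "domainadmins"
   # get that right; /etc/samba/smbusers maps "administrator" to root.
   domain admin group = @domainadmins
   username map = /etc/samba/smbusers
   add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

   # Steps 1 and 3 live outside this file: nss_ldap/pam_ldap read the
   # same tree, so getpwnam() finds every user and machine Samba knows.

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
```

The one line needed in the assumed /etc/samba/smbusers is `root = administrator admin`. Two points worth checking on a live box: `add user script` is what the 2.2 join path calls when the machine account is missing from the system password file, so the account it creates must also be visible through NSS (the ou=Computers/ou=People discussion above), and the PAM service used by `pam password change` is the one place where a pam_smbpass loop can be introduced, which is why step 5 excludes the Samba modules there.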



[Samba] Samba as PDC, and password cached??

2002-11-27 Thread Diego Rivera
Hi all,

I've run into what I believe to be a funky bug in Samba 2.2.7.  Here's
the scenario description (all Linux, all Samba 2.2.7, all same versions
of LDAP software, etc.):

Environment:  
1 Samba PDC w/LDAP backend
2 Samba Clients joined to the PDC w/valid mach. accounts, etc.

Clients are configured as follows:

- PAM auth and password changes are done using winbind through PDC
  (thus affecting SSH, login, etc.)
- account info is fetched through LDAP (getent goes through LDAP)
  (to avoid winbind non-deterministic uid assignments)

PDC Server is configured as follows:

- PAM auth is done through LDAP
- account info is fetched through LDAP (getent goes through LDAP)
- Samba syncs passwords through PAM, which in turn updates LDAP
  and /etc/shadow if applicable (pam_ldap, pam_unix)
- All non-Samba password changes change LDAP (pam_ldap), /etc/shadow
  if applicable (pam_unix) and Samba (pam_smbpass) (can't use
  pam_winbind from the same machine which is a PDC)

Here's the test Scenario:

1) All machines are up, passwords are reset (to initial, known
   and controlled values)
2) Log in to both clients as a regular user using PASSWORD-1
3) use passwd to change the password on Client-1
- Authenticate using the active password (PASSWORD-1) when
  asked to, and change to PASSWORD-2
4) use passwd to change the password on Client-2
- Authenticate using the active password (PASSWORD-2) when
  asked to, and change to PASSWORD-3 (this one takes a while,
  but is successful in the end)
5) logon to either client with PASSWORD-3 fails (this is WRONG,
   as this is the last value set for the password in the PDC)
6) logon to either client with PASSWORD-2 succeeds (this is WRONG,
   as the last password value set in the PDC is PASSWORD-3)

 BUT 

7) Do one of:

- Re-start WINBIND on both clients 
- Re-start Samba on the PDC

8) logon to either client now works with PASSWORD-3 (the correct
   behavior)

So, is WINBIND caching passwords? Maybe the Samba processed @ PDC? 
Maybe this is LDAP-related?

Anybody want to track this down?  Do you want me to produce logs?  What
settings should I use to produce logs that would be useful?

I realize this is a kind of extreme example (i.e., in the real world,
users will likely NOT be logged in to multiple machines AND changing
their passwords in this manner).

But still, we should kill bugs as they appear!

Best

Diego

PS/ The PDC/PDC-client related conf's I've come up with are pretty much
cookie-cutter by now, so I'm probably going to post them as an RPM
somewhere with instructions.  Using this, it's possible to achieve
transparent password sync between Unix (LDAP) and Samba passwords (thus
affecting Windows clients as well).  I'll keep interested parties posted
on this.




[Samba] Re: Samba as PDC, and password cached??

2002-11-27 Thread Diego Rivera
Sorry to self reply, but I omitted an important detail: winbind cache
time is configured to be 0.  Thus, I think the caching must likely be
happening in the smbd side.  BTW: If you're interested, you can visit
http://briefcase.yahoo.com/ldrivera in the My Documents folder you
should find two files whose names are kinda-self explanatory: one for RH
7.2, one for Mandrake 8.2.

These files contain all the configs I use to achieve password sync.  An
explanatory document is there as well (README), so give that a read as
well.

Best

Diego


On Wed, 2002-11-27 at 13:31, Diego Rivera wrote:
 Hi all,
 
 I've run into what I believe to be a funky bug in Samba 2.2.7.  Here's
 the scenario description (all Linux, all Samba 2.2.7, all same versions
 of LDAP software, etc.):
 
 Environment:  
 1 Samba PDC w/LDAP backend
 2 Samba Clients joined to the PDC w/valid mach. accounts, etc.
 
 Clients are configured as follows:
 
 - PAM auth and password changes are done using winbind through PDC
   (thus affecting SSH, login, etc.)
 - account info is fetched through LDAP (getent goes through LDAP)
   (to avoid winbind non-deterministic uid assignments)
 
 PDC Server is configured as follows:
 
 - PAM auth is done through LDAP
 - account info is fetched through LDAP (getent goes through LDAP)
 - Samba syncs passwords through PAM, which in turn updates LDAP
   and /etc/shadow if applicable (pam_ldap, pam_unix)
 - All non-Samba password changes change LDAP (pam_ldap), /etc/shadow
   if applicable (pam_unix) and Samba (pam_smbpass) (can't use
   pam_winbind from the same machine which is a PDC)
 
 Here's the test Scenario:
 
 1) All machines are up, passwords are reset (to initial, known
and controlled values)
 2) Log in to both clients as a regular user using PASSWORD-1
 3) use passwd to change the password on Client-1
   - Authenticate using the active password (PASSWORD-1) when
   asked to, and change to PASSWORD-2
 4) use passwd to change the password on Client-2
   - Authenticate using the active password (PASSWORD-2) when
   asked to, and change to PASSWORD-3 (this one takes a while,
   but is successful in the end)
 5) logon to either client with PASSWORD-3 fails (this is WRONG,
as this is the last value set for the password in the PDC)
 6) logon to either client with PASSWORD-2 succeeds (this is WRONG,
as the last password value set in the PDC is PASSWORD-3)
 
  BUT 
 
 7) Do one of:
 
 - Re-start WINBIND on both clients 
 - Re-start Samba on the PDC
 
 8) logon to either client now works with PASSWORD-3 (the correct
behavior)
 
 So, is WINBIND caching passwords? Maybe the Samba processed @ PDC? 
 Maybe this is LDAP-related?
 
 Anybody want to track this down?  Do you want me to produce logs?  What
 settings should I use to produce logs that would be useful?
 
 I realize this is a kind of extreme example (i.e., in the real world,
 users will likely NOT be logged in to multiple machines AND changing
 their passwords in this manner).
 
 But still, we should kill bugs as they appear!
 
 Best
 
 Diego
 
 PS/ The PDC/PDC-client related conf's I've come up with are pretty much
 cookie-cutter by now, so I'm probably going to post them as an RPM
 somewhere with instructions.  Using this, it's possible to achieve
 transparent password sync between Unix (LDAP) and Samba passwords (thus
 affecting Windows clients as well).  I'll keep interested parties posted
 on this.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



[Samba] Dropped connections with Win98

2002-11-25 Thread Diego Rivera
Hi all.

I have recently installed a Samba-2.2.7 as a PDC with LDAP backend.  All
works as expected, with three exceptions:

1) Sometimes, the Win98/ME clients drop connections to the server
(persistent mapped shares cease to work).  This happens when the
computer has been left idle for a few minutes.  the deadtime parameter
is NOT set (i.e., it's at its default of 0, to disable the idle
connection closing by samba).

2) Printing is slow - it takes a while for a print job that has been
submitted to actually be produced (using CUPS as the printing mechanism,
the printer is connected to the PDC).  No real clue on this one, maybe
changing printing systems?  Maybe this is just normal behavior?

3) Sometimes, saving documents is slow (I'm guessing this is related to
#1).

I remember the dropped connections had something to do with LDAP timing
out the connections, thus killing the SMB process, but the idletimeout
setting in OpenLDAP is set to 0, which disables connection timeouts.

Anybody care to comment?

Best

Diego




[Samba] Possible PDC security hole re/machine accounts

2002-11-24 Thread Diego Rivera
Hey all!

I was fiddling with some LDAP stuff for fun's sake, and I ran into this
strange situation.  The situation occurred with both my stock Samba and
my modifications applied.

I had a Win2000 Advanced Server machine already joined into the domain
and working perfectly with PDC logons through the Samba server (v2.2.7,
LDAP-SAM backend, OpenLDAP 2.0.25).

While testing if the searches were being done as my new code specified,
I explicitly removed the machine account for the W2K server expecting
future logons to fail due to a missing/invalid machine account.  I would
then add the entry back to test if my code was finding stuff where it
needed to be found.

The strange thing is that even after the machine account was gone (and
the samba processes had been restarted multiple times), I was still able
to log in through the domain into that machine (W2K) - apparently
through the PDC as I was able to access shares on other machines that
should only be available to domain members.  I rebooted the computer
(W2K) just in case, and restarted samba in the process and I was still
able to log in.

Just in case, I changed back to stock LDAP Samba (in case it was a bug
in my code), and the behavior was still the same.

This seems to me like a HUGE PDC security hole, unless I'm
misinterpreting the way PDC machine accounts are handled, and what's
supposed to happen when a machine account is removed.

It's my understanding that no NT-class machine (NT,2K,XP) can utilize
resources within a PDC-protected domain if they haven't been joined into
it and have a valid machine account in the PDC.  If this is the case,
then this is clearly a BIG hole that needs to be plugged ASAP.

Anybody care to comment? Am I way out of whack here? Do I need to quit
programming and try my luck as a janitor? ;)

Best

Diego

PS/ The mods I was working on are adding add machine script and ldap
machine suffix functionality to Samba, to allow for better handling of
machine accounts from an admin level.




[Samba] Samba, LDAP, PDC and adding users

2002-11-23 Thread Diego Rivera
Hi all!

I've had a lot of success setting up Samba PDC's using the LDAP-SAM
backend, and got password sync working between Unix (LDAP) passwords and
Samba passwords.

I can also have other Linux boxes use Winbind to auth vs. the PDC and
thus achieve the same password sync functionality (i.e., Samba changes
both PAM and Samba passwords, as well as checking them).  Naturally,
this also works for Windows machines (i.e., user changes his windows
password and his Unix password is likewise synched).

This all works fine, but I have a couple of questions regarding stuff
I've seen around here, but have not seen in stable versions yet:

1) I remember seeing something like add machine script similar to the
add user script - or a mention to it - to allow separate mechanics for
Machine account adding and User account adding.  How hard does anybody
think it would be to add this config file parameter and the
corresponding implementation?  Would it be worth it seeing as this is
likely to be included in 3.0?

2) Is it currently possible to have Samba check for machine accounts
under a different LDAP branch than user accounts?  This would ease admin
and maintenance of the machine account set, for obvious reasons.  Is
this planned for 3.0?  How hard does anybody think it would be to add
two config parameters: ldap user suffix and ldap machine suffix to
allow Samba to do this?  Again - is this worth it seeing as this could
be postponed to 3.0?

3) Are there any plans for calculating the user/machine SID based on the
Unix uid?  i.e., so that when Winbind gets the user list from a PDC, it
can use PDC-provided Userid's (eliminating the first-come first-served
UID assignment currently being used)?

I'd like to contribute to these - but I need a couple of pointers:

1) Where do I find the implementation of the call to add user script
and the corresponding reading of the config value?

2) Where do I find the implementation of the LDAP code which uses ldap
suffix, and the code which finds user/machine accounts in LDAP?

3) Any additional advice/tips?

Best

Diego




Re: [Samba] PDC and BDC

2002-10-30 Thread Diego Rivera
You can achieve this using LDAP as a samba and unix password backend.

I've done this and it works quite nicely

Best

Diego

On Wed, 2002-10-30 at 11:46, Gurnish Anand wrote:
 Hello,
   How can I make two linux servers sync passwords. Is it something I do 
 with Samba?? I want both the unix accounts and samba accounts to be sync'ed.
 
 Please help!!
 
 Thanks,
 
 Gurnish
 





Re: [Samba] Use of pam_smbpass

2002-10-24 Thread Diego Rivera
Hi,

The way it works is something like this:

PAM uses either a global configuration file which specifies the module
configuration for each service (i.e., httpd, samba, login, xauth, pop,
imap, etc...the OLD way), or individual files within a directory - one
per service.  The directory is usually /etc/pam.d.  This is the new and
preferred (by me, at least! :) ) way of doing PAM configurations.

You would use pam_smbpass wherever needed to allow particular services
to sync /etc/shadow with samba passwords as needed. See the
configuration examples below to get an idea.  Also, you would activate
the pam password change and unix password sync options in smb.conf. 
You would also add a configuration file for the service samba, such
that Samba knows what passwords to sync with its own (thanks to the
aforementioned parameters).

My setup is as follows:

- All PAM service configurations (exception noted below) use
pam_stack.so to forward operation to the passwd service (i.e., when
the httpd service requests a password change, the request is actually
done using the configuration for the passwd service).

- Only the passwd service configuration has the actual rules for
changing passwords (i.e, change it in ldap, samba, shadow, etc.).  I use
only ldap, not shadow, but I list them both here to illustrate.

- The only other module that has password configuration is (you guessed
it!) the samba module.  Its configuration excludes the config for
pam_smbpass, since Samba already does that for us - we just need to
cover the areas Samba doesn't cover by itself (i.e., ldap and shadow,
for example).

Here's an example with three config files (irrelevant areas omitted for
brevity):

/etc/pam.d/httpd
==
auth ...
account ...
session ...
# This next line causes the service config to include the 
# config from the passwd service and execute it as part of its own
# (the management group is "password", not "passwd")
password required /lib/security/pam_stack.so service=passwd
==

/etc/pam.d/passwd
==
auth ...
account ...
session ...
# enforce strong passwords
password required pam_cracklib.so .
# change the LDAP password
password required pam_ldap.so ...
# change the /etc/shadow password
password required pam_unix.so ...
# change the Samba password
password required pam_smbpass.so ...
# Add others as needed
password ...
==

/etc/pam.d/samba
==
auth ...
account ...
session ...
# change the LDAP password
password required pam_ldap.so ...
# change the /etc/shadow password
password required pam_unix.so ...
# Add others as needed
password required ...
# Note the absence of pam_smbpass.so!!!  Samba already does this
==

This causes the following (note that all other PAM services use
pam_stack in the same fashion as the first config file, this avoids
having to configure password changes all over the place):

- When any service executes a password change outside Samba, the samba
password will be updated with the new value, along with all the other
named services like LDAP, Shadow, etc.  This is the case for any and all
services which do NOT rely on Samba for password maintenance (like, for
example, the /usr/bin/passwd program).

- When any service executes a password change THROUGH Samba, all the
*other* password repositories will also be kept in sync (thanks to the
third PAM configuration file and the smb.conf parameters I mentioned
before).  This is the case if your Samba box is doing password
maintenance, and a Samba client requests a password change going through
Samba.

I hope this is specific enough to help you find your answer.  I would
refer you to the PAM Admin documentation for more details on PAM
operation (it's quite simple, really), and also to the Samba docs
pertaining to PAM operation.  If you're going to be messing with stuff
like this, you should read as much of both docs as you can - I did and
it paid off in the end!

Best

Diego Rivera
Nomadic Solutions
Taking Linux to the Next Level
Cell: (506) 393-0772
E-mail: [EMAIL PROTECTED]


On Thu, 2002-10-24 at 20:39, fred pasteck wrote:
 Hi all.
 
 I've spent the last several days trying to get
 pam_smbpass working on my RH62 box with samba-2.2.x
 unsuccessfully, and hoped someone could help.
 
 I've tried versions 2.2.2 and 2.2.6, but I suspect
 it's perhaps a misunderstanding of what exactly
 pam_smbpass is used for.
 
 There are a few things I'm trying to do:
 
 - sync /etc/shadow with /etc/samba/smbpasswd
 - sync /etc/samba/smbpasswd with /etc/shadow
 
 So, if someone uses passwd to change their password it
 will automatically also update the samba password. If
 a windows user changes their password, it should also
 update /etc/shadow. Is this correct?
 
 There are several examples in the sample/ directory
 included with the samba source, but it is unclear
 where these files actually go. I'm not terribly
 familiar with PAM.
 
 Can someone forward me their working copies of the PAM
 config files that apply
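The layout described in the reply above, as an added check (example code, not part of the original post or of Samba itself): a small POSIX sh linter that verifies a pam.d directory follows it. It assumes the service file names passwd and samba and the pam_stack.so service=passwd delegation shown above, and runs on constructed sample files rather than a real /etc/pam.d.

```shell
#!/bin/sh
# Added example (not Samba project code): lint a pam.d directory against the
# layout described above. Assumptions: "passwd" owns the real password rules,
# "samba" must NOT load pam_smbpass.so, all others delegate via pam_stack.so.

# Module file names on the "password" lines of one service file; comments,
# blank lines and the control-flag column are skipped.
password_modules() {
    sed 's/#.*//' "$1" | awk '$1 == "password" && NF >= 3 { n = split($3, p, "/"); print p[n] }'
}

# check_pam_layout DIR: returns 0 if DIR matches the layout, 1 plus a report if not.
check_pam_layout() {
    dir=$1; rc=0
    # passwd(1) and every delegating service must reach Samba via pam_smbpass
    password_modules "$dir/passwd" | grep -qx pam_smbpass.so ||
        { echo "passwd: no pam_smbpass.so, non-Samba changes will not reach Samba"; rc=1; }
    # Samba writes its own database, so a second write through pam_smbpass is wrong
    ! password_modules "$dir/samba" | grep -qx pam_smbpass.so ||
        { echo "samba: pam_smbpass.so present, Samba would update its password twice"; rc=1; }
    for f in "$dir"/*; do
        svc=$(basename "$f")
        case "$svc" in passwd|samba) continue ;; esac
        mods=$(password_modules "$f" | tr '\n' ' ')
        args=$(sed 's/#.*//' "$f" | awk '$1 == "password" { print $4 }')
        [ "$mods" = "pam_stack.so " ] && [ "$args" = "service=passwd" ] ||
            { echo "$svc: password stack must be exactly pam_stack.so service=passwd"; rc=1; }
    done
    return $rc
}

# Constructed sample files (not from any real host) mirroring the three configs above.
make_sample_pamd() {
    mkdir -p "$1"
    echo 'password required /lib/security/pam_stack.so service=passwd' > "$1/httpd"
    printf '%s\n' 'password required pam_cracklib.so retry=3' \
        'password required pam_ldap.so use_authtok' \
        'password required pam_unix.so use_authtok' \
        'password required pam_smbpass.so use_authtok' > "$1/passwd"
    printf '%s\n' 'password required pam_ldap.so use_authtok' \
        'password required pam_unix.so use_authtok' > "$1/samba"
}

tmp=$(mktemp -d)
make_sample_pamd "$tmp/pam.d"
check_pam_layout "$tmp/pam.d" && echo "pam.d layout OK"
# Common mistake: pam_smbpass.so also listed for the samba service
echo 'password required pam_smbpass.so use_authtok' >> "$tmp/pam.d/samba"
check_pam_layout "$tmp/pam.d" || echo "broken layout detected"
rm -rf "$tmp"
```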

[Samba] Wishlist for libsmbclient.so

2002-10-22 Thread Diego Rivera
I saw the header for libsmbclient.so, and it looks pretty basic - file
access, print job access, share access, but no password modification.

Is there a chance this will be modularized into the library in the
future?

i.e.: add this call to the library:


int smbc_change_passwd( char* un, char* wg, char* oldpw, char* newpw );

Or at least something with a callback a-la smbc_init()?

This would facilitate the pam_smbpass module to do remote password
updates and authentication, looking for a semi-single-sign-on solution.

Currently, I can do this and keep unix and smb passwords (mostly) in
sync and authenticate through a centralized server.  However there are
some limitations which could be addressed by this such as doing all
passwords on Samba.  This of course is NOT preferable to Kerberos, but
since no production Samba can do Kerberos V yet, I see few other
options.

Best

Diego




[Samba] Samba NSS_LDAP

2002-10-16 Thread Diego Rivera

Hi all!

A while ago I caught a discussion re Samba and LDAP SAM backend, with
OpenLDAP and nss_ldap.

It seems that the reason the smbd process keeps crashing (and thus
losing connections) has something to do with the fact that the LDAP
standard allows connections to be unilaterally closed by the directory
server, and this was causing Samba to crash.

Again - this is my hazy recollection of the thread.

I'm seeing this behavior in my setup (Samba LDAP-based PDC).  Is my
summary above (mostly) correct? Is there a fix for this?  Is it included
as part of 2.2.6 or is it a problem with OpenLDAP/nss_ldap?

We plan to do a rather large Samba install soon, and I'd like to know in
advance if I'm going to have to handle the Samba PDC account storage
differently.

Best

Diego




[Samba] Off-topic tcpdump/samba

2002-10-06 Thread Diego Rivera

Hello all

I've been doing some TCP dumps of Samba among other things, to try to
fish out a slight communications glitch that I suspect has to do with a
bad IP stack on an older machine, and I'm wondering if any of you could
help make my life a bit easier:

When doing the dump, I used the '-C' flag which causes capture files to
be rotated when they reach a certain size.  I made the mistake of making
this size too small, and now need to recombine all those files so I can
avoid having to analyze file upon file of dump data separately.  Using
cat did NOT work, as analysis would never go beyond the equivalent of
the first dump file.

Any advice would be greatly appreciated.

Another question:  I have set up SSL to work for Samba clients, have 2
clients plus Samba PDC all using the same CA, all have their certs
signed by this CA, and a local copy of the CA cert (NOT the private key)
and all have the required parameters set, BUT: the clients can only talk
to the PDC, not each other!!  Do I need to publish the CA's private key
to the client machines to make this happen (hope NOT!!), or what am I
missing?

Best

Diego
