Re: [Samba] Feedback to getting to samba 4 blog

2010-01-15 Thread Guillaume Rousse

On 14/01/2010 15:07, Andreas Moroder wrote:

Hello,

I did not find a way to put my opinion on the blog so I answer here. I
hope this is ok.

We (a public hospital) are one of the few that have no AD, because I
wanted to wait until samba has this functionality.
Every solution that gives us the stability of samba and also AD is ok for
us, but please this year, otherwise I will be forced to start with MS AD.
You can use AD, while still delegating authentication to a unix-based
kerberos realm. And use samba for print and file services.


--
BOFH excuse #357:

I'd love to help you -- it's just that the Boss won't let me near the 
computer.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] strange issue with xerox printer: unable to configure driver

2010-01-06 Thread Guillaume Rousse

On 23/12/2009 18:23, Ryan Suarez wrote:

Hi,

Still working this out with the vendor.

Could you guys try this driver with the Xerox 7xxx model and let me know
if it plays nicer with samba?

http://www.support.xerox.com/go/getfile.asp?Xlang=fr_FR&XCntry=FRA&objid=55425&EULA=1&prodID=WC7228_WC7235_WC7245&Family=WorkCentre&ripId=&langs=English%20(US)&plats=Windows%20XP&Xtype=download&uType=



Their thought is the device mode issue which we're all familiar with:
"Be aware that a valid device mode can only be initiated by a _printer
admin_
<http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html>
or root (the reason should be obvious). Device modes can be correctly
set only by executing the printer driver program itself. Since Samba
cannot execute this Win32 platform driver code, it sets this field
initially to NULL (which is not a valid setting for clients to use).
Fortunately, most drivers automatically generate the printer driver data
that is needed when they are uploaded to the [print$] share with the
help of the APW or rpcclient."

I just tried.

I can assign any driver, and correctly set default printing properties
(which I can't with the current driver). However, I can't print. I guess
this is because my specific printer model (7435) is not supported by
this old driver version: it's not listed, and I tried all included
models without success.


So far, I've got the choice between a printing-but-not-configurable 
driver, and a non-printing-but-configurable one :)

--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62


[Samba] strange issue with xerox printer: unable to configure driver

2009-11-27 Thread Guillaume Rousse

Hello list.

I've a strange issue with a samba 3.4.3 print server. Everything is fine 
with most printers, meaning drivers are assigned on server side and 
automatically distributed to the clients as expected. However, I fail to 
configure a Xerox document center 7435 the same way.


When I attempt to assign a driver to the printer, from a windows client
with admin privileges, I get an 'unexpected error occurred in the print
driver, close this window and retry' error message, twice. More
precisely, I can see the initial renaming of the printer according to the
driver name, then the error occurs, then the printer gets renamed to ''
(which is a bit painful :P)


I previously had a slightly different model (document center pro c2636) 
which was working fine. The other working printers are not xerox ones.


The driver is OK: it works fine when accessing the printer directly, and 
also when used from a windows print server. Also, I tried other variants 
(such as PCL driver instead of PS one), without success.


When configuring the same printer from a Windows system, I had to
configure it with a raw socket connection, because the IPP connection didn't
allow me to share it at all, and a CIFS connection to the print queue
caused me some trouble (the printer didn't appear in the 'fax and
printers list' of the server from remote hosts).


The underlying printing system, cups, works perfectly. I've tried to
switch from IPP to raw socket connection, because of the behaviour
changes found with windows server, but it didn't change anything.


I performed a network capture both on server and client side while 
triggering the error. The result is available as:

http://www.zarb.org/~guillomovitch/server.pcap
http://www.zarb.org/~guillomovitch/client.pcap

I can see some suspicious messages such as:
WINREG  OpenKey response, Error: WERR_BADFILE
SPOOLSS GetPrinterData response, PrintProcCaps_NT EMF 1.008, File not found (pathname error)

SPOOLSS SetPrinterDataEx response, Access denied

But nothing really useful.

I'm attaching my samba configuration file. I'm using mandriva 2009.0 as
server, and windows XP enterprise as client.


Any hint appreciated.
--
BOFH excuse #198:

Post-it Note Sludge leaked into the monitor.

# cfengine-distributed file
# any local change will get lost
# $Id: smb.conf 7619 2009-11-27 14:00:18Z rousse $
# vim:et:sw=4

#=== Global Settings =
[global]

# 1. Server Naming Options:
# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MSR-INRIA
   realm = MSR-INRIA.IDF

# netbios name is the name you will see in "Network Neighbourhood",
# but defaults to your hostname
#  netbios name = 

# server string is the equivalent of the NT Description field
   server string = Etoile

# Message command is run by samba when a "popup" message is sent to it.
# The example below is for use with LinPopUp:
; message command = /usr/bin/linpopup "%f" "%m" %s; rm %s

# 2. Printing Options:
# CHANGES TO ENABLE PRINTING ON ALL CUPS PRINTERS IN THE NETWORK
# (as cups is now used in linux-mandrake 7.2 by default)
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = cups
   load printers = yes

# printcap cache time, so samba will automatically load new cups printers
   printcap cache time = 60

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx, cups
   printing = cups

# Samba 2.2 supports the Windows NT-style point-and-print feature. To
# use this, you need to be able to upload print drivers to the samba
# server. The printer admins (or root) may install drivers onto samba.
# Note that this feature uses the print$ share, so you will need to 
# enable it below.
# Printer admins are now defined by granting the SePrintOperatorPrivilege, ie:
# run: net rpc rights grant 'DOMAIN\Printer Operators' SePrintOperatorPrivilege

# 3. Logging Options:
# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/%m.log

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Set the log (verbosity) level (0 <= log level <= 10)
# log level = 3

# 4. Security and Domain Membership Options:
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page. Do not enable this if (tcp/ip) name resolution does
# not work for all the hosts in your network.
#   hosts allow = 192.168.1. 192.168.2. 127.

# guest access
  map to guest = bad user
  guest account = nobody

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = ads
# Use pass

Re: [Samba] desactivating NTLM fallback when accessing a share and kerberos auth fails

2009-02-12 Thread Guillaume Rousse

Volker Lendecke wrote:

On Thu, Feb 12, 2009 at 09:49:01AM +0100, Guillaume Rousse wrote:

Is there any way to either:
- perform some kind of name canonicalization, either on client or server 
side ?


Set the correct service principal names in your DC.

Many thanks, it worked.

And I also made large progress in understanding the behavior of kerberos
under windows now. For instance, the client always tries first the local
KDC (the one serving the kerberos realm matching its DNS domain), even
if addressing a service in another realm, and the Windows KDC only if the
first one didn't provide a referral...


--
BOFH excuse #54:

Evil dogs hypnotised the night shift


Re: [Samba] desactivating NTLM fallback when accessing a share and kerberos auth fails

2009-02-12 Thread Guillaume Rousse

Volker Lendecke wrote:

On Wed, Feb 11, 2009 at 05:10:02PM +0100, Guillaume Rousse wrote:

Guillaume Rousse wrote:
For members of the domain, though, the client first attempts a kerberos
auth, which fails, as he is not using the print server FQDN, and doesn't
perform host name canonicalization.
Actually, from reading the logs, this is false: samba doesn't even
attempt to perform a kerberos auth when a share is accessed through a
non-FQDN name, but directly attempts NTLM:


[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
  check_spnego_blob_complete: needed_len = 180, pblob->length = 180
[2009/02/11 16:59:46,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
[2009/02/11 16:59:46,  5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
  auth_context challenge set by NTLMSSP callback (NTLM2)


Look at the sniff. Your KDC sends a PRINCIPAL_UNKNOWN when
the client asks for the ticket with the wrong servername.
The client then falls back to ntlmssp.

OK, so my initial assumption was not totally erroneous :)

Is there any way to either:
- perform some kind of name canonicalization, either on client or server 
side ?
- deactivate any kind of authentication but kerberos, either for this
share, or globally ?

--
BOFH excuse #417:

Computer room being moved.  Our systems are down for the weekend.


Re: [Samba] desactivating NTLM fallback when accessing a share and kerberos auth fails

2009-02-11 Thread Guillaume Rousse

Guillaume Rousse wrote:
For members of the domain, though, the client first attempts a kerberos
auth, which fails, as he is not using the print server FQDN, and doesn't
perform host name canonicalization.
Actually, from reading the logs, this is false: samba doesn't even
attempt to perform a kerberos auth when a share is accessed through a
non-FQDN name, but directly attempts NTLM:


[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
  check_spnego_blob_complete: needed_len = 180, pblob->length = 180
[2009/02/11 16:59:46,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
[2009/02/11 16:59:46,  5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
  auth_context challenge set by NTLMSSP callback (NTLM2)

When using a FQDN, this becomes:

[2009/02/11 16:57:33,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:57:33,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:57:33, 10] smbd/password.c:register_initial_vuid(194)
  register_initial_vuid: allocated vuid = 114
[2009/02/11 16:57:33, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
  check_spnego_blob_complete: needed_len = 1365, pblob->length = 1365
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2009/02/11 16:57:33,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 1299
[2009/02/11 16:57:33, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(273)


Can someone enlighten me about this behaviour difference ?
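A small classifier for this kind of smbd debug output, added here as an example and not part of the original messages or of Samba: it groups the lines by session setup, records which SPNEGO mechanisms the client offered (the three OIDs above are MS KRB5, KRB5 and NTLMSSP) and whether the session ended in ntlmssp_server_auth or in Kerberos ticket verification, so an administrator can count how many clients silently fall back to NTLM instead of reading each capture by hand. The sample log is reconstructed from the lines quoted above; treating reply_spnego_kerberos as a second Kerberos marker is an assumption.

```python
import re
from dataclasses import dataclass, field

# SPNEGO mechanism OIDs exactly as smbd prints them in parse_spnego_mechanisms.
SPNEGO_MECHS = {
    "1 2 840 48018 1 2 2": "MS KRB5",
    "1 2 840 113554 1 2 2": "KRB5",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
OID_RE = re.compile(r"parse_spnego_mechanisms: Got OID (.+?)\s*$")
NTLM_RE = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
# Functions whose appearance means the Kerberos path was taken
# (reply_spnego_kerberos is assumed here as a second marker).
KERBEROS_MARKERS = ("ads_secrets_verify_ticket", "reply_spnego_kerberos")


@dataclass
class SessionSetup:
    timestamp: str
    offered: list = field(default_factory=list)  # mechanisms the client offered
    mechanism: str = "unknown"                   # what was actually used
    user: str = ""
    domain: str = ""
    workstation: str = ""


def parse_sessions(log_text):
    """Group smbd debug lines into SPNEGO session setups and classify each."""
    sessions = []
    current = None
    last_ts = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        # The Kerberos marker sits in the header line itself, so test it first.
        if current is not None and any(k in line for k in KERBEROS_MARKERS):
            current.mechanism = "Kerberos"
        m = HEADER_RE.match(line)
        if m:
            last_ts = m.group(1)
            continue
        if line.startswith("Doing spnego session setup"):
            current = SessionSetup(timestamp=last_ts)
            sessions.append(current)
            continue
        if current is None:
            continue
        m = OID_RE.search(line)
        if m:
            current.offered.append(SPNEGO_MECHS.get(m.group(1), m.group(1)))
            continue
        m = NTLM_RE.search(line)
        if m:
            current.mechanism = "NTLMSSP"
            current.user, current.domain, current.workstation = m.groups()
    return sessions


def ntlm_fallbacks(sessions):
    """Sessions that ended on NTLMSSP: candidates for an SPN or DNS-name problem."""
    return [s for s in sessions if s.mechanism == "NTLMSSP"]


# Constructed sample, rebuilt from the two session setups quoted in the thread.
SAMPLE_LOG = """\
[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
  check_spnego_blob_complete: needed_len = 180, pblob->length = 180
[2009/02/11 16:59:46,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
[2009/02/11 16:59:46,  5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
  auth_context challenge set by NTLMSSP callback (NTLM2)
[2009/02/11 16:57:33,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:57:33, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
  check_spnego_blob_complete: needed_len = 1365, pblob->length = 1365
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2009/02/11 16:57:33,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 1299
[2009/02/11 16:57:33, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(273)
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s.timestamp, s.mechanism, s.offered, s.user or "-", s.workstation or "-")
```

Run against a level 10 smbd log, the NTLMSSP entries carry the workstation and domain name, which is what you need to find the clients that reach the server through a name with no matching service principal.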


[Samba] desactivating NTLM fallback when accessing a share and kerberos auth fails

2009-02-11 Thread Guillaume Rousse

Hello.

I have a print server member of an AD domain, and my users are
authenticated through an external kerberos domain. My samba server FQDN
is 'etoile.msr-inria.inria.fr', and has 'cups.msr-inria.inria.fr' as DNS
alias.


For foreign visitors, everything works fine: when attempting to reach
\\cups, samba immediately detects from the given credentials that the user comes
from an unknown domain, and immediately gives him guest access. That's
the desirable behaviour.


For members of the domain, though, the client first attempts a kerberos
auth, which fails, as he is not using the print server FQDN, and doesn't
perform host name canonicalization. It then attempts NTLM auth as
fallback, which can't succeed either, as the user doesn't have a valid
password in the domain (he's using an external auth service). When this
fails, he is then allowed to access the service as guest, but that's a
bit ugly and counter-intuitive :( On the other hand, if he tries to
access \\etoile.msr-inria.inria.fr instead, kerberos auth works, and the
user can access the service with his own credentials.


I'd like to avoid giving different usage information to visitors and
members, and I'd also like everyone to access the service through the
CNAME, so as to be able to migrate it freely. Is there a way to achieve
this with the current settings ?


As I'm not really interested in authentication here, except for admins
to change print drivers, I'm thinking of moving from the 'ads' security
model to the simplest 'share' one, and using a local samba-specific password
database for admins. Currently, I didn't find any advantage in making
the print server a member of the domain.


I'm using samba 3.2.9 on Linux, and here is the relevant part of my
configuration:

[global]
   workgroup = MSR-INRIA
   realm = MSR-INRIA.IDF
   use kerberos keytab = yes
   server string = Etoile
   printcap name = cups
   load printers = yes
   printcap cache time = 60
   printing = cups
   log file = /var/log/samba/%m.log
   max log size = 50
   log level = 3
   map to guest = bad user
   guest account = nobody
   security = ads
   encrypt passwords = yes
   username map = /etc/samba/smbusers
   local master = no
   domain master = no
   preferred master = no
   dns proxy = yes
   wins support = no
   wins proxy = no
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = yes
   guest ok = yes
   writable = no
   printable = yes
   create mode = 0700
   print command = lpr-cups -P %p -o raw %s -r
   use client driver = no
[print$]
   comment = Print drivers
   path = /var/lib/samba/printers
   browseable = yes
   write list = root
   guest ok = yes

--
BOFH excuse #449:

greenpeace free'd the mallocs
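An added audit of a configuration like the one above, written for this page and not taken from the original message or from Samba: it reads the smb.conf fragment and reports every path by which a session that cannot authenticate still reaches a share, which is exactly the guest fallback described for domain members. The parser is a minimal one written for the example (sections of key = value lines, # and ; comments); the meaning given for each `map to guest` value follows the smb.conf man page, and the sample configuration is a trimmed copy of the fragment posted above.

```python
import re

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
YES = {"yes", "true", "1"}
# Meaning of the 'map to guest' values, per the smb.conf man page.
MAP_TO_GUEST = {
    "never": None,
    "bad user": "session setups with an unknown username",
    "bad password": "unknown usernames and wrong passwords",
    "bad uid": "valid logins that have no unix uid",
}


def parse_smb_conf(text):
    """Minimal smb.conf reader (written for this example): sections of
    'key = value' lines, '#' and ';' comment lines, keys lowercased."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def is_yes(value, default=False):
    return default if value is None else value.strip().lower() in YES


def share_is_writable(share):
    """'writable', 'writeable' and 'write ok' are synonyms and the inverse of
    'read only'; a share is read only unless told otherwise."""
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return is_yes(share[key])
    if "read only" in share:
        return not is_yes(share["read only"], default=True)
    return False


def audit_guest_access(conf):
    """Return (section, finding) pairs describing unauthenticated reachability."""
    findings = []
    g = conf.get("global", {})
    mode = g.get("map to guest", "never").lower()
    what = MAP_TO_GUEST.get(mode, f"unrecognised value '{mode}'")
    if what is not None:
        guest = g.get("guest account", "nobody")
        findings.append(("global", f"map to guest = {mode}: {what} are mapped to "
                                   f"the guest account '{guest}'"))
    for name, share in conf.items():
        if name == "global":
            continue
        # 'public' is the documented synonym of 'guest ok'.
        if not is_yes(share.get("guest ok", share.get("public"))):
            continue
        access = "writable" if share_is_writable(share) else "read-only"
        extra = f"; write list = {share['write list']}" if "write list" in share else ""
        findings.append((name, f"guest ok = yes: {access} access without valid credentials{extra}"))
    return findings


# Constructed sample: a trimmed copy of the configuration posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MSR-INRIA
   realm = MSR-INRIA.IDF
   security = ads
   map to guest = bad user
   guest account = nobody
   load printers = yes
   printing = cups
[printers]
   comment = All Printers
   path = /var/spool/samba
   guest ok = yes
   writable = no
   printable = yes
[print$]
   comment = Print drivers
   path = /var/lib/samba/printers
   write list = root
   guest ok = yes
"""

if __name__ == "__main__":
    for section, finding in audit_guest_access(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {finding}")
```

With `map to guest = never` the global finding disappears but the two guest shares remain listed, which separates the two decisions an administrator has to make: whether failed logins become guests at all, and which shares a guest may then reach.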


[Samba] samba, ADS and privileges management

2009-01-27 Thread Guillaume Rousse

I also tried to set explicit privileges, without success:
[r...@etoile samba]# net -w MSR-INRIA.IDF -U Administrateur rpc rights grant 'MSR-INRIA.IDF\rousse' SePrintOperatorPrivilege
Password:
Failed to grant privileges for MSR-INRIA.IDF\rousse (NT_STATUS_ACCESS_DENIED)


Enumerating existing privileges seems to imply my domain admins group 
only has SeMachineAccountPrivilege currently:
[r...@etoile samba]# net -w MSR-INRIA.IDF -U Administrateur rpc rights list accounts

Password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

S-1-5-21-2709371413-4020681702-788637496-5012
SeMachineAccountPrivilege

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

Any help appreciated here to understand what I'm doing wrong. BTW, I'm
using samba-3.0.28a on a linux platform. I may eventually consider
upgrading if needed.


[1] I'm using a localized Win 2003 AD server, hence the french names
[2] I'm authenticating Windows users using a heimdal server, hence the
presence of both MSR-INRIA.INRIA.FR\rousse and MSR-INRIA.IDF\rousse entries.

--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Ile de France
Tel: 01 69 35 69 62
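An added helper for reviewing output like the listing above, not part of the original message or of Samba: it parses what `net rpc rights list accounts` prints into a map of account to privileges, answers "who may install print drivers" (the SePrintOperatorPrivilege that the smb.conf comment earlier in this archive refers to), and flags two things worth a second look when following least privilege: broad principals such as Everyone holding any privilege, and an unresolved SID holding one, as in the listing where only a raw SID carries SeMachineAccountPrivilege. The sample output is a constructed copy of the listing above; the list of broad principals is this example's own choice.

```python
import re

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
# Principals that should not carry server privileges (chosen for this example).
BROAD_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}


def parse_rights_list(text):
    """Parse 'net rpc rights list accounts' output into {account: [privileges]}.
    Blocks are separated by blank lines: an account line, then one privilege
    per line or the phrase 'No privileges assigned'."""
    rights = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        account, privs = lines[0], lines[1:]
        rights[account] = [p for p in privs if p != "No privileges assigned"]
    return rights


def holders_of(rights, privilege):
    """Accounts that hold the given privilege, in listing order."""
    return [account for account, privs in rights.items() if privilege in privs]


def audit_rights(rights):
    """(account, finding) pairs for assignments that deserve review."""
    findings = []
    for account, privs in rights.items():
        if not privs:
            continue
        held = ", ".join(privs)
        if account.lower() in BROAD_PRINCIPALS:
            findings.append((account, f"broad principal holds {held}"))
        if SID_RE.match(account):
            findings.append((account, f"unresolved SID holds {held}; confirm which group this is"))
    return findings


# Constructed sample: the listing quoted in the thread, without the prompt line.
SAMPLE_RIGHTS_OUTPUT = r"""
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

S-1-5-21-2709371413-4020681702-788637496-5012
SeMachineAccountPrivilege

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned
"""

if __name__ == "__main__":
    rights = parse_rights_list(SAMPLE_RIGHTS_OUTPUT)
    print("printer admins:", holders_of(rights, "SePrintOperatorPrivilege"))
    for account, finding in audit_rights(rights):
        print(f"{account}: {finding}")
```

On the sample, the only holder of SePrintOperatorPrivilege is BUILTIN\Administrators, which is consistent with the grant in the message failing for a user who is not in that group.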


Re: [Samba] Two problems with Samba in AD realm

2008-11-14 Thread Guillaume Rousse

Pascal Levy wrote:

On Wednesday 12 November 2008 19:23:52 Guillaume Rousse wrote:

Hello list.

I recently moved to an AD environment. I'm still keeping a samba server
to make my cups-managed printers available to windows users, rather than
duplicating configuration with a Windows print service. But I'm facing
two problems, probably due to the way we manage AD.

First, all my hosts belong to a Unix-managed DNS domain
(msr-inria.inria.fr), not to the windows-managed one corresponding to
the AD realm (msr-inria.idf). It means resolving their IP address results
in foo.msr-inria.inria.fr, not in foo.msr-inria.idf. The Unix DNS is a
secondary server for the foo.msr-inria.idf, meaning SRV record lookup
still works. But all CIFS kerberos authentication attempts for the host
unqualified, or realm-qualified fail: I can't use \\foo, nor
\\foo.msr-inria.idf, only \\foo.msr-inria.inria.fr

I know this is probably due to kerberos DNS-based hostname
canonicalisation, and not samba-specific (it also occurs with netapp
filers), but I initially understood it with my samba server. Is there
anything I could do there to make user's life easier ?



seems very complicated to me. Maybe you could use only one DNS system with
different DNS zones (something like msr-inria.inria.fr for your general
domain and windows.msr-inria.inria.fr for the AD part) all managed with bind ?
This is what we have here and this allows a box to know its actual name without
any kind of schizophrenia.
It doesn't change very much: you're just trading bind with dynamic
update vs microsoft DNS, and subzone vs foreign private zone. And the
result is the same, as you still have three different identities for any
host belonging to your domain:

- unqualified name
- legacy DNS-qualified name
- AD-qualified name


if you need foo to be resolved as foo.msr-inria.inria.fr, you could have
 foo.msr-inria.inria.fr CNAME foo.windows.msr-inria.inria.fr
 foo.windows.msr-inria.inria.fr A x.x.x.x
 x.x.x.x PTR foo.windows.msr-inria.inria.fr

(...)

There is a user mapping option in samba, but it is primarily meant for
mapping Windows users to Unix users, whereas I'd need there to map
Windows unqualified users to kerberos-realm users, instead of ad-realm
users. Is this possible someway ?


I'm not sure I understand exactly your problem but I think that samba can't
use a non-AD kerberos realm. If there is a way, I'm very interested, though.
It does. The simple fact that accessing any host with its legacy
DNS-qualified name works shows that SSO works.


The problem I'm facing here is precisely when it doesn't, and when the
client apparently falls back to NTLM authentication. The samba server
apparently tries to authenticate on the AD controller as \user,
whereas I can only authenticate through alternative identity realm>\user. I have to check against a Windows server to compare behaviour.


--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Ile de France
Tel: 01 69 35 69 62


[Samba] Two problems with Samba in AD realm

2008-11-12 Thread Guillaume Rousse

Hello list.

I recently moved to an AD environment. I'm still keeping a samba server
to make my cups-managed printers available to windows users, rather than
duplicating configuration with a Windows print service. But I'm facing
two problems, probably due to the way we manage AD.


First, all my hosts belong to a Unix-managed DNS domain
(msr-inria.inria.fr), not to the windows-managed one corresponding to
the AD realm (msr-inria.idf). It means resolving their IP address results
in foo.msr-inria.inria.fr, not in foo.msr-inria.idf. The Unix DNS is a
secondary server for the foo.msr-inria.idf, meaning SRV record lookup
still works. But all CIFS kerberos authentication attempts for the host
unqualified, or realm-qualified fail: I can't use \\foo, nor
\\foo.msr-inria.idf, only \\foo.msr-inria.inria.fr


I know this is probably due to kerberos DNS-based hostname 
canonicalisation, and not samba-specific (it also occurs with netapp 
filers), but I initially understood it with my samba server. Is there 
anything I could do there to make user's life easier ?


Second, when kerberos authentication fails, my samba server (and I guess,
any CIFS server) falls back to password-based authentication. But there
is an issue with the way we manage user accounts. We sync our unix ldap
accounts into AD, meaning each 'bar' user exists in LDAP as
'MSR-INRIA.IDF\bar', but with a random password, and we authenticate
them through their Unix-managed kerberos account
'MSR-INRIA.INRIA.FR\bar'. It means trying to authenticate them as
'MSR-INRIA.IDF\bar' won't work, and I get those error messages:

[2008/11/12 18:47:32, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user rousse 
in domain MSR-INRIA to Domain controller CONCORDE.MSR-INRIA.IDF. Error 
was NT_STATUS_WRONG_PASSWORD.

[2008/11/12 18:47:32, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user rousse 
in domain MSR-INRIA to Domain controller CONCORDE.MSR-INRIA.IDF. Error 
was NT_STATUS_WRONG_PASSWORD.

[2008/11/12 18:47:32, 0] auth/auth_domain.c:domain_client_validate(260)
  domain_client_validate: unable to validate password for user rousse 
in domain MSR-INRIA to Domain controller CONCORDE.MSR-INRIA.IDF. Error 
was NT_STATUS_WRONG_PASSWORD.


(I guess the windows client cached my credentials when I initially 
logged in).


There is a user mapping option in samba, but it is primarily meant for
mapping Windows users to Unix users, whereas I'd need there to map
Windows unqualified users to kerberos-realm users, instead of ad-realm
users. Is this possible someway ?

--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Ile de France
Tel: 01 69 35 69 62


Re: [Samba] heimdal and windows compatibility up-to-date informations

2008-10-20 Thread Guillaume Rousse

Pascal Levy wrote:

Thanks for your input.

Yet additional few questions, now I'm trying it...

I understand the users are supposed to authenticate against the
kerberos realm, not against the AD domain. But this only appears in the
connection dialog once you ran ksetup on the windows host. Is there
a way to automatically configure this when the host joins the domain,
rather than manually on each host (/me is a total AD newbie) ?


And is there a way to prevent the display of the AD realm in this 
dialog, to prevent user confusion ?

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: [Samba] AD to authenticate users against Samba + LDAP

2008-10-13 Thread Guillaume Rousse

Andrei Mikhailovsky wrote:

Hi all,

I was wondering if it is possible to make MS Active Directory to
authenticate against Samba + LDAP? I have a working Samba + LDAP setup
in the data centre and need to have MS Active Directory to authenticate
against the userbase which has been already setup on Samba + LDAP.
No way currently, as AD relies on Kerberos. You have to wait for samba 4.
Or alternatively, look at the previous post 'Heimdal/AD documentation' if
you're ready to set up a Kerberos database alongside your LDAP server.


--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: [Samba] heimdal and windows compatibility up-to-date informations

2008-10-10 Thread Guillaume Rousse

Pascal Levy wrote:

On Wednesday 08 October 2008 12:54:48 Guillaume Rousse wrote:

I'm back on this old question, because I'm now really working on it.

Andrew Bartlett wrote:

Second, I was looking at a better way to sync user accounts between our
new ldap-backed heimdal kdc and our windows AD. Currently, we have an
automated task synchronising user entries into Windows LDAP from our
Unix LDAP hourly, and a password-management CGI propagating password
changes to both systems (using an ugly VB CGI on windows side to
effectively change the password). I was wondering if the password
handling stuff could be merged with the ldap synchronisation task, now
that we store kerberos keys in LDAP.

Windows does not allow the password attributes to be manipulated like
that.  You could potentially read and set passwords with Samba4's
DRSUAPI synchronisation, but you can't do it with just Heimdal or just
LDAP.


I don't know if this could be useful for you but what we are doing here is to
keep real users' passwords only in the heimdal KDC.


openldap authentication is made by using the sasl mechanism with
[EMAIL PROTECTED] as userPassword chain
AD authentication is made by using a trust relationship with the heimdal KDC and a
mapping between AD accounts and heimdal KDC principals. ldap/heimdal/AD
accounts are kept in sync with a perl script running every 15 min.
AD userPassword is a (very) long random chain created by the perl script and
set in AD with ldap tools.


users can change their password by using the normal windows change password
interface. Admins can use heimdal tools to manage passwords directly on the
kdc.

That sounds really interesting, but I don't understand some points:

- how do you have AD know it can get a kerberos ticket from the heimdal
KDC ? Did you set the user userPrincipalName attribute to a principal
from the heimdal managed realm ?


- is the AD userPassword attribute ever used in this case ?

- what's the exact usefulness of having OpenLDAP auth redirected to the SASL
mechanism ? Just for managing a single password ? We have heimdal using
openldap as backend, and use the smbkrb5 overlay to keep them synced
already, so it may be useless for us.


- how do you prevent the ExOP PasswdChange from rewriting the userPassword attribute
with a normal value, and keep '[EMAIL PROTECTED]' instead ?


- what exact ciphers did you use to ensure compatibility between heimdal
and your AD controller ? From the Heimdal documentation, we used
des3-hmac-sha1 and des-cbc-crc, but it's quite old. From Andrew's previous
answer, I understand we may use arcfour-hmac-md5 as well now.


Thanks for your input.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: [Samba] Samba as PDC+OpenLDAP: unique login?

2008-10-08 Thread Guillaume Rousse

Joao Amancio wrote:

Questions:


   1. Is there a way to populate Samba (users, groups) with the OpenLDAP
   base?
If you already have your users in your base, you just have to add the
additional classes and attributes to them.



   2. Is it really needed to have users at: linux local system, samba and
   openldap? Where is the "single sign on" idea in this case?
The single sign on idea is exactly the opposite: make all your users'
LDAP entries members of the posixAccount and sambaSamAccount classes. And
use the smbkrb5 overlay to ensure password sync.


You'd better start by having a correctly configured linux user base in
OpenLDAP first. Then configure samba to use it as well, and run 'smbpasswd -a' for
each of your users to add sambaSamAccount attributes to them, as well as
initialising their windows password.

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: [Samba] heimdal and windows compatibility up-to-date informations

2008-10-08 Thread Guillaume Rousse

I'm back on this old question, because I'm now really working on it.

Andrew Bartlett wrote:
Second, I was looking at a better way to sync user accounts between our
new ldap-backed heimdal kdc and our windows AD. Currently, we have an
automated task synchronising user entries into Windows LDAP from our
Unix LDAP hourly, and a password-management CGI propagating password
changes to both systems (using an ugly VB CGI on windows side to
effectively change the password). I was wondering if the password
handling stuff could be merged with the ldap synchronisation task, now
that we store kerberos keys in LDAP.


Windows does not allow the password attributes to be manipulated like
that.  You could potentially read and set passwords with Samba4's
DRSUAPI synchronisation, but you can't do it with just Heimdal or just
LDAP.
I succeeded in setting or changing the unicodePwd attribute in AD, through a
pure LDAP operation. It allows me to pass authentication when trying to
open a remote desktop session (which immediately fails for an authorization
issue). But I guess it isn't enough to handle the kerberos part of the AD
authentication system.


From http://wiki.samba.org/index.php/Samba4/ActiveDirectory#DRSUAPI, it
seems that this API is far from usable now.


As I gather from your answer it's not, I'm still interested in the best
way to handle AD user accounts remotely, without a local windows code
relay. Is there any issue directly modifying the AD base through an LDAP
connection ? My windows colleague currently prefers to dump LDIF entries,
and import them through a windows-specific tool. And how to set the windows
password from perl code ? I'm currently biased toward using an external
smbpasswd call, but maybe there are better ways.


You could certainly run Samba tools to set the user's password, if you
wanted.
Well, smbpasswd (from samba 3) allows a user to change his password,
provided he knows the current one. But from the man page, it seems
impossible to use it with a privileged account (member of the account
operators group) to change someone else's password against an AD controller.


So, am I missing something if I use an ldap operation to at least set up an
initial password for the user, then have him use smbpasswd to make it
fully operational ?

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: [Samba] heimdal and windows compatibility up-to-date informations

2008-07-18 Thread Guillaume Rousse

Andrew Bartlett wrote:

On Thu, 2008-07-17 at 11:18 +0200, Guillaume Rousse wrote:

Hello list.

Heimdal documentation still refers to Windows 2000 for Kerberos 
compatibility issues. Is there anything more recent somewhere, 
considering Windows 2003 and 2008, for instance ?


In particular, I'm quite curious to know if, when using an ldap backend
for heimdal, I could just copy my kerberos password attributes into the
AD server, provided I'm using compatible encryptions, and expect it to
work magically :)


No.

Perhaps we need to step back a bit - what are you trying to do?
First, to establish a trust relationship between the two realms, as was
already possible with previous heimdal/windows versions. But I think the
compatibility information given in the documentation about encryption types
supported by Windows has to be updated, I can't think Windows 2008
still supports only des-cbc-crc.


Second, I was looking at a better way to sync user accounts between our
new ldap-backed heimdal kdc and our windows AD. Currently, we have an
automated task synchronising user entries into Windows LDAP from our
Unix LDAP hourly, and a password-management CGI propagating password
changes to both systems (using an ugly VB CGI on windows side to
effectively change the password). I was wondering if the password
handling stuff could be merged with the ldap synchronisation task, now
that we store kerberos keys in LDAP.


As I gather from your answer it's not, I'm still interested in the best
way to handle AD user accounts remotely, without a local windows code
relay. Is there any issue directly modifying the AD base through an LDAP
connection ? My windows colleague currently prefers to dump LDIF entries,
and import them through a windows-specific tool. And how to set the windows
password from perl code ? I'm currently biased toward using an external
smbpasswd call, but maybe there are better ways.


Thanks.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


[Samba] heimdal and windows compatibility up-to-date informations

2008-07-17 Thread Guillaume Rousse

Hello list.

Heimdal documentation still refers to Windows 2000 for Kerberos 
compatibility issues. Is there anything more recent somewhere, 
considering Windows 2003 and 2008, for instance ?


In particular, I'm quite curious to know if, when using an ldap backend
for heimdal, I could just copy my kerberos password attributes into the
AD server, provided I'm using compatible encryptions, and expect it to
work magically :)

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62