[Samba] Samba LDAP passthrough authentication to another openLDAP

2012-02-16 Thread Fajar Priyanto
Hi all,
I have a setup like this. Pls let me know if it's possible or not.

SAMBA + Local LDAP --- SASLAUTHD -- Global LDAP
Desc:
I'd like to do Samba authentication to LDAP, passthrough to another
LDAP using SASL.

The current situation is:
SSH authentication from LDAP user to that Samba box works.
However, smb authentication doesn't work (yet).


This is what's shown in syslog when doing Samba authentication:

Feb 16 20:47:05 sglabldap slapd[1393]: = access_allowed: read access
to uid=fajar,ou=people,dc=example,dc=com userPassword requested
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_get: [1] attr userPassword
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_mask: access to entry
uid=fajar,ou=people,dc=example,dc=com, attr userPassword requested
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_mask: to value by , (=0)
Feb 16 20:47:05 sglabldap slapd[1393]: = check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 16 20:47:05 sglabldap slapd[1393]: = check a_dn_pat: anonymous
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_mask: [2] applying
read(=rscxd) (stop)
Feb 16 20:47:05 sglabldap slapd[1393]: = acl_mask: [2] mask: read(=rscxd)
Feb 16 20:47:05 sglabldap slapd[1393]: = slap_access_allowed: read
access granted by read(=rscxd)
Feb 16 20:47:05 sglabldap slapd[1393]: = access_allowed: read access
granted by read(=rscxd)
Feb 16 20:47:05 sglabldap slapd[1393]: conn=1062 op=1 ENTRY
dn=uid=fajar,ou=people,dc=example,dc=com
Feb 16 20:47:05 sglabldap slapd[1393]: = send_search_entry: conn 1062 exit.
Feb 16 20:47:05 sglabldap slapd[1393]: send_ldap_result: conn=1062 op=1 p=3
Feb 16 20:47:05 sglabldap slapd[1393]: send_ldap_result: err=0
matched= text=
Feb 16 20:47:05 sglabldap slapd[1393]: send_ldap_response: msgid=2 tag=101 err=0
Feb 16 20:47:05 sglabldap slapd[1393]: conn=1062 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Feb 16 20:47:05 sglabldap slapd[1393]: daemon: activity on 1 descriptor
Feb 16 20:47:05 sglabldap slapd[1393]: daemon: activity on:
Feb 16 20:47:05 sglabldap slapd[1393]:  15r

In /var/log/samba/log.smbd:

[2012/02/16 21:05:46,  3] smbd/negprot.c:672(reply_negprot)
  Selected protocol NT LANMAN 1.0
[2012/02/16 21:05:57,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[MYGROUP]\[fajar]@[SG-ROUTER0] with the new password interface
[2012/02/16 21:05:57,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [LDAPCLIENT]\[fajar]@[SG-ROUTER0]
[2012/02/16 21:05:57,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/02/16 21:05:57,  2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2012/02/16 21:05:57,  3] lib/smbldap.c:1101(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2012/02/16 21:05:57,  2] passdb/pdb_ldap.c:571(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: fajar
[2012/02/16 21:05:57,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2012/02/16 21:05:57,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2012/02/16 21:05:57,  2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 11000
[2012/02/16 21:05:57,  3] libsmb/ntlm_check.c:350(ntlm_password_check)
  ntlm_password_check: NT MD4 password check failed for user fajar
[2012/02/16 21:05:57,  2] passdb/pdb_ldap.c:1199(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: fajar
[2012/02/16 21:05:57,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/16 21:05:57,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [fajar] - [fajar]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2012/02/16 21:05:57,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2012/02/16 21:05:57,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/16 21:05:57,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2012/02/16 21:05:57,  3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
--


This is what's shown in syslog when doing SSH authentication:

Feb 16 20:59:17 sglabldap slapd[1393]: conn=1064 op=2 do_bind
Feb 16 20:59:17 sglabldap slapd[1393]:  dnPrettyNormal:
uid=fajar,ou=people,dc=example,dc=com
Feb 16 20:59:17 sglabldap slapd[1393]:  dnPrettyNormal:
uid=fajar,ou=people,dc=example,dc=com,
uid=fajar,ou=people,dc=example,dc=com
Feb 16 20:59:17 sglabldap slapd[1393]: conn=1064 op=2 BIND
dn=uid=fajar,ou=people,dc=example,dc=com method=128
Feb 16 20:59:17 sglabldap slapd[1393]: do_bind: version=3
dn=uid=fajar,ou=people,dc=example,dc=com method=128
Feb 16 20:59:17 sglabldap slapd[1393]: == hdb_bind: dn:
uid=fajar,ou=people,dc=example,dc=com
Feb 16 20:59:17 sglabldap slapd[1393]:
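
Added example, not part of the original post: a small parser for the log.smbd excerpt above, written to show how a defender can pull logon outcomes out of smbd's two-line log format. The sample log is constructed to mirror the excerpt, including the way the mailing list wrapped long messages onto a bare continuation line (which may itself begin with `[`, so a naive "line starts with `[`" header test misfires). The `auth/auth.c:305` success line is assumed to follow Samba 3's `authentication for user [x] -> [y] -> [z] succeeded` wording; everything else is taken from the lines in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the log.smbd excerpt in the post. Long messages
# are wrapped as the mailing list wrapped them, so a continuation line can start
# with '[' and must not be mistaken for an entry header.
SAMPLE_LOG = r"""[2012/02/16 21:05:57,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[MYGROUP]\[fajar]@[SG-ROUTER0] with the new password interface
[2012/02/16 21:05:57,  3] libsmb/ntlm_check.c:350(ntlm_password_check)
  ntlm_password_check: NT MD4 password check failed for user fajar
[2012/02/16 21:05:57,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [fajar] - [fajar]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2012/02/16 21:05:57,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2012/02/16 21:06:10,  2] auth/auth.c:305(check_ntlm_password)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded
"""

# Entry header: "[YYYY/MM/DD HH:MM:SS, level] file.c:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\] (\S+)$")
FAILED = re.compile(r"Authentication for user \[([^\]]*)\] - \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")
# Assumed Samba 3 wording for a successful check (not shown in the post).
SUCCEEDED = re.compile(r"authentication for user \[([^\]]*)\] -> \[([^\]]*)\] -> \[([^\]]*)\] succeeded")
HASH_MISMATCH = re.compile(r"NT MD4 password check failed for user (\S+)")


@dataclass
class Entry:
    timestamp: str
    level: int
    location: str
    message: str


@dataclass
class LogonEvent:
    timestamp: str
    user: str
    outcome: str            # "failed" or "succeeded"
    status: Optional[str]   # NT_STATUS_* for failures, None otherwise


def parse_smbd_log(text: str) -> List[Entry]:
    """Group header + message lines into entries, joining wrapped message lines."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if cur is not None:
                entries.append(cur)
            cur = Entry(m.group(1), int(m.group(2)), m.group(3), "")
        elif cur is not None:
            frag = raw.strip()
            cur.message = f"{cur.message} {frag}".strip() if cur.message else frag
    if cur is not None:
        entries.append(cur)
    return entries


def logon_events(entries: List[Entry]) -> List[LogonEvent]:
    """Reduce the entries to one event per authentication verdict."""
    events: List[LogonEvent] = []
    for e in entries:
        m = FAILED.search(e.message)
        if m:
            events.append(LogonEvent(e.timestamp, m.group(1), "failed", m.group(3)))
            continue
        m = SUCCEEDED.search(e.message)
        if m:
            events.append(LogonEvent(e.timestamp, m.group(3), "succeeded", None))
    return events


def failures_by_user(events: List[LogonEvent]) -> Dict[str, int]:
    """Failed-logon counter, the usual input to a brute-force or lockout alert."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.outcome == "failed":
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


def nt_hash_mismatch_users(entries: List[Entry]) -> List[str]:
    """Users whose NT hash comparison failed (a stored-hash/password mismatch,
    which is exactly the symptom in the post, as opposed to an unknown user)."""
    return [m.group(1) for e in entries for m in [HASH_MISMATCH.search(e.message)] if m]


if __name__ == "__main__":
    ents = parse_smbd_log(SAMPLE_LOG)
    for ev in logon_events(ents):
        print(ev)
    print("failures:", failures_by_user(logon_events(ents)))
    print("NT hash mismatches:", nt_hash_mismatch_users(ents))
```

The useful signal for this thread is that `ntlm_password_check` reports an NT MD4 mismatch while `init_sam_from_ldap` found the entry: smbd located the account in the local LDAP but the hash it holds does not match what the client proved knowledge of, so the request never reaches the SASL side at all.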

Re: [Samba] Samba LDAP passthrough authentication to another openLDAP

2012-02-16 Thread Adam Tauno Williams
On Thu, 2012-02-16 at 21:10 +0800, Fajar Priyanto wrote:
> Hi all,
> I have a setup like this. Pls let me know if it's possible or not.
> SAMBA + Local LDAP --- SASLAUTHD -- Global LDAP

No.  

Samba uses the sambaNTPassword attribute in its LDAP schema which is a
crypt of the password.  You may be able to get plain-text authentication
to work but only by adjusting Samba *and* hacking the registry on every
client.

> Desc:
> I'd like to do Samba authentication to LDAP, passthrough to another
> LDAP using SASL.
> The current situation is:
> SSH authentication from LDAP user to that Samba box works.

That doesn't involve Samba unless you are using Kerberos or something
like pam_winbind / pam_smbpasswd [I don't even know which if any of
those are currently 'active'].

> However, smb authentication doesn't work (yet).
> This is what's shown in syslog when doing Samba authentication:
> Feb 16 20:47:05 sglabldap slapd[1393]: = access_allowed: read access
> to uid=fajar,ou=people,dc=example,dc=com userPassword requested

Looks like pam_ldap authentication to me.

There may be a way to proxy authentication via LDAP [there are jillions
of things you can do with LDAP] but I doubt involving saslauthd [plain
text authentication] is going to work very well.

-- 
System  Network Administrator [ LPI  NCLA ]
http://www.whitemiceconsulting.com
OpenGroupware Developer http://www.opengroupware.us
Adam Tauno Williams
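
Added example, not from either poster: what the reply's point about sambaNTPassword means in code. The value Samba stores is the NT hash, MD4 over the UTF-16LE encoding of the password, and during an NTLM logon smbd only ever sees a response derived from that hash, never the password, so there is nothing it could hand to saslauthd and the check must be done against the locally stored hash. The MD4 below is a pure-Python RFC 1320 implementation (hashlib's md4 is often disabled under OpenSSL 3); `nt_hash`, `verify_nt_hash` and `ntlm_verifiable` are names chosen for this example, and the LDAP entries are constructed. Since the hash is a password-equivalent, the same slapd ACLs that guard userPassword (visible in the acl_mask lines of the first post) must also cover sambaNTPassword and sambaLMPassword.

```python
import hmac
import struct
from typing import Dict

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python, used here only to derive the NT hash."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # padding: 1 bit, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):               # round 1: F(b,c,d) = (b&c)|(~b&d)
            s = (3, 7, 11, 19)[i % 4]
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _MASK, s)
            a, b, c, d = d, a, b, c
        for i in range(16):               # round 2: majority, words 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            s = (3, 5, 9, 13)[i % 4]
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _MASK, s)
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):               # round 3: xor
            s = (3, 9, 11, 15)[i % 4]
            a = _rotl((a + (b ^ c ^ d) + x[order[i]] + 0x6ED9EBA1) & _MASK, s)
            a, b, c, d = d, a, b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it in sambaNTPassword: MD4(UTF-16LE(password)), upper hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def verify_nt_hash(stored_hex: str, candidate: str) -> bool:
    """Hash-to-hash comparison; this is the only kind of check smbd can do for NTLM."""
    return hmac.compare_digest(nt_hash(candidate), stored_hex.upper())


def ntlm_verifiable(entry: Dict[str, str]) -> bool:
    """An LDAP entry can satisfy an NTLM logon only if it carries sambaNTPassword;
    a userPassword that a SASL proxy could check is of no use to smbd here."""
    return "sambaNTPassword" in entry


# Constructed entries: one provisioned for Samba, one only for SASL/pam_ldap.
SAMBA_USER = {"uid": "fajar", "userPassword": "{SASL}fajar",
              "sambaNTPassword": nt_hash("password")}
SASL_ONLY_USER = {"uid": "fajar", "userPassword": "{SASL}fajar"}

if __name__ == "__main__":
    print(nt_hash("password"))
    print(ntlm_verifiable(SAMBA_USER), ntlm_verifiable(SASL_ONLY_USER))
```

`ntlm_verifiable` is the one-line summary of the reply: an entry whose only credential is a `{SASL}` userPassword can bind over LDAP or SSH through saslauthd, but gives smbd nothing to compare an NTLM response against.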