Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-06-06 Thread Ti Leggett
I'm not aware of a way to authenticate via SASL in Samba.

On Mon, 2005-06-06 at 18:38 -0700, Jeff Block wrote:
> I've seen some people using ldap password set as {SASL}USER@REALM
> Is there a way to have samba use sasl for authentication?
> 
> Currently, my kerberos db is synchronizing with sasl so if I can get samba
> and my windows clients to authenticate using sasl, then I don't need to keep
> password hashes in ldap.
> 
> Is this possible?
> 
> Thanks.
> 
> 
> On 6/6/05 6:13 PM, "Ti Leggett" <[EMAIL PROTECTED]> wrote:
> 
> > Basically a windows client can't authenticate against a Kerberos server
> > *and* get user information out LDAP without using AD. You can
> > authenticate against Kerberos and have local user accounts or you can
> > have user accounts in LDAP and use some other authentication mechanism.
> > The way I'm doing it is storing user's Windows passwords in LDAP as
> > sambaNTPassword and storing *nix/OS X passwords in Kerberos. To get
> > around having different passwords for the different architectures you
> > can write a script that will be the change password script in samba and
> > a replacement for passwd under *nix. This script would add/change the
> > password in both LDAP and Kerberos keeping them synced.
> > 
> > FW is referring to such a perl script using Authen::Krb5,
> > Crypt::SmbHash, and Net::LDAP.
> > 
> > The Kerberos options you see in Samba are only for having Samba
> > authenticate against an AD server.
> > 
> > There are some things in the works for going the other way if you're
> > using Heimdal (see the archive), but I have no experience with Heimdal
> > or this solution.
> > 
> > On Mon, 2005-06-06 at 10:03 -0700, Jeff Block wrote:
> >> I'm a little confused on one section here...  Where are your passwords
> >> being stored?  kerberos?  If so, how does samba look there?  What is the
> >> significance of the {SASL}USER@REALM in LDAP?  Is there another password
> >> store that you are syncing with krb?
> >> 
> >> Sorry for my ignorance here but after hours and hours of trying different
> >> things, I'm unable to use my kerberos backend with samba.
> >> 
> >> Thanks in advance.
> >> 
> >> 
> >> FM Wrote:
> >> 
> >>> Hello,
> >>> My setup :
> >>> Windows stations
> >>> SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT)
> >>> 
> >>> All users (posix and ldap) are in Openldap.
> >>> All my ldap passwords are: {SASL}USER@REALM
> >>> I use saslauthd so I can connect to ldap using simplebind with password
> >>> in KERBEROS
> >>> This password CANNOT be changed (denied by the slapd.access.conf file)
> >>> 
> >>> Samba cannot use MIT Kerberos for the password, so my little trick:
> >>> I created a perl script using Authen::Krb5::Admin that uses a keytab for
> >>> authentication: krb5_update_pwd.pl
> >>> 
> >>> in the smb.conf :
> >>>ldap passwd sync = No
> >>>unix password sync = Yes
> >>>passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
> >>> %n\n *passwd:*all*authentication*tokens*updated*successfully*
> >>>passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
> >>> 
> >>> So when Windows users change their password (from the change password
> >>> option in Windows), SAMBA calls /krb5_update_pwd.pl, which also updates
> >>> the KERBEROS password.
> >>> 
> >>> Linux users just have to use:
> >>> smbpasswd -r PDC_SERVER
> >>> That command updates the SAMBA password and again calls
> >>> /krb5_update_pwd.pl to sync the Kerberos password.
> >>> 
> >>> I know there are some shortcomings (password policies for example). But
> >>> it's the closest I get :-)
> >>> 
> >>> Hope this can help :-)
> >>> 
> >>> 
> >>> 
> >> Ti Leggett wrote:
> >>> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
> >>> backend and use pam_smbpass to keep the passwords sync'd between the
> >>> Kerberos side and the Samba side? That way the Windows clients join the
> >>> domain using only the LDAP information not knowing about the Kerberos
> >>> side of things?
> >>> 
> >>> I just removed the Kerberos information from my Windows client and tried
> >>> only using, as far as I can tell, the LDAP information and the client
> >>> still comes back saying the user name is unknown.
> >>> 
> >>> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
> >>> 
>  Ok, so I'm just trying to figure out my options here. I can:
>  
>  - Use local accounts and local passwords
>  - Use Kerberos for authentication, but only with local user accounts
>  - Use a Samba PDC with an LDAP backend for accounts and passwords if and
>  only if the windows clients are not bound to a Kerberos realm
>  
>  Is this correct? In the third case, let's say I have a way to sync
>  Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
>  
>  Or what am I missing? I know I can't create an AD domain, but I'm not
>  trying to. AD is a combination of a lot more than just Kerberos and LDAP.
>  
>  I'm curious how Apple does what seems to

Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-06-06 Thread Jeff Block
I've seen some people using ldap password set as {SASL}USER@REALM
Is there a way to have samba use sasl for authentication?

Currently, my kerberos db is synchronizing with sasl so if I can get samba
and my windows clients to authenticate using sasl, then I don't need to keep
password hashes in ldap.

Is this possible?

Thanks.


On 6/6/05 6:13 PM, "Ti Leggett" <[EMAIL PROTECTED]> wrote:

> Basically a windows client can't authenticate against a Kerberos server
> *and* get user information out LDAP without using AD. You can
> authenticate against Kerberos and have local user accounts or you can
> have user accounts in LDAP and use some other authentication mechanism.
> The way I'm doing it is storing user's Windows passwords in LDAP as
> sambaNTPassword and storing *nix/OS X passwords in Kerberos. To get
> around having different passwords for the different architectures you
> can write a script that will be the change password script in samba and
> a replacement for passwd under *nix. This script would add/change the
> password in both LDAP and Kerberos keeping them synced.
> 
> FW is referring to such a perl script using Authen::Krb5,
> Crypt::SmbHash, and Net::LDAP.
> 
> The Kerberos options you see in Samba are only for having Samba
> authenticate against an AD server.
> 
> There are some things in the works for going the other way if you're
> using Heimdal (see the archive), but I have no experience with Heimdal
> or this solution.
> 
> On Mon, 2005-06-06 at 10:03 -0700, Jeff Block wrote:
>> I'm a little confused on one section here...  Where are your passwords being
>> stored?  kerberos?  If so, how does samba look there?  What is the
>> significance of the {SASL}USER@REALM in LDAP?  Is there another password
>> store that you are syncing with krb?
>> 
>> Sorry for my ignorance here but after hours and hours of trying different
>> things, I'm unable to use my kerberos backend with samba.
>> 
>> Thanks in advance.
>> 
>> 
>> FM Wrote:
>> 
>>> Hello,
>>> My setup :
>>> Windows stations
>>> SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT)
>>> 
>>> All users (posix and ldap) are in Openldap.
>>> All my ldap passwords are: {SASL}USER@REALM
>>> I use saslauthd so I can connect to ldap using simplebind with password
>>> in KERBEROS
>>> This password CANNOT be changed (denied by the slapd.access.conf file)
>>> 
>>> Samba cannot use MIT Kerberos for the password, so my little trick:
>>> I created a perl script using Authen::Krb5::Admin that uses a keytab for
>>> authentication: krb5_update_pwd.pl
>>> 
>>> in the smb.conf :
>>>ldap passwd sync = No
>>>unix password sync = Yes
>>>passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
>>> %n\n *passwd:*all*authentication*tokens*updated*successfully*
>>>passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
>>> 
>>> So when Windows users change their password (from the change password
>>> option in Windows), SAMBA calls /krb5_update_pwd.pl, which also updates
>>> the KERBEROS password.
>>> 
>>> Linux users just have to use:
>>> smbpasswd -r PDC_SERVER
>>> That command updates the SAMBA password and again calls
>>> /krb5_update_pwd.pl to sync the Kerberos password.
>>> 
>>> I know there are some shortcomings (password policies for example). But
>>> it's the closest I get :-)
>>> 
>>> Hope this can help :-)
>>> 
>>> 
>>> 
>> Ti Leggett wrote:
>>> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
>>> backend and use pam_smbpass to keep the passwords sync'd between the
>>> Kerberos side and the Samba side? That way the Windows clients join the
>>> domain using only the LDAP information not knowing about the Kerberos
>>> side of things?
>>> 
>>> I just removed the Kerberos information from my Windows client and tried
>>> only using, as far as I can tell, the LDAP information and the client
>>> still comes back saying the user name is unknown.
>>> 
>>> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
>>> 
 Ok, so I'm just trying to figure out my options here. I can:
 
 - Use local accounts and local passwords
 - Use Kerberos for authentication, but only with local user accounts
 - Use a Samba PDC with an LDAP backend for accounts and passwords if and
 only if the windows clients are not bound to a Kerberos realm
 
 Is this correct? In the third case, let's say I have a way to sync
 Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
 
 Or what am I missing? I know I can't create an AD domain, but I'm not
 trying to. AD is a combination of a lot more than just Kerberos and LDAP.
 
 I'm curious how Apple does what seems to be just this with their
 OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
 Samba 3.0 (at least they claim it's only this).
 
 
 On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
 
> Ti Leggett wrote:
> 
>> I've been searching and researching this and I can't seem to find the
>

Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-06-06 Thread Ti Leggett
Basically a windows client can't authenticate against a Kerberos server
*and* get user information out LDAP without using AD. You can
authenticate against Kerberos and have local user accounts or you can
have user accounts in LDAP and use some other authentication mechanism.
The way I'm doing it is storing user's Windows passwords in LDAP as
sambaNTPassword and storing *nix/OS X passwords in Kerberos. To get
around having different passwords for the different architectures you
can write a script that will be the change password script in samba and
a replacement for passwd under *nix. This script would add/change the
password in both LDAP and Kerberos keeping them synced.

FW is referring to such a perl script using Authen::Krb5,
Crypt::SmbHash, and Net::LDAP.

The Kerberos options you see in Samba are only for having Samba
authenticate against an AD server.

There are some things in the works for going the other way if you're
using Heimdal (see the archive), but I have no experience with Heimdal
or this solution.

On Mon, 2005-06-06 at 10:03 -0700, Jeff Block wrote:
> I'm a little confused on one section here...  Where are your passwords being
> stored?  kerberos?  If so, how does samba look there?  What is the
> significance of the {SASL}USER@REALM in LDAP?  Is there another password
> store that you are syncing with krb?
> 
> Sorry for my ignorance here but after hours and hours of trying different
> things, I'm unable to use my kerberos backend with samba.
> 
> Thanks in advance.
> 
> 
> FM Wrote:
> 
> >Hello,
> >My setup :
> >Windows stations
> >SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT)
> >
> >All users (posix and ldap) are in Openldap.
> >All my ldap passwords are: {SASL}USER@REALM
> >I use saslauthd so I can connect to ldap using simplebind with password
> >in KERBEROS
> >This password CANNOT be changed (denied by the slapd.access.conf file)
> >
> >Samba cannot use MIT Kerberos for the password, so my little trick:
> >I created a perl script using Authen::Krb5::Admin that uses a keytab for
> >authentication: krb5_update_pwd.pl
> >
> >in the smb.conf :
> >ldap passwd sync = No
> >unix password sync = Yes
> >passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
> >%n\n *passwd:*all*authentication*tokens*updated*successfully*
> >passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
> >
> >So when Windows users change their password (from the change password
> >option in Windows), SAMBA calls /krb5_update_pwd.pl, which also updates
> >the KERBEROS password.
> >
> >Linux users just have to use:
> >smbpasswd -r PDC_SERVER
> >That command updates the SAMBA password and again calls
> >/krb5_update_pwd.pl to sync the Kerberos password.
> >
> >I know there are some shortcomings (password policies for example). But
> >it's the closest I get :-)
> >
> >Hope this can help :-)
> >
> >
> >
> Ti Leggett wrote:
> > Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
> > backend and use pam_smbpass to keep the passwords sync'd between the
> > Kerberos side and the Samba side? That way the Windows clients join the
> > domain using only the LDAP information not knowing about the Kerberos
> > side of things?
> > 
> > I just removed the Kerberos information from my Windows client and tried
> > only using, as far as I can tell, the LDAP information and the client
> > still comes back saying the user name is unknown.
> > 
> > On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
> > 
> >>Ok, so I'm just trying to figure out my options here. I can:
> >>
> >>- Use local accounts and local passwords
> >>- Use Kerberos for authentication, but only with local user accounts
> >>- Use a Samba PDC with an LDAP backend for accounts and passwords if and
> >>only if the windows clients are not bound to a Kerberos realm
> >>
> >>Is this correct? In the third case, let's say I have a way to sync
> >>Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
> >>
> >>Or what am I missing? I know I can't create an AD domain, but I'm not
> >>trying to. AD is a combination of a lot more than just Kerberos and LDAP.
> >>
> >>I'm curious how Apple does what seems to be just this with their
> >>OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
> >>Samba 3.0 (at least they claim it's only this).
> >>
> >>
> >>On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
> >>
> >>>Ti Leggett wrote:
> >>>
> I've been searching and researching this and I can't seem to find the
> answers I'm looking for. I'd like to setup a Samba PDC that Windows
> clients will join. The PDC will use an LDAP backend to get authorization
> information (username, home directory, etc). The authentication portion
> is handled by an MIT Kerberos KDC. I think I'm  real close to having it
> all together but I'm not sure. I have the Windows client setup to point
> at my KDC so authentication *should* be coming from there once the
> authorization portion is going.
> >>>
> >>>Hehehe

[Samba] Samba as a PDC with LDAP and Kerberos

2005-06-06 Thread Jeff Block
I'm a little confused on one section here...  Where are your passwords being
stored?  kerberos?  If so, how does samba look there?  What is the
significance of the {SASL}USER@REALM in LDAP?  Is there another password
store that you are syncing with krb?

Sorry for my ignorance here but after hours and hours of trying different
things, I'm unable to use my kerberos backend with samba.

Thanks in advance.


FM Wrote:

>Hello,
>My setup :
>Windows stations
>SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT)
>
>All users (posix and ldap) are in Openldap.
>All my ldap passwords are: {SASL}USER@REALM
>I use saslauthd so I can connect to ldap using simplebind with password
>in KERBEROS
>This password CANNOT be changed (denied by the slapd.access.conf file)
>
>Samba cannot use MIT Kerberos for the password, so my little trick:
>I created a perl script using Authen::Krb5::Admin that uses a keytab for
>authentication: krb5_update_pwd.pl
>
>in the smb.conf :
>ldap passwd sync = No
>unix password sync = Yes
>passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
>%n\n *passwd:*all*authentication*tokens*updated*successfully*
>passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
>
>So when Windows users change their password (from the change password
>option in Windows), SAMBA calls /krb5_update_pwd.pl, which also updates
>the KERBEROS password.
>
>Linux users just have to use:
>smbpasswd -r PDC_SERVER
>That command updates the SAMBA password and again calls
>/krb5_update_pwd.pl to sync the Kerberos password.
>
>I know there are some shortcomings (password policies for example). But
>it's the closest I get :-)
>
>Hope this can help :-)
>
>
>
Ti Leggett wrote:
> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
> backend and use pam_smbpass to keep the passwords sync'd between the
> Kerberos side and the Samba side? That way the Windows clients join the
> domain using only the LDAP information not knowing about the Kerberos
> side of things?
> 
> I just removed the Kerberos information from my Windows client and tried
> only using, as far as I can tell, the LDAP information and the client
> still comes back saying the user name is unknown.
> 
> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
> 
>>Ok, so I'm just trying to figure out my options here. I can:
>>
>>- Use local accounts and local passwords
>>- Use Kerberos for authentication, but only with local user accounts
>>- Use a Samba PDC with an LDAP backend for accounts and passwords if and
>>only if the windows clients are not bound to a Kerberos realm
>>
>>Is this correct? In the third case, let's say I have a way to sync
>>Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
>>
>>Or what am I missing? I know I can't create an AD domain, but I'm not
>>trying to. AD is a combination of a lot more than just Kerberos and LDAP.
>>
>>I'm curious how Apple does what seems to be just this with their
>>OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
>>Samba 3.0 (at least they claim it's only this).
>>
>>
>>On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
>>
>>>Ti Leggett wrote:
>>>
I've been searching and researching this and I can't seem to find the
answers I'm looking for. I'd like to setup a Samba PDC that Windows
clients will join. The PDC will use an LDAP backend to get authorization
information (username, home directory, etc). The authentication portion
is handled by an MIT Kerberos KDC. I think I'm  real close to having it
all together but I'm not sure. I have the Windows client setup to point
at my KDC so authentication *should* be coming from there once the
authorization portion is going.
>>>
>>>Hehehe, it's been a year trying to do that... but no way! I'm sorry to
>>>tell you, but what you want is a replacement of AD... in no way windows
>>>will know about ldap and mit, without an AD domain.
>>>
>>>
So first question is, are sambaLMPassword and sambaNTPassword still
needed in LDAP for each user?

Here's the output from ksetup /dumpstate:

Machine is not configured to log on to an external KDC. Probably a
workgroup member
EXAMPLE.COM:
kdc = 
kdc = 
kpasswd = 
Realm Flags = 0x0 none
No user mappings defined.
>>>
>>>Users must be somewhere to get HKEY_LOCAL* work... and they should be
>>>local users (the MIT-KDC authentication works this way).
>>>
>>>
Second, here's what I have in LDAP so far:
[...]
I've done a smbpasswd -w 

I can do a net getlocalsid and it will get the correct SID out of LDAP.
>>>
>>>Correct.
>>>
>>>
However, when I try to join my Windows client to the EXAMPLE.COM domain,
I can see the ldap queries happening, but the Windows client reports an
invalid username.
>>>
>>>Yes. Active Directory is not there... and it wants AD. In no way you can
>>>fake AD, even though it's kerberos, ldap and smb + natural-flavours...
>>>
>>
>>
> 


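FM's krb5_update_pwd.pl itself is not in the thread. The script below is an added example, not FM's script and not Samba code, of a "passwd program" built the same way: smbd runs it as root with "-u %u", drives it through the "passwd chat" prompts (Password:, Again:, Changed), and it changes the user's MIT Kerberos password through Authen::Krb5::Admin, authenticating with a keytab so that no admin password has to live in smb.conf or in LDAP. The realm EXAMPLE.COM, the keytab path, the admin principal and the syslog identifier are placeholders I chose; the method names follow the Authen::Krb5::Admin documentation. The strict check on the user name is there because %u is data smbd received from the client, and the script builds a principal name from it.

```perl
#!/usr/bin/perl
# Added example (not FM's krb5_update_pwd.pl): a Samba "passwd program"
# that changes a user's MIT Kerberos password via the kadmin API, using a
# keytab for authentication. Realm, keytab and principal are placeholders.
use strict;
use warnings;
use Getopt::Long;
use Sys::Syslog qw(openlog syslog);
use Authen::Krb5;
use Authen::Krb5::Admin qw(:constants);

my $REALM  = 'EXAMPLE.COM';                    # placeholder realm
my $KEYTAB = '/etc/samba/krb5-pwsync.keytab';  # placeholder, root-only (0600)
my $ADMIN  = "pwsync/admin\@$REALM";           # placeholder principal; needs
                                               # "c" (changepw) in kadm5.acl

$| = 1;   # unbuffered output so smbd's "passwd chat" sees each prompt at once
openlog('krb5_update_pwd', 'pid', 'auth');

my $user;
GetOptions('u=s' => \$user) && defined $user
    or die "usage: $0 -u USER\n";

# %u comes from smbd; accept only a plain account name so nothing can add a
# realm or instance component to the principal built below.
$user =~ /\A([A-Za-z_][A-Za-z0-9_.-]{0,31})\z/
    or do { syslog('warning', 'rejected user name %s', $user); die "bad user name\n" };
$user = $1;   # also untaints the value under perl -T

sub read_line {
    my $line = <STDIN>;
    defined $line or die "unexpected end of input\n";
    $line =~ s/\r?\n\z//;
    return $line;
}

# Drive the chat: smbd answers each prompt with the new password (%n).
print 'Password: ';
my $pw1 = read_line();
print 'Again: ';
my $pw2 = read_line();

die "Passwords do not match\n" unless $pw1 eq $pw2;
# Unless kadmind enforces a policy for this principal, this is the only
# place a length/complexity rule is applied on the Kerberos side.
die "Password too short\n" if length($pw1) < 8;

Authen::Krb5::init_context();
my $cfg = Authen::Krb5::Admin::Config->new;
$cfg->realm($REALM);

my $kadm = Authen::Krb5::Admin->init_with_skey($ADMIN, $KEYTAB,
                                              KADM5_ADMIN_SERVICE, $cfg)
    or die 'kadmin init failed: ' . Authen::Krb5::Admin::error() . "\n";

my $princ = Authen::Krb5::parse_name("$user\@$REALM")
    or die "cannot parse principal for $user\n";

$kadm->chpass_principal($princ, $pw1)
    or do {
        syslog('err', 'kerberos password change failed for %s: %s',
               $user, Authen::Krb5::Admin::error());
        die 'chpass failed: ' . Authen::Krb5::Admin::error() . "\n";
    };

syslog('info', 'kerberos password changed for %s', $user);
print "Changed\n";   # the final token smbd waits for in "passwd chat"
exit 0;
```

With this script the smb.conf lines from FM's post apply unchanged: "unix password sync = Yes", "passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u" and "passwd chat = *Password:* %n\n *Again:* %n\n *Changed*". A non-zero exit (mismatch, too short, kadmin failure) makes smbd report the change as failed, so the LDAP and Kerberos copies do not drift apart silently; the syslog lines give an audit trail of which account was changed from the Windows side.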

Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-05-31 Thread Ti Leggett
Why would the add machine script fail? Here's a quick overview of my
setup:

All Kerberos authenticated admin users (user/admin) have write to the
entire directory
The Samba admin user has write to the relevant samba branches
All Kerberos authenticated non-admin users have read access to
non-sensitive portions of the directory.

There are three users that could be involved in this process:

leggett : A normal user (inetOrgPerson, posizUser, sambaSamAccount) who
is a Domain Admin. Does not have write access to the directory. Password
stored in Kerberos, sambaNTPassword stored in LDAP.

samba_server : An LDAP user (person, uidObject) who has write access to
the directory. Password stored in LDAP. sambaNTPassword not in LDAP as
user isn't a sambaSamAccount

root: A local unix user who has an entry in LDAP (person,
sambaSamAccount). Does not have write access to the directory. Password
is kept locally, sambaNTPassword kept in LDAP. Password and
sambaNTPassword are not the same.


So let me make sure I have all this straight on how it all works.

leggett, a Domain Admin, uses the SeMachineAccountPrivilege to add the
machine to the Samba domain. In this process smbd queries LDAP as
samba_server to see if the machine account is already created. If it's
not, smbd changes to root and calls the script in the "add machine
script" directive. That script should be responsible for changing to a
user or gaining Kerberos credentials to write to the directory.

Is that about right?

On Mon, 2005-05-30 at 21:05 -0500, Gerald (Jerry) Carter wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Ti Leggett wrote:
> 
> > So, here's my new question (I'm full of em): Are LDAP actions 
> > done as the Samba ldap admin dn or the user doing the
> > action? It appears the latter is the case.
> 
> All LDAP actions from smbd are done as the ldap admin dn, but
> the add machine script should be called under root if the user
> has the SeMachineAccountPrivilege.
> 
> 
> 
> 
> 
> 
> 
> cheers, jerry
> =
> Alleviating the pain of Windows(tm)  --- http://www.samba.org
> GnuPG Key- http://www.plainjoe.org/gpg_public.asc
> "I never saved anything for the swim back." Ethan Hawk in Gattaca
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> 
> iD8DBQFCm8ZvIR7qMdg1EfYRAi/zAJ9h6Bzhz5algsAA6hB4O+vyl+sP3gCgu4hP
> wxOm2UkvC6BXHCpwwtmcxNk=
> =AFm2
> -END PGP SIGNATURE-
> 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
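The flow described in this message (smbd runs the "add machine script" as root once the joining user holds SeMachineAccountPrivilege, and the script has to bring its own write credentials to the directory) is what the following added example implements in Perl with Net::LDAP. It is not Ti's setup and not smbldap-tools. It binds as the Samba admin DN with a password read from a root-only file, validates the machine name smbd passes in %u, is idempotent, and creates only the POSIX part of the account; with an ldapsam backend smbd then adds the sambaSamAccount attributes to that entry itself. The LDAP host, CA file, secret file, machines gidNumber and the uidNumber range are assumptions; the base and admin DN follow the smb.conf quoted later in the thread.

```perl
#!/usr/bin/perl
# Added example of a Samba 3 "add machine script" for an ldapsam backend
# (not Ti's setup, not smbldap-tools). smbd invokes it as root with the
# machine name (%u, including the trailing '$'). Placeholders: LDAP host,
# CA file, secret file, machines gid, uidNumber range.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value escape_dn_value);
use Sys::Syslog qw(openlog syslog);

my $HOST     = 'ldap.example.com';                 # placeholder
my $CAFILE   = '/etc/ssl/certs/ldap-ca.pem';       # placeholder
my $BASE     = 'o=ci,dc=example,dc=com';
my $HOSTS_OU = "ou=hosts,ou=samba,$BASE";
my $BIND_DN  = "uid=samba_server,ou=people,$BASE";
my $SECRET   = '/etc/samba/ldap-admin.secret';     # root-only (0600) file
my $MACH_GID = 515;                                # assumed gid of the machines group
my ($UID_MIN, $UID_MAX) = (20000, 29999);          # assumed machine uidNumber range

openlog('add_machine', 'pid', 'auth');

my $machine = shift @ARGV;
defined $machine or die "usage: $0 MACHINE\$\n";

# smbd passes %u from the join request: allow only a NetBIOS-style name
# (15 chars max) plus the trailing '$' that marks a machine account.
$machine =~ /\A([A-Za-z0-9][A-Za-z0-9-]{0,14}\$)\z/
    or do { syslog('warning', 'rejected machine name %s', $machine); die "bad machine name\n" };
$machine = uc $1;

open my $fh, '<', $SECRET or die "cannot open $SECRET: $!\n";
chomp(my $bindpw = <$fh> // '');
close $fh;
length $bindpw or die "empty bind secret in $SECRET\n";

# onerror => 'die': any failed LDAP operation exits non-zero, so smbd
# reports the join as failed instead of continuing with a half-made account.
my $ldap = Net::LDAP->new($HOST, onerror => 'die')
    or die "cannot connect to $HOST: $@\n";
$ldap->start_tls(verify => 'require', cafile => $CAFILE);
$ldap->bind($BIND_DN, password => $bindpw);

# Idempotent: re-joining an existing machine must not create a duplicate.
my $res = $ldap->search(
    base   => $HOSTS_OU, scope => 'one',
    filter => '(uid=' . escape_filter_value($machine) . ')',
    attrs  => ['uid'],
);
if ($res->count) {
    syslog('info', 'machine account %s already exists', $machine);
    exit 0;
}

# Allocate the next free uidNumber in the machine range. Two simultaneous
# joins could race here; a sambaUnixIdPool counter would make this atomic.
my $max = $UID_MIN - 1;
$res = $ldap->search(base  => $BASE, filter => '(objectClass=posixAccount)',
                     attrs => ['uidNumber']);
for my $e ($res->entries) {
    my $n = $e->get_value('uidNumber');
    $max = $n if defined $n && $n > $max && $n <= $UID_MAX;
}
my $uidn = $max + 1;
die "machine uidNumber range exhausted\n" if $uidn > $UID_MAX;

# Only the POSIX account is created; smbd adds sambaSamAccount afterwards.
$ldap->add(
    'uid=' . escape_dn_value($machine) . ",$HOSTS_OU",
    attrs => [
        objectClass   => [qw(top account posixAccount)],
        uid           => $machine,
        cn            => $machine,
        uidNumber     => $uidn,
        gidNumber     => $MACH_GID,
        homeDirectory => '/dev/null',
        loginShell    => '/bin/false',
        description   => 'Computer',
    ],
);
$ldap->unbind;

syslog('info', 'added machine account %s (uidNumber %d)', $machine, $uidn);
exit 0;
```

Wire it in with "add machine script = /usr/local/sbin/add_machine.pl %u". Because smbd runs it as root, the secret file can stay readable by root alone, and the joining user (leggett in the description above) never needs write access to the directory; the entry is created under samba_server's credentials, which matches the ACL split described at the top of the message.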


Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-05-30 Thread Gerald (Jerry) Carter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ti Leggett wrote:

> So, here's my new question (I'm full of em): Are LDAP actions 
> done as the Samba ldap admin dn or the user doing the
> action? It appears the latter is the case.

All LDAP actions from smbd are done as the ldap admin dn, but
the add machine script should be called under root if the user
has the SeMachineAccountPrivilege.







cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCm8ZvIR7qMdg1EfYRAi/zAJ9h6Bzhz5algsAA6hB4O+vyl+sP3gCgu4hP
wxOm2UkvC6BXHCpwwtmcxNk=
=AFm2
-END PGP SIGNATURE-


Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-05-26 Thread Ti Leggett
Okee dokee. I've gotten somewhere.

So samba 3.0.11 didn't seem to quite handle privileges all the way. I
upgraded to 3.0.14 and everything is now peachy happy with one small
exception. Before I get to the problem here's what did work:

net -S localhost -Uleggett rpc rights grant "CI\Domain Admins" \
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

I gave the user's password stored in LDAP and it succeeded. Next I went
to join the machine to the domain. Here's where the problem happened. I
was under the impression that all LDAP activity was done as the user
listed in the "ldap admin dn". However, when I went to join the machine,
let's call it WORKSTATION, it prompted for a domain admin user and
password so I put in leggett's. It tried, but failed (with a new error).
So I looked in the LDAP server's log and, lo and behold, it was trying
to run the add machine script as user leggett (who doesn't have
permission to write to the directory). So I hand added the machine to
the directory and then tried the join again and it worked beautifully.

So, here's my new question (I'm full of em): Are LDAP actions done as
the Samba ldap admin dn or the user doing the action? It appears the
latter is the case.

On Mon, 2005-05-09 at 10:29 -0500, Ti Leggett wrote:
> Unfortunately this still doesn't work. As a note, I thought about this
> and had added the root account to the Domain Admins group.
> 
> On Fri, 2005-05-06 at 17:30 -0400, Josh Kelley wrote:
> > Try doing the "net rpc rights" as a
> > 
> > Ti Leggett wrote:
> > 
> > >However the following fails:
> > >
> > >net -S localhost rpc rights grant "CI\Domain Admins"
> > >SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
> > >SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
> > >
> > >Reading through the logs, everything appears to be fine until it goes to
> > >assign privileges. Here's a snip from the logs (log level = 10):
> > >  
> > >
> > 
> > 
> > >[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
> > >   status: NT_STATUS_ACCESS_DENIED
> > >
> > >The LDAP logs show everything successful and there's no MODs trying to
> > >occur.
> > >  
> > >
> > Try doing the "net rpc rights grant" as a domain admin ("-U username") 
> > instead of as root.  The Samba HOWTO states, "You must be connected as a 
> > member of the Domain Admins group to be able to grant or revoke 
> > privileges assigned to an account. This capability is inherent to the 
> > Domain Admins group and is not configurable."
> > 
> > Granting rights as root doesn't seem to work.  (At least, it doesn't for 
> > me.)  I don't know if that's intentional or not; the HOWTO also states, 
> > "Access as the root user (UID=0) bypasses all privilege checks," which 
> > seems to contradict the previous statement and seems to imply that not 
> > working for root is a bug.
> > 
> > Josh Kelley
> > //
> > 
> 
> 



Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-05-09 Thread Gerald (Jerry) Carter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ti Leggett wrote:
| Unfortunately this still doesn't work. As a note,
| I thought about this and had added the root account
| to the Domain Admins group.
|
|>>However the following fails:
|>>
|>>net -S localhost rpc rights grant "CI\Domain Admins"
|>>SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
|>>SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
|>>
|>>Reading through the logs, everything appears to be fine until it goes to
|>>assign privileges. Here's a snip from the logs (log level = 10):
|>>
|>>
|>
|>
|>
|>>[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
|>>  status: NT_STATUS_ACCESS_DENIED
|>>
|>>The LDAP logs show everything successful and there's
|>>no MODs trying to occur.
Can you send me a level 10 debug log?  I'll take a look.
Also include the version of Samba you are using (since I'm
picking up on this thread late in the game).


cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCf4YFIR7qMdg1EfYRAuX1AKCi1zd4iwWaXIZ8Q5qe0ffbuBWAegCgxzmO
loXKDcVidB/AzofwWAyMypI=
=fZLa
-END PGP SIGNATURE-


Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-05-09 Thread Ti Leggett
Unfortunately this still doesn't work. As a note, I thought about this
and had added the root account to the Domain Admins group.

On Fri, 2005-05-06 at 17:30 -0400, Josh Kelley wrote:
> Try doing the "net rpc rights" as a
> 
> Ti Leggett wrote:
> 
> >However the following fails:
> >
> >net -S localhost rpc rights grant "CI\Domain Admins"
> >SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
> >SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
> >
> >Reading through the logs, everything appears to be fine until it goes to
> >assign privileges. Here's a snip from the logs (log level = 10):
> >  
> >
> 
> 
> >[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
> >   status: NT_STATUS_ACCESS_DENIED
> >
> >The LDAP logs show everything successful and there's no MODs trying to
> >occur.
> >  
> >
> Try doing the "net rpc rights grant" as a domain admin ("-U username") 
> instead of as root.  The Samba HOWTO states, "You must be connected as a 
> member of the Domain Admins group to be able to grant or revoke 
> privileges assigned to an account. This capability is inherent to the 
> Domain Admins group and is not configurable."
> 
> Granting rights as root doesn't seem to work.  (At least, it doesn't for 
> me.)  I don't know if that's intentional or not; the HOWTO also states, 
> "Access as the root user (UID=0) bypasses all privilege checks," which 
> seems to contradict the previous statement and seems to imply that not 
> working for root is a bug.
> 
> Josh Kelley
> //
> 



Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-05-06 Thread Josh Kelley
Try doing the "net rpc rights" as a
Ti Leggett wrote:
However the following fails:
net -S localhost rpc rights grant "CI\Domain Admins"
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Reading through the logs, everything appears to be fine until it goes to
assign privileges. Here's a snip from the logs (log level = 10):
 


[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
  status: NT_STATUS_ACCESS_DENIED
The LDAP logs show everything successful and there's no MODs trying to
occur.
 

Try doing the "net rpc rights grant" as a domain admin ("-U username") 
instead of as root.  The Samba HOWTO states, "You must be connected as a 
member of the Domain Admins group to be able to grant or revoke 
privileges assigned to an account. This capability is inherent to the 
Domain Admins group and is not configurable."

Granting rights as root doesn't seem to work.  (At least, it doesn't for 
me.)  I don't know if that's intentional or not; the HOWTO also states, 
"Access as the root user (UID=0) bypasses all privilege checks," which 
seems to contradict the previous statement and seems to imply that not 
working for root is a bug.

Josh Kelley
//


Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-05-02 Thread Ti Leggett
So I'm still doing something wrong. I now have a root sambaSamAccount in
my directory with the PrimaryGroupSID of the Domain Admins SID. The ldap
admin dn can write to the directory. From my PDC I can do the following
successfully:

net -S localhost rpc join (Success)
smbpasswd -a -w pdc (Success and pdc$ added to the LDAP machine group
with password)

However the following fails:

net -S localhost rpc rights grant "CI\Domain Admins"
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

Reading through the logs, everything appears to be fine until it goes to
assign privileges. Here's a snip from the logs (log level = 10):

[2005/05/02 12:09:43, 7] rpc_parse/parse_prs.c:prs_debug(82)
  000152 smb_io_unistr2 string
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_uint32(642)
  0154 uni_max_len: 0019
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_uint32(642)
  0158 offset : 
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_uint32(642)
  015c uni_str_len: 0019
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:dbg_rw_punival(814)
  0160 buffer :
S.e.R.e.m.o.t.e.S.h.u.t.d.o.w.n.P.r.i.v.i.l.e.g.e.
[2005/05/02 12:09:43, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0] [000] 00 00 00 00 03 00 00 00  00 00 00 00 D7 5E
76 42   .^vB
  [010] 3E 31 00 00   >1..
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_debug(82)
  00 lsa_io_r_add_acct_rights
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
   status: NT_STATUS_ACCESS_DENIED

The LDAP logs show everything successful and there's no MODs trying to
occur.

Below is my smb.conf

[global]
security = user
log level = 10
log file = /var/log/samba/samba.log
workgroup = CI
netbios name = PDC
server string = Primary Domain Controller
private dir = /var/lib/samba/private
passdb backend = ldapsam:ldap://ldap.example.com
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
enable privileges = Yes
hosts allow = none
ldap admin dn = uid=samba_server,ou=people,o=ci,dc=example,dc=com
ldap group suffix = ou=group
ldap machine suffix = ou=hosts,ou=samba
ldap suffix = o=ci,dc=uchicago,dc=edu
ldap ssl = start tls
ldap user suffix = ou=people

[netlogon]
path = /var/lib/samba/netlogon
browseable = No

[profiles]
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700

On Wed, 2005-04-27 at 15:07 -0400, Josh Kelley wrote:
> [EMAIL PROTECTED] wrote:
> 
> >So I think I have the steps needed to get this all working, but I think I
> >have a chicken/egg problem now.
> >  
> >
> 
> 
> >So, is there a way to get it to a point where a normal user in the Domain
> >Admins group can join machine and add Samba Accounts, etc without
> >requiring a uid 0 user to be in LDAP.
> >  
> >
> The sambaSamAccount entry for root needs to be in the LDAP directory, 
> but the rest of the account doesn't.  We have an entry for the root 
> account in our LDAP directory that only has the following non-Samba 
> attributes defined:
> 
> dn: uid=root,dc=jbc,dc=edu
> objectClass: account
> objectClass: sambaSamAccount
> uid: root
> displayName: root
> cn: root
> 
> Although this technically means that there is a uid 0 user in LDAP, it's 
> only a uid 0 user as far as Samba is concerned; Linux/Unix won't 
> recognize the LDAP portion of the root account as being a valid user.
> 
>  From what I've read, this setup won't work if you set ldapsam:trusted = 
> yes in smb.conf, but it will work long enough to assign privileges then 
> set ldapsam:trusted.
> 
> >Also, what pieces are really needed to join a machine to the Samba Domain.
> >And what and who needs to be able to read/write LDAP for this to happen?
> >
> >Pieces I've identified so far. Things starting with '?' I'm not sure about.
> >
> >- Domain Users, Domain Admins, and Domain Guests groups exist with valid
> >sambaSIDs (posixGroup and sambaGroupMapping)
> >- Domain Admins group has the SeMachineAccountPrivilege privilege
> >  
> >
> Correct.
> 
> >- a sambaDomainName object with a valid sambaSID
> >  
> >
> It's a sambaDomain object, not a sambaDomainName object.  I'm pretty 
> sure that Samba will create this for you if it doesn't exist.
> 
> >- a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID,
> >whose SID is in the the Domain Admins sambaSIDList
> >  
> >
> Correct.
> 
> >? A machine user (posixAccount sambaSamAccount) with a valid uid and
> >sambaSID and whose parent LDAP tree is listed as a passwd search path for
> >NSS
> >  
> >
> Generally unnecessary.  Although you can create it yourself, it's easier 
> to set up 

Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-04-27 Thread Josh Kelley
[EMAIL PROTECTED] wrote:
> So I think I have the steps needed to get this all working, but I think I
> have a chicken/egg problem now.
> 
> So, is there a way to get it to a point where a normal user in the Domain
> Admins group can join machine and add Samba Accounts, etc without
> requiring a uid 0 user to be in LDAP.

The sambaSamAccount entry for root needs to be in the LDAP directory, 
but the rest of the account doesn't.  We have an entry for the root 
account in our LDAP directory that only has the following non-Samba 
attributes defined:

dn: uid=root,dc=jbc,dc=edu
objectClass: account
objectClass: sambaSamAccount
uid: root
displayName: root
cn: root
Although this technically means that there is a uid 0 user in LDAP, it's 
only a uid 0 user as far as Samba is concerned; Linux/Unix won't 
recognize the LDAP portion of the root account as being a valid user.

From what I've read, this setup won't work if you set ldapsam:trusted = 
yes in smb.conf, but it will work long enough to assign privileges then 
set ldapsam:trusted.

> Also, what pieces are really needed to join a machine to the Samba Domain.
> And what and who needs to be able to read/write LDAP for this to happen?
> 
> Pieces I've identified so far. Things starting with '?' I'm not sure about.
> 
> - Domain Users, Domain Admins, and Domain Guests groups exist with valid
> sambaSIDs (posixGroup and sambaGroupMapping)
> - Domain Admins group has the SeMachineAccountPrivilege privilege

Correct.
> - a sambaDomainName object with a valid sambaSID

It's a sambaDomain object, not a sambaDomainName object.  I'm pretty 
sure that Samba will create this for you if it doesn't exist.

> - a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID,
> whose SID is in the Domain Admins sambaSIDList

Correct.
> ? A machine user (posixAccount sambaSamAccount) with a valid uid and
> sambaSID and whose parent LDAP tree is listed as a passwd search path for
> NSS

Generally unnecessary.  Although you can create it yourself, it's easier 
to set up an add machine script (such as that provided by the Idealx 
smbldap-tools, if you're using those) and let it take care of this for 
you.  Chapter 6 of the Samba-HOWTO has more information on how machine 
trust accounts are created.

> My last question is this. Does the above user listed above have to have
> write access to the LDAP directory or does only the samba user whose
> password is stored in private/secrets.tdb need write access to the
> directory?

Only the Samba user (whoever you specify as the ldap admin dn) needs 
write access.

> Because I'm using Kerberos as my authentication scheme, in order to write
> to the directory you must have an admin principal (userfoo/admin).
> However, these principals should not be in LDAP with UIDs because they're
> never used in that aspect.

Sorry, I'm not familiar with Kerberos.
Josh Kelley


Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-04-27 Thread leggett
So I think I have the steps needed to get this all working, but I think I
have a chicken/egg problem now.

In order to join a machine to the Samba PDC Domain, you need to either use
a uid 0 user or one that has the SeMachineAccountPrivilege (3.0.11+)
privilege. This user must also be able to read and write to many pieces
of the LDAP directory. Now, I really would rather not have uid 0 users in
LDAP, so that leaves me with the privileges. However, in order to assign
privileges to a user or group, you must login as a Domain Admins user.
Now, by default the Domain Admins group doesn't have these privileges,
so you must use a uid 0 user to get these privileges assigned.
However, since I don't have a uid 0 user in LDAP, Samba doesn't recognize
root as a valid user (passdb backend = ldapsam). And from what I can tell,
the updated schema with 3.0.11 got rid of the sambaPrivilegesList, so that
privileges can only be assigned using net rpc rights.

So, is there a way to get it to a point where a normal user in the Domain
Admins group can join machine and add Samba Accounts, etc without
requiring a uid 0 user to be in LDAP.

Also, what pieces are really needed to join a machine to the Samba Domain.
And what and who needs to be able to read/write LDAP for this to happen?

Pieces I've identified so far. Things starting with '?' I'm not sure about.

- Domain Users, Domain Admins, and Domain Guests groups exist with valid
sambaSIDs (posixGroup and sambaGroupMapping)
- Domain Admins group has the SeMachineAccountPrivilege privilege
- a sambaDomainName object with a valid sambaSID
- a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID,
whose SID is in the Domain Admins sambaSIDList
? A machine user (posixAccount sambaSamAccount) with a valid uid and
sambaSID and whose parent LDAP tree is listed as a passwd search path for
NSS

My last question is this. Does the above user listed above have to have
write access to the LDAP directory or does only the samba user whose
password is stored in private/secrets.tdb need write access to the
directory?

Because I'm using Kerberos as my authentication scheme, in order to write
to the directory you must have an admin principal (userfoo/admin).
However, these principals should not be in LDAP with UIDs because they're
never used in that aspect.

Does any of this make sense, or am I just thoroughly confused?

> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
> backend and use pam_smbpass to keep the passwords sync'd between the
> Kerberos side and the Samba side? That way the Windows clients join the
> domain using only the LDAP information not knowing about the Kerberos
> side of things?
>
> I just removed the Kerberos information from my Windows client and tried
> only using, as far as I can tell, the LDAP information and the client
> still comes back saying the user name is unknown.
>
> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
>> Ok, so I'm just trying to figure out my options here. I can:
>>
>> - Use local accounts and local passwords
>> - Use Kerberos for authentication, but only with local user accounts
>> - Use a Samba PDC with an LDAP backend for accounts and password if and
>> only if the windows clients are not bound to a Kerberos realm
>>
>> Is this correct? In the third case, let's say I have a way to sync
>> Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
>>
>> Or what am I missing? I know I can't create an AD domain, but I'm not
>> trying to. AD is combination of a lot more than just Kerberos and LDAP.
>>
>> I'm curious how Apple does what seems to be just this with their
>> OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
>> Samba 3.0 (at least they claim it's only this).
>>
>>
>> On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
>> > Ti Leggett wrote:
>> > > I've been searching and researching this and I can't seem to find the
>> > > answers I'm looking for. I'd like to setup a Samba PDC that Windows
>> > > clients will join. The PDC will use an LDAP backend to get authorization
>> > > information (username, home directory, etc). The authentication portion
>> > > is handled by an MIT Kerberos KDC. I think I'm real close to having it
>> > > all together but I'm not sure. I have the Windows client setup to point
>> > > at my KDC so authentication *should* be coming from there once the
>> > > authorization portion is going.
>> >
>> > Hehehe, it's been a year trying to do that... but no way! I'm sorry to
>> > tell you, but what you want is a replacement of AD... in no way windows
>> > will know about ldap and mit, without an AD domain.
>> >
>> > > So first question is, are sambaLMPassword and sambaNTPassword still
>> > > needed in LDAP for each user?
>> > >
>> > > Here's the output from ksetup /dumpstate:
>> > >
>> > > Machine is not configured to log on to an external KDC. Probably a
>> > > workgroup member
>> > > EXAMPL

Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-04-25 Thread FM
Hello,
My setup :
Windows stations
SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT)
All users (posix and ldap) are in Openldap.
All my ldap password are : [EMAIL PROTECTED]
I use saslauthd so I can connect to ldap using simplebind with password 
in KERBEROS
this password CANNOT be changed (denied by the slapd.access.conf file)

Samba cannot use MIT kerberos for the password so my little trick :
I create a perl script using Authen::Krb5::Admin that uses a keytab for 
authentication: krb5_update_pwd.pl

in the smb.conf :
   ldap passwd sync = No
   unix password sync = Yes
   passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
%n\n *passwd:*all*authentication*tokens*updated*successfully*
   passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
So when Windows users change their password (from the change password 
option in Windows), SAMBA calls /krb5_update_pwd.pl, which also updates 
the KERBEROS password.

Linux users just have to use :
smbpasswd -r PDC_SERVER
That command updates the SAMBA password and again it calls 
/krb5_update_pwd.pl to sync the kerberos password

I know there are some shortcomings (password policies for example). But 
it's the closest I get :-)

Hope this can help :-)

Ti Leggett wrote:
> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
> backend and use pam_smbpass to keep the passwords sync'd between the
> Kerberos side and the Samba side? That way the Windows clients join the
> domain using only the LDAP information not knowing about the Kerberos
> side of things?
> 
> I just removed the Kerberos information from my Windows client and tried
> only using, as far as I can tell, the LDAP information and the client
> still comes back saying the user name is unknown.
> 
> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
> > Ok, so I'm just trying to figure out my options here. I can:
> > 
> > - Use local accounts and local passwords
> > - Use Kerberos for authentication, but only with local user accounts
> > - Use a Samba PDC with an LDAP backend for accounts and password if and
> > only if the windows clients are not bound to a Kerberos realm
> > 
> > Is this correct? In the third case, let's say I have a way to sync
> > Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
> > 
> > Or what am I missing? I know I can't create an AD domain, but I'm not
> > trying to. AD is combination of a lot more than just Kerberos and LDAP.
> > 
> > I'm curious how Apple does what seems to be just this with their
> > OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
> > Samba 3.0 (at least they claim it's only this).
> > 
> > On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
> > > Ti Leggett wrote:
> > > > I've been searching and researching this and I can't seem to find the
> > > > answers I'm looking for. I'd like to setup a Samba PDC that Windows
> > > > clients will join. The PDC will use an LDAP backend to get authorization
> > > > information (username, home directory, etc). The authentication portion
> > > > is handled by an MIT Kerberos KDC. I think I'm real close to having it
> > > > all together but I'm not sure. I have the Windows client setup to point
> > > > at my KDC so authentication *should* be coming from there once the
> > > > authorization portion is going.
> > > 
> > > Hehehe, it's been a year trying to do that... but no way! I'm sorry to 
> > > tell you, but what you want is a replacement of AD... in no way windows 
> > > will know about ldap and mit, without an AD domain.
> > > 
> > > > So first question is, are sambaLMPassword and sambaNTPassword still
> > > > needed in LDAP for each user?
> > > > 
> > > > Here's the output from ksetup /dumpstate:
> > > > 
> > > > Machine is not configured to log on to an external KDC. Probably a
> > > > workgroup member
> > > > EXAMPLE.COM:
> > > >   kdc = 
> > > >   kdc = 
> > > >   kpasswd = 
> > > >   Realm Flags = 0x0 none
> > > > No user mappings defined.
> > > 
> > > Users must be somewhere to get HKEY_LOCAL* work... and they should be 
> > > local users (the MIT-KDC authentication works this way).
> > > 
> > > > Second, here's what I have in LDAP so far:
> > > > [...]
> > > > I've done a smbpasswd -w 
> > > > 
> > > > I can do a net getlocalsid and it will get the correct SID out of LDAP.
> > > 
> > > Correct.
> > > 
> > > > However, when I try to join my Windows client to the EXAMPLE.COM domain,
> > > > I can see the ldap queries happening, but the Windows client reports an
> > > > invalid username.
> > > 
> > > Yes. Active Directory is not there... and it wants AD. In no way you can 
> > > fake AD, even though it's kerberos, ldap and smb + natural-flavours...
> > > 


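FM's trick above, as an added example that is not FM's perl script: a POSIX shell `passwd program` that speaks the chat his smb.conf expects (`*Password:* %n\n *Again:* %n\n *Changed*`), validates the new password pair, and then changes the Kerberos password with kadmin authenticated from a keytab, so smbd only updates the LDAP hashes after the KDC change succeeded. The realm, keytab path, admin principal and minimum length are placeholders, and it assumes MIT kadmin, whose `cpw` prompts read the new password from stdin, so the password never appears on a command line.

```shell
#!/bin/sh
# krb5_update_pwd.sh -- constructed example of a Samba "passwd program"
# (not FM's perl script) invoked by smbd as:
#   passwd program = /usr/local/sbin/krb5_update_pwd.sh -u %u
#   passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
set -u

# Placeholder settings (assumed, not from the thread).
REALM="${REALM:-EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/samba/pwsync.keytab}"
ADMIN_PRINC="${ADMIN_PRINC:-pwsync/admin@$REALM}"
KADMIN="${KADMIN:-kadmin}"
MIN_LEN=8

# Reject empty, too-short or mismatched passwords before touching the KDC.
# Returns 0 when the pair is acceptable, 1 otherwise.
validate_password_pair() {
    p1=$1; p2=$2
    [ -n "$p1" ] || return 1
    [ "${#p1}" -ge "$MIN_LEN" ] || return 1
    [ "$p1" = "$p2" ] || return 1
    return 0
}

# smbd passes %u; only accept a plain principal name so nothing unexpected
# reaches the kadmin query string.
validate_username() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Change the Kerberos password, authenticating with the keytab. The new
# password is answered to kadmin's own two prompts on stdin rather than
# passed with "cpw -pw", so it is never visible in the process list.
change_krb5_password() {
    user=$1; pw=$2
    printf '%s\n%s\n' "$pw" "$pw" |
        "$KADMIN" -k -t "$KEYTAB" -p "$ADMIN_PRINC" \
            -q "cpw $user@$REALM" >/dev/null 2>&1
}

# Drive the chat: smbd waits for "Password:", sends %n, waits for "Again:",
# sends %n, and treats the run as successful only when it sees "Changed".
run_chat() {
    user=$1
    printf 'Password: '; IFS= read -r pw1
    printf 'Again: ';    IFS= read -r pw2
    if ! validate_password_pair "$pw1" "$pw2"; then
        echo 'Passwords do not match or are too short'
        return 1
    fi
    if ! change_krb5_password "$user" "$pw1"; then
        echo 'Kerberos password change failed'
        return 1
    fi
    echo 'Changed'
}

main() {
    user=
    while getopts 'u:' opt; do
        case $opt in u) user=$OPTARG ;; *) exit 2 ;; esac
    done
    validate_username "$user" || { echo 'Bad user name'; exit 2; }
    run_chat "$user"
}

# Only run the chat when smbd actually passes "-u user".
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because `unix password sync = Yes` runs this program before smbd writes sambaNTPassword, a kadmin failure leaves both stores unchanged instead of drifting apart.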


Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-04-23 Thread Ti Leggett
Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
backend and use pam_smbpass to keep the passwords sync'd between the
Kerberos side and the Samba side? That way the Windows clients join the
domain using only the LDAP information not knowing about the Kerberos
side of things?

I just removed the Kerberos information from my Windows client and tried
only using, as far as I can tell, the LDAP information and the client
still comes back saying the user name is unknown.

On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
> Ok, so I'm just trying to figure out my options here. I can:
> 
> - Use local accounts and local passwords
> - Use Kerberos for authentication, but only with local user accounts
> - Use a Samba PDC with an LDAP backend for accounts and password if and
> only if the windows clients are not bound to a Kerberos realm
> 
> Is this correct? In the third case, let's say I have a way to sync
> Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
> 
> Or what am I missing? I know I can't create an AD domain, but I'm not
> trying to. AD is combination of a lot more than just Kerberos and LDAP.
> 
> I'm curious how Apple does what seems to be just this with their
> OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
> Samba 3.0 (at least they claim it's only this).
> 
> 
> On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
> > Ti Leggett wrote:
> > > I've been searching and researching this and I can't seem to find the
> > > answers I'm looking for. I'd like to setup a Samba PDC that Windows
> > > clients will join. The PDC will use an LDAP backend to get authorization
> > > information (username, home directory, etc). The authentication portion
> > > is handled by an MIT Kerberos KDC. I think I'm  real close to having it
> > > all together but I'm not sure. I have the Windows client setup to point
> > > at my KDC so authentication *should* be coming from there once the
> > > authorization portion is going.
> > 
> > Hehehe, it's been a year trying to do that... but no way! I'm sorry to 
> > tell you, but what you want is a replacement of AD... in no way windows 
> > will know about ldap and mit, without an AD domain.
> > 
> > > So first question is, are sambaLMPassword and sambaNTPassword still
> > > needed in LDAP for each user?
> > > 
> > > Here's the output from ksetup /dumpstate:
> > > 
> > > Machine is not configured to log on to an external KDC. Probably a
> > > workgroup member
> > > EXAMPLE.COM:
> > >   kdc = 
> > >   kdc = 
> > >   kpasswd = 
> > >   Realm Flags = 0x0 none
> > > No user mappings defined.
> > 
> > Users must be somewhere to get HKEY_LOCAL* work... and they should be 
> > local users (the MIT-KDC authentication works this way).
> > 
> > > Second, here's what I have in LDAP so far:
> > > [...]
> > > I've done a smbpasswd -w 
> > > 
> > > I can do a net getlocalsid and it will get the correct SID out of LDAP.
> > 
> > Correct.
> > 
> > > However, when I try to join my Windows client to the EXAMPLE.COM domain,
> > > I can see the ldap queries happening, but the Windows client reports an
> > > invalid username.
> > 
> > Yes. Active Directory is not there... and it wants AD. In no way you can 
> > fake AD, even though it's kerberos, ldap and smb + natural-flavours...
> > 
> 
> 



Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-04-23 Thread Ti Leggett
Ok, so I'm just trying to figure out my options here. I can:

- Use local accounts and local passwords
- Use Kerberos for authentication, but only with local user accounts
- Use a Samba PDC with an LDAP backend for accounts and password if and
only if the windows clients are not bound to a Kerberos realm

Is this correct? In the third case, let's say I have a way to sync
Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?

Or what am I missing? I know I can't create an AD domain, but I'm not
trying to. AD is combination of a lot more than just Kerberos and LDAP.

I'm curious how Apple does what seems to be just this with their
OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
Samba 3.0 (at least they claim it's only this).


On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
> Ti Leggett wrote:
> > I've been searching and researching this and I can't seem to find the
> > answers I'm looking for. I'd like to setup a Samba PDC that Windows
> > clients will join. The PDC will use an LDAP backend to get authorization
> > information (username, home directory, etc). The authentication portion
> > is handled by an MIT Kerberos KDC. I think I'm  real close to having it
> > all together but I'm not sure. I have the Windows client setup to point
> > at my KDC so authentication *should* be coming from there once the
> > authorization portion is going.
> 
> Hehehe, it's been a year trying to do that... but no way! I'm sorry to 
> tell you, but what you want is a replacement of AD... in no way windows 
> will know about ldap and mit, without an AD domain.
> 
> > So first question is, are sambaLMPassword and sambaNTPassword still
> > needed in LDAP for each user?
> > 
> > Here's the output from ksetup /dumpstate:
> > 
> > Machine is not configured to log on to an external KDC. Probably a
> > workgroup member
> > EXAMPLE.COM:
> > kdc = 
> > kdc = 
> > kpasswd = 
> > Realm Flags = 0x0 none
> > No user mappings defined.
> 
> Users must be somewhere to get HKEY_LOCAL* work... and they should be 
> local users (the MIT-KDC authentication works this way).
> 
> > Second, here's what I have in LDAP so far:
> > [...]
> > I've done a smbpasswd -w 
> > 
> > I can do a net getlocalsid and it will get the correct SID out of LDAP.
> 
> Correct.
> 
> > However, when I try to join my Windows client to the EXAMPLE.COM domain,
> > I can see the ldap queries happening, but the Windows client reports an
> > invalid username.
> 
> Yes. Active Directory is not there... and it wants AD. In no way you can 
> fake AD, even though it's kerberos, ldap and smb + natural-flavours...
> 



[Samba] Samba as a PDC with LDAP and Kerberos

2005-04-22 Thread Ti Leggett
I've been searching and researching this and I can't seem to find the
answers I'm looking for. I'd like to setup a Samba PDC that Windows
clients will join. The PDC will use an LDAP backend to get authorization
information (username, home directory, etc). The authentication portion
is handled by an MIT Kerberos KDC. I think I'm real close to having it
all together but I'm not sure. I have the Windows client setup to point
at my KDC so authentication *should* be coming from there once the
authorization portion is going.

So first question is, are sambaLMPassword and sambaNTPassword still
needed in LDAP for each user?

Here's the output from ksetup /dumpstate:

Machine is not configured to log on to an external KDC. Probably a
workgroup member
EXAMPLE.COM:
kdc = 
kdc = 
kpasswd = 
Realm Flags = 0x0 none
No user mappings defined.

Second, here's what I have in LDAP so far:

dn: ou=Samba,dc=example,dc=com
objectClass: organizationalUnit
ou: Samba

dn: sambaDomainName=EXAMPLE.COM,ou=Samba,dc=example,dc=com
objectClass: top
objectClass: sambaDomain
sambaSID: S-1-5-21-2230234512-1629394365-1821015051
sambaDomainName: EXAMPLE.COM

dn: uid=samba_server,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: uidObject
sn: samba_server
cn: samba_server
userPassword: 
uid: samba_server

dn: cn=Domain Admins,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 1011
memberUid: leggett
sambaGroupType: 2
description: Windows Domain Administrators
sambaSIDList: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-512

dn: cn=Domain Users,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 1012
sambaGroupType: 2
description: Windows Domain Users
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-513

dn: cn=Domain Guests,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 1013
sambaGroupType: 2
description: Windows Domain Guests
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-514

dn: uid=leggett,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: Ti Leggett
givenName: Ti
sn: Leggett
mail: [EMAIL PROTECTED]
uid: leggett
uidNumber: 1001
homeDirectory: /home/leggett
loginShell: /bin/bash
gidNumber: 1000
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaLMPassword: 
sambaNTPassword: 
sambaAcctFlags: [U ]
sambaPrimaryGroupSID: S-1-5-21-2230234512-1629394365-1821015051-512

I've done a smbpasswd -w 

I can do a net getlocalsid and it will get the correct SID out of LDAP.

However, when I try to join my Windows client to the EXAMPLE.COM domain,
I can see the ldap queries happening, but the Windows client reports an
invalid username.

Not sure if these are related questions or not, but what are the
sambaAcctFlags values and meanings? And, is it necessary to have an ldap
entry of uid=WINDOWSCLIENT$,ou=people,dc=example,dc=com?

And lastly, here's relevant sections from my smb.conf:

[global]
workgroup = EXAMPLE.COM
realm = EXAMPLE.COM
password server = 
netbios name = CI-PDC
server string = Example Primary Domain Controller
passdb backend = ldapsam:ldap://
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
ldap admin dn = uid=samba_server,ou=people,dc=example,dc=com
ldap group suffix = ou=group
ldap machine suffix = ou=hosts
ldap suffix = dc=example,dc=com
ldap ssl = start tls
ldap user suffix = ou=people
admin users = leggett

I can send logs from LDAP server if they might be helpful. Thanks ahead
of time!



Re: [Samba] Samba as a PDC with LDAP and Kerberos

2005-04-22 Thread Franco \"Sensei\"
Ti Leggett wrote:
> I've been searching and researching this and I can't seem to find the
> answers I'm looking for. I'd like to setup a Samba PDC that Windows
> clients will join. The PDC will use an LDAP backend to get authorization
> information (username, home directory, etc). The authentication portion
> is handled by an MIT Kerberos KDC. I think I'm real close to having it
> all together but I'm not sure. I have the Windows client setup to point
> at my KDC so authentication *should* be coming from there once the
> authorization portion is going.

Hehehe, it's been a year trying to do that... but no way! I'm sorry to 
tell you, but what you want is a replacement of AD... in no way windows 
will know about ldap and mit, without an AD domain.

> So first question is, are sambaLMPassword and sambaNTPassword still
> needed in LDAP for each user?
> 
> Here's the output from ksetup /dumpstate:
> 
> Machine is not configured to log on to an external KDC. Probably a
> workgroup member
> EXAMPLE.COM:
> kdc = 
> kdc = 
> kpasswd = 
> Realm Flags = 0x0 none
> No user mappings defined.

Users must be somewhere to get HKEY_LOCAL* work... and they should be 
local users (the MIT-KDC authentication works this way).

> Second, here's what I have in LDAP so far:
> [...]
> I've done a smbpasswd -w 
> 
> I can do a net getlocalsid and it will get the correct SID out of LDAP.

Correct.

> However, when I try to join my Windows client to the EXAMPLE.COM domain,
> I can see the ldap queries happening, but the Windows client reports an
> invalid username.

Yes. Active Directory is not there... and it wants AD. In no way you can 
fake AD, even though it's kerberos, ldap and smb + natural-flavours...

--
Sensei  
The difference between stupidity and genius is that genius has its limits.
   Albert Einstein

