Re: [Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)

2013-08-27 Thread steve
On Tue, 2013-08-27 at 01:39 +0200, Marc Muehlfeld wrote:
> Hello Steve,
> 
> thanks for your suggestions.
> 
> 
> 
> Am 27.08.2013 00:40, schrieb steve:
> > 1. Nested groups work fine with nslcd. Please use the latest version:
> > man nslcd.conf(5)
> 
> I use the version Redhat ships. I haven't used that latest version and I 
> think most will use the one shipped with their distribution, too. But of 
> course I've changed the information in the HowTo.
> 
> 
> 
> 
> > 2. We really should encourage users away from plain text passwords
> > stored in files. nslcd works fine with sasl binds. The devs have worked
> > hard to give us Kerberos out of the box. I think we should use it:
> > http://linuxcostablanca.blogspot.com.es/p/s4bind.html
> 
> I wanted to first create a very simple and basic HowTo, because recently
> we often had questions about nslcd, etc. on the list.
> 
> But you are right. Kerberos should be the preferred way. I'll have a 
> look at that in the next few days and switch the HowTo to Kerberos or add
> this as an additional way. But give me some time, because I validate 
> everything I publish.
> 
> 
> 
> 
> > 3. nslcd is already AD aware and this is not winbind so let's keep it
> > simple. The following lines are not required/produce errors/ slow down
> > lookups.
> > filter  passwd
> > (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
> > map passwd  gecos  displayName
> > map passwd  gidNumber  primaryGroupID
> > filter  group   (&(objectClass=group)(gidNumber=*))
> > map group   uniqueMember   member
> 
> Can you please give me more details here? I don't get any errors on 
> RHEL6 here.
> 
> 
> Regarding the removal of these lines, I'm not sure why. I added them 
> deliberately for the following reasons:
> 
> If I remove the "filter passwd" line, then "getent passwd" doesn't return
> domain accounts any more.
> 
> If I remove the "map passwd gidNumber primaryGroupID" line, then "id 
> username" doesn't return the primary group configured in AD on the Unix tab.
> 
> If I remove the "filter group" line, then "getent group" doesn't return 
> domain groups any more.
> 
> If I remove the "map group uniqueMember member" line, then "id username" 
> won't tell me which groups the user is in.
> 
> Do you have different results on your system?
Hi
Yes. All this changed as of version 0.8.10.

>  Or why would you remove 
> these lines?
Current versions of nslcd do not require them. With Red Hat throwing
some of their best coders at sssd through Fedora, it is understandable
that nss-pam-ldapd maintenance will not be a high priority ;)
> 
> 
> 
> 
> 
> > Again, it is important to use the latest version.
> 
> I think most users first try the version shipped with their 
> distribution, like me, because every self-compiled program is something 
> you have to update manually (and on every server), while everything else 
> can be done at once via yum/apt/whatever.
> 
> I think it's not important to use the latest version, unless it contains 
> something I can't live without. But everybody has different opinions 
> on that, I guess. ;-)

It seems that the majority of users build samba4 from source. In this
case it is a simple step to also build nss-pam-ldapd. As you quite
rightly say, you want to keep it simple. This is all that is needed as
of 0.8.10 (which most distros now have):

uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm YOUR_REALM
krb5_ccname /your/cache

Your distro must still be using the 0.7 series.

One valid point that users make is that the Samba documentation is out
of date/irrelevant/written for devs by devs. With nslcd and sssd howtos
you have a golden opportunity to produce something that is both current
and relevant, and doable by anyone.

If you decide to stay with the old version, please make it clear by
putting something like 'This howto has been tested with x.y.z'. If you
like, I'll put up a 0.8.10-and-newer configuration version to link to. As
we recommend the latest stable version for Samba, so should we recommend
the latest version of all associated kit.

HTH
Thanks for your patience.
Steve


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
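
A checker for the two points Steve makes in this message (a plain-text bindpw on disk versus a GSSAPI bind, and the 0.7-style AD mapping lines), added here as an example; it is not code from the thread, the Samba wiki or nss-pam-ldapd. It parses nslcd.conf text and returns a list of findings. The hostnames, DNs and password in the two embedded sample configs are constructed; the 0.8.10 threshold is Steve's statement, and since Marc reports those lines are still needed on RHEL6's 0.7 series, the legacy check only fires for the version you pass in.

```python
"""Audit an nslcd.conf for the points raised in this thread: a plain-text
bind password on disk, cleartext LDAP with a simple bind, GSSAPI without a
ticket cache, and the 0.7-series AD mapping lines that nslcd 0.8.10 and
newer reportedly no longer needs."""

# Directive prefixes Steve lists as unnecessary from nss-pam-ldapd 0.8.10 on
# (Marc reports they are still needed on the 0.7 series shipped with RHEL6).
LEGACY_AD_DIRECTIVES = (
    ("filter", "passwd"),
    ("filter", "group"),
    ("map", "passwd", "gecos"),
    ("map", "passwd", "gidnumber"),
    ("map", "group", "uniquemember"),
)


def parse_nslcd_conf(text):
    """Return (keyword, args, raw_line) tuples. nslcd.conf holds one
    'keyword value ...' per line; lines starting with '#' are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:], line))
    return entries


def is_legacy_ad_directive(keyword, args):
    """True if the directive matches one of the 0.7-style AD mapping lines."""
    probe = (keyword.lower(),) + tuple(a.lower() for a in args[:2])
    return any(probe[:len(pat)] == pat for pat in LEGACY_AD_DIRECTIVES)


def audit_nslcd_conf(text, nslcd_version=(0, 8, 10), file_mode=None):
    """Return a list of findings (strings). Pass the file's st_mode as
    file_mode to include the permission check."""
    entries = parse_nslcd_conf(text)
    keys = {k for k, _, _ in entries}

    def first(key):
        return next((a[0] for k, a, _ in entries if k == key and a), None)

    findings = []

    # 1. Credentials on disk: a simple bind keeps binddn/bindpw in the file,
    #    which nslcd reads as root before dropping to uid/gid nslcd.
    if "bindpw" in keys:
        findings.append("bindpw: plain-text bind password stored in nslcd.conf")
        if file_mode is not None and file_mode & 0o077:
            findings.append("nslcd.conf is group/world readable but contains bindpw")
    if "binddn" in keys and "sasl_mech" not in keys:
        findings.append("binddn without sasl_mech: simple bind instead of Kerberos")

    # 2. Transport: ldap:// with a simple bind and no STARTTLS sends the
    #    password in clear; GSSAPI negotiates its own protection layer.
    if "sasl_mech" not in keys and (first("ssl") or "off").lower() == "off":
        for k, args, _ in entries:
            if k == "uri":
                for uri in args:
                    if uri.lower().startswith("ldap://"):
                        findings.append(f"{uri}: cleartext LDAP with a simple bind")

    # 3. Kerberos sanity: GSSAPI needs a credential cache nslcd can read.
    if (first("sasl_mech") or "").upper() == "GSSAPI" and "krb5_ccname" not in keys:
        findings.append("sasl_mech GSSAPI without krb5_ccname: no ticket cache configured")

    # 4. Legacy AD lines, only reported for the versions Steve says drop them.
    if nslcd_version >= (0, 8, 10):
        ver = ".".join(map(str, nslcd_version))
        for k, args, raw in entries:
            if is_legacy_ad_directive(k, args):
                findings.append(f"legacy 0.7-style directive on nslcd {ver}: {raw}")

    return findings


# Constructed sample configs (hostnames, DNs and password are made up):
# a 0.7-style file with a simple bind, and the 0.8.10+ GSSAPI shape from
# Steve's mail with the placeholders filled in.
WEAK_CONF = """\
uid nslcd
gid nslcd
uri ldap://dc1.example.com
base dc=example,dc=com
binddn cn=nslcd,cn=Users,dc=example,dc=com
bindpw Sup3rSecret
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd gecos displayName
map passwd gidNumber primaryGroupID
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
"""

KERBEROS_CONF = """\
uid nslcd
gid nslcd
uri ldap://dc1.example.com
base dc=example,dc=com
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm EXAMPLE.COM
krb5_ccname /var/run/nslcd/nslcd.tkt
"""

if __name__ == "__main__":
    print(*audit_nslcd_conf(WEAK_CONF), sep="\n")
```

Run it against the real file by passing `open('/etc/nslcd.conf').read()` and `os.stat('/etc/nslcd.conf').st_mode` as `file_mode`; the Kerberos-shaped config returns an empty list, the simple-bind one returns eight findings. The mode check matters because a readable `bindpw` is the same as a leaked domain account, which is the reason to prefer the GSSAPI bind in the first place.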


Re: [Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)

2013-08-26 Thread Marc Muehlfeld

Hello Steve,

thanks for your suggestions.


On 27.08.2013 00:40, steve wrote:
> 1. Nested groups work fine with nslcd. Please use the latest version:
> man nslcd.conf(5)

I use the version Redhat ships. I haven't used that latest version and I 
think most will use the one shipped with their distribution, too. But of 
course I've changed the information in the HowTo.


> 2. We really should encourage users away from plain text passwords
> stored in files. nslcd works fine with sasl binds. The devs have worked
> hard to give us Kerberos out of the box. I think we should use it:
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html

I wanted to first create a very simple and basic HowTo, because recently
we often had questions about nslcd, etc. on the list.

But you are right. Kerberos should be the preferred way. I'll have a 
look at that in the next few days and switch the HowTo to Kerberos or add
this as an additional way. But give me some time, because I validate 
everything I publish.


> 3. nslcd is already AD aware and this is not winbind so let's keep it
> simple. The following lines are not required/produce errors/ slow down
> lookups.
> filter  passwd
> (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
> map passwd  gecos  displayName
> map passwd  gidNumber  primaryGroupID
> filter  group   (&(objectClass=group)(gidNumber=*))
> map group   uniqueMember   member

Can you please give me more details here? I don't get any errors on 
RHEL6 here.

Regarding the removal of these lines, I'm not sure why. I added them 
deliberately for the following reasons:

If I remove the "filter passwd" line, then "getent passwd" doesn't return
domain accounts any more.

If I remove the "map passwd gidNumber primaryGroupID" line, then "id 
username" doesn't return the primary group configured in AD on the Unix tab.

If I remove the "filter group" line, then "getent group" doesn't return 
domain groups any more.

If I remove the "map group uniqueMember member" line, then "id username" 
won't tell me which groups the user is in.

Do you have different results on your system? Or why would you remove 
these lines?


> Again, it is important to use the latest version.

I think most users first try the version shipped with their 
distribution, like me, because every self-compiled program is something 
you have to update manually (and on every server), while everything else 
can be done at once via yum/apt/whatever.

I think it's not important to use the latest version, unless it contains 
something I can't live without. But everybody has different opinions 
on that, I guess. ;-)

Thanks for your comments.


Regards,
Marc




Re: [Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)

2013-08-26 Thread steve
On Tue, 2013-08-27 at 00:12 +0200, Marc Muehlfeld wrote:
> On 25.08.2013 09:27, Bruno Vane wrote:
> > I have some Ubuntu LTS servers running openssh server authenticating to
> > external openldap. I installed a new Ubuntu LTS server with Samba4 to
> > create a domain and it is working very well. I managed to make a pfsense
> > firewall authenticate users in this Samba4 ldap. How do I make openssh in
> > Ubuntu authenticate users in Samba4 ldap?
> 
> 
> As the "Winbind, sshd and nslcd"-HowTo I am currently working on is 
> getting longer and longer, I decided to split it into three parts, 
> so it won't get too confusing. Also then I can publish the already 
> finished and validated nslcd part. And here it is:
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
> 
> 
> @Bruno: This HowTo should contain all the short information I already 
> gave you here on the list, in more depth.
> 
> 
> @All: Feel free to give comments. Or let me know if something is 
> missing/wrong.
> 
> 
> Regards,
> Marc

Hi
1. Nested groups work fine with nslcd. Please use the latest version:
man nslcd.conf(5)

2. We really should encourage users away from plain text passwords
stored in files. nslcd works fine with sasl binds. The devs have worked
hard to give us Kerberos out of the box. I think we should use it:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

3. nslcd is already AD aware and this is not winbind so let's keep it
simple. The following lines are not required/produce errors/ slow down
lookups.
filter  passwd
(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd  gecos  displayName
map passwd  gidNumber  primaryGroupID
filter  group   (&(objectClass=group)(gidNumber=*))
map group   uniqueMember   member
Again, it is important to use the latest version.

Just my €0.02
Thank you for taking the time to document this.



Re: [Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)

2013-08-26 Thread Marc Muehlfeld

On 25.08.2013 09:27, Bruno Vane wrote:
> I have some Ubuntu LTS servers running openssh server authenticating to
> external openldap. I installed a new Ubuntu LTS server with Samba4 to
> create a domain and it is working very well. I managed to make a pfsense
> firewall authenticate users in this Samba4 ldap. How do I make openssh in
> Ubuntu authenticate users in Samba4 ldap?

As the "Winbind, sshd and nslcd"-HowTo I am currently working on is 
getting longer and longer, I decided to split it into three parts, 
so it won't get too confusing. Also then I can publish the already 
finished and validated nslcd part. And here it is:
https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

@Bruno: This HowTo should contain all the short information I already 
gave you here on the list, in more depth.

@All: Feel free to give comments. Or let me know if something is 
missing/wrong.



Regards,
Marc