Re: [Samba] Question on approach to authenticate Linux against Samba4
So first of all winbind is the fastest and easiest solution with samba 4: Just be sure winbind is loaded in your samba4 smb.conf. So winbind can read from samba:

wbinfo -u
Administrator
Guest
krbtgt
dns-s4master

then do a

ldconfig -v | grep winbind

If the result is ex:

ldconfig: /etc/ld.so.conf.d/kernel-2.6.32-358.11.1.el6.x86_64.conf:6: duplicate hwcap 1 nosegneg
libnss_winbind.so -> libnss_winbind.so.2

You have to link libnss_winbind this way ex.:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

In your nsswitch.conf:

passwd: files winbind
shadow: files
group: files winbind

now you get all your ads members and groups with getent passwd and group.

Good luck
Daniel

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of dahopk...@comcast.net
Sent: Thursday, 25 July 2013 18:59
To: samba@lists.samba.org
Subject: [Samba] Question on approach to authenticate Linux against Samba4

This is in a test environment. Also, it is wordy, but I'm hoping it explains my scenario.

I am migrating from a custom LDAP+Samba3 authentication solution to Samba4. I have used the classicupgrade option to pull off the data from the existing ldap server to populate the samba4 database. I've installed AD DS and Server for NIS tools on a Windows 2008 server that is connected to the Samba4 DC as a member server. All the information appears to be correct, including the Unix uid and group memberships, and the unixHomedirectory.

Now I need to authenticate a Linux system against the Samba4 DC and I need to have the unixHomedirectory used. There is a lot of older information on the net on how to authenticate. I'd prefer to not be required to install samba4 on these other Linux systems which a lot of these approaches seem to require. These linux systems are running LTSP so I have 50+ users logged in at any given time. I currently NFS mount home directories for the linux systems from a central fileserver. Home directories are of the pattern /home/Graduation_year/username.

I've tested the Windows logins. I have an issue with mapped drives to the fileservers but I expected this since the fileservers don't exist on the test network. I expect this issue to be resolved once the fileservers are upgraded to samba4 and joined as member servers.

I found http://zachbethel.com/2013/04/10/linux-ldap-authentication-with-samba4/ which I think will work. The ldbsearch works but before embarking further on this approach, I have some concerns.

1) will the unixHomedirectory be honored?

2) will I be able to easily add users so that the unix settings will be properly configured? I currently use the IDEALX smbldap tools. Being able to script account creation is very important to me .. adding 200+ user accounts manually each year is not very appealing. ;)

3) Will the scripting tools be able to automatically assign a unique uid for each unix account. Current approach uses NextFreeUnixID but this does not exist in the Samba4 database (the ldap entry is shown below)

dn: cn=NextFreeUnixId,dc=ncs,dc=k12,dc=de,dc=us
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
cn: NextFreeUnixId
sn: NextFreeUnixId
structuralObjectClass: inetOrgPerson
entryUUID: 4a73a856-83a5-1029-8294-b4ff885ef639
creatorsName: cn=Manager,dc=ncs,dc=k12,dc=de,dc=us
createTimestamp: 20050708023946Z
gidNumber: 1002
uidNumber: 3885

I have read through the recent thread on winbind and honestly I am not sure that I want to pursue either winbind or sssd if it is possible to use nss_pam_ldap which seems closest to the current approach.

Thank you for your patience and taking the time to read the above.

Sincerely,
Dave Hopkins

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Question on approach to authenticate Linux against Samba4
Since I couldn't get 10.04 to work, I built a server with the base 12.04 install, added the required packages per the documents suggested earlier except I didn't install any samba packages. This has worked and I can now log onto the new server with all the original accounts. I have no idea why 10.04 didn't work except for the warning about sasl not being complete ...

----- Original Message -----
From: dahopk...@comcast.net
To: "steve"
Cc: samba@lists.samba.org
Sent: Friday, July 26, 2013 11:23:33 AM
Subject: Re: [Samba] Question on approach to authenticate Linux against Samba4

Thank you for the help ... seems like almost there but .. short version .. getent passwd doesn't retrieve any information from the samba4 DC. Seems that nslcd tries to use a simple bind and not kerberos but I think I have nslcd.conf set correctly. Rest of story, see below.

> For good measure add the DC to /etc/hosts on the client.

Done

>> Step 6: I already have samba-common, and samba-common-bin (latest for
>> 10.04) installed.

The directions I'm following have two different locations for the ticket cache ... shouldn't make a difference as long as I am consistent in specifying where the tickets are located. I also had to install kstart on 10.04

> 10.04 . Did these go in OK?
> sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit

There weren't any errors in the log for installing these. But authentication still isn't working. I can start nslcd and get the warning about sasl_mech and sasl_realm. Starting nslcd from the command line, there is an error concerning /var/run/nslcd/socket but not sure if this is the issue.

>nslcd -d
nslcd: DEBUG: add_uri(ldap://10.179.2.25/)
nslcd: /etc/nslcd.conf:18: option sasl_mech is currently not fully supported (please report any successes)
nslcd: /etc/nslcd.conf:19: option sasl_realm is currently not fully supported (please report any successes)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(130) done
nslcd: DEBUG: setuid(125) done
nslcd: accepting connections

I can then try getent passwd but that also fails (getent only returns the local accounts) ... nslcd returns the following:

nslcd: [334873] DEBUG: connection from pid=6647 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_all()
nslcd: [334873] DEBUG: myldap_search(base="dc=ncs,dc=k12,dc=de,dc=us", filter="(objectClass=posixAccount)")
nslcd: [334873] DEBUG: ldap_initialize(ldap://10.179.2.25/)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.179.2.25/")
nslcd: [334873] connected to LDAP server ldap://10.179.2.25/
nslcd: [334873] ldap_result() failed: Operations error

I'm going to guess it is the simple bind but I'm not sure how to force use of kerberos. I can get tickets for any valid account, but I am missing something for the authentication. nslcd is using the keytab to get tickets. My pre-existing ldap approach had allowed the simple bind, but how to now change for kerberos?

> > I'd assume I need to uninstall these and install samba4 instead
> > (especially as step 8 is to join the domain).
> No. You only need enough of samba on the client to get the net command
> to join the domain. Any old version of samba will do. What you have is
> more than enough.

Joining the domain works .. net ads info returns:

>net ads info
LDAP server: 10.179.2.25
LDAP server name: ncssamba1.ncs.k12.de.us
Realm: NCS.K12.DE.US
Bind Path: dc=NCS,dc=K12,dc=DE,dc=US
LDAP port: 389
Server time: Fri, 26 Jul 2013 10:11:49 EDT
KDC server: 10.179.2.25
Server time offset: 0

In nslcd.conf, I have

map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm NCS.K12.DE.US
krb5_ccname /tmp/nslcd.tkt

Note: I'm not sure why the attribute is sAMAccountName instead of samAccountName but that is what is shown if I dump the ldap database via slapcat. Also, I can change passwords as well as all other information using ADUC on a Windows 2008 server without issues. Just can't seem to figure out how to get nslcd to bind correctly.

Sincerely,
Dave Hopkins
Re: [Samba] Question on approach to authenticate Linux against Samba4
Thank you for the help ... seems like almost there but .. short version .. getent passwd doesn't retrieve any information from the samba4 DC. Seems that nslcd tries to use a simple bind and not kerberos but I think I have nslcd.conf set correctly. Rest of story, see below.

> For good measure add the DC to /etc/hosts on the client.

Done

>> Step 6: I already have samba-common, and samba-common-bin (latest for
>> 10.04) installed.

The directions I'm following have two different locations for the ticket cache ... shouldn't make a difference as long as I am consistent in specifying where the tickets are located. I also had to install kstart on 10.04

> 10.04 . Did these go in OK?
> sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit

There weren't any errors in the log for installing these. But authentication still isn't working. I can start nslcd and get the warning about sasl_mech and sasl_realm. Starting nslcd from the command line, there is an error concerning /var/run/nslcd/socket but not sure if this is the issue.

>nslcd -d
nslcd: DEBUG: add_uri(ldap://10.179.2.25/)
nslcd: /etc/nslcd.conf:18: option sasl_mech is currently not fully supported (please report any successes)
nslcd: /etc/nslcd.conf:19: option sasl_realm is currently not fully supported (please report any successes)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(130) done
nslcd: DEBUG: setuid(125) done
nslcd: accepting connections

I can then try getent passwd but that also fails (getent only returns the local accounts) ... nslcd returns the following:

nslcd: [334873] DEBUG: connection from pid=6647 uid=0 gid=0
nslcd: [334873] DEBUG: nslcd_passwd_all()
nslcd: [334873] DEBUG: myldap_search(base="dc=ncs,dc=k12,dc=de,dc=us", filter="(objectClass=posixAccount)")
nslcd: [334873] DEBUG: ldap_initialize(ldap://10.179.2.25/)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.179.2.25/")
nslcd: [334873] connected to LDAP server ldap://10.179.2.25/
nslcd: [334873] ldap_result() failed: Operations error

I'm going to guess it is the simple bind but I'm not sure how to force use of kerberos. I can get tickets for any valid account, but I am missing something for the authentication. nslcd is using the keytab to get tickets. My pre-existing ldap approach had allowed the simple bind, but how to now change for kerberos?

> > I'd assume I need to uninstall these and install samba4 instead
> > (especially as step 8 is to join the domain).
> No. You only need enough of samba on the client to get the net command
> to join the domain. Any old version of samba will do. What you have is
> more than enough.

Joining the domain works .. net ads info returns:

>net ads info
LDAP server: 10.179.2.25
LDAP server name: ncssamba1.ncs.k12.de.us
Realm: NCS.K12.DE.US
Bind Path: dc=NCS,dc=K12,dc=DE,dc=US
LDAP port: 389
Server time: Fri, 26 Jul 2013 10:11:49 EDT
KDC server: 10.179.2.25
Server time offset: 0

In nslcd.conf, I have

map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm NCS.K12.DE.US
krb5_ccname /tmp/nslcd.tkt

Note: I'm not sure why the attribute is sAMAccountName instead of samAccountName but that is what is shown if I dump the ldap database via slapcat. Also, I can change passwords as well as all other information using ADUC on a Windows 2008 server without issues. Just can't seem to figure out how to get nslcd to bind correctly.

Sincerely,
Dave Hopkins
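An nslcd.conf that binds to the DC over SASL/GSSAPI, added here as an example; it is not the thread's own file and not taken from the nss-pam-ldapd project. The host, realm and base DN are the ones Dave posts above. The ticket-cache path, the passwd/group filters, the attribute maps and the nslcd run-as user are assumptions for a Samba 4 AD carrying RFC2307 attributes and should be checked against nslcd.conf(5) for the nslcd version in use. Two things to know before editing: the `ldap_simple_bind_s(NULL,NULL)` followed by `ldap_result() failed: Operations error` in the debug output is exactly what an AD DC answers to a search on an anonymous connection, so the bind, not the filter or the maps, is the thing to fix first; and LDAP attribute names are case-insensitive, so sAMAccountName and samAccountName are the same attribute.

```conf
# /etc/nslcd.conf for a Samba 4 AD DC (added example, not from the thread).
uid nslcd
gid nslcd

uri ldap://ncssamba1.ncs.k12.de.us/
base dc=ncs,dc=k12,dc=de,dc=us
ldap_version 3

# Authenticate with the machine keytab via SASL/GSSAPI: no binddn, no
# bindpw. nslcd only uses the ticket found at krb5_ccname; something else
# (k5start, see the note below) has to keep that cache populated.
sasl_mech GSSAPI
sasl_realm NCS.K12.DE.US
krb5_ccname /tmp/nslcd.tkt

# Only return objects that actually carry POSIX attributes. Filtering on
# uidNumber rather than objectClass=posixAccount keeps accounts without
# UNIX attributes (and computer accounts) out of getent passwd.
filter passwd (&(objectClass=user)(uidNumber=*)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName

filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
```

Before blaming nslcd, prove the keytab and the DC agree on their own. `net ads join` only writes /etc/krb5.keytab when smb.conf has `kerberos method = secrets and keytab` (or `dedicated keytab`); `klist -k /etc/krb5.keytab` shows which principals it holds. Then `kinit -k -t /etc/krb5.keytab 'CLIENT$@NCS.K12.DE.US'` (CLIENT being the machine name) followed by `ldapsearch -Y GSSAPI -H ldap://ncssamba1.ncs.k12.de.us -b dc=ncs,dc=k12,dc=de,dc=us '(uidNumber=*)' sAMAccountName uidNumber unixHomeDirectory` should list the migrated accounts. If it does, nslcd only needs a valid ticket at krb5_ccname; k5start, the kstart package Dave installed, keeps one renewed from the keytab, e.g. `k5start -b -K 60 -f /etc/krb5.keytab -U -k /tmp/nslcd.tkt -o nslcd` (check the option letters against the k5start man page of the installed version).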
Re: [Samba] Question on approach to authenticate Linux against Samba4
On Thu, 2013-07-25 at 20:59 +0100, Jonathan Buzzard wrote:
> On 25/07/13 20:14, dahopk...@comcast.net wrote:
> > [SNIP]
> >
> > Step 6: I already have samba-common, and samba-common-bin (latest for
> > 10.04) installed. I'd assume I need to uninstall these and install
> > samba4 instead (especially as step 8 is to join the domain).
> >
>
> Not familiar with Ubuntu, but that is very very unlikely. Samba 3.x has
> been able to be a member server of an AD domain for a long time now, and
> the version included with 10.04 is almost certainly capable of doing that.
>
> Samba4 is primarily about being able to imitate an Active Directory
> domain controller. The point about joining the domain is to get a
> Kerberos ticket so the machine can authenticate against the AD to do
> lookups etc.

So that's a 'No.' then :)
Re: [Samba] Question on approach to authenticate Linux against Samba4
On Thu, 2013-07-25 at 19:14 +, dahopk...@comcast.net wrote:
> Thank you for the very quick response. But in trying to follow the
> suggested link, there are a few steps that are different.
>
> First, Step 3 is to install various packages. I already have
> auth-client-config installed which had installed libpam_ldap and
> libnss-ldap since I simply pulled this system into the test
> environment rather than rebuild from scratch. I have uninstalled these
> and then added libnss-ldapd and libpam-ldapd along with the kerberos
> packages.

Perfect.

> Issue is that I was never asked for a Kerberos realm or IP of the
> DC. I should have mentioned that this system is running 10.04, not
> 12.04. So .. which config file do I need to edit to ensure that the IP
> of the DC is correctly specified?

DNS does that so you don't need to. Just run:

sudo dpkg-reconfigure krb5-config

or simply copy /usr/local/samba/private/krb5.conf from the DC to /etc on the client.

For good measure add the DC to /etc/hosts on the client.

> I also installed nslcd.
>
Correct.

> Step 6: I already have samba-common, and samba-common-bin (latest for
> 10.04) installed.

10.04 . Did these go in OK?

sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit

> I'd assume I need to uninstall these and install samba4 instead
> (especially as step 8 is to join the domain).
>
No. You only need enough of samba on the client to get the net command to join the domain. Any old version of samba will do. What you have is more than enough.

HTH
Steve
Re: [Samba] Question on approach to authenticate Linux against Samba4
On 25/07/13 20:14, dahopk...@comcast.net wrote:
> [SNIP]
>
> Step 6: I already have samba-common, and samba-common-bin (latest for
> 10.04) installed. I'd assume I need to uninstall these and install
> samba4 instead (especially as step 8 is to join the domain).
>

Not familiar with Ubuntu, but that is very very unlikely. Samba 3.x has been able to be a member server of an AD domain for a long time now, and the version included with 10.04 is almost certainly capable of doing that.

Samba4 is primarily about being able to imitate an Active Directory domain controller. The point about joining the domain is to get a Kerberos ticket so the machine can authenticate against the AD to do lookups etc.

JAB.

--
Jonathan A. Buzzard
Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Question on approach to authenticate Linux against Samba4
On 25/07/13 17:59, dahopk...@comcast.net wrote:
> 1) will the unixHomedirectory be honored?
>
> 2) will I be able to easily add users so that the unix settings will be
> properly configured? I currently use the IDEALX smbldap tools. Being able
> to script account creation is very important to me .. adding 200+ user
> accounts manually each year is not very appealing. ;)

It is scriptable, though to be honest a powershell script from Windows probably works better at this point in time.

> 3) Will the scripting tools be able to automatically assign a unique uid
> for each unix account. Current approach uses NextFreeUnixID but this does
> not exist in the Samba4 database (the ldap entry is shown below)

Nope. Either maintain the accounts somewhere else where you can do that and have a script that then creates and disables accounts as needed in AD, or have your script look for the highest UID and increment from that.

> I have read through the recent thread on winbind and honestly I am not
> sure that I want to pursue either winbind or sssd if it is possible to
> use nss_pam_ldap which seems closest to the current approach.

Assuming these are Linux workstations, then sssd is the way to go for the future. If you are running a samba 3.x member file server then I personally would use winbind.

I have not looked at Samba4 yet (campus agreements in higher education where I work make real Microsoft AD controllers very very cheap, so why would you do it), but there are reports of issues with winbind on samba4 file servers. Then again I would be hesitant in putting a Samba 4 file server into production. You gain little over a Samba 3.6.x server.

JAB.

--
Jonathan A. Buzzard
Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
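Jonathan's "look for the highest UID and increment from that" is a few lines of shell. The script below is an added example, not code from the thread, from IDEALX or from Samba: it reads the uidNumber values out of an ldbsearch or ldapsearch dump and prints the samba-tool command that would create the next account in the /home/Graduation_year/username layout Dave describes. The uid range, the default gidNumber and the samba-tool option names for the RFC2307 attributes are assumptions; confirm them with `samba-tool user create --help` on the DC. Highest+1 rather than "first free gap" is deliberate: reusing a number freed by a deleted account would give a new student ownership of whatever the old one left behind on the NFS home server, so the counter only goes up and the script fails loudly when the range is used up. The lookup and the create are not one atomic step, so run account creation from one place at a time (wrapping the script in flock is enough for a once-a-year batch).

```shell
#!/bin/sh
# Added example (not from the thread): allocate the next uidNumber by the
# "highest + 1" rule and print the samba-tool call for a new account.
# Usage, on a host with ldbsearch, samba-tool and a Kerberos ticket:
#   ldbsearch -H ldap://ncssamba1.ncs.k12.de.us -k yes '(uidNumber=*)' uidNumber \
#       | sh newuser.sh alice 2014
# Range, default group and script name are assumptions, not from the thread.
UID_MIN=3000
UID_MAX=3999
DEFAULT_GID=10000

# next_free_uid: reads "uidNumber: N" lines on stdin (LDIF as printed by
# ldbsearch/ldapsearch), prints highest-in-range + 1, or UID_MIN when no
# uid in the range is in use. Values outside [UID_MIN, UID_MAX] (service
# accounts, imports with other ranges) are ignored. Fails when the range is
# exhausted instead of silently handing out UID_MAX+1.
next_free_uid() {
    highest=$(grep -i '^uidNumber:' | awk -v lo="$UID_MIN" -v hi="$UID_MAX" '
        BEGIN { max = 0 }
        $2 + 0 >= lo && $2 + 0 <= hi && $2 + 0 > max { max = $2 + 0 }
        END { print max }')
    if [ "$highest" -eq 0 ]; then
        echo "$UID_MIN"
    elif [ "$highest" -ge "$UID_MAX" ]; then
        echo "no free uidNumber left in $UID_MIN-$UID_MAX" >&2
        return 1
    else
        echo $((highest + 1))
    fi
}

# new_user_cmd LOGIN YEAR: prints (does not run) the samba-tool invocation
# that creates LOGIN with the next uid and /home/<year>/<login> as the UNIX
# home. The --uid-number/--gid-number/--unix-home/--login-shell option names
# are assumed from samba-tool user create; verify on your build.
new_user_cmd() {
    login=$1
    year=$2
    uid=$(next_free_uid) || return 1
    printf 'samba-tool user create %s --random-password --must-change-at-next-login --uid-number=%s --gid-number=%s --unix-home=/home/%s/%s --login-shell=/bin/bash\n' \
        "$login" "$uid" "$DEFAULT_GID" "$year" "$login"
}

# Only act when given a login and a graduation year; run bare, the script
# just defines the functions (handy for sourcing into a batch loop).
if [ $# -ge 2 ]; then
    new_user_cmd "$1" "$2"
fi
```

To create 200 accounts from a CSV, loop over the file and pipe a fresh ldbsearch into each call, or better, take one dump, allocate all the uids in the loop and only then run the generated commands; either way keep the run under a single flock so two admins cannot allocate the same number.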
Re: [Samba] Question on approach to authenticate Linux against Samba4
Thank you for the very quick response. But in trying to follow the suggested link, there are a few steps that are different.

First, Step 3 is to install various packages. I already have auth-client-config installed which had installed libpam_ldap and libnss-ldap since I simply pulled this system into the test environment rather than rebuild from scratch. I have uninstalled these and then added libnss-ldapd and libpam-ldapd along with the kerberos packages. Issue is that I was never asked for a Kerberos realm or IP of the DC. I should have mentioned that this system is running 10.04, not 12.04. So .. which config file do I need to edit to ensure that the IP of the DC is correctly specified?

I also installed nslcd.

Step 6: I already have samba-common, and samba-common-bin (latest for 10.04) installed. I'd assume I need to uninstall these and install samba4 instead (especially as step 8 is to join the domain).

Sincerely,
Dave Hopkins

----- Original Message -----
From: "steve"
To: samba@lists.samba.org
Sent: Thursday, July 25, 2013 1:45:01 PM
Subject: Re: [Samba] Question on approach to authenticate Linux against Samba4

On Thu, 2013-07-25 at 16:59 +, dahopk...@comcast.net wrote:
>
> I have read through the recent thread on winbind and honestly I am not sure
> that I want to pursue either winbind or sssd if it is possible to use
> nss_pam_ldap which seems closest to the current approach.

Hi
Ok, I can understand that. So why not have a look at nss-pam-ldapd with nslcd? It's almost as good as sssd and it's quick and easy to set up:
http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html

hth
Steve
Re: [Samba] Question on approach to authenticate Linux against Samba4
On Thu, 2013-07-25 at 16:59 +, dahopk...@comcast.net wrote:
>
> I have read through the recent thread on winbind and honestly I am not sure
> that I want to pursue either winbind or sssd if it is possible to use
> nss_pam_ldap which seems closest to the current approach.

Hi
Ok, I can understand that. So why not have a look at nss-pam-ldapd with nslcd? It's almost as good as sssd and it's quick and easy to set up:
http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html

hth
Steve