Re: [Samba] Synchronising password of some AD users with an external LDAP?
There is a way to sync passwords. It's not perfect, but it works if you can live with passwords stored with reversible encryption in Samba4.

1. Allow clear text passwords by using samba-tools.
2. Enable reversible encryption on each user (can be done with the MS AD tool).
3. Make a query and use the Samba Python lib to decode the attribute that holds the password.

I made a Python script just for this that I use to sync passwords to Google Apps. The downside is that the passwords are in clear text, but my network is well secured so I'm fine with that. And the script has to run as a daemon or in cron. But it works. If you are interested I can share my script when I'm back at the office.

Sent from my iPhone

On 26 Feb 2013, at 17:30, Gregory Sloop wrote:

>>> PLJJ> I know that if I were running a Windows AD, I could most likely
>>> PLJJ> accomplish what I want with--if nothing else--the 389 DS by using
>>> PLJJ> DS-provided Password Sync Service (see
>>> PLJJ> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>>> PLJJ> for more information).
>>>
>>> This is way over my head, in terms of expertise - but since the AD
>>> should function identically to the Windows AD setup, it may well work
>>> just fine, even though the back-end isn't a Windows AD box, but a
>>> Samba4 AD.
>
> PLJJ> Read the guide on the page that I linked. The said Password Sync Service
> PLJJ> is a Windows application. It installs a new password filtering DLL and a
> PLJJ> system service to a Windows DC.
>
> PLJJ> Samba, on the other hand, hardly runs on Windows. And even if it can be
> PLJJ> run (by compiling under Cygwin, perhaps?) it would be rather pointless.
>
> Sorry, I missed that - I did do a very cursory scan and didn't see
> anything Windows specific. Guess that's what happens when you scan a
> little too quickly/lightly.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Synchronising password of some AD users with an external LDAP?
On 26.2.2013 23:34, Andrew Bartlett wrote:
> On Tue, 2013-02-26 at 18:16 +0200, Pekka L.J. Jalkanen wrote:
>> True, webservers can authenticate against AD in a similar fashion to
>> other LDAPs. But that's not the whole story.
>>
>> The thing is that Samba 4 is designed from the ground up with AD in mind,
>> and AD itself has been designed with workstation authentication and NT4
>> client compatibility in mind. All this adds a lot of complexity to the
>> system--and to the schema itself--that isn't in my opinion really
>> beneficial. Also, manually editing the AD schema, and especially removing
>> objectclasses and/or attributes from the default schema, is generally
>> regarded as a big no-no. If I'd have to do this with AD, I'd use AD LDS,
>> but that isn't an option with Samba (which is perfectly understandable,
>> as on Linux, unlike Windows, there are many alternatives).
>>
>> However, after a lot of googling it appears that there should be a way
>> to make OpenLDAP accept simple binds both with and without Kerberos
>> backing, using SASL as an authentication vehicle:
>> http://www.openldap.org/lists/openldap-software/201002/threads.html#3
>>
>> Perhaps I'll try that route.
>
> So to avoid your perceived complexity of the Samba 4.0 AD DC, you
> instead want to build a private and even more complex arrangement with
> synchronisation between multiple directories?

It may sound strange, but this is really only about potentially enabling 30+ users to log in to the LDAP using their AD passwords, while the total number of users in the LDAP could well end up being several hundred if not even thousands. But if it seems that this ends up being too complex, then I'll simply scrap that plan and force two different passwords for these users. I do understand that in your opinion just putting up a Samba subdomain would do, but while no longer in beta, Samba 4 still isn't all that mature a product, and should problems arise... well, I simply am not such an expert with it as you very obviously are, so I'd rather err on the safe side and risk having 30 users with minor authentication annoyances than having 1,000 users that can't log in at all.

> Anyway, currently the only way to get a cleartext password out of Samba
> 4.0 as an AD DC is to permit storage of cleartext passwords in the
> password policy and set it per-user. Then a tool (not yet written)
> could extract these from Samba.

Thanks! I don't really think that I'm willing to go down that route, but it's still good to know what's actually possible and what isn't.

Pekka L.J. Jalkanen
Re: [Samba] Synchronising password of some AD users with an external LDAP?
On Tue, 2013-02-26 at 18:16 +0200, Pekka L.J. Jalkanen wrote:
> True, webservers can authenticate against AD in a similar fashion to
> other LDAPs. But that's not the whole story.
>
> The thing is that Samba 4 is designed from the ground up with AD in mind,
> and AD itself has been designed with workstation authentication and NT4
> client compatibility in mind. All this adds a lot of complexity to the
> system--and to the schema itself--that isn't in my opinion really
> beneficial. Also, manually editing the AD schema, and especially removing
> objectclasses and/or attributes from the default schema, is generally
> regarded as a big no-no. If I'd have to do this with AD, I'd use AD LDS,
> but that isn't an option with Samba (which is perfectly understandable,
> as on Linux, unlike Windows, there are many alternatives).
>
> However, after a lot of googling it appears that there should be a way
> to make OpenLDAP accept simple binds both with and without Kerberos
> backing, using SASL as an authentication vehicle:
> http://www.openldap.org/lists/openldap-software/201002/threads.html#3
>
> Perhaps I'll try that route.

So to avoid your perceived complexity of the Samba 4.0 AD DC, you instead want to build a private and even more complex arrangement with synchronisation between multiple directories?

Anyway, currently the only way to get a cleartext password out of Samba 4.0 as an AD DC is to permit storage of cleartext passwords in the password policy and set it per-user. Then a tool (not yet written) could extract these from Samba.

However, I'm well aware of demand for better password handling, particularly for users who need to sync with Google Docs (this comes up quite often), so I'm planning (at some point) on adding a mode where we expose somehow a more standard password hash, or provide a 'hook' that sends cleartext passwords to some ongoing listener process (like the old password sync scripts).

Thanks,

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
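The three steps in the first message of this thread (allow cleartext storage in the policy, flag each user for reversible encryption, read the attribute back with Samba's Python library) and the mechanism Andrew describes above, as an added example. This is not the poster's script and not Samba's own tool. It assumes it runs as root on the Samba AD DC so that sam.ldb can be opened directly (supplementalCredentials is not handed out over LDAP), that the policy was already switched with `samba-tool domain passwordsettings set --store-plaintext=on`, and that SAM_LDB_PATH, SOURCE_OU, EXTERNAL_DN_TEMPLATE and the sample hex string in the comments are placeholders chosen for the example:

```python
"""Pull cleartext passwords from a Samba 4 AD DC and emit LDIF for an external LDAP.

Added example for this thread; not the poster's script and not part of Samba.
Assumed (placeholders): SAM_LDB_PATH, SOURCE_OU, EXTERNAL_DN_TEMPLATE. Also assumed:
the domain policy already has store-plaintext=on, and this runs as root on the DC,
because supplementalCredentials can only be read by opening sam.ldb locally.
"""
import base64
import binascii

# userAccountControl bit behind ADUC's "Store password using reversible encryption".
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080

SAM_LDB_PATH = "/usr/local/samba/private/sam.ldb"               # assumed install path
SOURCE_OU = "OU=Web users,DC=ad,DC=example,DC=com"               # assumed OU to sync
EXTERNAL_DN_TEMPLATE = "uid={sam},ou=people,dc=example,dc=org"   # assumed external layout


def uac_with_reversible(uac: int) -> int:
    """Step 2: flag an account for reversible storage (idempotent: 512 -> 640, 640 -> 640)."""
    return uac | UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED


def enable_reversible_ldif(dn: str, current_uac: int) -> str:
    """LDIF for `ldbmodify -H sam.ldb` that sets the flag on one account."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userAccountControl\n"
            f"userAccountControl: {uac_with_reversible(current_uac)}\n")


def decode_cleartext_package(hex_data) -> str:
    """Step 3: the Primary:CLEARTEXT package is the UTF-16LE password, hex-encoded.

    Constructed sample: "500061007300730077003000720064002100" decodes to "Passw0rd!".
    """
    if isinstance(hex_data, str):
        hex_data = hex_data.encode("ascii")
    return binascii.unhexlify(hex_data).decode("utf-16-le")


def cleartext_from_supplemental(blob: bytes):
    """Unpack supplementalCredentials with Samba's NDR decoder; None if nothing stored."""
    from samba.ndr import ndr_unpack          # lazy import: needs Samba's Python bindings
    from samba.dcerpc import drsblobs
    sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, blob)
    for i in range(sc.sub.num_packages):
        pkg = sc.sub.packages[i]
        if pkg.name == "Primary:CLEARTEXT":
            return decode_cleartext_package(pkg.data)
    return None


def external_password_ldif(dn: str, password: str) -> str:
    """LDIF for ldapmodify on the external LDAP; base64 (::) keeps any byte LDIF-safe."""
    b64 = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword:: {b64}\n")


def fetch_cleartext_passwords(samdb, ou_dn: str) -> dict:
    """Return {sAMAccountName: password} for flagged users under ou_dn with one stored."""
    import ldb
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    res = samdb.search(base=ou_dn, scope=ldb.SCOPE_SUBTREE,
                       expression=("(&(objectClass=user)"
                                   "(userAccountControl:1.2.840.113556.1.4.803:=%d))"
                                   % UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED),
                       attrs=["sAMAccountName", "supplementalCredentials"])
    found = {}
    for msg in res:
        sc = msg.get("supplementalCredentials")
        if sc is None:
            continue
        pw = cleartext_from_supplemental(bytes(sc[0]))
        if pw is not None:
            found[str(msg["sAMAccountName"])] = pw
    return found


def open_samdb(path: str = SAM_LDB_PATH):
    """Open the local SAM database with the system session (root on the DC)."""
    from samba.samdb import SamDB
    from samba.auth import system_session
    from samba.param import LoadParm
    lp = LoadParm()
    lp.load_default()
    return SamDB(url=path, session_info=system_session(), lp=lp)


if __name__ == "__main__":
    # Cron on the DC; pipe the output to `ldapmodify -ZZ` against the external LDAP.
    for sam, pw in fetch_cleartext_passwords(open_samdb(), SOURCE_OU).items():
        print(external_password_ldif(EXTERNAL_DN_TEMPLATE.format(sam=sam), pw))
```

Two caveats a deployment has to live with. Samba computes supplementalCredentials when a password is set, so an account only gets a Primary:CLEARTEXT package at its next password change after the flag is in place; nothing can be recovered for users whose password has not changed since. And the output is cleartext: keep the job on the DC, send the LDIF over TLS so the external directory hashes it on arrival, and keep the output out of logs and mail.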
Re: [Samba] Synchronising password of some AD users with an external LDAP?
>> PLJJ> I know that if I were running a Windows AD, I could most likely
>> PLJJ> accomplish what I want with--if nothing else--the 389 DS by using
>> PLJJ> DS-provided Password Sync Service (see
>> PLJJ> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>> PLJJ> for more information).
>>
>> This is way over my head, in terms of expertise - but since the AD
>> should function identically to the Windows AD setup, it may well work
>> just fine, even though the back-end isn't a Windows AD box, but a
>> Samba4 AD.

PLJJ> Read the guide on the page that I linked. The said Password Sync Service
PLJJ> is a Windows application. It installs a new password filtering DLL and a
PLJJ> system service to a Windows DC.

PLJJ> Samba, on the other hand, hardly runs on Windows. And even if it can be
PLJJ> run (by compiling under Cygwin, perhaps?) it would be rather pointless.

Sorry, I missed that - I did do a very cursory scan and didn't see anything Windows specific. Guess that's what happens when you scan a little too quickly/lightly.
Re: [Samba] Synchronising password of some AD users with an external LDAP?
On 26.2.2013 17:16, Gregory Sloop wrote:
>
>
> PLJJ> I know that if I were running a Windows AD, I could most likely
> PLJJ> accomplish what I want with--if nothing else--the 389 DS by using
> PLJJ> DS-provided Password Sync Service (see
> PLJJ> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
> PLJJ> for more information).
>
> This is way over my head, in terms of expertise - but since the AD
> should function identically to the Windows AD setup, it may well work
> just fine, even though the back-end isn't a Windows AD box, but a
> Samba4 AD.

Read the guide on the page that I linked. The said Password Sync Service is a Windows application. It installs a new password filtering DLL and a system service to a Windows DC.

Samba, on the other hand, hardly runs on Windows. And even if it can be run (by compiling under Cygwin, perhaps?) it would be rather pointless.

Pekka L.J. Jalkanen
Re: [Samba] Synchronising password of some AD users with an external LDAP?
True, webservers can authenticate against AD in a similar fashion to other LDAPs. But that's not the whole story.

The thing is that Samba 4 is designed from the ground up with AD in mind, and AD itself has been designed with workstation authentication and NT4 client compatibility in mind. All this adds a lot of complexity to the system--and to the schema itself--that isn't in my opinion really beneficial. Also, manually editing the AD schema, and especially removing objectclasses and/or attributes from the default schema, is generally regarded as a big no-no. If I'd have to do this with AD, I'd use AD LDS, but that isn't an option with Samba (which is perfectly understandable, as on Linux, unlike Windows, there are many alternatives).

However, after a lot of googling it appears that there should be a way to make OpenLDAP accept simple binds both with and without Kerberos backing, using SASL as an authentication vehicle: http://www.openldap.org/lists/openldap-software/201002/threads.html#3

Perhaps I'll try that route.

Pekka L.J. Jalkanen

On 26.2.2013 16:13, Daniel Müller wrote:
> Apache can authenticate against Samba4 AD the same way as if it were
> OpenLDAP.
> http://wiki.samba.org/index.php/Samba4/beyond
>
> Good Luck
> Daniel
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
> Behalf Of Pekka L.J. Jalkanen
> Sent: Tuesday, 26 February 2013 15:01
> To: samba@lists.samba.org
> Subject: [Samba] Synchronising password of some AD users with an external
> LDAP?
>
> I'm in a situation where I should establish an external (i.e. non-AD) LDAP
> directory for my employer for various web-based authentication purposes. I
> don't think that Samba--or Windows AD, for that matter--in and of itself would
> be the best tool for this purpose; so far I've been reviewing 389 DS,
> ApacheDS, OpenDJ and plain old OpenLDAP, but have made no final decision
> yet.
>
> Now however, it would be beneficial, even if not strictly speaking
> necessary, if I could automatically synchronise the passwords of certain
> accounts between that LDAP and our AD; the most sensible solution here would
> probably be to do it between the LDAP users having a corresponding AD
> account belonging to a specific AD OU. Other than passwords, the accounts
> and their attributes themselves should stay separate.
>
> I know that if I were running a Windows AD, I could most likely accomplish
> what I want with--if nothing else--the 389 DS by using DS-provided Password
> Sync Service (see
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
> for more information).
>
> However, our goal is to completely migrate our AD to Samba 4, so committing
> to any software that depends on the continued availability of a Windows DC
> simply won't do.
>
> How could I accomplish this synchronisation with Samba 4? Can anyone nudge
> me in the right direction? Or is it possible at all?
>
>
> Pekka L.J. Jalkanen
Re: [Samba] Synchronising password of some AD users with an external LDAP?
PLJJ> I know that if I were running a Windows AD, I could most likely
PLJJ> accomplish what I want with--if nothing else--the 389 DS by using
PLJJ> DS-provided Password Sync Service (see
PLJJ> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
PLJJ> for more information).

This is way over my head, in terms of expertise - but since the AD should function identically to the Windows AD setup, it may well work just fine, even though the back-end isn't a Windows AD box, but a Samba4 AD.
Re: [Samba] Synchronising password of some AD users with an external LDAP?
Apache can authenticate against Samba4 AD the same way as if it were OpenLDAP.
http://wiki.samba.org/index.php/Samba4/beyond

Good Luck
Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Pekka L.J. Jalkanen
Sent: Tuesday, 26 February 2013 15:01
To: samba@lists.samba.org
Subject: [Samba] Synchronising password of some AD users with an external LDAP?

I'm in a situation where I should establish an external (i.e. non-AD) LDAP directory for my employer for various web-based authentication purposes. I don't think that Samba--or Windows AD, for that matter--in and of itself would be the best tool for this purpose; so far I've been reviewing 389 DS, ApacheDS, OpenDJ and plain old OpenLDAP, but have made no final decision yet.

Now however, it would be beneficial, even if not strictly speaking necessary, if I could automatically synchronise the passwords of certain accounts between that LDAP and our AD; the most sensible solution here would probably be to do it between the LDAP users having a corresponding AD account belonging to a specific AD OU. Other than passwords, the accounts and their attributes themselves should stay separate.

I know that if I were running a Windows AD, I could most likely accomplish what I want with--if nothing else--the 389 DS by using DS-provided Password Sync Service (see https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html for more information).

However, our goal is to completely migrate our AD to Samba 4, so committing to any software that depends on the continued availability of a Windows DC simply won't do.

How could I accomplish this synchronisation with Samba 4? Can anyone nudge me in the right direction? Or is it possible at all?

Pekka L.J. Jalkanen