Re: Machine Account Passwords are changed on the WRONG server!!

2003-02-14 Thread Ignacio Coupeau
Brian M Hoy wrote:

Summary




The second point happens because the PC will _occasionally_ use a
different DC to authenticate against (its secure channel partner in MS
parlance).  If it just so happens to change its machine account password
with this SCP, then the machine's domain membership is broken next time
it uses its normal SCP.

My Workaround

I have written a Perl script which fetches the machine account details
from every LDAP server on our network, figures out which one has the
most recent machine account password, and then submits the change to
the LDAP master so that it is replicated everywhere, thereby getting
around these problems.  It works, but is not ideal.

A quick look at the Samba source suggests that it would not handle LDAP
referrals.  Am I right here?  If it did, then LDAP could be configured
to give a referral to the LDAP master for changes, solving the problem
(at least for LDAP users).



samba 2.2.8 may help:

16) Fixes for --with-ldapsam
* Default to port 389 when ldap ssl != on
* add support for rebinding to the master directory server
  for password changes when ldap server points to a read-only
  slave



--

Ignacio Coupeau, Ph.D.   [EMAIL PROTECTED]
CTI, Director            [EMAIL PROTECTED]
University of Navarra    [EMAIL PROTECTED]
Pamplona, SPAIN          http://www.unav.es/cti/
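The check Brian's Perl workaround performs, written out as an added Python example (it is neither his script nor Samba code). It assumes the Samba 2.2 sambaAccount attribute names lmPassword, ntPassword and pwdLastSet, and takes the values already fetched from each replica for one machine account, so it runs offline on the constructed snapshots below: it picks the copy with the newest pwdLastSet, lists the replicas that disagree with it, and builds the python-ldap style MOD_REPLACE list that would push the winner to the master. When two replicas carry the same pwdLastSet but different hashes it declines to choose, because a timestamp cannot tell which change actually happened last.

```python
"""Pick the authoritative machine-account password across LDAP replicas.

Added example (not from the thread, not Samba code).  Samba 2.2 sambaAccount
attribute names are assumed; values are the strings LDAP returns (hashes as
hex, pwdLastSet as a Unix epoch).  The replica snapshots are constructed.
"""
from typing import Dict, List, Tuple

MOD_REPLACE = 2                       # same numeric value as python-ldap's ldap.MOD_REPLACE
SECRET_ATTRS = ("lmPassword", "ntPassword", "pwdLastSet")

Entry = Dict[str, str]


class SplitBrain(Exception):
    """Replicas hold different hashes for the same pwdLastSet: no safe winner."""


def newest_replica(replicas: Dict[str, Entry]) -> Tuple[str, Entry]:
    """Return (server, entry) with the most recent pwdLastSet.

    replicas maps server name -> attributes of one machine account
    (for example uid=pc01$) as read from that server.
    """
    ranked = sorted(replicas.items(),
                    key=lambda kv: int(kv[1]["pwdLastSet"]), reverse=True)
    winner, best = ranked[0]
    for server, entry in ranked[1:]:
        if entry["pwdLastSet"] != best["pwdLastSet"]:
            break                     # strictly older: it simply lost
        if (entry["ntPassword"], entry["lmPassword"]) != (best["ntPassword"], best["lmPassword"]):
            raise SplitBrain(f"{winner} and {server} both claim pwdLastSet="
                             f"{best['pwdLastSet']} with different hashes")
    return winner, best


def stale_replicas(replicas: Dict[str, Entry], best: Entry) -> List[str]:
    """Servers whose copy differs from the winner in any secret attribute."""
    return sorted(s for s, e in replicas.items()
                  if any(e[a] != best[a] for a in SECRET_ATTRS))


def repair_modlist(best: Entry) -> List[Tuple[int, str, List[bytes]]]:
    """python-ldap modlist that makes the master hold the winner's values."""
    return [(MOD_REPLACE, attr, [best[attr].encode()]) for attr in SECRET_ATTRS]


def audit(replicas: Dict[str, Entry]) -> dict:
    """One-shot report: who wins, who lags, what to push to the master."""
    try:
        winner, best = newest_replica(replicas)
    except SplitBrain as exc:
        return {"authoritative": None, "stale": [], "modlist": [], "conflict": str(exc)}
    stale = stale_replicas(replicas, best)
    return {"authoritative": winner, "stale": stale,
            "modlist": repair_modlist(best) if stale else [], "conflict": None}


# Constructed snapshots of one machine account: ldap2 took the password
# change (the PC's occasional secure channel partner), the other two lag.
SAMPLE = {
    "ldap1.example.com": {"lmPassword": "00" * 16, "ntPassword": "11" * 16,
                          "pwdLastSet": "1044800000"},
    "ldap2.example.com": {"lmPassword": "22" * 16, "ntPassword": "33" * 16,
                          "pwdLastSet": "1045100000"},
    "ldap3.example.com": {"lmPassword": "00" * 16, "ntPassword": "11" * 16,
                          "pwdLastSet": "1044800000"},
}

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("authoritative:", report["authoritative"])
    print("stale:", ", ".join(report["stale"]))
    for _, attr, values in report["modlist"]:
        print(f"  replace {attr} -> {values[0].decode()}")
```

Feed it one search result per LDAP server and apply the returned modlist with modify_s against the master only; a write to a slave is exactly what produced the split in the first place.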




Re: [PATCH 2.2.7a] was: Samba Referrals

2003-01-13 Thread Ignacio Coupeau
http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html#patches

Tested the rebind stuff with LDAP in round robin (master/slave).
Some fixes.
Tar and diff -uRn text files available:
	http://www.unav.es/cti/ldap-smb/patches-ldap.tar
	http://www.unav.es/cti/ldap-smb/patches-ldap/

As two of the patches are for configure.in and configure.h.in, an 
autoconf run is required before configure.

Tested in
Mandrake 8.2/9.0 (Buchan Milne, C.Lee Taylor) and RedHat 7.2, kernel 
2.4.x, OpenLDAP 2.0.25-27 and 2.1.7

Ignacio



Re: Fwd: Samba Referrals

2003-01-10 Thread Ignacio Coupeau
C.Lee Taylor wrote:

  2.2.* doesn't support referrals at all :-(
 It is on a production server, so it is 2.2.7a.


The only thing I still need to try and figure out, if this works, is 
getting the autoconf stuff working so that this can become standard in 
2.2 (Herb Lewis has sent me a patch which I have not looked at yet). 
I think it would be good if we put something in the docs at the 
moment about Samba 2.2 and referrals not working ... at least for the moment.

I'm also changing/testing the patch in the samba_3 fashion to catch/wrap 
the correct version/arguments and so.




Re: Fwd: Samba Referrals

2003-01-10 Thread Ignacio Coupeau
C.Lee Taylor wrote:

I'm also changing/testing the patch in the samba_3 fashion to 
catch/wrap the correct version/arguments and so.

Are you talking about autoconf stuff for testing whether 
ldap_set_rebind_proc takes two or three parameters?


as in the SAMBA_3 branch, switching the code via
#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
# if LDAP_SET_REBIND_PROC_ARGS == 3
...






Re: Fwd: Samba Referrals

2002-12-29 Thread Ignacio Coupeau

 Original Message ---
From: Stefan (metze) Metzmacher [EMAIL PROTECTED]
To: Andrew Bartlett [EMAIL PROTECTED], Gerald Carter [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Fwd: Samba Referrals


Also I have one patch for the 2.2.x on my page that someone wrote a month ago:
http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html

ignacio



Re: LDAP machine lookup strangeness

2002-11-27 Thread Ignacio Coupeau
Don Hayward wrote:

I don't know whether this is a samba problem, but that's my current
best guess.

I'm using Debian woody with the upgrades mentioned below. I got the
samba-2.2.7 source and did the build with debian/rules with the
addition of the ldapsam flag.  I've upgraded my ldap, nss, and pam,
etc. libraries to 'testing' to use the TLS-enabled libldap.  I'm using
gcc 3.0.4.



I tested the same scenario but with RH 7.2 and gcc 2.96-81 and can't 
reproduce the error.
I added a workstation account, joined it to the domain, logged on, etc., but 
can't reproduce the error. The RID is stored in and fetched from the LDAP correctly.

Ignacio



Re: [Samba] multiple ldap servers

2002-11-15 Thread Ignacio Coupeau
Nathan Ehresman wrote:

Something like this (smb.conf) runs pretty well in samba 2.2.x for us:
---
...
ldap server = saruman.cti.unav.es strider.cti.unav.es
...



Ignacio

--

Ignacio Coupeau, Ph.D.   e-mail: [EMAIL PROTECTED]
CTI, Director            fax:    948 425619
University of Navarra    voice:  948 425600
Pamplona, SPAIN          http://www.unav.es/cti/




samba_2_2 sambatest (security=server) and ldap performance

2002-10-31 Thread Ignacio Coupeau
We have several Samba print servers and file servers with 
security=server validating against several PDCs with LDAP (samba 2.2.6).

I found a lot of LDAP requests like:
	(uid=SAMBATESTPSERVER04)
beating the LDAP servers: one before *each* validation in every print 
job or share session.

I found this is related to a security issue, as Jeremy says in the
server_validate() function.

To avoid this I tried to use security=domain, because server_validate() 
is called by check_server_security(), but our servers joined to their 
assigned domain controller very much like to ask the neighbouring PDC in 
security=server fashion rather than their assigned server (perhaps the 
subnetting, or so... it is a big and complex network).

The question is whether I can skip the code around 
if(!tested_password_server) {
to avoid the calls to LDAP, and whether it is safe.

We are using only Samba servers.

Any idea?
Thanks

Ignacio




Re: samba_2_2 sambatest (security=server) and ldap performance

2002-10-31 Thread Ignacio Coupeau
Andrew Bartlett wrote:

On Thu, Oct 31, 2002 at 11:33:15AM +0100, Ignacio Coupeau wrote:


We have several Samba print servers and file servers with 
security=server validating against several PDCs with LDAP (samba 2.2.6).

I found a lot of LDAP requests like:
	(uid=SAMBATESTPSERVER04)
beating the LDAP servers: one before *each* validation in every print 
job or share session.

I found this is related to a security issue, as Jeremy says in the
server_validate() function.

To avoid this I tried to use security=domain, because server_validate() 
is called by check_server_security(), but our servers joined to their 
assigned domain controller very much like to ask the neighbouring PDC in 
security=server fashion rather than their assigned server (perhaps the 
subnetting, or so... it is a big and complex network).

The question is whether I can skip the code around 
if(!tested_password_server) {
to avoid the calls to LDAP, and whether it is safe.

We are using only Samba servers.


You could, but you really don't want to.  Security=server
is really nasty.  Fix whatever is causing Samba to pick the
wrong DC for security=domain.  You can still specify the
server to use.


I'm tracking it, but it is amazing...
for example
	../bin/smbpasswd -r ENIGMA -j CTI-SMB-2
joins pserver01 to ENIGMA perfectly.

pserver01 has security server=enigma, but resolves to every PDC (of 
course the LDAP base is the same), like security server=* but in server 
mode (for example on PDC3 or PDC1) instead of domain mode on ENIGMA...
it looks as if a broadcast is performed and the winner is the nearest 
PDC, because the trusted PDC (ENIGMA) is in another subnet... amazing!

Ignacio





Re: samba_2_2 sambatest (security=server) and ldap performance

2002-10-31 Thread Ignacio Coupeau
Andrew Bartlett wrote:


You could, but you really don't want to.  Security=server
is really nasty.  Fix whatever is causing Samba to pick the
wrong DC for security=domain.  You can still specify the
server to use.


Fixed (a wrong path :), we are using security = domain on the print 
servers now.
Thanks,
Ignacio




Re: [PATCH] ldap connection caching (not ready!!!)

2002-10-18 Thread Ignacio Coupeau
Stefan (metze) Metzmacher wrote:
!!! A few lines above I read 'return NT_STATUS_OK' but it

was 'ret = NT_STATUS_OK'  :-(

but now it works! :-)

What I need to test is the non_unix_account stuff.



I browsed the code and the LDAP schema changes... if I don't 
misunderstand, the nextrid is used only for non_unix_account, and 
the algorithmic mapping for Unix accounts, right?

So, the other question is whether a non_unix_account should be in only one 
domain. In other words: if a user logs in to domain x, will the LDAP stuff 
provide a rid-x only usable for domain-x?

I wonder if this may be a strong restriction for large sites with n 
domains and only one LDAP base... because the administrators would have to 
maintain n accounts/RIDs per user for access to the n domains. On the 
other hand, if the domain attribute takes n values it may solve the multiple 
logon, but the RID space may be broken.

Ignacio




Re: [Samba] upgrade to 3.0alpha20: accented chars in filenames unreadable

2002-10-16 Thread Ignacio Coupeau

Gerald (Jerry) Carter wrote:
 Can anyone comment on this?
 
 
 On Tue, 15 Oct 2002, Louis-David Mitterrand wrote:
 
 
Upon upgrading from 2.2.5 to 3.0alpha20 on Debian unstable, filenames
with accented characters (ie: éàî etc.) became unreadable. For example
in W2K a filename previously called résumé.xls became r when looking at
the samba share; and the filename is impossible to modify from windows:
samba log says file not found. From the shell the file looks like
r?sum?.xls but the ? are actually 0x83.

In a hurry I used
unix charset = CP850
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html#internationalization

This solved our problems (RedHat 7.2; samba-3.0a20), for example in the 
profile load on the Spanish XP (i.e. Start menu = menú Inicio).

Ignacio





Re: 'Production' improvements to pdb_ldap

2002-10-12 Thread Ignacio Coupeau
Andrew Bartlett wrote:

Samba 3.0 is starting to be used in a lot of places, and I'm starting to
look into how we can best ensure we don't get bottlenecks in our
performance.

Metze has raised a number of issues with pdb_ldap:

 - We do a Get_Pwnam() on every user - even in enums.

 - We hit the LDAP server for a new connection each time

Both of these we have known about for a while - but it turns out that
usrmgr asks for a list of all users (enum), then asks for each user by
RID.  In his (quite large) setup, this can take so long that usrmgr
times out!

For the first problem, I am proposing that we use the uidNumber,
gidNumber etc. in the user's ldap record directly - rather than doing a
Get_Pwnam() for that information.  Naturally, if that information is not
present, we can do a Get_Pwnam anyway.

However, the question is:  Should we make this the default?  It's fine
for sites running nss_ldap, but it does change behavior.  Or should we
add 'yet another smb.conf option', that admins would have to turn on if
they are running such large domains?

I would propose 'ldap trust uids' as the name, unless somebody comes up
with a better one :-).


Some suggestions...

1. A uid mapping like pam_login_attribute uid may be useful because in 
some places an attribute other than uid may be used.
2. If the user database is very big (mine has 27,000+ users in very 
few groups) some enums simply freeze the Samba server for a 
while... a max_enum_size may be useful.
3. The cache may be useful, but may be a bit tricky in some places: 
things like nscd may run pretty well, but may be tricky.
4. As the LDAP server implements a cache, perhaps a persistent connection may 
be a first step... for us, a well tuned LDAP server answers the NSS 
questions from SMTP and POP like a charm (~1000/min).
5. 'Yet another option' may be convenient.

Thanks,

Ignacio




Re: Atomic RID allocation in LDAP

2002-10-12 Thread Ignacio Coupeau
Andrew Bartlett wrote:

I've been thinking about the problem of allocating RIDs in LDAP.

We need a race-proof scheme to allocate RIDs, and I would prefer not to
need to use a local TDB  - I would like it all 'in ldap', if at all
possible.


Yes, and it is better because several PDCs may share the same LDAP Samba 
accounts... and several sources of RIDs may be a bit dangerous.

While the real solution is an LDAP server that imposes restrictions on
attributes (like uniqueness constraints), we will have to settle for
what we have...

Could we use LDAP DNs for this purpose?  An LDAP distinguished name must
be unique - so why don't we have a separate 'allocation suffix'

so cn=rids,dc=example,dc=com would contain:

nextRid,cn=rids,dc=example,dc=com 

rid=1000,cn=rids,dc=example,dc=com
rid=1001,cn=rids,dc=example,dc=com
rid=1002,cn=rids,dc=example,dc=com

A program wanting to allocate a RID would first read nextRid, and
attempt to add that RID.  If it succeeds, it updates nextRID.  If it
fails, it re-reads nextRid, and if unchanged adds 1 to the RID, and
tries again.

I read on the OpenLDAP list (Kurt, Chu) that the solution is a modify that 
deletes the previous value (which must still be present) and adds the new 
one in the same operation; this ensures atomicity:

dn: cn=rids, o=smb, dc=example,dc=com
changetype: modify
delete: nextRid
nextRid: 15000
-
add: nextRid
nextRid: 15001
-
The same also works with ldap_mod and so on.

Ignacio

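The delete-then-add modify quoted above is a compare-and-swap, but the thread stops short of the client loop around it. Here it is as an added Python example, not Samba's allocator and not from the thread: allocate_rid reads nextRid, asks the server to delete exactly that value and add the successor in one modify, and retries when the delete is refused because someone else got there first. FakeDirectory is an in-memory stand-in for slapd that keeps the all-or-nothing modify semantics so the file runs offline; RacingDirectory makes another PDC win the first round. The DN and attribute name follow the LDIF above; MOD_ADD and MOD_DELETE carry python-ldap's numeric values, and with a real connection you would pass the connection object and ldap.NO_SUCH_ATTRIBUTE as conflict_exc.

```python
"""Race-free RID allocation with one LDAP modify: delete old nextRid, add new.

Added example, not Samba's allocator.  Works against anything with the
python-ldap surface used here (search_s / modify_s); FakeDirectory stands in
for slapd so the file runs offline.  With a real connection pass
ldap.NO_SUCH_ATTRIBUTE as conflict_exc.
"""
from typing import Dict, List, Tuple

MOD_ADD, MOD_DELETE = 0, 1          # python-ldap's numeric values
RID_ATTR = "nextRid"                # attribute name from the LDIF in the thread
MAX_TRIES = 10

Entry = Dict[str, List[bytes]]


class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE: delete of a value that is not there."""


class FakeDirectory:
    """Tiny stand-in for slapd: entries keyed by DN, all-or-nothing modify."""

    def __init__(self, entries: Dict[str, Entry]):
        self.entries = entries

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None):
        entry = self.entries[base]
        return [(base, {k: list(v) for k, v in entry.items()
                        if attrlist is None or k in attrlist})]

    def modify_s(self, dn, modlist):
        # Stage every change first; a failing delete aborts the whole modify,
        # which is exactly the LDAP semantics the compare-and-swap relies on.
        staged = {k: list(v) for k, v in self.entries[dn].items()}
        for op, attr, values in modlist:
            if op == MOD_DELETE:
                for value in values:
                    if value not in staged.get(attr, []):
                        raise NoSuchAttribute(f"{attr}: {value!r} not present")
                    staged[attr].remove(value)
            elif op == MOD_ADD:
                staged.setdefault(attr, []).extend(values)
            else:
                raise ValueError(f"unsupported op {op}")
        self.entries[dn] = staged


def read_next_rid(conn, dn: str) -> int:
    _, attrs = conn.search_s(dn, 0, attrlist=[RID_ATTR])[0]   # scope 0 = BASE
    return int(attrs[RID_ATTR][0])


def allocate_rid(conn, dn: str, conflict_exc=NoSuchAttribute) -> int:
    """Return a RID that no concurrent caller can also receive.

    The delete names the exact value we read, so if another PDC bumped
    nextRid in between, the delete fails and the server rejects the whole
    modify; we re-read and try again instead of handing out a duplicate.
    """
    for _ in range(MAX_TRIES):
        current = read_next_rid(conn, dn)
        modlist = [
            (MOD_DELETE, RID_ATTR, [str(current).encode()]),
            (MOD_ADD,    RID_ATTR, [str(current + 1).encode()]),
        ]
        try:
            conn.modify_s(dn, modlist)
        except conflict_exc:
            continue                    # lost the race; loop with the new value
        return current
    raise RuntimeError(f"no RID after {MAX_TRIES} attempts: hot contention?")


class RacingDirectory(FakeDirectory):
    """FakeDirectory where another PDC sneaks in before our first modify."""

    def __init__(self, entries: Dict[str, Entry]):
        super().__init__(entries)
        self.raced = False
        self.conflicts = 0

    def modify_s(self, dn, modlist):
        if not self.raced:
            self.raced = True
            other = read_next_rid(self, dn)                   # the other PDC wins
            super().modify_s(dn, [(MOD_DELETE, RID_ATTR, [str(other).encode()]),
                                  (MOD_ADD, RID_ATTR, [str(other + 1).encode()])])
        try:
            super().modify_s(dn, modlist)
        except NoSuchAttribute:
            self.conflicts += 1
            raise


def demo_contention() -> Tuple[int, int, int]:
    """(rid we got, conflicts seen, nextRid afterwards) for the constructed race."""
    dn = "cn=rids,dc=example,dc=com"                          # DN from the thread
    conn = RacingDirectory({dn: {"cn": [b"rids"], RID_ATTR: [b"1000"]}})
    rid = allocate_rid(conn, dn)
    return rid, conn.conflicts, read_next_rid(conn, dn)


if __name__ == "__main__":
    print("allocated %d after %d conflict(s); nextRid is now %d" % demo_contention())
```

The retry loop is bounded on purpose: a site where MAX_TRIES is exceeded has a contention problem worth an alert, not an infinite spin on the directory.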



Re: Samba 3.0a20+LDAP-backend group-builit and mapping questions

2002-10-03 Thread Ignacio Coupeau

Ignacio Coupeau wrote:
 I've been playing with the groups and LDAP (passdb backend) and found two 
 problems:
 


I found the answer.
The problem was caused by an unknown type in the group type field.
By default the builtin domain and every new group created is marked as 
Group type: Unknown type:

Domain Admins
 SID   : S-1-5-21-298858960-1863792627-3661451959-512
 Unix group: admins
 Group type: Unknown type
 Comment   :
 Privilege : SaAddUsers SeMachineAccountPrivilege SaPrintOp

With the command smbgroupedit and the flag -t d I solved some of the 
problems: the groups can be searched/imported from XP and the LDAP 
database is not enumerated.

Ignacio






Re: Groups in ldap and /etc/group?

2002-09-28 Thread Ignacio Coupeau

Eddie Lania wrote:
 Hello,
 
 Using smbgroupedit, should I link groups to ldap groups, those in /etc/group
 (if I also would define them in there) or both?
 Or none? (If using ldap)

The groups are stored in group_mapping.tdb... I think the mapping is 
Unix to NT, but not LDAP groups (perhaps with nsswitch...)

Ignacio





Re: [FYI] samba_2_2 openLdap 2.1.3 and the auxiliary/structural objects

2002-08-14 Thread Ignacio Coupeau

Luke Howard wrote:
 
 The fact that sn is required is a constant annoyance. :-) It's
 good to use person or a subclass thereof for compatibility with white
 pages-type clients (e-mail address books, etc). The Active Directory
 User object class is also derived from person.
 
 Here however, it is perhaps better that the user of person as a
 structural object class is best left to administrators. SAMBA can
 just add the sambaAccount auxiliary object class to such entries.
 
 In the case where there is no existing entry, then SAMBA should
 probably use the account structural object class which only
 requires the uid attribute. See section 5.3 of RFC 2307.

Thanks a lot, this (the account object when no previous entry is present) 
may simplify things.

Ignacio





[patch samba_2_2] LDAP_MOD_ADD structural

2002-08-14 Thread Ignacio Coupeau

A possible patch to add a new account (smbpasswd -a new_user) in the 
LDAP. As LDAP v3 (openldap 2.1.3) requires a structural object class, the 
patch provides objectclass: account, as Luke Howard suggests on the list:

 In the case where there is no existing entry, then SAMBA should
 probably use the account structural object class which only
 requires the uid attribute. See section 5.3 of RFC 2307.

The account object class doesn't require any additional attribute.

The patch:

diff -u passdb/pdb_ldap.c passdb/pdb_ldap.c-DIST-020705
--- passdb/pdb_ldap.c   Wed Aug 14 20:02:42 2002
+++ passdb/pdb_ldap.c-DIST-020705   Fri Jul  5 14:54:32 2002
@@ -1104,7 +1104,6 @@
 if (ldap_op == LDAP_MOD_REPLACE) {
 rc = ldap_modify_s(ldap_struct, dn, mods);
 } else {
-   make_a_mod(mods, LDAP_MOD_ADD, objectclass, account);
 rc = ldap_add_s(ldap_struct, dn, mods);
 }
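Review bot: the hunk is generated in reverse, with the edited passdb/pdb_ldap.c as the first argument to diff and the -DIST-020705 copy as the second, so the line marked `-   make_a_mod(mods, LDAP_MOD_ADD, objectclass, account);` is the line being added, and patch applied to a pristine tree will try to remove a line that is not there; regenerate it as `diff -u passdb/pdb_ldap.c-DIST-020705 passdb/pdb_ldap.c`. The string arguments to make_a_mod also appear without quotes in the posted text, so check the file against what the mail shows before applying. On the logic itself, adding objectclass: account on every LDAP_MOD_ADD path is right for the smbpasswd -a case with no existing entry, but it hardcodes the structural class: a site that wants person or inetOrgPerson for Samba-created entries gets no choice, so a smb.conf parameter, or at least a comment saying why account was chosen, would help.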






[FYI] samba_2_2 openLdap 2.1.3 and the auxiliary/structural objects

2002-08-13 Thread Ignacio Coupeau

I wrote a note about the use of the LDIF files as provided in the docs, 
because a structural object class *must* be present with the new Samba schema 
and the strict schema checking in the new OpenLDAP (2.1.3).

http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html#AUXILIARY

The command bin/smbpasswd -a user is useless with OpenLDAP 2.1.3 
unless an account already exists, because the samba_2_2 code doesn't supply a 
structural object class:

ldap_search_one_user: searching for:[(&(uid=ccourse)(objectclass=sambaAccount))]
ldap_search_one_user: searching for:[uid=ccourse]
Adding new user
Setting entry for user: ccourse
failed to modify user with uid = ccourse with: Object class violation
 no structural object classes provided
Failed to add entry for user ccourse.
Failed to modify password entry for user ccourse

Ignacio




Re: [PATCH] LDAP PASSWD SYNC v02

2002-08-02 Thread Ignacio Coupeau

Stefan (metze) Metzmacher wrote:
 Hi Andrew,
 here's the patch...
 
 It adds a new parameter to smb.conf 'ldap passwd sync = Yes | No | Only':


A question: are there any plans to merge this code into the SAMBA_3_ 
branch, or is it intended only for HEAD?
Thanks,

Ignacio





Re: TLS and SSL with 2.2.5

2002-07-04 Thread Ignacio Coupeau

Jeff Mandel wrote:
 Does samba support tls only?
 
 I am trying to get the 2.2.5 version of samba to work with ldap and 
 ssl/tls on solaris 8 with iPlanet's Directory 5.x..
 I can successfully compile and run nss_ldap and pam_ldap over ssl, but 
 those are compiled against the mozilla ldapsdk.
 
 It seems that the samba code only supports TLS, and the mozilla sdk only 
 supports ssl. Please correct me if I'm wrong here.

We have been using LDAP with TLS and PAM support with OpenLDAP for months, but 
the /etc/ldap.conf is a bit tricky:


base o=smb,dc=unav,dc=es
ldap_version 3
# The port.
# Optional: default is 389.
#port 636
port 636

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
ssl on


... and slapd.conf *must* use the plain LDAP port (389, for example) for 
StartTLS, not the secure port (636), as the RFC says:


[global]
ldap suffix = o=smb, dc=unav, dc=es
ldap server = your_server
ldap port = 389
ldap admin dn = your rotdn: cn=root, etc...

ldap ssl = start tls


a bit more here:

http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html#smb.conf.tls

regards,
Ignacio


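A configuration check for the point of the message above, added here as a Python example (not Samba code and not from the thread). It parses the [global] section of an smb.conf fragment the way Samba matches parameter names (case-insensitive, whitespace inside the name ignored), fills in the 2.2 default port described in the 2.2.8 changelog quoted earlier on this page (389 unless ldap ssl = on, then 636), and flags the three pairings that matter: StartTLS on 636, ldaps on 389, and ldap ssl = off, which sends the ldap admin dn bind and the password hashes in the clear. The two fragments are constructed, with the wrong port beside the working one.

```python
"""Lint the LDAP transport settings of an smb.conf [global] section.

Added example, not Samba code.  Encodes the pairing discussed in the thread:
StartTLS runs on the plain LDAP port (389), ldaps (ldap ssl = on) on 636,
and ldap ssl = off puts the ldap admin dn bind on the wire in the clear.
Default port follows Samba 2.2.8: 389 unless ldap ssl = on, then 636.
The smb.conf fragments below are constructed.
"""
import re
from typing import Dict, List, Tuple


def parse_global(text: str) -> Dict[str, str]:
    """Return [global] parameters, keys normalised the way Samba matches them
    (case-insensitive, internal whitespace ignored), values lower-cased."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return params


def check_ldap_transport(params: Dict[str, str]) -> Tuple[str, int, List[str]]:
    """Return (ldap ssl mode, effective port, findings)."""
    mode = params.get("ldapssl", "off").replace("_", " ")       # 'start_tls' == 'start tls'
    port = int(params.get("ldapport") or (636 if mode == "on" else 389))
    findings: List[str] = []
    if mode == "off":
        findings.append("ldap ssl = off: the ldap admin dn bind and the SAM "
                        "hashes cross the network in cleartext")
    elif mode == "start tls" and port == 636:
        findings.append("StartTLS is negotiated on the plain LDAP port; 636 "
                        "expects a raw TLS handshake (ldaps) and the bind fails")
    elif mode == "on" and port == 389:
        findings.append("ldap ssl = on means ldaps, which belongs on 636; a "
                        "raw TLS handshake on 389 fails")
    elif mode not in ("on", "start tls"):
        findings.append(f"unrecognised ldap ssl value {mode!r}")
    return mode, port, findings


def lint(smb_conf: str) -> Tuple[str, int, List[str]]:
    return check_ldap_transport(parse_global(smb_conf))


# Constructed fragments: the broken pairing beside the one that works.
BROKEN = """
[global]
   ldap suffix = o=smb, dc=example, dc=com
   ldap server = ldap.example.com
   ldap port = 636
   ldap ssl = start tls
"""

FIXED = """
[global]
   ldap suffix = o=smb, dc=example, dc=com
   ldap server = ldap.example.com
   ldap port = 389
   ldap ssl = start tls
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        mode, port, findings = lint(conf)
        print(f"{name}: ldap ssl={mode!r} port={port} -> {findings or 'ok'}")
```

Run it over the real smb.conf before restarting smbd; a StartTLS/636 mismatch fails at bind time and looks like a wrong admin password until you read the slapd log.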





[BUG] and a problem with ldap_start_tls_s 2.2.5

2002-06-22 Thread Ignacio Coupeau

1. The bug
---
In
passdb/pdb_ldap.c
case LDAP_SSL_START_TLS:
#ifdef HAVE_LDAP_START_TLS_S

if HAVE_LDAP_START_TLS_S is defined, rc is used but not
declared, so it doesn't compile. A possible patch:

--- /usr/local/etc/samba-2.2.5/source/passdb/pdb_ldap.c-DISTSat Jun
22 11:35:34 2002
+++ /usr/local/etc/samba-2.2.5/source/passdb/pdb_ldap.c Sat Jun 22
11:37:53 2002
@@ -114,7 +114,7 @@
   {
  int port;
  int version;
-   int tls;
+   int tls, rc;
  uid_t uid = geteuid();
  struct passwd* pass;
-
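Review bot: declaring `rc` fixes the build, but the report says `rc` is only used inside the `#ifdef HAVE_LDAP_START_TLS_S` branch, so an unconditional `int tls, rc;` at the top of the function gives an unused-variable warning on builds without StartTLS support; declare it inside that `#ifdef` block, next to the `ldap_start_tls_s` call, instead. Also, the `---`/`+++` header lines are wrapped by the mailer (`pdb_ldap.c-DISTSat Jun` / `22 11:35:34 2002`), so this hunk will not apply as pasted; send the patch as an attachment.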

2. The problem: configure doesn't detect ldap_start_tls_s in the 
/usr/include|lib files:
--
When I run configure --with-ldapsam with openldap-2.0.23 + openssl 
support, I found that the AC_CHECK_FUNCS(ldap_start_tls_s) macro
doesn't run properly because it says: ldap_start_tls_s (no).
Of course, Samba compiles with LDAP *but* doesn't start TLS 
(ldap_open_connection:
StartTLS not supported by LDAP client libraries!).

With samba-2.2.4 it runs well.

In the configure.log I found:
---
-lnsl -lcrypt 1>&5
/tmp/ccX9dGzo.o: In function `main':
/tmp/ccX9dGzo.o(.text+0x7): undefined reference to `ldap_start_tls_s'
collect2: ld returned 1 exit status
configure: failed program was:
#line 12240 configure
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
  which can conflict with char ldap_start_tls_s(); below.  */
#include <assert.h>
/* Override any gcc2 internal prototype to avoid an error.  */
/* We use char because int might match the return type of a gcc2
  builtin and then its argument prototype would still apply.  */
char ldap_start_tls_s();


To avoid this problem temporarily I used the LDAP section from the patched 2.2.4 
configure.in, but this is not the solution:

#
# check for a LDAP password database
AC_MSG_CHECKING(whether to use LDAP SAM database)
AC_ARG_WITH(ldapsam,
[  --with-ldapsam  Include experimental LDAP SAM support 
(default=no)],
[ case $withval in
   yes)
 AC_MSG_RESULT(yes)
 AC_DEFINE(WITH_LDAP_SAM)
 AC_DEFINE(HAVE_LDAP_START_TLS_S)
 LDAPLIBS=-lldap -llber -lresolv
 with_smbpasswd_sam=no
 AC_SUBST(LDAPLIBS)
 ;;
   *)
 AC_MSG_RESULT(no)
 ;;
   esac ],
   AC_MSG_RESULT(no)
)


Ignacio