[Samba] Samba3 capable of AD auth. without matching Linux users?

2013-06-23 Thread Stefan Midjich
My goal is to share a CIFS volume from Linux, to Windows clients, using
Samba 3.6 and only authenticate users over AD.

I do not want one local Linux user for each AD user, in other words. I want
all users connecting to CIFS to use one shared local user for FS
operations. So the CIFS share will be owned by one local user that all AD
users will use when they use the CIFS volume.

Is this possible in Samba 3.6?

I ask because I can't make heads or tails of the documentation. I've
managed to piece together a winbind/krb5 configuration that allows me to do
the following.

 * Get a Kerberos token from the Windows 2008 AD server (not R2)
 * net ads join my Linux host into the Windows 2008 AD
 * List users and groups in the AD using wbinfo, and getent -s winbind

But whenever I try to log in to my share from a Windows server in the same
AD, it says the user is invalid on this system, unless I keep a local
user matching the AD sAMAccountName of the user logging in.

Here is my current smb.conf

[global]
 workgroup = DOMAIN
 realm = DOMAIN.LOCAL
 server string = %h server
 security = ads
 allow trusted domains = no
 local master = no
 domain master = no
 interfaces = eth0 10.221.111.51/24
 bind interfaces only = yes
 log level = 0 auth:10 smb:10
 log file = /var/log/samba/log.%m
 max log size = 1000
#syslog only = no
 syslog = 0
 load printers = no
 printing = bsd
 printcap name = /etc/printcap

# Bug #8676 workaround
 idmap config * : backend = tdb
 idmap config * : range = 2000-4999
 idmap config DOMAIN : backend = rid
 idmap config DOMAIN : range = 1-4
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
 encrypt passwords = yes
 valid users = @Domain Users

[www]
 comment = HTML share
 path = /var/www/website.domain.local
 valid users = share
 writable = yes
 force user = share
 force group = share
 force directory mode = 0775
 force create mode = 0664

Here is my current krb5.conf

[libdefaults]
 default_realm = DOMAIN.LOCAL
 ticket_lifetime = 24000
 clock-skew = 300

[realms]
 DOMAIN.LOCAL = {
  kdc = DC02.DOMAIN.LOCAL:88
  admin_server = DC02.DOMAIN.LOCAL:464
  default_domain = DOMAIN.LOCAL
 }

[domain_realm]
 .DOMAIN.LOCAL = DC02.DOMAIN.LOCAL
 DOMAIN.LOCAL = DC02.DOMAIN.LOCAL

There are several DCs but I picked one because the docs I was reading made
it seem like you had to pick one for Kerberos.

The machine is using the DCs' DNS, so all domains involved here (all the DCs,
the machine's domain, the clients) can be resolved. Despite this, I have
added some domains to /etc/hosts.

127.0.0.1   webb04.domain.local webb04
10.221.111.51   webb04.domain.local webb04

10.221.111.16 DC02.DOMAIN.LOCAL DC02

10.221.111.10 DOMAIN.LOCAL

My /etc/resolv.conf reflects the AD setup in the network.

domain domain.local
search domain.local
nameserver 10.221.111.10
nameserver 10.221.111.16

With this configuration on Debian Wheezy I can run kinit to get a token
using an AD administrator account.

Then I can run net ads join -U Administrator and enter the same account's
password, to join the domain.

After that I can run wbinfo -u to list all users in the Windows AD.
I can also run getent -s winbind passwd username to see information for
that user, like this:

stemid:*:24750:10513::/home/DOMAIN/stemid:/bin/false

Of course this is metadata; that user does not exist on my Linux
server. At least that is my understanding.

-- 
Hälsningar / Greetings

http://Stefan.Midjich.name
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba3 capable of AD auth. without matching Linux users?

2013-06-23 Thread Stefan Midjich
I eventually got it working with the following configuration, in case any
googlers find it helpful.

I wrote it all down here on this wiki
http://wiki.sydit.se/teknik:ad_autentisering_foer_cifs_med_samba Just so I
would not forget until tomorrow. :)

It's in Swedish but all the configuration files are recognizable.

I'm not sure about many of the options, like idmap backend, so I will
investigate them in the morning when I write a proper installation manual.
Just to remove things I don't need.

-- 
Hälsningar / Greetings

http://Stefan.Midjich.name


Re: [Samba] Samba3 capable of AD auth. without matching Linux users?

2013-06-23 Thread Marc Muehlfeld

Hello Stefan,

On 23.06.2013 22:44, Stefan Midjich wrote:

I eventually got it working with the following configuration, in case any
googlers find it helpful.

I wrote it all down here on this wiki
http://wiki.sydit.se/teknik:ad_autentisering_foer_cifs_med_samba Just so I
would not forget until tomorrow. :)


I haven't fully compared, but isn't it largely the same as here:
http://wiki.samba.org/index.php/Samba4/Domain_Member
Is there a reason why you use idmap backend rid and don't take the UIDs
from AD?



I don't understand Swedish and what you wrote in the sentence before,
but I think setting

127.0.0.1   webb01.domain.local webb01

could cause problems somewhere, sometime. 127.0.0.1 should rather be
resolved to localhost. If some program resolves webb01, /etc/hosts
would return 127.0.0.1 instead of the IP of your NIC.




Regards,
Marc


Re: [Samba] Samba3 capable of AD auth. without matching Linux users?

2013-06-23 Thread Stefan Midjich
Thanks Marc. In fact the localhost entry was just a precaution and I was never
sure of it; I even tried resolving localhost to make sure it worked after I
made the change.

I will test idmap backend ad later, because I think what made it all work
for me was setting up NSS. Now that NSS is set up I can even run id ad-user
in the CLI and get all the information from AD. So it seems more integrated
now and I have a better understanding of NSS.

I was under the impression that rid converted the SIDs into valid UIDs and
GIDs. But if I am, as now, only needing it for authentication and not for
IO to the FS, then I should logically not require the local UIDs/GIDs.

-- 
Hälsningar / Greetings

http://Stefan.Midjich.name
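The thread stalls on three things: the idmap ranges in the first smb.conf, the NSS setup Stefan later credits for the fix, and Marc's point about the host's own name on the 127.0.0.1 line. The script below is an added example, not part of the thread and not Samba's own tooling: an offline preflight that parses constructed copies of those three files (trimmed from the posted ones, with the "fixed" versions being my assumptions, as is the hostname webb04 and the 1000-id threshold) and reports what would have blocked the join or the logon. It rests on two documented facts: idmap_rid maps a unix ID as RID - base_rid + low, with Domain Users at RID 513 and new accounts allocated from RID 1000, so a rid range of four IDs maps nothing useful; and force user only takes effect after the client has connected as a valid user, so smbd must still resolve the AD account through NSS (winbind) first.

```shell
#!/bin/sh
# Added offline preflight for a Samba 3.x AD member (example code, not Samba's
# own tooling), run here against constructed copies of the posted files:
#  1. idmap ranges: well-formed, non-overlapping, and a 'rid' range big enough.
#     idmap_rid maps ID = RID - base_rid + low; Domain Users is RID 513 and new
#     accounts start at RID 1000, so a rid range of a few ids maps nothing useful.
#  2. nsswitch.conf: passwd and group must list winbind. smbd resolves the AD
#     account with getpwnam() before 'force user' is applied; when that lookup
#     fails the logon is rejected as an invalid user despite a good AD password.
#  3. /etc/hosts: the host's own name must not sit on the 127.0.0.1 line.
# Assumptions: the 1000-id threshold, hostname webb04, and the "fixed" ranges.

SMB_CONF_ORIG='[global]
 idmap config * : backend = tdb
 idmap config * : range = 2000-4999
 idmap config DOMAIN : backend = rid
 idmap config DOMAIN : range = 1-4'
SMB_CONF_FIXED='[global]
 idmap config * : backend = tdb
 idmap config * : range = 2000-9999
 idmap config DOMAIN : backend = rid
 idmap config DOMAIN : range = 10000-29999'
NSSWITCH_ORIG='passwd: compat
group:  compat'
NSSWITCH_FIXED='passwd: compat winbind
group:  compat winbind'
HOSTS_ORIG='127.0.0.1     webb04.domain.local webb04
10.221.111.51 webb04.domain.local webb04
10.221.111.16 DC02.DOMAIN.LOCAL DC02'
HOSTS_FIXED='127.0.0.1     localhost
10.221.111.51 webb04.domain.local webb04
10.221.111.16 DC02.DOMAIN.LOCAL DC02'

# Each check prints one "BAD ..." line per finding (or "OK ...") and returns
# non-zero when anything is wrong.
check_idmap() {                       # $1 = smb.conf text
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /^[ \t]*idmap[ \t]+config[ \t]/ {
            line = substr($0, index(tolower($0), "config") + 6)
            if (split(line, p, ":") < 2) next
            dom = p[1]; gsub(/[ \t]/, "", dom)
            split(p[2], kv, "="); key = tolower(kv[1]); val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (!(dom in seen)) { seen[dom] = 1; order[++cnt] = dom }
            if (key == "backend") be[dom] = tolower(val)
            if (key == "range") { split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0 }
        }
        END {
            bad = 0
            for (i = 1; i <= cnt; i++) {
                d = order[i]
                if (!(d in lo)) { print "BAD idmap " d ": no range"; bad++; continue }
                if (lo[d] >= hi[d]) { print "BAD idmap " d ": low not below high"; bad++ }
                else if (be[d] == "rid" && hi[d] - lo[d] + 1 <= 1000) { print "BAD idmap " d ": rid range holds only " hi[d] - lo[d] + 1 " ids"; bad++ }
                for (j = i + 1; j <= cnt; j++) { e = order[j]
                    if ((e in lo) && lo[d] <= hi[e] && lo[e] <= hi[d]) { print "BAD idmap " d " and " e ": ranges overlap"; bad++ } }
            }
            if (!bad) print "OK idmap"
            exit (bad > 0)
        }'
}

check_nsswitch() {                    # $1 = nsswitch.conf text
    printf '%s\n' "$1" | awk '
        /^[ \t]*(passwd|group):/ { db = $1; sub(/:$/, "", db); ok[db] = ($0 ~ /[ \t]winbind([ \t]|$)/) }
        END {
            bad = 0
            if (!ok["passwd"]) { print "BAD nsswitch: passwd does not use winbind"; bad++ }
            if (!ok["group"])  { print "BAD nsswitch: group does not use winbind"; bad++ }
            if (!bad) print "OK nsswitch"
            exit (bad > 0)
        }'
}

check_hosts() {                       # $1 = hosts text, $2 = own short hostname
    printf '%s\n' "$1" | awk -v me="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i !~ /^localhost/) { print "BAD hosts: " $i " resolves to loopback " $1; bad++ } }
        $1 !~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == me) real = $1 }
        END {
            if (real == "") { print "BAD hosts: no non-loopback address for " me; bad++ }
            if (!bad) print "OK hosts: " me " -> " real
            exit (bad > 0)
        }'
}

preflight() {                         # $1 smb.conf  $2 nsswitch.conf  $3 hosts  $4 hostname
    failed=0                          # return value = number of failed checks
    check_idmap "$1"      || failed=$((failed + 1))
    check_nsswitch "$2"   || failed=$((failed + 1))
    check_hosts "$3" "$4" || failed=$((failed + 1))
    return $failed
}

echo "== files as first posted =="
preflight "$SMB_CONF_ORIG" "$NSSWITCH_ORIG" "$HOSTS_ORIG" webb04 || echo "-> $? check(s) failed"
echo "== corrected files =="
preflight "$SMB_CONF_FIXED" "$NSSWITCH_FIXED" "$HOSTS_FIXED" webb04 \
    && echo "-> ready for: net ads join -U Administrator; wbinfo -t; getent passwd stemid"
```

On a real member server you would feed the live files in (`check_idmap "$(cat /etc/samba/smb.conf)"`, and so on) before `net ads join`, then confirm the result the way the thread does: `wbinfo -t` for the machine trust, and `getent passwd stemid` returning a line is exactly the lookup smbd performs before `force user = share` swaps the FS identity. The 1000-id cut-off is only a sanity floor; the working uid 24750 / gid 10513 Stefan shows would need a rid range that starts low enough and is wide enough to cover RIDs in the tens of thousands.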