On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
On Tue, 30 Apr 2013, simon.willi...@thehelpfulcat.com wrote:
That is actually pretty good news.  The real requirement is network
storage for the Windows workstations secured by FreeIPA authentication.
If I read what you’ve said correctly this is possible now.  I can live
with the magical incantations to enrol any new Windows machines for
now.  There are a few things that would work better if Windows thought
it was logging on to a domain, but we have lived without those features
for the last year.  Once a Windows machine has been set up correctly,
which can be a bit hit and miss, the authentication works flawlessly.
To be clear, we have not tested this combination so you'll be in uncharted

Since TGT for these users would still be issued by FreeIPA KDC, it would
include MS-PAC with SIDs of these users in FreeIPA domain -- once you
have run ipa-adtrust-install, of course. Thus, smbd on IPA master would
be able to recognize them as FreeIPA users regardless where they come
from -- IPA or Windows machines, as long as Kerberos is in use.

Any reports of how such setup would actually behave are welcomed.

It sounds as though I can set up the file server now and then extend it
to do the AD DC bit when it is ready.

I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo
anywhere is there?
The only requirements for a simplistic setup are to:
1. run file server on IPA master (you can make a dedicated replica for that)
2. run ipa-adtrust-install on that master to setup Samba configuration
 and enable KDC + directory server to handle SIDs
3. use 'net conf setparm ...' to setup shares, since Samba on IPA master
 uses registry backend to store smb.conf configuration.

for a sample of how to work with 'net conf setparm'.

For 'valid users' I guess you can use simply user names since these
would be our local ones.

Again, this is completely untested right now.
So, I tried a quick test for this, using the admins group:

1. Setup shared space, apply SELinux context and modify ACLs:
[root@red samba-4.0.5]# mkdir /srv/testshare
[root@red samba-4.0.5]# chcon -t samba_share_t /srv/testshare
[root@red samba-4.0.5]# setfacl -m g:admins:rwx  /srv/testshare
[root@red samba-4.0.5]# getfacl /srv/testshare
getfacl: Removing leading '/' from absolute path names
# file: srv/testshare
# owner: root
# group: root

2. Create actual Samba share:
[root@red samba-4.0.5]# net conf addshare testshare /srv/testshare writeable=y 

3. Obtain TGT for Kerberos identity (admin, belongs to admins group):
[root@red samba-4.0.5]# kinit
Password for admin@BIRD.CLONE:
[root@red samba-4.0.5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BIRD.CLONE

Valid starting       Expires              Service principal
30.04.2013 22:10:13  01.05.2013 22:10:11  krbtgt/BIRD.CLONE@BIRD.CLONE

Now try connecting to //red.bird.clone/testshare and use it (I've copied a
few files in several sessions, showing the last one):

[root@red samba-4.0.5]# smbclient -k //red.bird.clone/testshare
lp_load_ex: changing to config backend registry
Domain=[BIRD] OS=[Unix] Server=[Samba 4.0.5]
smb: \> dir
 .                                   D        0  Tue Apr 30 22:06:51 2013
 ..                                  D        0  Tue Apr 30 21:40:04 2013
 foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
 README                              A     7998  Tue Apr 30 22:06:51 2013

               40918 blocks of size 262144. 19277 blocks available
smb: \> put WHATSNEW.txt
putting file WHATSNEW.txt as \WHATSNEW.txt (182,6 kb/s) (average 182,6 kb/s)
smb: \> dir
 .                                   D        0  Tue Apr 30 22:10:35 2013
 ..                                  D        0  Tue Apr 30 21:40:04 2013
 WHATSNEW.txt                        A    47112  Tue Apr 30 22:10:35 2013
 foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
 README                              A     7998  Tue Apr 30 22:06:51 2013

               40918 blocks of size 262144. 19277 blocks available
smb: \>

Check status of the last copied file, notice permissions and SELinux
[root@red samba-4.0.5]# stat /srv/testshare/WHATSNEW.txt
  File: ‘/srv/testshare/WHATSNEW.txt’
 Size: 47112           Blocks: 96         IO Block: 4096   regular file
Device: fc03h/64515d    Inode: 153050      Links: 1
Access: (0744/-rwxr--r--)  Uid: (1564400000/   admin)   Gid: (1564400000/  
Context: system_u:object_r:samba_share_t:s0
Access: 2013-04-30 22:10:35.484270784 +0300
Modify: 2013-04-30 22:10:35.580239030 +0300
Change: 2013-04-30 22:10:35.579270116 +0300
Birth: -
.... And for those who are too enjoyed -- this only works for FreeIPA
own users. AD users, coming through a trust, are not supported this way
yet, only through explicit 'valid users = USER-SID' right now. It is
due to the fact that smbd doesn't yet know how to convert back gid/uid
of the AD user to a SID since these users have automatically generated
gid/uid which aren't stored anywhere.

We need to add some smart logic to ipasam module to handle it.

[2013/04/30 22:20:03.878564,  5] 
  Security token SIDs (12):
    SID[  0]: S-1-5-21-3502988750-125904550-3683905862-500
    SID[  1]: S-1-5-21-3502988750-125904550-3683905862-513
    SID[  2]: S-1-5-21-3502988750-125904550-3683905862-520
    SID[  3]: S-1-5-21-3502988750-125904550-3683905862-512
    SID[  4]: S-1-5-21-3502988750-125904550-3683905862-519
    SID[  5]: S-1-5-21-3502988750-125904550-3683905862-518
    SID[  6]: S-1-18-1
    SID[  7]: S-1-5-21-1492269836-2180264219-1113070302-1004
    SID[  8]: S-1-1-0
    SID[  9]: S-1-5-2
    SID[ 10]: S-1-5-11
    SID[ 11]: S-1-22-1-1442800500
   Privileges (0x               0):
   Rights (0x               0):
[2013/04/30 22:20:03.879021,  5] 
  UNIX token of user 1442800500
  Primary group is 1442800500 and contains 0 supplementary groups
[2013/04/30 22:20:03.879198,  5] 
  Impersonated user: uid=(1442800500,1442800500), gid=(0,1442800500)

and then

[2013/04/30 22:20:03.951270,  5] ../source3/passdb/lookup_sid.c:1212(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 1564400004
[2013/04/30 22:20:03.951488,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [dc=bird,dc=clone], filter => [(&(gidNumber=1564400004)(objectClass=ipaNTGroupAttrs))], scope => [2]
[2013/04/30 22:20:03.952132,  4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (1442800500, 1442800500) - sec_ctx_stack_ndx = 0
[2013/04/30 22:20:03.952214,  3] ../source3/smbd/open.c:791(open_file)
  Error opening file README.downgrade (NT_STATUS_ACCESS_DENIED) 
(local_flags=578) (flags=578)

I.e. an attempt to write a file while being a process under uid 1442800500
and gid 1442800500 fails. This is the uid of administra...@ad.lan, an AD user,
and the gid of his/her primary group, which are automatically generated
based on its SID.

[root@red samba-4.0.5]# id administra...@ad.lan
uid=1442800500(administra...@ad.lan) gid=1442800500(administra...@ad.lan) 
adm...@ad.lan),1442800512(domain adm...@ad.lan),1564400004(ad_members)

/ Alexander Bokovoy
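An added example, not part of the thread: a small Python parser over constructed smbd debug lines modelled on Alexander's excerpt, which pulls out the three symptoms of the trust-user mapping gap he describes (the impersonated uid carrying a Samba "Unix Users" S-1-22-1-<uid> SID, a gid that winbind could not map back to a SID, and the resulting NT_STATUS_ACCESS_DENIED). The sample log and the regexes are my assumptions about the format, based on the lines quoted above.

```python
import re

# Constructed smbd debug-level-5 excerpt, modelled on the thread's log lines
# (not copied): an AD trust user with a uid/gid auto-generated from its SID
# writes to the share, and one of its gids (1564400004) has no SID mapping.
SAMPLE_LOG = """\
[2013/04/30 22:20:03.878564,  5]
  Security token SIDs (3):
    SID[  0]: S-1-5-21-1492269836-2180264219-1113070302-1004
    SID[  1]: S-1-5-11
    SID[  2]: S-1-22-1-1442800500
[2013/04/30 22:20:03.879021,  5]
  UNIX token of user 1442800500
[2013/04/30 22:20:03.951270,  5] ../source3/passdb/lookup_sid.c:1212(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 1564400004
[2013/04/30 22:20:03.952214,  3] ../source3/smbd/open.c:791(open_file)
  Error opening file README.downgrade (NT_STATUS_ACCESS_DENIED) (local_flags=578) (flags=578)
"""

SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[\d-]+)")
UNIX_UID_RE = re.compile(r"UNIX token of user (\d+)")
GID_FAIL_RE = re.compile(r"winbind failed to find a sid for gid (\d+)")
DENIED_RE = re.compile(r"Error opening file (\S+) \(NT_STATUS_ACCESS_DENIED\)")

def diagnose(log_text):
    """Correlate the token dump with the later gid_to_sid failure.

    S-1-22-1-<uid> is Samba's local "Unix Users" pseudo-domain, so that SID
    for the impersonated uid shows smbd fell back to a synthetic SID. Each
    'winbind failed to find a sid for gid' line names a gid that had no SID
    mapping, which is why the ACL check cannot succeed and the open of the
    file is denied.
    """
    uid_match = UNIX_UID_RE.search(log_text)
    uid = int(uid_match.group(1)) if uid_match else None
    sids = SID_RE.findall(log_text)
    uid_has_unix_users_sid = uid is not None and f"S-1-22-1-{uid}" in sids
    unmapped_gids = sorted({int(g) for g in GID_FAIL_RE.findall(log_text)})
    denied_files = DENIED_RE.findall(log_text)
    return {
        "uid": uid,
        "uid_has_unix_users_sid": uid_has_unix_users_sid,
        "unmapped_gids": unmapped_gids,
        "denied_files": denied_files,
        # True only when all three symptoms of the mapping gap line up.
        "trust_user_mapping_gap": uid_has_unix_users_sid
        and bool(unmapped_gids) and bool(denied_files),
    }
```

Running `diagnose` over a real `log level = 5` capture from the IPA master separates this mapping gap from an ordinary POSIX permission problem on the share directory.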

Freeipa-users mailing list