Re: [OmniOS-discuss] LDAP external auth for CIFS service

2016-08-28 Thread Jim Klimov
On 27 August 2016 at 15:00:38 CEST, Tobi Oetiker wrote:
>Gordon
>
>from your explanation it is not quite clear to me if one could use an
>openldap server, and how one would have to go about telling illumos to
>use it.
>
>cheers
>tobi
>
>> On 26.08.2016, at 18:14, Gordon Ross  wrote:
>> 
>> Sorry for the delay -- been quite busy.  I do look at this list, but
>> only occasionally.
>> 
>> The way LDAP auth. works in SMB servers like Samba is that the server
>> allows SMB clients (i.e. Windows) to logon using accounts that work
>> the same as "local" accounts (what Windows would call "local"
>> accounts, meaning they are NOT domain accounts).  However, while the
>> SMB clients think these are "local" accounts, the server uses
>> something akin to the name service switch functions for LDAP to get
>> the details of these accounts needed for SMB.
>> 
>> Such accounts are not really "local", but are defined in your LDAP
>> service.  The SMB server needs a way to get some Windows-specific
>> details about those accounts from LDAP, including the "NT password
>> hash" (for authentication) and some other Windows-ish details.
>> 
>> The current LDAP libraries in illumos are sufficient for this (though
>> for other reasons, it would be nice if we could update them some
>day).
>> What's missing is some "glue" in the name service switch design, and
>> perhaps a new lookup method for the "NT password hash", which is
>> similar conceptually to the "shadow password" back-end functions. 
>One
>> can probably pretty much copy/paste the LDAP back-end function for
>> shadow passwd. to make the "ntpass" or whatever we call this new
>> nsswitch method.  The current /var/smb/smbpasswd stuff, currently
>> accessed directly from libsmb should really go through the "files"
>> back-end, and we might want to consider taking the opportunity to
>> change the format of that file (though that means doing some format
>> conversion work during upgrades).  Once a new nsswitch method for
>> "ntpass" (or whatever) is in place, the parts of this in the SMB
>> server (mostly libsmb) are fairly easy.
>> 
>> Requests for this feature have come up from time to time over the
>last
>> few years, but (so far) not from anyone who wanted it badly enough to
>> pay for the work.
>> 
>> Gordon
>> 
>> 
>>> On Thu, Aug 18, 2016 at 11:15 AM, Dan McDonald 
>wrote:
>>> 
>>>> On Aug 18, 2016, at 11:04 AM, Mick Burns  wrote:
>>>> 
>>>> *bump*
>>>> anyone ?
>>> 
>>> I'm going to forward your note to someone I know who works on CIFS. 
>He's not on this list.
>>> 
>>> Stay tuned,
>>> Dan
>>> 
>>> ___
>>> OmniOS-discuss mailing list
>>> OmniOS-discuss@lists.omniti.com
>>> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>> 
>

From my fiddling with LDAP (DSEE) for Solaris/OI/Linux accounts with Sol/OI 
kCIFS server vs. a separate AD domain a few years back, and Gordon's 
explanations, I think you are asking about several slightly related subsystems 
in one sentence ;)

Yes, you can use an(y?) LDAP service with NIS-equivalent schema with the 
Solarish ldap-client. DSEE and AD+MS Unix Extensions can do it. Probably 
OpenLDAP can do it - you might need to port DSEE schema dialect to be 
recognised by that service though.

This regards recognition of Unix accounts for file ownership, ssh, etc. You can 
also fiddle with netgroups to limit which groups and accounts from LDAP are at 
all "defined" for a particular client (e.g. a zone might only know about admins 
or devs for its services, not all organization).

Separate from that is kCIFS auth that may rely on a password file (with NTLM 
hashes, or so they say) which Gordon suggests might be re-coded separately to 
be an nsswitch service so it can also come from an LDAP backend or from the 
file. This authorizes the users to enter the server via CIFS.

Separate from that is ephemeral mapping (and SMF service for that) to connect 
AD UUIDs to local (or ldap) Unix id numbers. This part requires an AD service 
connection so probably a special AD account for the server and perhaps a 
kerberos login setup.

Hope this rant helps ;)
Jim
--
Typos courtesy of K-9 Mail on my Samsung Android


Re: [OmniOS-discuss] LDAP external auth for CIFS service

2016-08-27 Thread Tobi Oetiker
Gordon

from your explanation it is not quite clear to me if one could use an openldap 
server, and how one would have to go about telling illumos to use it.

cheers
tobi

> On 26.08.2016, at 18:14, Gordon Ross  wrote:
> 
> Sorry for the delay -- been quite busy.  I do look at this list, but
> only occasionally.
> 
> The way LDAP auth. works in SMB servers like Samba is that the server
> allows SMB clients (i.e. Windows) to logon using accounts that work
> the same as "local" accounts (what Windows would call "local"
> accounts, meaning they are NOT domain accounts).  However, while the
> SMB clients think these are "local" accounts, the server uses
> something akin to the name service switch functions for LDAP to get
> the details of these accounts needed for SMB.
> 
> Such accounts are not really "local", but are defined in your LDAP
> service.  The SMB server needs a way to get some Windows-specific
> details about those accounts from LDAP, including the "NT password
> hash" (for authentication) and some other Windows-ish details.
> 
> The current LDAP libraries in illumos are sufficient for this (though
> for other reasons, it would be nice if we could update them some day).
> What's missing is some "glue" in the name service switch design, and
> perhaps a new lookup method for the "NT password hash", which is
> similar conceptually to the "shadow password" back-end functions.  One
> can probably pretty much copy/paste the LDAP back-end function for
> shadow passwd. to make the "ntpass" or whatever we call this new
> nsswitch method.  The current /var/smb/smbpasswd stuff, currently
> accessed directly from libsmb should really go through the "files"
> back-end, and we might want to consider taking the opportunity to
> change the format of that file (though that means doing some format
> conversion work during upgrades).  Once a new nsswitch method for
> "ntpass" (or whatever) is in place, the parts of this in the SMB
> server (mostly libsmb) are fairly easy.
> 
> Requests for this feature have come up from time to time over the last
> few years, but (so far) not from anyone who wanted it badly enough to
> pay for the work.
> 
> Gordon
> 
> 
>> On Thu, Aug 18, 2016 at 11:15 AM, Dan McDonald  wrote:
>> 
>>> On Aug 18, 2016, at 11:04 AM, Mick Burns  wrote:
>>> 
>>> *bump*
>>> anyone ?
>> 
>> I'm going to forward your note to someone I know who works on CIFS.  He's 
>> not on this list.
>> 
>> Stay tuned,
>> Dan
>> 
> 



Re: [OmniOS-discuss] LDAP external auth for CIFS service

2016-08-26 Thread Gordon Ross
I should also mention: The other solution for the problem of
"centralized Windows accounts in a Unix shop" is to run a Samba AD
server somewhere, and point your other clients that want LDAP to that.
That way you can just tell the Windows clients to use domain accounts.


On Fri, Aug 26, 2016 at 12:14 PM, Gordon Ross  wrote:
> Sorry for the delay -- been quite busy.  I do look at this list, but
> only occasionally.
>
> The way LDAP auth. works in SMB servers like Samba is that the server
> allows SMB clients (i.e. Windows) to logon using accounts that work
> the same as "local" accounts (what Windows would call "local"
> accounts, meaning they are NOT domain accounts).  However, while the
> SMB clients think these are "local" accounts, the server uses
> something akin to the name service switch functions for LDAP to get
> the details of these accounts needed for SMB.
>
> Such accounts are not really "local", but are defined in your LDAP
> service.  The SMB server needs a way to get some Windows-specific
> details about those accounts from LDAP, including the "NT password
> hash" (for authentication) and some other Windows-ish details.
>
> The current LDAP libraries in illumos are sufficient for this (though
> for other reasons, it would be nice if we could update them some day).
> What's missing is some "glue" in the name service switch design, and
> perhaps a new lookup method for the "NT password hash", which is
> similar conceptually to the "shadow password" back-end functions.  One
> can probably pretty much copy/paste the LDAP back-end function for
> shadow passwd. to make the "ntpass" or whatever we call this new
> nsswitch method.  The current /var/smb/smbpasswd stuff, currently
> accessed directly from libsmb should really go through the "files"
> back-end, and we might want to consider taking the opportunity to
> change the format of that file (though that means doing some format
> conversion work during upgrades).  Once a new nsswitch method for
> "ntpass" (or whatever) is in place, the parts of this in the SMB
> server (mostly libsmb) are fairly easy.
>
> Requests for this feature have come up from time to time over the last
> few years, but (so far) not from anyone who wanted it badly enough to
> pay for the work.
>
> Gordon
>
>
> On Thu, Aug 18, 2016 at 11:15 AM, Dan McDonald  wrote:
>>
>>> On Aug 18, 2016, at 11:04 AM, Mick Burns  wrote:
>>>
>>> *bump*
>>> anyone ?
>>
>> I'm going to forward your note to someone I know who works on CIFS.  He's 
>> not on this list.
>>
>> Stay tuned,
>> Dan
>>


Re: [OmniOS-discuss] LDAP external auth for CIFS service

2016-08-26 Thread Gordon Ross
Sorry for the delay -- been quite busy.  I do look at this list, but
only occasionally.

The way LDAP auth. works in SMB servers like Samba is that the server
allows SMB clients (i.e. Windows) to logon using accounts that work
the same as "local" accounts (what Windows would call "local"
accounts, meaning they are NOT domain accounts).  However, while the
SMB clients think these are "local" accounts, the server uses
something akin to the name service switch functions for LDAP to get
the details of these accounts needed for SMB.

Such accounts are not really "local", but are defined in your LDAP
service.  The SMB server needs a way to get some Windows-specific
details about those accounts from LDAP, including the "NT password
hash" (for authentication) and some other Windows-ish details.

The current LDAP libraries in illumos are sufficient for this (though
for other reasons, it would be nice if we could update them some day).
What's missing is some "glue" in the name service switch design, and
perhaps a new lookup method for the "NT password hash", which is
similar conceptually to the "shadow password" back-end functions.  One
can probably pretty much copy/paste the LDAP back-end function for
shadow passwd. to make the "ntpass" or whatever we call this new
nsswitch method.  The current /var/smb/smbpasswd stuff, currently
accessed directly from libsmb should really go through the "files"
back-end, and we might want to consider taking the opportunity to
change the format of that file (though that means doing some format
conversion work during upgrades).  Once a new nsswitch method for
"ntpass" (or whatever) is in place, the parts of this in the SMB
server (mostly libsmb) are fairly easy.

Requests for this feature have come up from time to time over the last
few years, but (so far) not from anyone who wanted it badly enough to
pay for the work.

Gordon


On Thu, Aug 18, 2016 at 11:15 AM, Dan McDonald  wrote:
>
>> On Aug 18, 2016, at 11:04 AM, Mick Burns  wrote:
>>
>> *bump*
>> anyone ?
>
> I'm going to forward your note to someone I know who works on CIFS.  He's not 
> on this list.
>
> Stay tuned,
> Dan
>
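Added here as a worked illustration of the mechanism Gordon describes above (and of the "password file with NTLM hashes" Jim refers to in his reply): this is example code written for this page, not illumos, OmniOS or Samba code. It models the "ntpass" lookup as a files-then-LDAP chain over two constructed records, assuming a Samba-style smbpasswd line and a Samba-schema sambaNTPassword attribute as the backends (the illumos /var/smb/smbpasswd format is not reproduced), and then shows why that lookup is all the server needs: an NTLMv2 logon is verified from the stored NT hash alone, never from a cleartext password. The user names, challenges and passwords are invented.

```python
"""Added example, not illumos/OmniOS code.  An SMB server that lets clients
log on with "local" accounts needs each account's NT password hash, from a
file or from LDAP, and that hash alone lets it check an NTLMv2 logon."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because OpenSSL 3 ships it only in the
    legacy provider, so hashlib.new("md4") is often unavailable."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    rounds = (  # (step function, additive constant, X[k] order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + x[idx] + k) & _MASK, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc  # rotate roles as in [ABCD] -> [DABC]
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password; what an smbpasswd file stores."""
    return md4(password.encode("utf-16-le"))


# The "ntpass" lookup Gordon sketches, modelled as a files-then-LDAP chain over
# constructed records.  The file line follows the Samba smbpasswd layout
# (user:uid:LMHASH:NTHASH:[flags]:LCT-...), not illumos' /var/smb/smbpasswd;
# the LDAP entry uses the Samba schema's sambaNTPassword attribute.
SMBPASSWD_LINES = [
    "alice:1001:" + "X" * 32 + ":8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-00000000:",
]
LDAP_ENTRIES = {
    "bob": {"uidNumber": "1002", "sambaNTPassword": nt_hash("correct horse").hex().upper()},
}


def ntpass_files(user: str):
    for line in SMBPASSWD_LINES:
        f = line.split(":")
        if len(f) >= 4 and f[0] == user:
            return bytes.fromhex(f[3])
    return None


def ntpass_ldap(user: str):
    entry = LDAP_ENTRIES.get(user)
    return bytes.fromhex(entry["sambaNTPassword"]) if entry else None


def ntpass_lookup(user: str, sources=("files", "ldap")):
    """nsswitch-style: the first backend that knows the user answers."""
    backends = {"files": ntpass_files, "ldap": ntpass_ldap}
    for src in sources:
        found = backends[src](user)
        if found is not None:
            return found
    return None


# NTLMv2 (MS-NLMP 3.3.2).  The client derives the proof from the password;
# the server derives the same proof from the stored NT hash alone.
def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def ntlmv2_response(password: str, user: str, domain: str,
                    server_challenge: bytes, client_challenge: bytes,
                    timestamp: int = 0) -> bytes:
    # temp = RespType, HiRespType, Z(6), Time, ClientChallenge, Z(4), AV_PAIRs (none), Z(4)
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 8)
    proof = hmac.new(ntowf_v2(nt_hash(password), user, domain),
                     server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(user: str, domain: str, server_challenge: bytes,
                  response: bytes) -> bool:
    """Server side: the stored NT hash is sufficient; no cleartext is needed."""
    stored = ntpass_lookup(user)
    if stored is None or len(response) < 16:
        return False
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored, user, domain),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)
```

The practical caveat this makes visible: because the server verifies with nothing but the NT hash, the hash is password-equivalent. Anyone who can read the smbpasswd file or the sambaNTPassword attribute can log on as that user without ever knowing the password, so whichever backend ends up behind the nsswitch method, the file has to stay root-only and the LDAP attribute has to be ACL-restricted to the server's bind identity and fetched only over TLS (or over a loopback replica, as Ian suggests further down the thread).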


Re: [OmniOS-discuss] LDAP external auth for CIFS service

2016-08-18 Thread Ian Kaufman
In all honesty, the native Solaris LDAP client sucks.

I would investigate installing an OpenLDAP client, or make the system an
OpenLDAP slave to your 389 DS, and have the local client talk to the local
OpenLDAP slave via loopback. That's how we were able to successfully set
things up on our Thors so that they could talk to our OpenLDAP servers.

Ian

On Thu, Aug 18, 2016 at 11:28 AM, Andries Annema <an3s.ann...@gmail.com>
wrote:

> *raises hand*
> Here's another one interested in this matter.
>
> Researched the possibilities about two years ago myself, but eventually
> gave
> up; it didn't seem to be possible.
> Would be awesome if it would be one day, though.
>
> Regards,
> Andries
>
>
> -Original Message-
> From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com] On
> Behalf Of Tobias Oetiker
> Sent: donderdag 18 augustus 2016 17:33
> To: Dan McDonald
> Cc: omnios-discuss
> Subject: Re: [OmniOS-discuss] LDAP external auth for CIFS service
>
> - On 18 Aug, 2016, at 17:15, Dan McDonald dan...@omniti.com wrote:
>
> >> On Aug 18, 2016, at 11:04 AM, Mick Burns <bmx1...@gmail.com> wrote:
> >>
> >> *bump*
> >> anyone ?
> >
> > I'm going to forward your note to someone I know who works on CIFS.  He's
> not on
> > this list.
>
> looking forward to the answer ... :) I have always used an AD for this but
> openldap would be so much cooler.
>
> cheers
> tobi
>



-- 
Ian Kaufman
Research Systems Administrator
UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu


Re: [OmniOS-discuss] LDAP external auth for CIFS service

2016-08-18 Thread Tobias Oetiker
- On 18 Aug, 2016, at 17:15, Dan McDonald dan...@omniti.com wrote:

>> On Aug 18, 2016, at 11:04 AM, Mick Burns  wrote:
>> 
>> *bump*
>> anyone ?
> 
> I'm going to forward your note to someone I know who works on CIFS.  He's not 
> on
> this list.

looking forward to the answer ... :) I have always used an AD for this but 
openldap would be so much cooler.

cheers
tobi


Re: [OmniOS-discuss] LDAP external auth for CIFS service

2016-08-18 Thread Dan McDonald

> On Aug 18, 2016, at 11:04 AM, Mick Burns  wrote:
> 
> *bump*
> anyone ?

I'm going to forward your note to someone I know who works on CIFS.  He's not 
on this list.

Stay tuned,
Dan



Re: [OmniOS-discuss] LDAP external auth for CIFS service

2016-08-18 Thread Mick Burns
*bump*
anyone ?

On Fri, Aug 12, 2016 at 4:58 PM, Mick Burns  wrote:
> Hello.
>
> I cannot get the CIFS service to use an external LDAP server for
> authentication to users connecting to smb-configured shares.
> Local LDAP authentication for OmniOS itself works fine for local login
> (console or ssh).
>
> Note that this setup is not using AD domain servers but standalone 389
> directory servers. So no AD auth / kerberos involved at all.
>
> Followed many examples but when monitoring packets on the LDAP server
> there is nothing coming from OmniOS when trying to bind to a share.
>
> i.e. : 
> https://docs.oracle.com/cd/E36784_01/html/E36832/configuredirbasedmapping.html
>
> Hoping for some kind of walk-through from a kind soul who got that all
> worked out.
>
> Thank you.
> Mick