Re: [Samba] basic LDAP authentication to Samba share from existing directory

2011-06-30 Thread Sean Boran
Hi,

Would it be thinkable that users change their password(s) via a web
interface, such as *phpldapadmin*?

The Windows tool LdapAdmin can change both passwords at once, but it's not
suitable for end users.
Newer versions of phpldapadmin do it too, but I've not yet checked to see
if the GUI is usable for end users.

Sean Boran


On 30 June 2011 15:50, Hoover, Tony hoo...@sal.ksu.edu wrote:

 We use pGINA (www.pgina.org) to authenticate Windows user logins via
 ldaps:// against the university directory.  Don't know if that will fit
 your model, but it works for us.


 --
 Tony Hoover, Network Administrator
 KSU - Salina, College of Technology and Aviation
 (785) 826-2660

 Don't Blend in...
 --

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 On Behalf Of Brent Busby
 Sent: Wednesday, June 29, 2011 4:59 PM
 To: samba@lists.samba.org
 Subject: [Samba] basic LDAP authentication to Samba share from existing
 directory

 We have an existing LDAP directory in which users have UNIX passwords that
 are used for a variety of different services.  We'd like to keep as close to
 having a single synchronized password service as possible, but we've run
 into an issue.

 There seem to be two ways of doing this, neither of which seems helpful:

 (1) ldapsam
 From looking at the Samba documentation that's available, it looks like
 there is no possibility of true password synchronization between NT
 passwords and UNIX.  (Please correct me if that's not so -- I'd really like
 to be wrong!)

 You set up the samba.schema on the LDAP server, which gives you the
 sambaNTPassword objectClass (among others), and that stores the clients'
 Windows password.  They still have regular UNIX password capability from the
 inetorgperson.schema.  These are two separate password fields, provided by
 two different schemas, both belonging to the same user's LDAP account.
 Basically, you've got two account systems in the same user's LDAP data,
 completely separate.  (Is all this true so far?)

 You use the ldapsam passdb backend to connect Samba to your LDAP server, and
 when a Windows machine wants to change its NT password, it can use that
 backend to do it.

 None of this seems to be helping get any closer to allowing Windows clients
 to authenticate off of the same password database as our UNIX services.
 There's a utility called smbldap-populate, but all this seems to do is go
 through an existing user database and give the users the new Samba object
 classes if they don't have them.  It doesn't really translate their UNIX
 passwords into NT passwords and fill them in, does it?


 (2) pam_unix
 On the other hand, there is a more apocryphal (and dangerous) way to do
 this, which does what we want, but is completely insecure:

 You can set up Samba to use pam_unix to authenticate, so that it is using
 the local UNIX security stack rather than its own ldapsam passdb, and then
 set up PAM to do LDAP auth at the UNIX level (the same way you would if you
 were setting the machine up to allow LDAP login for SSH or some other such
 UNIX service).

 The reason that's insecure is that since PAM doesn't know what to do with
 an encrypted NT password, it is necessary to set up both the Windows clients
 and the smb.conf on the Samba server for encrypted passwords = no, which then
 makes it so that even if you're doing secure LDAP over SSL/TLS, you're still
 screwed because your passwords get sent from the Windows clients in
 cleartext.  So you get:

 WINDOWS -> cleartext -> SAMBA -> ldap ssl/tls encrypted -> LDAP

 It's only encrypted for part of the trip, which isn't good enough at all.

 This method does however let you authenticate Windows clients directly off
 of an existing UNIX password database in LDAP, and works perfectly if you
 don't mind having passwords flying around in the clear on your LAN.


 Does anyone have any suggestions on this?  I've pored over literally reams
 of Samba and LDAP documentation in the past week or so, looking for an
 answer to this.  It hasn't helped that most of the documentation seems to be
 aimed at setting up Samba as a full scale NT Primary Domain Controller, with
 domain membership for machines and the whole nine yards.  Many of these
 documents are much more elaborate than is (hopefully!) necessary for just
 doing LDAP password auth, and it's not clear from reading them how much of
 what is being described is required for basic authentication, and how much
 is just the writer taking advantage of everything Samba can do in one
 configuration.  (Some of these howtos are thirty or forty pages long.)  Also,
 many of them presume that you're starting from scratch, and that you don't
 have any existing users, and you're free to implement an LDAP namespace from
 an empty tree.

 Is there any way to LDAP-authenticate Samba from an existing

Re: [Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)

2011-05-25 Thread Sean Boran
Hi,

@Gaiseric: Yes, I have option 2, the LDAP entries include UNIX account
details such as UID.
(I can, for example, log in via ssh with the ldap accounts, which shows that
the unix account details are ok and nss works.)
Samba is somehow not seeing ldap unix accounts though.
I've also now noticed that it is not seeing the group membership in ldap
either, although getent groups and id show the groups.

@Takahashi: Log level 10 is interesting. But coincidentally, after
enabling it, and a delay of one day, the logins are working fine, even if
the /etc/passwd entry is removed.

I'm going to have to do more tests, thanks for the tips though.

Sean

On 24 May 2011 18:15, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

 You still need a unix account to back the samba account; this can be
 done in several ways:
 - have a local unix acct in /etc/passwd
 - have the LDAP entry for your samba user also include your unix
   account info.
 - have winbind allocate unix uids and gids dynamically for samba
   accounts in your local domain.


 I use option 2: LDAP for both unix and samba authentication.  I initially
 used nis for unix and TBD for samba, then moved both to a consolidated LDAP
 backend.

 If you don't need LDAP auth for unix level logins, it may be sufficient to
 add uid and gid to the LDAP entry and skip the unix password field.

 I have not tried option 3.



 On 05/23/2011 05:47 PM, Sean Boran wrote:

 Hi,

 I migrated a PDC to use an ldap backend and am having fun with a few last
 issues.
 Existing user accounts and machine accounts were migrated, and existing
 users can authenticate.

 Now I've added some new users and none of them can authenticate.
 e.g. for the user inktec.

 The user can log in via SSH, but not mount a share:
 smbclient //server3/someshare mypassword -U inktec

 May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] passdb/pdb_get_set.c:211(pdb_get_group_sid)
 May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid: Failed to find Unix account for inktec
 May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  1] auth/auth_util.c:577(make_server_info_sam)
 May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb, but getpwnam() fails!
 May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] auth/auth_sam.c:355(check_sam_security)
 May 23 19:40:47 server3 smbd[7364]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

 Samba can see the users and groups.
 The following all find the user just fine:
 ldapsearch  -x  '(uid=inktec)'
 pdbedit -L -v inktec
 getent passwd inktec
 smbldap-usershow inktec

 id inktec
 uid=18664(inktec) gid=513(Domain Users) groups=513(Domain Users),203(buser)

 Users were added with the tool smbldap-useradd -a, and also with
 LdapAdmin...
 I also compared the ldap entries for users that work fine with the new
 users in LdapAdmin; they are basically the same.

 Perhaps related is that on a Windows XP client in the domain, if inktec
 is added to a user group such as Remote Desktop Users, Windows complains
 "Information returned for object picker for object inktec was incomplete."

 Then by chance I added the test user (inktec) to /etc/passwd (but not to
 shadow), just to see. It worked!
 It's like the passwd line in nsswitch.conf is being ignored?
 group:  compat ldap
 passwd: compat ldap
 shadow: compat ldap
 But then why did getent passwd inktec work, and why would SSH login
 work?

 Before ldap I would add users with both useradd and smbpasswd -a, but
 this should not be necessary with the ldap store?

 Thanks in advance,

 Sean


 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba

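The smbd message in the thread above, "User inktec in passdb, but getpwnam() fails!", says that the account was found on the passdb side (ldapsam selecting on sambaSamAccount) but not on the NSS side (nss_ldap selecting on posixAccount): one LDAP entry has to satisfy two different consumers. The Python below is an added example, not code from the thread or from Samba, that checks an LDIF dump for the attributes each side needs and for SID/gid consistency between a user and its primary group. The LDIF, the domain SID and the user names are constructed for the example; attribute names are lowercased in the output. It does not diagnose Sean's actual case (his entries passed getent), it shows the check a practitioner would run first.

```python
"""
Added example (not from the thread): check LDAP user entries for both
halves of a Samba-in-LDAP account, the posixAccount half that getpwnam()
needs and the sambaSamAccount half that ldapsam needs, plus SID sanity.
The LDIF and domain SID below are constructed for this example.
"""
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-111-222-333"        # assumed domain SID for the constructed data

# posixAccount is what nss_ldap's passwd filter selects on; the attributes listed
# are needed to build a struct passwd. sambaSamAccount is what ldapsam selects on.
REQUIRED = {
    "posixaccount": ("uid", "uidnumber", "gidnumber", "homedirectory"),
    "sambasamaccount": ("uid", "sambasid"),
}

SAMPLE_LDIF = """\
dn: uid=good,ou=Users,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: good
uidNumber: 10001
gidNumber: 513
homeDirectory: /home/good
sambaSID: S-1-5-21-111-222-333-21002
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513

dn: uid=noposix,ou=Users,dc=example,dc=com
objectClass: account
objectClass: sambaSamAccount
uid: noposix
uidNumber: 10002
gidNumber: 513
homeDirectory: /home/noposix
sambaSID: S-1-5-21-111-222-333-21004
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513

dn: uid=badgroup,ou=Users,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: badgroup
uidNumber: 10003
gidNumber: 513
homeDirectory: /home/badgroup
sambaSID: S-1-5-21-999-999-999-21006
sambaPrimaryGroupSID: S-1-5-21-111-222-333-1201

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-111-222-333-513
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attr(lowercased): [values]} dict per entry.
    Folded continuation lines are joined; '::' base64 values are kept encoded."""
    entries, current, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last is not None:
            current[last][-1] += raw[1:]              # RFC 2849 line folding
        elif not raw.strip():
            if current is not None:
                entries.append(dict(current))
            current, last = None, None
        elif raw.startswith("#"):
            continue
        else:
            attr, _, value = raw.partition(":")
            if current is None:
                current = defaultdict(list)
            last = attr.strip().lower()
            current[last].append(value.lstrip(": ").strip())
    if current is not None:
        entries.append(dict(current))
    return entries


def _classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def check_account(entry, group_gid_by_sid, domain_sid=DOMAIN_SID):
    """Return the reasons this entry would fail the NSS lookup, the passdb lookup,
    or the group-SID resolution smbd does after both (empty list = consistent)."""
    problems, classes = [], _classes(entry)
    for oc, attrs in REQUIRED.items():
        if oc not in classes:
            problems.append(f"missing objectClass {oc}")
        else:
            problems += [f"{oc} requires {a}" for a in attrs if a not in entry]
    sid = entry.get("sambasid", [""])[0]
    if sid and not sid.startswith(domain_sid + "-"):
        problems.append(f"sambaSID {sid} is outside domain {domain_sid}")
    pgsid = entry.get("sambaprimarygroupsid", [""])[0]
    gid = entry.get("gidnumber", [""])[0]
    if pgsid:
        mapped = group_gid_by_sid.get(pgsid)
        if mapped is None:
            problems.append(f"sambaPrimaryGroupSID {pgsid} has no sambaGroupMapping")
        elif mapped != gid:
            problems.append(f"sambaPrimaryGroupSID maps to gid {mapped}, gidNumber is {gid}")
    return problems


def check_ldif(text):
    """Map uid -> problems for every user entry in an LDIF dump."""
    entries = parse_ldif(text)
    group_gid_by_sid = {e["sambasid"][0]: e["gidnumber"][0]
                        for e in entries if "sambagroupmapping" in _classes(e)}
    return {e["uid"][0]: check_account(e, group_gid_by_sid)
            for e in entries
            if "uid" in e and _classes(e) & {"posixaccount", "sambasamaccount"}}


if __name__ == "__main__":
    # Real input: ldapsearch -x -LLL '(|(objectClass=sambaSamAccount)(objectClass=sambaGroupMapping))'
    for uid, problems in check_ldif(SAMPLE_LDIF).items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

On a live system the same two lookups are `getent passwd <user>` (NSS) and `pdbedit -L -v <user>` (passdb), both of which the thread already ran. If those succeed but a long-running smbd still reports NT_STATUS_NO_SUCH_USER, also check whether nscd is caching a negative passwd answer from before the entry existed (`nscd -i passwd` flushes it) before restarting smbd.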


[Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)

2011-05-23 Thread Sean Boran
Hi,

I migrated a PDC to use an ldap backend and am having fun with a few last
issues.
Existing user accounts and machine accounts were migrated, and existing
users can authenticate.

Now I've added some new users and none of them can authenticate.
e.g. for the user inktec.

The user can log in via SSH, but not mount a share:
smbclient //server3/someshare mypassword -U inktec

May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] passdb/pdb_get_set.c:211(pdb_get_group_sid)
May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid: Failed to find Unix account for inktec
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  1] auth/auth_util.c:577(make_server_info_sam)
May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb, but getpwnam() fails!
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] auth/auth_sam.c:355(check_sam_security)
May 23 19:40:47 server3 smbd[7364]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

Samba can see the users and groups.
The following all find the user just fine:
ldapsearch  -x  '(uid=inktec)'
pdbedit -L -v inktec
getent passwd inktec
smbldap-usershow inktec

id inktec
uid=18664(inktec) gid=513(Domain Users) groups=513(Domain Users),203(buser)

Users were added with the tool smbldap-useradd -a, and also with
LdapAdmin...
I also compared the ldap entries for users that work fine with the new users
in LdapAdmin; they are basically the same.

Perhaps related is that on a Windows XP client in the domain, if inktec is
added to a user group such as Remote Desktop Users, Windows complains
"Information returned for object picker for object inktec was incomplete."

Then by chance I added the test user (inktec) to /etc/passwd (but not to
shadow), just to see. It worked!
It's like the passwd line in nsswitch.conf is being ignored?
group:  compat ldap
passwd: compat ldap
shadow: compat ldap
But then why did getent passwd inktec work, and why would SSH login work?

Before ldap I would add users with both useradd and smbpasswd -a, but
this should not be necessary with the ldap store?

Thanks in advance,

Sean