Re: [Samba] Samba as a PDC with LDAP and Kerberos
Basically a Windows client can't authenticate against a Kerberos server *and* get user information out of LDAP without using AD. You can authenticate against Kerberos and have local user accounts, or you can have user accounts in LDAP and use some other authentication mechanism. The way I'm doing it is storing users' Windows passwords in LDAP as sambaNTPassword and storing *nix/OS X passwords in Kerberos. To get around having different passwords for the different architectures you can write a script that will be the change password script in Samba and a replacement for passwd under *nix. This script would add/change the password in both LDAP and Kerberos, keeping them synced. FM is referring to such a perl script using Authen::Krb5, Crypt::SmbHash, and Net::LDAP.

The Kerberos options you see in Samba are only for having Samba authenticate against an AD server. There are some things in the works for going the other way if you're using Heimdal (see the archive), but I have no experience with Heimdal or this solution.

On Mon, 2005-06-06 at 10:03 -0700, Jeff Block wrote:
> I'm a little confused on one section here... Where are your passwords being stored? Kerberos? If so, how does Samba look there? What is the significance of the {SASL}USER@REALM in LDAP? Is there another password store that you are syncing with krb? Sorry for my ignorance here, but after hours and hours of trying different things, I'm unable to use my Kerberos backend with Samba. Thanks in advance.
>
> FM wrote:
>> Hello,
>>
>> My setup: Windows stations, SAMBA3 + OPENLDAP 2.2.x + KERBEROS (MIT). All users (posix and ldap) are in OpenLDAP. All my ldap passwords are: {SASL}USER@REALM
>>
>> I use saslauthd so I can connect to ldap using simple bind with the password in KERBEROS. This password CANNOT be changed (denied by the slapd.access.conf file). Samba cannot use MIT Kerberos for the password, so my little trick: I created a perl script using Authen::Krb5::Admin that uses a keytab for authentication: krb5_update_pwd.pl
>>
>> In the smb.conf:
>>
>>   ldap passwd sync = No
>>   unix password sync = Yes
>>   passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
>>   %n\n *passwd:*all*authentication*tokens*updated*successfully*
>>   passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
>>
>> So when Windows users change their password (from the change password option in Windows), SAMBA calls /krb5_update_pwd.pl, which also updates the KERBEROS password. Linux users just have to use:
>>
>>   smbpasswd -r PDC_SERVER
>>
>> That command updates the SAMBA password and again it calls /krb5_update_pwd.pl to sync the Kerberos password. I know there are some shortcomings (password policies for example). But it's the closest I get :-)
>>
>> Hope this can help :-)
>>
>> Ti Leggett wrote:
>>> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP backend and use pam_smbpass to keep the passwords synced between the Kerberos side and the Samba side? That way the Windows clients join the domain using only the LDAP information, not knowing about the Kerberos side of things? I just removed the Kerberos information from my Windows client and tried only using, as far as I can tell, the LDAP information, and the client still comes back saying the user name is unknown.
>>>
>>> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
>>>> Ok, so I'm just trying to figure out my options here. I can:
>>>>
>>>> - Use local accounts and local passwords
>>>> - Use Kerberos for authentication, but only with local user accounts
>>>> - Use a Samba PDC with an LDAP backend for accounts and passwords if and only if the Windows clients are not bound to a Kerberos realm
>>>>
>>>> Is this correct?
>>>>
>>>> In the third case, let's say I have a way to sync Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then? Or what am I missing? I know I can't create an AD domain, but I'm not trying to. AD is a combination of a lot more than just Kerberos and LDAP. I'm curious how Apple does what seems to be just this with their OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and Samba 3.0 (at least they claim it's only this).
>>>>
>>>> On Fri, 2005-04-22 at 18:52 -0500, Franco Sensei wrote:
>>>>> Ti Leggett wrote:
>>>>>> I've been searching and researching this and I can't seem to find the answers I'm looking for. I'd like to set up a Samba PDC that Windows clients will join. The PDC will use an LDAP backend to get authorization information (username, home directory, etc). The authentication portion is handled by an MIT Kerberos KDC. I think I'm real close to having it all together but I'm not sure. I have the Windows client set up to point at my KDC so authentication *should* be coming from there once the authorization portion is going.
>>>>>
>>>>> Hehehe, it's been a year trying to do that... but no way! I'm sorry to tell you, but what you want is a replacement of AD... in no way will Windows know about LDAP and MIT without an AD domain.
>>>>>
>>>>>> So first question
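The sync script Ti Leggett and FM describe above has two halves: update the Kerberos principal (FM does that with Authen::Krb5::Admin and a keytab) and rewrite the hash Samba reads from sambaNTPassword. The block below is an added example written for this page, in Python rather than perl, and is not the thread's krb5_update_pwd.pl. It shows the LDAP half: the sambaNTPassword value is MD4 over the UTF-16LE encoding of the password (the same value Crypt::SmbHash computes), written as 32 uppercase hex digits, and the script emits the LDIF modify that a sync script would apply. MD4 is implemented inline because hashlib's md4 is disabled in many OpenSSL 3 builds. The dn, password and timestamp in the usage are constructed sample values; the Kerberos half is not shown.

```python
"""LDAP half of a Samba/Kerberos password-sync script (added example)."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python, so it runs where OpenSSL has md4 disabled."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & _MASK & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        # Each step updates registers in the order A, D, C, B; j picks the one.
        for i in range(16):                      # round 1: F, words in order
            j = (-i) % 4
            r[j] = _rotl(r[j] + f(r[j - 3], r[j - 2], r[j - 1]) + x[i],
                         (3, 7, 11, 19)[i % 4])
        for i in range(16):                      # round 2: G, words 0,4,8,12,1,5,...
            j = (-i) % 4
            k = (i % 4) * 4 + i // 4
            r[j] = _rotl(r[j] + g(r[j - 3], r[j - 2], r[j - 1]) + x[k] + 0x5A827999,
                         (3, 5, 9, 13)[i % 4])
        for i in range(16):                      # round 3: H, words 0,8,4,12,2,10,...
            j = (-i) % 4
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            r[j] = _rotl(r[j] + h(r[j - 3], r[j - 2], r[j - 1]) + x[k] + 0x6ED9EBA1,
                         (3, 9, 11, 15)[i % 4])
        state = [(s + t) & _MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The sambaNTPassword value: MD4(UTF-16LE(password)) as uppercase hex."""
    return md4(password.encode("utf-16le")).hex().upper()


def ldif_password_change(dn: str, password: str, now: int) -> str:
    """LDIF 'modify' that replaces sambaNTPassword and stamps sambaPwdLastSet.

    sambaLMPassword is deliberately not written: the LM hash is far weaker
    and is not needed once lanman auth = no in smb.conf.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "-",
        "replace: sambaPwdLastSet",
        f"sambaPwdLastSet: {now}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: the user dn from the original post and a throwaway
    # password; a real sync script reads the new password from Samba's
    # passwd chat on stdin, never from argv.
    print(ldif_password_change("uid=leggett,ou=People,dc=example,dc=com",
                               "password", 1117998780))
```

Feed the output to ldapmodify bound as the ldap admin dn (or, in FM's setup, through a keytab-backed SASL bind), and apply the Kerberos change in the same run so the two stores never drift. The script necessarily holds the cleartext long enough to hash it, so run it only as the root-invoked passwd program, and keep it out of any log.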
Re: [Samba] Samba as a PDC with LDAP and Kerberos
I'm not aware of a way to authenticate via SASL in Samba.

On Mon, 2005-06-06 at 18:38 -0700, Jeff Block wrote:
> I've seen some people using the ldap password set as {SASL}USER@REALM. Is there a way to have Samba use SASL for authentication? Currently, my Kerberos db is synchronizing with SASL, so if I can get Samba and my Windows clients to authenticate using SASL, then I don't need to keep password hashes in LDAP. Is this possible? Thanks.
>
> On 6/6/05 6:13 PM, Ti Leggett [EMAIL PROTECTED] wrote:
>> Basically a Windows client can't authenticate against a Kerberos server *and* get user information out of LDAP without using AD. You can authenticate against Kerberos and have local user accounts, or you can have user accounts in LDAP and use some other authentication mechanism. The way I'm doing it is storing users' Windows passwords in LDAP as sambaNTPassword and storing *nix/OS X passwords in Kerberos. To get around having different passwords for the different architectures you can write a script that will be the change password script in Samba and a replacement for passwd under *nix. This script would add/change the password in both LDAP and Kerberos, keeping them synced. FM is referring to such a perl script using Authen::Krb5, Crypt::SmbHash, and Net::LDAP.
>>
>> The Kerberos options you see in Samba are only for having Samba authenticate against an AD server. There are some things in the works for going the other way if you're using Heimdal (see the archive), but I have no experience with Heimdal or this solution.
>>
>> On Mon, 2005-06-06 at 10:03 -0700, Jeff Block wrote:
>>> I'm a little confused on one section here... Where are your passwords being stored? Kerberos? If so, how does Samba look there? What is the significance of the {SASL}USER@REALM in LDAP? Is there another password store that you are syncing with krb? Sorry for my ignorance here, but after hours and hours of trying different things, I'm unable to use my Kerberos backend with Samba. Thanks in advance.
>>>
>>> FM wrote:
>>>> Hello,
>>>>
>>>> My setup: Windows stations, SAMBA3 + OPENLDAP 2.2.x + KERBEROS (MIT). All users (posix and ldap) are in OpenLDAP. All my ldap passwords are: {SASL}USER@REALM
>>>>
>>>> I use saslauthd so I can connect to ldap using simple bind with the password in KERBEROS. This password CANNOT be changed (denied by the slapd.access.conf file). Samba cannot use MIT Kerberos for the password, so my little trick: I created a perl script using Authen::Krb5::Admin that uses a keytab for authentication: krb5_update_pwd.pl
>>>>
>>>> In the smb.conf:
>>>>
>>>>   ldap passwd sync = No
>>>>   unix password sync = Yes
>>>>   passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
>>>>   %n\n *passwd:*all*authentication*tokens*updated*successfully*
>>>>   passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
>>>>
>>>> So when Windows users change their password (from the change password option in Windows), SAMBA calls /krb5_update_pwd.pl, which also updates the KERBEROS password. Linux users just have to use:
>>>>
>>>>   smbpasswd -r PDC_SERVER
>>>>
>>>> That command updates the SAMBA password and again it calls /krb5_update_pwd.pl to sync the Kerberos password. I know there are some shortcomings (password policies for example). But it's the closest I get :-)
>>>>
>>>> Hope this can help :-)
>>>>
>>>> Ti Leggett wrote:
>>>>> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP backend and use pam_smbpass to keep the passwords synced between the Kerberos side and the Samba side? That way the Windows clients join the domain using only the LDAP information, not knowing about the Kerberos side of things? I just removed the Kerberos information from my Windows client and tried only using, as far as I can tell, the LDAP information, and the client still comes back saying the user name is unknown.
>>>>>
>>>>> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
>>>>>> Ok, so I'm just trying to figure out my options here. I can:
>>>>>>
>>>>>> - Use local accounts and local passwords
>>>>>> - Use Kerberos for authentication, but only with local user accounts
>>>>>> - Use a Samba PDC with an LDAP backend for accounts and passwords if and only if the Windows clients are not bound to a Kerberos realm
>>>>>>
>>>>>> Is this correct?
>>>>>>
>>>>>> In the third case, let's say I have a way to sync Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then? Or what am I missing? I know I can't create an AD domain, but I'm not trying to. AD is a combination of a lot more than just Kerberos and LDAP. I'm curious how Apple does what seems to be just this with their OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and Samba 3.0 (at least they claim it's only this).
>>>>>>
>>>>>> On Fri, 2005-04-22 at 18:52 -0500, Franco Sensei wrote:
>>>>>>> Ti Leggett wrote:
>>>>>>>> I've been searching and researching this and I can't seem to find the answers I'm looking for. I'd like to set up a Samba PDC
Re: [Samba] Samba as a PDC with LDAP and Kerberos
Why would the add machine script fail? Here's a quick overview of my setup:

- All Kerberos authenticated admin users (user/admin) have write access to the entire directory
- The Samba admin user has write access to the relevant Samba branches
- All Kerberos authenticated non-admin users have read access to non-sensitive portions of the directory

There are three users that could be involved in this process:

leggett: A normal user (inetOrgPerson, posixUser, sambaSamAccount) who is a Domain Admin. Does not have write access to the directory. Password stored in Kerberos, sambaNTPassword stored in LDAP.

samba_server: An LDAP user (person, uidObject) who has write access to the directory. Password stored in LDAP. sambaNTPassword not in LDAP as the user isn't a sambaSamAccount.

root: A local unix user who has an entry in LDAP (person, sambaSamAccount). Does not have write access to the directory. Password is kept locally, sambaNTPassword kept in LDAP. Password and sambaNTPassword are not the same.

So let me make sure I have all this straight on how it all works. leggett, a Domain Admin, uses the SeMachineAccountPrivilege to add the machine to the Samba domain. In this process smbd queries LDAP as samba_server to see if the machine account is already created. If it's not, smbd changes to root and calls the script in the add machine script directive. That script should be responsible for changing to a user or gaining Kerberos credentials to write to the directory. Is that about right?

On Mon, 2005-05-30 at 21:05 -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ti Leggett wrote:
>> So, here's my new question (I'm full of em): Are LDAP actions done as the Samba ldap admin dn or the user doing the action? It appears the latter is the case.
>
> All LDAP actions from smbd are done as the ldap admin dn, but the add machine script should be called under root if the user has the SeMachineAccountPrivilege.
>
> cheers, jerry
> =====
> Alleviating the pain of Windows(tm) --- http://www.samba.org
> GnuPG Key --- http://www.plainjoe.org/gpg_public.asc
> I never saved anything for the swim back. Ethan Hawk in Gattaca
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCm8ZvIR7qMdg1EfYRAi/zAJ9h6Bzhz5algsAA6hB4O+vyl+sP3gCgu4hP
> wxOm2UkvC6BXHCpwwtmcxNk=
> =AFm2
> -----END PGP SIGNATURE-----

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba3 and kerberos authentication of users
The "with Kerberos" option is only to allow Samba to authenticate to a Microsoft Active Directory Kerberos server. You basically have two options: keep using smbpasswd files or store the passwords in an LDAP directory. It seems the recommended method by the Samba team is to use LDAP. However, you can use the pam_smbpass module to keep smbpasswd files updated with whatever other password methods you might use. pam_smbpass does not work with LDAP-stored passwords to my knowledge.

On Thu, 2005-05-26 at 10:05 +0200, David Komanek wrote:
> Hi all,
>
> this is probably VFAQ, but I never found a working solution. I have a standalone Samba server running Samba ver. 3. In the network, we have Heimdal Kerberos used to authenticate users for pop3, imap, web-based applications etc. Now I would like to make Samba communicate with the Kerberos KDC so there will no longer be users in smbpasswd with separate passwords outside of Kerberos.
>
> I already compiled Samba with the --with-krb5 configure switch and have the following options in smb.conf:
>
>   client use spnego = yes
>   realm = KERBEROS.REALM.NAME
>   use kerberos keytab = yes
>
> While it is Heimdal's Kerberos implementation, I added
>
>   default_keytab_name = FILE:/etc/krb5.keytab
>
> to the [libdefaults] section of /etc/krb5.conf as I saw somewhere. But this is still not working for me.
>
> Debug on the client side:
>
> $ smbclient -d3 -U komanek //127.0.0.1/homes
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file /usr/local/lib/smb.conf
> Processing section [global]
> added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> added interface ip=a.b.c.d bcast=a.b.c.255 nmask=255.255.255.0
> Client started (version 3.0.14a).
> Connecting to 127.0.0.1 at port 445
> Password:
> Doing spnego session setup (blob length=58)
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=NONE
> Got challenge flags:
> Got NTLMSSP neg_flags=0x608a0215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60080215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60080215
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> Using the -k switch in smbclient disables the password prompt, but in other aspects it has the same behavior, regardless of whether I have a valid Kerberos ticket or not.
>
> Debug on the server side:
>
> [2005/05/26 09:50:15, 4] lib/username.c:map_username(132)
>   Scanning username map /usr/local/etc/samba/smbusers
> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info_map(224)
>   make_user_info_map: Mapping user [XXX.NATUR.CUNI.CZ]\[komanek] from workstation [XXX]
> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(132)
>   attempting to make a user_info for komanek (komanek)
> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(142)
>   making strings for komanek's user_info struct
> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(184)
>   making blobs for komanek's user_info struct
> [2005/05/26 09:50:15, 10] auth/auth_util.c:make_user_info(200)
>   made an encrypted user_info for komanek (komanek)
> [2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(219)
>   check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
> [2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(222)
>   check_ntlm_password: mapped user is: [EMAIL PROTECTED]
> [2005/05/26 09:50:15, 10] auth/auth.c:check_ntlm_password(231)
>
> What should I do to make the Kerberos authentication in Samba work?
>
> Thanks in advance,
>
> David Komanek
Re: [Samba] Samba as a PDC with LDAP and Kerberos
Okee dokee. I've gotten somewhere. So samba 3.0.11 didn't seem to quite handle privileges all the way. I upgraded to 3.0.14 and everything is now peachy happy with one small exception. Before I get to the problem, here's what did work:

  net -S localhost -Uleggett rpc rights grant "CI\Domain Admins" \
    SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
    SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

I gave the user's password stored in LDAP and it succeeded. Next I went to join the machine to the domain. Here's where the problem happened. I was under the impression that all LDAP activity was done as the user listed in the ldap admin dn. However, when I went to join the machine, let's call it WORKSTATION, it prompted for a domain admin user and password, so I put in leggett's. It tried, but failed (with a new error). So I looked in the LDAP server's log and, lo and behold, it was trying to run the add machine script as user leggett (who doesn't have permission to write to the directory). So I hand-added the machine to the directory and then tried the join again and it worked beautifully.

So, here's my new question (I'm full of em): Are LDAP actions done as the Samba ldap admin dn or the user doing the action? It appears the latter is the case.

On Mon, 2005-05-09 at 10:29 -0500, Ti Leggett wrote:
> Unfortunately this still doesn't work. As a note, I thought about this and had added the root account to the Domain Admins group.
>
> On Fri, 2005-05-06 at 17:30 -0400, Josh Kelley wrote:
>> Ti Leggett wrote:
>>> However the following fails:
>>>
>>>   net -S localhost rpc rights grant "CI\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>>>
>>> Reading through the logs, everything appears to be fine until it goes to assign privileges. Here's a snip from the logs (log level = 10):
>>>
>>> <snip>
>>> [2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
>>>   status: NT_STATUS_ACCESS_DENIED
>>>
>>> The LDAP logs show everything successful and there's no MODs trying to occur.
>>
>> Try doing the net rpc rights grant as a domain admin (-U username) instead of as root. The Samba HOWTO states, "You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned to an account. This capability is inherent to the Domain Admins group and is not configurable." Granting rights as root doesn't seem to work. (At least, it doesn't for me.) I don't know if that's intentional or not; the HOWTO also states, "Access as the root user (UID=0) bypasses all privilege checks," which seems to contradict the previous statement and seems to imply that not working for root is a bug.
>>
>> Josh Kelley
Re: [Samba] What is good about kereberos auth?
There are two main benefits to Kerberos authentication. The first is that in a true Kerberos environment, no password is ever sent across the wire. The second is that you get the holy grail of single sign-on. Your LDAP PDC should be able to make use of Kerberos, though not in the true sense. There is Kerberos support in Samba, but as I understand it, it's only for interacting with a Microsoft AD server and not others. What will happen is authentication requests will come to the PDC, which will then use the underlying mechanism (a.k.a. PAM) to authenticate a user. This is how I understand it and I'll defer to those more knowledgeable on the list if I'm wrong.

On Mon, 2005-05-02 at 09:51 -0700, Jim C. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Just curious, but what is so great about Kerberos authentication? Would my LDAP PDC arrangement benefit?
>
> Jim C.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCdlqCB4AhF6wVFMERAvA2AJ9ZLZlQp8cWSHWdJRu7C3ZZO9+9KwCgmZKT
> /2QLrrhjgisoJerB0RrOpmw=
> =SnGr
> -----END PGP SIGNATURE-----
Re: [Samba] Samba as a PDC with LDAP and Kerberos
So I'm still doing something wrong. I now have a root sambaSamAccount in my directory with the PrimaryGroupSID of the Domain Admins SID. The ldap admin dn can write to the directory. From my PDC I can do the following successfully:

  net -S localhost rpc join        (Success)
  smbpasswd -a -w pdc              (Success, and pdc$ added to the LDAP machine group with password)

However the following fails:

  net -S localhost rpc rights grant "CI\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

Reading through the logs, everything appears to be fine until it goes to assign privileges. Here's a snip from the logs (log level = 10):

[2005/05/02 12:09:43, 7] rpc_parse/parse_prs.c:prs_debug(82)
  000152 smb_io_unistr2 string
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_uint32(642)
  0154 uni_max_len: 0019
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_uint32(642)
  0158 offset :
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_uint32(642)
  015c uni_str_len: 0019
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:dbg_rw_punival(814)
  0160 buffer : S.e.R.e.m.o.t.e.S.h.u.t.d.o.w.n.P.r.i.v.i.l.e.g.e.
[2005/05/02 12:09:43, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0]
  [000] 00 00 00 00 03 00 00 00 00 00 00 00 D7 5E 76 42 .^vB
  [010] 3E 31 00 00 1..
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_debug(82)
  00 lsa_io_r_add_acct_rights
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
  status: NT_STATUS_ACCESS_DENIED

The LDAP logs show everything successful and there's no MODs trying to occur.

Below is my smb.conf:

[global]
  security = user
  log level = 10
  log file = /var/log/samba/samba.log
  workgroup = CI
  netbios name = PDC
  server string = Primary Domain Controller
  private dir = /var/lib/samba/private
  passdb backend = ldapsam:ldap://ldap.example.com
  domain logons = Yes
  os level = 33
  preferred master = Yes
  domain master = Yes
  enable privileges = Yes
  hosts allow = none
  ldap admin dn = uid=samba_server,ou=people,o=ci,dc=example,dc=com
  ldap group suffix = ou=group
  ldap machine suffix = ou=hosts,ou=samba
  ldap suffix = o=ci,dc=uchicago,dc=edu
  ldap ssl = start tls
  ldap user suffix = ou=people

[netlogon]
  path = /var/lib/samba/netlogon
  browseable = No

[profiles]
  path = /var/lib/samba/profiles
  read only = No
  create mask = 0600
  directory mask = 0700

On Wed, 2005-04-27 at 15:07 -0400, Josh Kelley wrote:
> [EMAIL PROTECTED] wrote:
>> So I think I have the steps needed to get this all working, but I think I have a chicken/egg problem now.
>>
>> <snip>
>>
>> So, is there a way to get it to a point where a normal user in the Domain Admins group can join machines and add Samba accounts, etc. without requiring a uid 0 user to be in LDAP?
>
> The sambaSamAccount entry for root needs to be in the LDAP directory, but the rest of the account doesn't. We have an entry for the root account in our LDAP directory that only has the following non-Samba attributes defined:
>
>   dn: uid=root,dc=jbc,dc=edu
>   objectClass: account
>   objectClass: sambaSamAccount
>   uid: root
>   displayName: root
>   cn: root
>
> Although this technically means that there is a uid 0 user in LDAP, it's only a uid 0 user as far as Samba is concerned; Linux/Unix won't recognize the LDAP portion of the root account as being a valid user. From what I've read, this setup won't work if you set ldapsam:trusted = yes in smb.conf, but it will work long enough to assign privileges; then set ldapsam:trusted.
>
>> Also, what pieces are really needed to join a machine to the Samba domain? And what and who needs to be able to read/write LDAP for this to happen?
>>
>> Pieces I've identified so far. Things starting with '?' I'm not sure about.
>>
>> - Domain Users, Domain Admins, and Domain Guests groups exist with valid sambaSIDs (posixGroup and sambaGroupMapping)
>> - Domain Admins group has the SeMachineAccountPrivilege privilege
>
> Correct.
>
>> - a sambaDomainName object with a valid sambaSID
>
> It's a sambaDomain object, not a sambaDomainName object. I'm pretty sure that Samba will create this for you if it doesn't exist.
>
>> - a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID, whose SID is in the Domain Admins sambaSIDList
>
> Correct.
>
>> ? A machine user (posixAccount sambaSamAccount) with a valid uid and sambaSID and whose parent LDAP tree is listed as a passwd search path for NSS
>
> Generally unnecessary. Although you can create it yourself, it's easier to set up an add machine script (such as that provided by the Idealx smbldap-tools, if you're using
Re: [Samba] Samba as a PDC with LDAP and Kerberos
Ok, so I'm just trying to figure out my options here. I can:

- Use local accounts and local passwords
- Use Kerberos for authentication, but only with local user accounts
- Use a Samba PDC with an LDAP backend for accounts and passwords if and only if the Windows clients are not bound to a Kerberos realm

Is this correct?

In the third case, let's say I have a way to sync Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then? Or what am I missing? I know I can't create an AD domain, but I'm not trying to. AD is a combination of a lot more than just Kerberos and LDAP. I'm curious how Apple does what seems to be just this with their OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and Samba 3.0 (at least they claim it's only this).

On Fri, 2005-04-22 at 18:52 -0500, Franco Sensei wrote:
> Ti Leggett wrote:
>> I've been searching and researching this and I can't seem to find the answers I'm looking for. I'd like to set up a Samba PDC that Windows clients will join. The PDC will use an LDAP backend to get authorization information (username, home directory, etc). The authentication portion is handled by an MIT Kerberos KDC. I think I'm real close to having it all together but I'm not sure. I have the Windows client set up to point at my KDC so authentication *should* be coming from there once the authorization portion is going.
>
> Hehehe, it's been a year trying to do that... but no way! I'm sorry to tell you, but what you want is a replacement of AD... in no way will Windows know about LDAP and MIT without an AD domain.
>
>> So first question is, are sambaLMPassword and sambaNTPassword still needed in LDAP for each user? Here's the output from ksetup /dumpstate:
>>
>>   Machine is not configured to log on to an external KDC. Probably a workgroup member
>>   EXAMPLE.COM:
>>       kdc = kdc1 server
>>       kdc = kdc2 server
>>       kpasswd = kpasswd server
>>       Realm Flags = 0x0 none
>>   No user mappings defined.
>
> Users must be somewhere to get HKEY_LOCAL* to work... and they should be local users (the MIT-KDC authentication works this way).
>
>> Second, here's what I have in LDAP so far:
>>
>> [...]
>>
>> I've done a smbpasswd -w hidden samba_server password. I can do a net getlocalsid and it will get the correct SID out of LDAP.
>
> Correct.
>
>> However, when I try to join my Windows client to the EXAMPLE.COM domain, I can see the ldap queries happening, but the Windows client reports an invalid username.
>
> Yes. Active Directory is not there... and it wants AD. In no way can you fake AD, even though it's Kerberos, LDAP and SMB + natural flavours...
Re: [Samba] Samba as a PDC with LDAP and Kerberos
Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP backend and use pam_smbpass to keep the passwords synced between the Kerberos side and the Samba side? That way the Windows clients join the domain using only the LDAP information, not knowing about the Kerberos side of things? I just removed the Kerberos information from my Windows client and tried only using, as far as I can tell, the LDAP information, and the client still comes back saying the user name is unknown.

On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
> Ok, so I'm just trying to figure out my options here. I can:
>
> - Use local accounts and local passwords
> - Use Kerberos for authentication, but only with local user accounts
> - Use a Samba PDC with an LDAP backend for accounts and passwords if and only if the Windows clients are not bound to a Kerberos realm
>
> Is this correct?
>
> In the third case, let's say I have a way to sync Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then? Or what am I missing? I know I can't create an AD domain, but I'm not trying to. AD is a combination of a lot more than just Kerberos and LDAP. I'm curious how Apple does what seems to be just this with their OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and Samba 3.0 (at least they claim it's only this).
>
> On Fri, 2005-04-22 at 18:52 -0500, Franco Sensei wrote:
>> Ti Leggett wrote:
>>> I've been searching and researching this and I can't seem to find the answers I'm looking for. I'd like to set up a Samba PDC that Windows clients will join. The PDC will use an LDAP backend to get authorization information (username, home directory, etc). The authentication portion is handled by an MIT Kerberos KDC. I think I'm real close to having it all together but I'm not sure. I have the Windows client set up to point at my KDC so authentication *should* be coming from there once the authorization portion is going.
>>
>> Hehehe, it's been a year trying to do that... but no way! I'm sorry to tell you, but what you want is a replacement of AD... in no way will Windows know about LDAP and MIT without an AD domain.
>>
>>> So first question is, are sambaLMPassword and sambaNTPassword still needed in LDAP for each user? Here's the output from ksetup /dumpstate:
>>>
>>>   Machine is not configured to log on to an external KDC. Probably a workgroup member
>>>   EXAMPLE.COM:
>>>       kdc = kdc1 server
>>>       kdc = kdc2 server
>>>       kpasswd = kpasswd server
>>>       Realm Flags = 0x0 none
>>>   No user mappings defined.
>>
>> Users must be somewhere to get HKEY_LOCAL* to work... and they should be local users (the MIT-KDC authentication works this way).
>>
>>> Second, here's what I have in LDAP so far:
>>>
>>> [...]
>>>
>>> I've done a smbpasswd -w hidden samba_server password. I can do a net getlocalsid and it will get the correct SID out of LDAP.
>>
>> Correct.
>>
>>> However, when I try to join my Windows client to the EXAMPLE.COM domain, I can see the ldap queries happening, but the Windows client reports an invalid username.
>>
>> Yes. Active Directory is not there... and it wants AD. In no way can you fake AD, even though it's Kerberos, LDAP and SMB + natural flavours...
[Samba] Samba as a PDC with LDAP and Kerberos
I've been searching and researching this and I can't seem to find the answers I'm looking for. I'd like to set up a Samba PDC that Windows clients will join. The PDC will use an LDAP backend to get authorization information (username, home directory, etc). The authentication portion is handled by an MIT Kerberos KDC. I think I'm real close to having it all together but I'm not sure. I have the Windows client set up to point at my KDC so authentication *should* be coming from there once the authorization portion is going.

So first question is, are sambaLMPassword and sambaNTPassword still needed in LDAP for each user? Here's the output from ksetup /dumpstate:

  Machine is not configured to log on to an external KDC. Probably a workgroup member
  EXAMPLE.COM:
      kdc = kdc1 server
      kdc = kdc2 server
      kpasswd = kpasswd server
      Realm Flags = 0x0 none
  No user mappings defined.

Second, here's what I have in LDAP so far:

dn: ou=Samba,dc=example,dc=com
objectClass: organizationalUnit
ou: Samba

dn: sambaDomainName=EXAMPLE.COM,ou=Samba,dc=example,dc=com
objectClass: top
objectClass: sambaDomain
sambaSID: S-1-5-21-2230234512-1629394365-1821015051
sambaDomainName: EXAMPLE.COM

dn: uid=samba_server,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: uidObject
sn: samba_server
cn: samba_server
userPassword: hidden
uid: samba_server

dn: cn=Domain Admins,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 1011
memberUid: leggett
sambaGroupType: 2
description: Windows Domain Administrators
sambaSIDList: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-512

dn: cn=Domain Users,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 1012
sambaGroupType: 2
description: Windows Domain Users
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-513

dn: cn=Domain Guests,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 1013
sambaGroupType: 2
description: Windows Domain Guests
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-514

dn: uid=leggett,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: Ti Leggett
givenName: Ti
sn: Leggett
mail: [EMAIL PROTECTED]
uid: leggett
uidNumber: 1001
homeDirectory: /home/leggett
loginShell: /bin/bash
gidNumber: 1000
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaLMPassword: hidden
sambaNTPassword: hidden
sambaAcctFlags: [U ]
sambaPrimaryGroupSID: S-1-5-21-2230234512-1629394365-1821015051-512

I've done a smbpasswd -w hidden samba_server password. I can do a net getlocalsid and it will get the correct SID out of LDAP. However, when I try to join my Windows client to the EXAMPLE.COM domain, I can see the ldap queries happening, but the Windows client reports an invalid username.

Not sure if these are related questions or not, but what are the sambaAcctFlags values and meanings? And, is it necessary to have an ldap entry of uid=WINDOWSCLIENT$,ou=people,dc=example,dc=com?

And lastly, here are the relevant sections from my smb.conf:

[global]
  workgroup = EXAMPLE.COM
  realm = EXAMPLE.COM
  password server = kpasswd server
  netbios name = CI-PDC
  server string = Example Primary Domain Controller
  passdb backend = ldapsam:ldap://ldap server
  domain logons = Yes
  os level = 33
  preferred master = Yes
  domain master = Yes
  ldap admin dn = uid=samba_server,ou=people,dc=example,dc=com
  ldap group suffix = ou=group
  ldap machine suffix = ou=hosts
  ldap suffix = dc=example,dc=com
  ldap ssl = start tls
  ldap user suffix = ou=people
  admin users = leggett

I can send logs from the LDAP server if they might be helpful. Thanks ahead of time!
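The original post asks what the sambaAcctFlags letters mean and whether the directory above is complete enough for a domain join. As an added example, not code from the post or from Samba, here is a small Python checker over LDIF of the shape posted: it confirms there is exactly one sambaDomain object, that Domain Admins/Users/Guests carry the well-known RIDs 512/513/514 under the domain SID, that every sambaSamAccount's sambaSID is under that SID, that machine accounts (uid ending in $) carry the W flag, and it decodes sambaAcctFlags using the letter meanings from Samba's passdb code. The embedded LDIF is constructed from the post's entries (the domain SID is the one the post shows) with two deliberate faults so the checker has something to report; the parser handles only the plain attr: value form those entries use.

```python
"""Sanity-check the LDAP objects a Samba 3 PDC needs (added example)."""
from typing import Dict, List

# Meaning of each sambaAcctFlags letter, as decoded by Samba's passdb code.
ACCT_FLAGS = {
    "U": "normal user account",
    "W": "workstation trust account",
    "S": "server trust account",
    "I": "inter-domain trust account",
    "D": "account disabled",
    "N": "no password required",
    "X": "password does not expire",
    "L": "auto-locked",
    "H": "home directory required",
    "T": "temporary duplicate account",
    "M": "MNS logon account",
}

# Well-known RIDs the built-in groups must carry under the domain SID.
WELL_KNOWN_GROUP_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into entries; each attribute maps to its list of values.
    Only blank-line separation and repeated attributes (objectClass) are
    handled; folded lines and base64 values are not used by this sample."""
    entries: List[Entry] = []
    cur: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def decode_acct_flags(flags: str) -> List[str]:
    """'[UX         ]' -> ['normal user account', 'password does not expire']."""
    return [ACCT_FLAGS.get(ch, f"unknown flag {ch!r}")
            for ch in flags.strip("[] ") if ch != " "]


def check_domain(entries: List[Entry]) -> List[str]:
    """Return the problems found; an empty list means the layout looks sane."""
    problems: List[str] = []
    domains = [e for e in entries if "sambaDomain" in e.get("objectClass", [])]
    if len(domains) != 1:
        return [f"expected exactly one sambaDomain object, found {len(domains)}"]
    domain_sid = domains[0]["sambaSID"][0]

    for e in entries:
        classes = e.get("objectClass", [])
        dn = e["dn"][0]
        sid = e.get("sambaSID", [""])[0]
        if "sambaGroupMapping" in classes:
            cn = e.get("cn", [""])[0]
            rid = WELL_KNOWN_GROUP_RIDS.get(cn)
            if rid is not None and sid != f"{domain_sid}-{rid}":
                problems.append(f"{dn}: {cn} must have sambaSID {domain_sid}-{rid}, has {sid}")
        if "sambaSamAccount" in classes:
            if not sid.startswith(domain_sid + "-"):
                problems.append(f"{dn}: sambaSID {sid!r} is not under domain SID {domain_sid}")
            if "sambaAcctFlags" not in e:
                problems.append(f"{dn}: missing sambaAcctFlags")
                continue
            flags = e["sambaAcctFlags"][0]
            meanings = decode_acct_flags(flags)
            if any(m.startswith("unknown") for m in meanings):
                problems.append(f"{dn}: sambaAcctFlags {flags} has unknown letters")
            uid = e.get("uid", [""])[0]
            if uid.endswith("$") and "workstation trust account" not in meanings:
                problems.append(f"{dn}: machine account lacks W in sambaAcctFlags ({flags})")
    return problems


# Constructed sample modelled on the original post (domain SID taken from it),
# with two deliberate faults: Domain Guests carries RID 1014 instead of 514,
# and uid=stray has a SID from a different domain.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE.COM,ou=Samba,dc=example,dc=com
objectClass: top
objectClass: sambaDomain
sambaDomainName: EXAMPLE.COM
sambaSID: S-1-5-21-2230234512-1629394365-1821015051

dn: cn=Domain Admins,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 1011
sambaGroupType: 2
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-512

dn: cn=Domain Users,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 1012
sambaGroupType: 2
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-513

dn: cn=Domain Guests,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 1013
sambaGroupType: 2
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-1014

dn: uid=leggett,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: leggett
uidNumber: 1001
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaAcctFlags: [U          ]
sambaPrimaryGroupSID: S-1-5-21-2230234512-1629394365-1821015051-512

dn: uid=workstation$,ou=hosts,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: workstation$
uidNumber: 2001
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-5002
sambaAcctFlags: [W          ]

dn: uid=stray,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: stray
uidNumber: 1002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004
sambaAcctFlags: [U          ]
"""

if __name__ == "__main__":
    for problem in check_domain(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

Run it against an ldapsearch dump of the Samba suffix before touching the Windows side. It says nothing about the AD-versus-NT4 question Franco raises, but it catches the layout mistakes (wrong group RIDs, SIDs from a stale domain, a machine account without the W flag) that are otherwise hard to pick out of a level-10 smbd log.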