Re: [Samba] samba3 and heimdal: both using ldap as backends

2006-03-20 Thread Gémes Géza
Andreas Hasenack wrote:
 On Sun 19 Mar 2006 02:58, Gémes Géza wrote:
   
 An example ldif:

 dn: uid=test,ou=users,dc=example,dc=net
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: top
 objectClass: shadowAccount
 objectClass: sambaSamAccount
 objectClass: krb5Principal
 sn: Account
 userPassword: [EMAIL PROTECTED]
 

 What is the user creation sequence you are using? First posixAccount and 
 sambaSamAccount (for example, with smbldap-tools), then add the krb5Principal 
 class and its attributes, set password to use {SASL} and then what? kadmin? 
 kpasswd?
   
Usually dump an ldif to the ldap server with the premade (mkntpwd)
NTHash, and that's all.
The ldif is populated by a script which writes values like:

echo "dn: uid=$username,ou=users,dc=example,dc=net" >> the_created_ldif_file
...
echo "userPassword: [EMAIL PROTECTED]" >> the_created_ldif_file
...
and then ldapadd -Y GSSAPI -f the_created_ldif_file
then rm -f the_created_ldif_file
that's all

Regards

Geza
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
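The procedure Géza describes above (pre-compute the NT hash, emit an LDIF carrying the posixAccount, sambaSamAccount and krb5Principal classes plus a {SASL} userPassword, ldapadd it, delete the file) as an added example written for this page; it is not the poster's script. It computes the NT hash the way mkntpwd does (MD4 over the UTF-16-LE encoded password) in pure Python, because hashlib's MD4 is missing on OpenSSL 3 builds, and assembles the LDIF. The realm EXAMPLE.NET and the base ou=users,dc=example,dc=net come from the thread's LDIF; the domain SID, the RID = 2*uidNumber+1000 convention (smbldap-tools' default), the /home layout and the sambaAcctFlags value are assumptions for the example. The clear-text password is only used to derive the NT hash; LDAP simple binds are handed to Kerberos through {SASL}, which is the single-password goal of the thread.

```python
"""Build the LDIF for a combined posix / Samba / Kerberos account.

Added example for this thread, not the poster's own script.  The NT hash is
MD4(UTF-16-LE(password)), the same value mkntpwd prints; MD4 is implemented
here because hashlib.new("md4") is unavailable on OpenSSL 3 builds.
"""
import struct

_MASK = 0xFFFFFFFF
# Message-word order for rounds 2 and 3 (RFC 1320, section 3.4).
_R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

# Assumed site constants (not from the thread): a made-up domain SID; the
# RID convention 2 * uidNumber + 1000 is smbldap-tools' default.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
REALM = "EXAMPLE.NET"
BASE_DN = "ou=users,dc=example,dc=net"


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data (pure Python, 16-byte result)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    def ff(x, y, z):
        return (x & y) | (~x & z)

    def gg(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def hh(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                   # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rotl((a + ff(b, c, d) + x[i]) & _MASK, s), b, c
        for i in range(16):                                   # round 2
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rotl((a + gg(b, c, d) + x[_R2[i]] + 0x5A827999) & _MASK, s), b, c
        for i in range(16):                                   # round 3
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + hh(b, c, d) + x[_R3[i]] + 0x6ED9EBA1) & _MASK, s), b, c
        state = [(v + w) & _MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: upper-case hex MD4 of the UTF-16-LE password."""
    return md4(password.encode("utf-16-le")).hex().upper()


def user_ldif(username: str, uid_number: int, gid_number: int,
              password: str, sn: str = "Account") -> str:
    """LDIF for one account carrying the three sets of attributes at once."""
    principal = f"{username}@{REALM}"
    rid = 2 * uid_number + 1000            # assumed smbldap-tools convention
    lines = [
        f"dn: uid={username},{BASE_DN}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "objectClass: sambaSamAccount",
        "objectClass: krb5Principal",
        f"uid: {username}",
        f"cn: {username}",
        f"sn: {sn}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{username}",                  # assumed layout
        f"sambaSID: {DOMAIN_SID}-{rid}",
        f"sambaNTPassword: {nt_hash(password)}",
        "sambaAcctFlags: [U          ]",                      # plain user account
        f"krb5PrincipalName: {principal}",
        # Simple binds against this entry are passed by slapd to saslauthd,
        # which verifies the Kerberos password: no second LDAP secret exists.
        f"userPassword: {{SASL}}{principal}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import os, subprocess, tempfile
    ldif = user_ldif("test", 10000, 10000, "password")
    fd, path = tempfile.mkstemp(suffix=".ldif")   # mode 0600: the NT hash is a password equivalent
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(ldif)
        subprocess.run(["ldapadd", "-Y", "GSSAPI", "-f", path], check=True)
    finally:
        os.unlink(path)                            # remove the file even if ldapadd fails
```

The `__main__` section mirrors the thread's sequence (write file, ldapadd with GSSAPI, rm); it needs a valid Kerberos ticket and a reachable slapd, so it is not exercised by the tests below. The Kerberos key itself is still set separately (kadmin or kpasswd), as the thread notes.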


Re: [Samba] samba3 and heimdal: both using ldap as backends

2006-03-19 Thread Andreas Hasenack
On Sun 19 Mar 2006 02:58, Gémes Géza wrote:
 An example ldif:
 
 dn: uid=test,ou=users,dc=example,dc=net
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: top
 objectClass: shadowAccount
 objectClass: sambaSamAccount
 objectClass: krb5Principal
 sn: Account
 userPassword: [EMAIL PROTECTED]

What is the user creation sequence you are using? First posixAccount and 
sambaSamAccount (for example, with smbldap-tools), then add the krb5Principal 
class and its attributes, set password to use {SASL} and then what? kadmin? 
kpasswd?


Re: [Samba] samba3 and heimdal: both using ldap as backends

2006-03-18 Thread Gémes Géza
Andreas Hasenack wrote:

samba-3.0.21c, heimdal-0.7.2

The heimdal documentation[1] talks about a samba integration when both
samba and heimdal are using ldap as their backends. I quote:

Now you can proceed as in See Using LDAP to store the database. Heimdal
will pick up the Samba LDAP entries if they are in the same search space
as the Kerberos entries.

There is absolutely no further documentation.
I tried with this tree:

dc=mycnc,dc=com
ou=People,dc=mycnc,dc=com

heimdal is configured to use ou=people (I also tried with
ou=KerberosPrincipals), where I already have some entries.

My goal is to use only one password to avoid the
sambaNTPassword/userPassword/kerberos mess (three passwords). I was
under the impression that this setup should get me that.

If I add a principal with a name that is already in ou=people as a posix
and samba account, I get this:
(...)
[EMAIL PROTECTED]'s Password:
Verifying - [EMAIL PROTECTED]'s Password:
kadmin: kadm5_create_principal: ldap_search_s: No such object
kadmin: adding joao: Principal or policy already exists

The ldap logs show these queries (first column is the number of entries 
returned):
1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 
filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
0 SRCH base=uid=heimdal,dc=services,dc=mycnc,dc=com scope=2 deref=0 
filter=(objectClass=krb5Principal)
1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 
filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
0 SRCH base=uid=heimdal,dc=services,dc=mycnc,dc=com scope=2 deref=0 
filter=(objectClass=krb5Principal)
0 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 
filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 
filter=(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))

A few questions:
a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com? That's
the binddn after authz-regexp;

b) It found my user's entry (last search), why doesn't it add the kerberos 
attributes to it? Or, better yet, what is supposed to be happening?


If I run kadmin to add a user that doesn't exist with
posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created,
which samba doesn't see.

  

My config:

Debian Sarge
with:
heimdal 0.7.1-3.1 from testing rebuilt on sarge
libsasl2 2.1.19-1.9 from testing rebuilt on sarge
slapd 2.2.23-8 from sarge

slapd.conf:

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

###
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/hdb.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel 256

# Where the dynamically loaded modules are stored
modulepath  /usr/lib/ldap
moduleload  back_bdb

# SASL related options

sasl-realm example.net
sasl-host devel.example.net
sasl-authz-policy both

sasl-regexp uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
    cn=admin,dc=example,dc=net

sasl-regexp uid=(.*),cn=example.net,cn=gssapi,cn=auth
    ldap:///dc=example,dc=net??sub?uid=$1

sasl-regexp uid=(.*),cn=example.net,cn=gssapi,cn=auth
    ldap:///dc=example,dc=net??sub?uid=$1

sasl-secprops minssf=0

###
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
checkpoint 512 30

###
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend other

###
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix  dc=example,dc=net

# Where the database file are physically stored for database #1
directory   /var/lib/ldap

# Indexing options for database #1
index   objectClass,uid,krb5PrincipalName,cn eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Where 

Re: [Samba] samba3 and heimdal: both using ldap as backends

2006-03-18 Thread Andreas Hasenack
On Sat 18 Mar 2006 13:54, Gémes Géza wrote:
(...)
Thanks, it worked (somewhat) after I ran kpasswd for that user.

 An example ldif:

 dn: uid=test,ou=users,dc=example,dc=net
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: top
 objectClass: shadowAccount
 objectClass: sambaSamAccount
 objectClass: krb5Principal
 sn: Account
 userPassword: [EMAIL PROTECTED]

I see you are authenticating simple binds with a SASL mechanism. I assume 
it's gssapi? Via saslauthd?



Re: [Samba] samba3 and heimdal: both using ldap as backends

2006-03-18 Thread Gémes Géza
Andreas Hasenack wrote:

On Sat 18 Mar 2006 13:54, Gémes Géza wrote:
(...)
Thanks, it worked (somewhat) after I ran kpasswd for that user.

  

An example ldif:

dn: uid=test,ou=users,dc=example,dc=net
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
sn: Account
userPassword: [EMAIL PROTECTED]

I see you are authenticating simple binds with a SASL mechanism. I assume 
it's gssapi? Via saslauthd?

  

Yes I have saslauthd options set to:
-n 3 -c -l -a kerberos5
via /etc/default/saslauthd:
# This needs to be uncommented before saslauthd will be run automatically
# START=yes
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to pam for PAM support, but may also include
# shadow or sasldb, like this:
# MECHANISMS="pam shadow"

PARAMS="-n 3 -c -l"

MECHANISMS="kerberos5"


and an /usr/lib/sasl2/slapd.conf, which reads:

pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab

This saslauthd setup works both for slapd and cyrus-imap

Regards

Geza


[Samba] samba3 and heimdal: both using ldap as backends

2006-03-17 Thread Andreas Hasenack
samba-3.0.21c, heimdal-0.7.2

The heimdal documentation[1] talks about a samba integration when both
samba and heimdal are using ldap as their backends. I quote:

Now you can proceed as in See Using LDAP to store the database. Heimdal
will pick up the Samba LDAP entries if they are in the same search space
as the Kerberos entries.

There is absolutely no further documentation.
I tried with this tree:

dc=mycnc,dc=com
ou=People,dc=mycnc,dc=com

heimdal is configured to use ou=people (I also tried with
ou=KerberosPrincipals), where I already have some entries.

My goal is to use only one password to avoid the
sambaNTPassword/userPassword/kerberos mess (three passwords). I was
under the impression that this setup should get me that.

If I add a principal with a name that is already in ou=people as a posix
and samba account, I get this:
(...)
[EMAIL PROTECTED]'s Password:
Verifying - [EMAIL PROTECTED]'s Password:
kadmin: kadm5_create_principal: ldap_search_s: No such object
kadmin: adding joao: Principal or policy already exists

The ldap logs show these queries (first column is the number of entries 
returned):
1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 
filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
0 SRCH base=uid=heimdal,dc=services,dc=mycnc,dc=com scope=2 deref=0 
filter=(objectClass=krb5Principal)
1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 
filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
0 SRCH base=uid=heimdal,dc=services,dc=mycnc,dc=com scope=2 deref=0 
filter=(objectClass=krb5Principal)
0 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 
filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 
filter=(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))

A few questions:
a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com? That's
the binddn after authz-regexp;

b) It found my user's entry (last search), why doesn't it add the kerberos 
attributes to it? Or, better yet, what is supposed to be happening?


If I run kadmin to add a user that doesn't exist with
posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created,
which samba doesn't see.
