Re: [Samba] samba3 and heimdal: both using ldap as backends
Andreas Hasenack wrote:
> On Sun 19 Mar 2006 02:58, Gémes Géza wrote:
>> An example ldif:
>>
>> dn: uid=test,ou=users,dc=example,dc=net
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> objectClass: sambaSamAccount
>> objectClass: krb5Principal
>> sn: Account
>> userPassword: [EMAIL PROTECTED]
>
> What is the user creation sequence you are using? First posixAccount and
> sambaSamAccount (for example, with smbldap-tools), then add the
> krb5Principal class and its attributes, set password to use {SASL} and
> then what? kadmin? kpasswd?

Usually dump an ldif to the ldap server with the premade (mkntpwd) NTHash, and that's all. The ldif is populated by a script which writes values like:

    echo dn: uid=$username,ou=users,dc=example,dc=net > the_created_ldif_file
    ...
    echo userPassword: [EMAIL PROTECTED] >> the_created_ldif_file
    ...

and then

    ldapadd -Y GSSAPI -f the_created_ldif_file

then

    rm -f the_created_ldif_file

That's all.

Regards

Geza

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
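The script Géza describes above, and the "add the krb5Principal class to an existing posix/samba entry" step Andreas asks about, written out as an added example (this is not Géza's script and not part of the thread). It builds either a complete new entry carrying the object classes from the ldif in this thread, or a modify-LDIF that adds krb5Principal and a {SASL} userPassword to an entry that already exists, and loads the result with the GSSAPI bind the thread uses. The base DN and realm (ou=users,dc=example,dc=net, EXAMPLE.NET) follow the config in this thread; the uidNumber/gidNumber values, the domain SID, the RID rule and the NT hash are constructed placeholders, and the attributes beyond sn and userPassword are the ones the posixAccount, sambaSamAccount and krb5Principal schemas require.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the LDIF for a combined
# posixAccount/sambaSamAccount/krb5Principal user, or a modify-LDIF that
# adds krb5Principal to an existing entry, and loads it via ldapadd/ldapmodify
# with a GSSAPI bind. Base DN and realm follow the thread's config; SID,
# uid/gid numbers and NT hash are constructed placeholders.

BASE_DN="ou=users,dc=example,dc=net"
REALM="EXAMPLE.NET"
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"   # constructed placeholder

# new_user_ldif NAME UIDNUMBER GIDNUMBER [NTHASH]
# Prints a complete entry. userPassword uses the {SASL} scheme, so slapd
# verifies simple binds through SASL (saslauthd/Kerberos in this thread) and
# no password hash is stored in that attribute. The optional NT hash
# (mkntpwd output) is what Samba still needs for NTLM authentication.
new_user_ldif() {
    name=$1; uidnum=$2; gidnum=$3; nthash=$4
    # Samba's conventional user RID mapping: RID = 2 * uidNumber + 1000
    rid=$((uidnum * 2 + 1000))
    cat <<EOF
dn: uid=$name,$BASE_DN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
uid: $name
cn: $name
sn: Account
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$name
loginShell: /bin/sh
sambaSID: $DOMAIN_SID-$rid
krb5PrincipalName: $name@$REALM
userPassword: {SASL}$name@$REALM
EOF
    [ -n "$nthash" ] && echo "sambaNTPassword: $nthash"
    return 0
}

# add_krb5_principal_ldif NAME
# Prints a modify-LDIF for an entry that already exists as a posix/samba
# account (the situation in the original post): adds the krb5Principal class
# and krb5PrincipalName and switches userPassword to {SASL}. The thread
# reports that running kpasswd for the user afterwards made it work.
add_krb5_principal_ldif() {
    name=$1
    cat <<EOF
dn: uid=$name,$BASE_DN
changetype: modify
add: objectClass
objectClass: krb5Principal
-
add: krb5PrincipalName
krb5PrincipalName: $name@$REALM
-
replace: userPassword
userPassword: {SASL}$name@$REALM
EOF
}

# load_ldif LDIF_TEXT TOOL
# Writes the LDIF to a private temporary file (mktemp creates it mode 0600,
# so other local users cannot read the entry while it exists), loads it with
# TOOL (ldapadd or ldapmodify) over a GSSAPI bind, and removes the file
# whether or not the load succeeded.
load_ldif() {
    tool=$2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    if "$tool" -Y GSSAPI -f "$tmp"; then status=0; else status=$?; fi
    rm -f "$tmp"
    return $status
}

# Usage on a live host (kept as comments so sourcing this file has no side effects):
#   load_ldif "$(new_user_ldif alice 10001 10000 "$(mkntpwd -N "$pw" 2>/dev/null)")" ldapadd
#   load_ldif "$(add_krb5_principal_ldif joao)" ldapmodify
```

The entry is written without sambaNTPassword when no hash is supplied, which is enough for Kerberos and simple-bind logins through {SASL} but not for NTLM clients; that is the "three passwords" trade-off the original post describes, reduced to two stores rather than one.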
Re: [Samba] samba3 and heimdal: both using ldap as backends
On Sun 19 Mar 2006 02:58, Gémes Géza wrote:
> An example ldif:
>
> dn: uid=test,ou=users,dc=example,dc=net
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: krb5Principal
> sn: Account
> userPassword: [EMAIL PROTECTED]

What is the user creation sequence you are using? First posixAccount and sambaSamAccount (for example, with smbldap-tools), then add the krb5Principal class and its attributes, set password to use {SASL} and then what? kadmin? kpasswd?
Re: [Samba] samba3 and heimdal: both using ldap as backends
Andreas Hasenack wrote:
> samba-3.0.21c, heimdal-0.7.2
>
> The heimdal documentation[1] talks about a samba integration when both
> samba and heimdal are using ldap as their backends. I quote:
>
>     Now you can proceed as in See Using LDAP to store the database.
>     Heimdal will pick up the Samba LDAP entries if they are in the same
>     search space as the Kerberos entries.
>
> There is absolutely no further documentation.
>
> I tried with this tree:
>
>     dc=mycnc,dc=com
>     ou=People,dc=mycnc,dc=com
>
> heimdal is configured to use ou=people (I also tried with
> ou=KerberosPrincipals), where I already have some entries. My goal is to
> use only one password to avoid the sambaNTPassword/userPassword/kerberos
> mess (three passwords). I was under the impression that this setup should
> get me that.
>
> If I add a principal with a name that is already in ou=people as a posix
> and samba account, I get this:
>
>     (...)
>     [EMAIL PROTECTED]'s Password:
>     Verifying - [EMAIL PROTECTED]'s Password:
>     kadmin: kadm5_create_principal: ldap_search_s: No such object
>     kadmin: adding joao: Principal or policy already exists
>
> The ldap logs show these queries (first column is the number of entries
> returned):
>
>     1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
>     0 SRCH base=uid=heimdal,dc=services,dc=mycnc,dc=com scope=2 deref=0 filter=(objectClass=krb5Principal)
>     1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
>     0 SRCH base=uid=heimdal,dc=services,dc=mycnc,dc=com scope=2 deref=0 filter=(objectClass=krb5Principal)
>     0 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
>     1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 filter=(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))
>
> A few questions:
>
> a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com?
>    That's the binddn after authz-regexp;
>
> b) It found my user's entry (last search), why doesn't it add the kerberos
>    attributes to it? Or, better yet, what is supposed to be happening?
>
> If I run kadmin to add an user that doesn't exist with
> posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created,
> which samba doesn't see.

My config: Debian Sarge with:

    heimdal 0.7.1-3.1 from testing rebuilt on sarge
    libsasl2 2.1.19-1.9 from testing rebuilt on sarge
    slapd 2.2.23-8 from sarge

slapd.conf:

    # This is the main slapd configuration file. See slapd.conf(5) for more
    # info on the configuration options.

    ###
    # Global Directives:

    # Features to permit
    #allow bind_v2

    # Schema and objectClass definitions
    include         /etc/ldap/schema/core.schema
    include         /etc/ldap/schema/cosine.schema
    include         /etc/ldap/schema/nis.schema
    include         /etc/ldap/schema/inetorgperson.schema
    include         /etc/ldap/schema/samba.schema
    include         /etc/ldap/schema/hdb.schema

    # Schema check allows for forcing entries to
    # match schemas for their objectClasses
    schemacheck     on

    # Where the pid file is put. The init.d script
    # will not stop the server if you change this.
    pidfile         /var/run/slapd/slapd.pid

    # List of arguments that were passed to the server
    argsfile        /var/run/slapd.args

    # Read slapd.conf(5) for possible values
    loglevel        256

    # Where the dynamically loaded modules are stored
    modulepath      /usr/lib/ldap
    moduleload      back_bdb

    # SASL related options
    sasl-realm      example.net
    sasl-host       devel.example.net
    sasl-authz-policy both
    sasl-regexp     uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth cn=admin,dc=example,dc=net
    sasl-regexp     uid=(.*),cn=example.net,cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?uid=$1
    sasl-regexp     uid=(.*),cn=example.net,cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?uid=$1
    sasl-secprops   minssf=0

    ###
    # Specific Backend Directives for bdb:
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    backend         bdb
    checkpoint      512 30

    ###
    # Specific Backend Directives for 'other':
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    #backend        other

    ###
    # Specific Directives for database #1, of type bdb:
    # Database specific directives apply to this database until another
    # 'database' directive occurs
    database        bdb

    # The base of your directory in database #1
    suffix          dc=example,dc=net

    # Where the database files are physically stored for database #1
    directory       /var/lib/ldap

    # Indexing options for database #1
    index           objectClass,uid,krb5PrincipalName,cn eq

    # Save the time that the entry gets modified, for database #1
    lastmod         on

    # Where
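The sasl-regexp rules in the slapd.conf above are what turn a SASL authentication identity into the bind DN (the "binddn after authz-regexp" Andreas mentions for his own setup). The following added example, which is not part of the thread, replays those rules offline the way slapd applies them (first matching rule wins) so the resulting bind identity for a given GSSAPI principal or ldapi:// peer can be checked without a running server. The realm and suffix are the ones in the config; the identities fed in are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: applies the sasl-regexp rules of the
# slapd.conf above to a SASL authentication identity. Realm/suffix are taken
# from that config; input identities are constructed.

# map_sasl_identity AUTHCID
# Prints the mapped DN or LDAP URL; returns 1 when no rule matches.
map_sasl_identity() {
    id=$1
    # Rule 1: the local root user binding over the ldapi:// socket with SASL
    # EXTERNAL (peer credentials) is mapped to the directory admin DN. Any
    # process running as root on the host therefore gets full admin rights.
    case $id in
        uidNumber=0+gidNumber=*,cn=peercred,cn=external,cn=auth)
            echo "cn=admin,dc=example,dc=net"; return 0 ;;
    esac
    # Rule 2 (listed twice in the config; the duplicate is harmless): a GSSAPI
    # principal of realm example.net is resolved by a subtree search for its
    # uid, so the bind DN becomes whichever entry carries that uid. A principal
    # of another realm does not match and falls through.
    mapped=$(printf '%s\n' "$id" | sed -n \
        's#^uid=\(.*\),cn=example\.net,cn=gssapi,cn=auth$#ldap:///dc=example,dc=net??sub?uid=\1#p')
    if [ -n "$mapped" ]; then
        echo "$mapped"
        return 0
    fi
    # No rule matched: slapd keeps the raw SASL identity as the bind DN, which
    # corresponds to no entry in the tree, so DN-based ACLs will not match it.
    return 1
}

# Usage:
#   map_sasl_identity 'uid=joao,cn=example.net,cn=gssapi,cn=auth'
#   -> ldap:///dc=example,dc=net??sub?uid=joao
```

Two things worth checking in a config like this: the subtree search in rule 2 must resolve to exactly one entry, otherwise slapd rejects the mapping, so uid must be unique across dc=example,dc=net (the index on uid in the same file helps here); and sasl-secprops minssf=0 allows a GSSAPI bind to negotiate no integrity or confidentiality layer, which the thread does not discuss but a deployment should decide deliberately.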
Re: [Samba] samba3 and heimdal: both using ldap as backends
On Sat 18 Mar 2006 13:54, Gémes Géza wrote:
> (...)

Thanks, it worked (somewhat) after I ran kpasswd for that user.

> An example ldif:
>
> dn: uid=test,ou=users,dc=example,dc=net
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: krb5Principal
> sn: Account
> userPassword: [EMAIL PROTECTED]

I see you are authenticating simple binds with an SASL mechanism. I assume it's gssapi? Via saslauthd?
Re: [Samba] samba3 and heimdal: both using ldap as backends
Andreas Hasenack wrote:
> On Sat 18 Mar 2006 13:54, Gémes Géza wrote:
>> (...)
>
> Thanks, it worked (somewhat) after I ran kpasswd for that user.
>
>> An example ldif:
>>
>> dn: uid=test,ou=users,dc=example,dc=net
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> objectClass: sambaSamAccount
>> objectClass: krb5Principal
>> sn: Account
>> userPassword: [EMAIL PROTECTED]
>
> I see you are authenticating simple binds with an SASL mechanism. I assume
> it's gssapi? Via saslauthd?

Yes, I have saslauthd options set to:

    -n 3 -c -l -a kerberos5

via /etc/default/saslauthd:

    # This needs to be uncommented before saslauthd will be run automatically
    # START=yes
    START=yes

    # You must specify the authentication mechanisms you wish to use.
    # This defaults to pam for PAM support, but may also include
    # shadow or sasldb, like this:
    # MECHANISMS="pam shadow"
    PARAMS="-n 3 -c -l"
    MECHANISMS="kerberos5"

and an /usr/lib/sasl2/slapd.conf, which reads:

    pwcheck_method: saslauthd
    saslauthd_path: /var/run/saslauthd/mux
    keytab: /etc/krb5.keytab

This saslauthd setup works both for slapd and cyrus-imap.

Regards

Geza
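The chain Géza describes has three links that all have to agree: saslauthd started with the kerberos5 mechanism, slapd's sasl2 config handing password checks to that daemon at its socket, and a keytab slapd can read but other local users cannot. The following added example, not part of the thread, is a small consistency check over those files; it takes the file paths as parameters so it can be run against copies, and the sample files used in the test are constructed from the contents posted above.

```shell
#!/bin/sh
# Added example, not from the thread: checks that /etc/default/saslauthd,
# the sasl2 slapd.conf and the keytab agree with the setup described above.
# Paths are parameters; the expected socket path is the one from the thread.

# value_of FILE KEY -> value of a shell-style KEY=value line, quotes stripped
# (last assignment wins, as it would when the file is sourced)
value_of() {
    sed -n "s/^$2=//p" "$1" | sed 's/^"\(.*\)"$/\1/' | tail -n 1
}

# option_of FILE KEY -> value of a "KEY: value" line in sasl2 option syntax
option_of() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tail -n 1
}

# check_saslauthd_wiring DEFAULTS_FILE SASL_SLAPD_CONF
# Returns 0 when the pieces line up, otherwise prints the problem and returns 1.
check_saslauthd_wiring() {
    defaults=$1; saslconf=$2
    [ "$(value_of "$defaults" START)" = yes ] \
        || { echo "saslauthd is not enabled (START)"; return 1; }
    [ "$(value_of "$defaults" MECHANISMS)" = kerberos5 ] \
        || { echo "MECHANISMS is not kerberos5"; return 1; }
    [ "$(option_of "$saslconf" pwcheck_method)" = saslauthd ] \
        || { echo "slapd does not hand password checks to saslauthd"; return 1; }
    mux=$(option_of "$saslconf" saslauthd_path)
    [ "$mux" = /var/run/saslauthd/mux ] \
        || { echo "unexpected saslauthd socket: $mux"; return 1; }
    [ -n "$(option_of "$saslconf" keytab)" ] \
        || { echo "no keytab configured for slapd"; return 1; }
    return 0
}

# keytab_private KEYTAB -> 0 if the file exists and is not readable by "other".
# The keytab holds the service's long-term key; slapd's own user needs it,
# nobody else on the host should be able to read it.
keytab_private() {
    [ -f "$1" ] || return 1
    # characters 8-10 of the ls -l mode string are the "other" permission bits
    [ "$(ls -l "$1" | cut -c8-10)" = '---' ]
}

# Usage on a live host:
#   check_saslauthd_wiring /etc/default/saslauthd /usr/lib/sasl2/slapd.conf \
#       && keytab_private /etc/krb5.keytab && echo "saslauthd wiring looks consistent"
```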
[Samba] samba3 and heimdal: both using ldap as backends
samba-3.0.21c, heimdal-0.7.2

The heimdal documentation[1] talks about a samba integration when both samba and heimdal are using ldap as their backends. I quote:

    Now you can proceed as in See Using LDAP to store the database. Heimdal will pick up the Samba LDAP entries if they are in the same search space as the Kerberos entries.

There is absolutely no further documentation.

I tried with this tree:

    dc=mycnc,dc=com
    ou=People,dc=mycnc,dc=com

heimdal is configured to use ou=people (I also tried with ou=KerberosPrincipals), where I already have some entries. My goal is to use only one password to avoid the sambaNTPassword/userPassword/kerberos mess (three passwords). I was under the impression that this setup should get me that.

If I add a principal with a name that is already in ou=people as a posix and samba account, I get this:

    (...)
    [EMAIL PROTECTED]'s Password:
    Verifying - [EMAIL PROTECTED]'s Password:
    kadmin: kadm5_create_principal: ldap_search_s: No such object
    kadmin: adding joao: Principal or policy already exists

The ldap logs show these queries (first column is the number of entries returned):

    1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
    0 SRCH base=uid=heimdal,dc=services,dc=mycnc,dc=com scope=2 deref=0 filter=(objectClass=krb5Principal)
    1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
    0 SRCH base=uid=heimdal,dc=services,dc=mycnc,dc=com scope=2 deref=0 filter=(objectClass=krb5Principal)
    0 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 filter=(&(objectClass=krb5Principal)([EMAIL PROTECTED]))
    1 SRCH base=ou=People,dc=mycnc,dc=com scope=2 deref=0 filter=(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))

A few questions:

a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com? That's the binddn after authz-regexp;

b) It found my user's entry (last search), why doesn't it add the kerberos attributes to it? Or, better yet, what is supposed to be happening?

If I run kadmin to add an user that doesn't exist with posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created, which samba doesn't see.