Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
On Fri, Aug 07, 2015 at 11:49:24PM +0200, Matt . wrote:
> Hi Alexander,
>
> Yes I'm on the same path, but for now I would like to get it working on Ubuntu for the time being.
>
> Are you sure Ubuntu is not MIT? We have discussed that some time ago on IRC and it seemed to be that Ubuntu was built against MIT.

I talked to the Ubuntu maintainer last week and he said that:
* SSSD is built against MIT.
* Samba against Heimdal.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Hi,

Yes that is known for SSSD, but there must be another way maybe? I wonder what the future is there, as it seems there is none when this is not changed I guess.

2015-08-09 9:11 GMT+02:00 Jakub Hrozek jhro...@redhat.com:
> On Fri, Aug 07, 2015 at 11:49:24PM +0200, Matt . wrote:
> > Hi Alexander,
> >
> > Yes I'm on the same path, but for now I would like to get it working on Ubuntu for the time being.
> >
> > Are you sure Ubuntu is not MIT? We have discussed that some time ago on IRC and it seemed to be that Ubuntu was built against MIT.
>
> I talked to the Ubuntu maintainer last week and he said that:
> * SSSD is built against MIT.
> * Samba against Heimdal.
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Hi

Having done some more experimentation with creating users, changing passwords, and the attribute sambaPwdLastSet, it is time to reactivate this old thread.

I have a newly setup FreeIPA 4.1 Server configured with the good old Samba schema extensions for FreeIPA. I have established the following:

1) User created via CLI with no initial password given:

   # ipa user-add usr1 --first=Aunt --last=Agatha
   # ipa group-add-member smbgrp --users=usr1

   -- The user has neither the smbPwdLastSet nor sambaNTPassword attributes -- NOT OK

2) Now set an initial pwd for the same user:

   # ipa user-mod usr1 --password

   -- The user has sambaNTPassword, but NOT smbPwdLastSet

3) User created via CLI with initial password given:

   # ipa user-add usr2 --first=Bertie --last=Wooster
   # ipa group-add-member smbgrp --users=usr2

   -- The user has both the smbPwdLastSet and sambaNTPassword attributes. smbPwdLastSet = 0 -- OK

4) Now let usr2 set his real password:

   # su usr2
   # kinit usr2

   -- The user has both the smbPwdLastSet and sambaNTPassword attributes. smbPwdLastSet remains = 0 -- NOT OK, smbPwdLastSet should now be a positive number!

At this stage usr2 cannot access Samba shares. Of course, I can use an LDAP browser or CLI commands to set smbPwdLastSet=1, but that is easily forgotten.

The next test (result still open) is to see what happens with smbPwdLastSet on password expiry. To do this I have created a fast expiring password group policy, added usr2 to that group, and then let usr2 change his password to ensure the new policy is active.

   # ipa group-add fastexpire --desc="group with a fast expiring pwd policy"
   # ipa group-add-member fastexpire --users=usr2
   # ipa pwpolicy-add fastexpire --minlife=0 --maxlife=1 --history=1 --priority=1
   # su usr2
   # ipa user-mod usr2 --password

Results of this test tomorrow

Chris

From: Alexander Bokovoy aboko...@redhat.com
To: Rob Crittenden rcrit...@redhat.com
Cc: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date: 20.07.2015 15:52
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

> On Mon, 20 Jul 2015, Rob Crittenden wrote:
> > Christopher Lamb wrote:
> > > Hi Alexander
> > >
> > > This issue got overtaken by others, and slipped off my radar for a bit...
> > >
> > > While the solution suggested earlier in this thread at http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA sounds interesting (and we are running the correct versions of OEL 7.1 and SSSD), it seems to require the Windows clients to be members of an Active Directory trusted by IPA. Unfortunately there is no AD in our architecture - our Windows and OSX clients are effectively islands.
> > >
> > > That would seem to leave us stuck with sambaPwdLastSet.
> > >
> > > After a user has had his password reset via the IPA WebUI to a temporary value, the user then logs on using the temporary password, and is asked to enter a new password. At this point sambaPwdLastSet should be set to a positive value. However our testing indicates that it is not.
> > >
> > > We have tried 3 techniques:
> > > 1) User connects to LDAP server via remote ssh.
> > > 2) kinit user
> > > 3) su - user over an existing ssh session with another user (e.g. mine)
> > >
> > > In all three cases the user is able to set their password, but sambaPwdLastSet remains set to 0.
> > >
> > > As a workaround we use Apache Directory Studio to manually set sambaPwdLastSet once the user has changed his password.
> > >
> > > Chris
> >
> > AFAICT the user needs the sambaSamAccount objectclass in order for this to work. Is that the case?
>
> Yes, exactly.
>
> This object class is not used by IPA integration with Samba, so we don't give it to users by default. The code in IPA password plugin checks if there is an object class named SambaSamAccount on the user entry and then manipulates sambaPwdLastSet as required.
>
> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
On Sun, Aug 09, 2015 at 10:23:50AM +0200, Matt . wrote:
> Hi,
>
> Yes that is known for SSSD, but there must be another way maybe? I wonder what the future is there, as it seems there is none when this is not changed I guess.

The future is MIT according to the recent development and commits to samba git tree :-)
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Hi Chris,

This sounds great! What are you using now, both CentOS? So Samba and FreeIPA?

Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howtos? At least we are going somewhere!

Thanks,

Matt

2015-08-09 14:54 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
> Hi Matt
>
> My test integration of FreeIPA 4.x and Samba 4.x (with the good old Samba Schema extensions) is up and working, almost flawlessly.
>
> I can add users and groups via the FreeIPA CLI, and they get the correct ObjectClasses / attributes required for Samba. So far I have not yet bothered to try the extensions to the WebUI, because it is currently giving me the classic "Your session has expired. Please re-login." error which renders the WebUI useless.
>
> The only problem I have so far encountered managing Samba / FreeIPA users via FreeIPA CLI commands is with the handling of the attribute sambaPwdLastSet. This is the subject of an existing thread, also updated today.
>
> There is also an existing alternative to hacking group.py, using Class of Service (CoS), documented in this thread from February 2015: https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html. I have not yet tried it, but it sounds reasonable.
>
> Chris
>
> From: Matt . yamakasi@gmail.com
> To: Christopher Lamb/Switzerland/IBM@IBMCH
> Cc: freeipa-users@redhat.com, Youenn PIOLET piole...@gmail.com
> Date: 06.08.2015 16:19
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> > Hi Chris,
> >
> > OK, then we might create two different versions of the wiki, I think this is nice.
> >
> > I'm still figuring out why I get that:
> >
> > IPA Error 4205: ObjectclassViolation missing attribute sambaGroupType required by object class sambaGroupMapping
> >
> > Matt
> >
> > 2015-08-06 16:09 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
> > > Hi Matt
> > >
> > > As far as I can make out, there are at least 2 viable Samba / FreeIPA integration paths.
> > >
> > > The route I took is suited where there is no Active Directory involved: in my case all the Windows, OSX and Linux clients are islands that sit on the same network.
> > >
> > > The route that Youenn has taken (unless I have got completely the wrong end of the stick) requires Active Directory in the architecture.
> > >
> > > Chris
> > >
> > > From: Matt . yamakasi@gmail.com
> > > To: Youenn PIOLET piole...@gmail.com
> > > Cc: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
> > > Date: 06.08.2015 14:42
> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > >
> > > > Hi,
> > > >
> > > > OK, this sounds already quite logical, but I'm still referring to the old howto we found earlier, does that one still apply somewhere or not at all?
> > > >
> > > > Thanks,
> > > >
> > > > Matt
> > > >
> > > > 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
> > > > > Hey guys,
> > > > >
> > > > > I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
> > > > >
> > > > > General idea:
> > > > >
> > > > > On FreeIPA (4.1)
> > > > > - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier attribute, also known as SID)
> > > > > - regenerate each user password to build ipaNTHash attribute, not here by default on users
> > > > > - use your ldap browser to check ipaNTHash values are here on user objects
> > > > > - create a CIFS service for your samba server
> > > > > - create user roles/permissions as described here: http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa so that CIFS service will be able to read ipaNTsecurityidentifier and ipaNTHash attributes in LDAP (ACI)
> > > > > - SCP ipasam.so module to your cifs server (this is the magic trick):
> > > > >   scp /usr/lib64/samba/pdb/ipasam.so root@samba-server.domain:/usr/lib64/samba/pdb/
> > > > >   You can also try to recompile it.
> > > > >
> > > > > On SAMBA Server side (CentOS 7...)
> > > > > - install server keytab file for CIFS
> > > > > - check ipasam.so is here.
> > > > > - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI uid=admin ipaNTHash` thanks to kerberos
> > > > > - make your smb.conf following the linked thread and restart service
> > > > >
> > > > > I don't know if it works in Ubuntu. I know sssd has evolved quickly and ipasam may use quite recent functionalities, the best is to just try. You can read in previous thread: "If you insist on Ubuntu you need to get ipasam somewhere, most likely to compile it yourself."
> > > > >
> > > > > Make sure your user has ipaNTHash attribute :)
> > > > >
> > > > > You may want to debug authentication on samba server, I usually do this:
> > > > > `tail -f /var/log/samba/log* | grep username`
> > > > >
> > > > > Cheers
> > > > > -- 
> > > > > Youenn Piolet piole...@gmail.com
> > > > >
> > > > > 2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:
> > > > > > Hi,
> > > > > >
> > > > > > This sounds great to me too, but a howto would help to make it more clear about what you have done here. The thread confuses me a little bit.
> > > > > >
> > > > > > Can you paste your commands so we can test out too and report back?
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > Matt
> > > > > >
> > > > > > 2015-08-05 15:18 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
> > > > > > > Hi Youenn
> > > > > > >
> > > > > > > Good news that you have got an integration working
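Two checks recur across this thread. Chris's experiments in the sambaPwdLastSet thread, together with Alexander Bokovoy's explanation, show that sambaPwdLastSet is only maintained by the IPA password plugin when the user entry carries the sambaSamAccount object class, and a user whose value stays 0 is refused by Samba. Youenn's checklist for the ipasam path asks you to verify that each user has an ipaNTsecurityidentifier (SID) and an ipaNTHash before the CIFS server can authenticate them. The script below is an added example, not code from FreeIPA, Samba or any poster in this thread. It assumes you have an LDIF export of the user entries (for instance the output of an ldapsearch against the IPA directory) and reports only which attributes are present, missing or zero, never the hash values themselves; the entries embedded in it are constructed, with placeholder SIDs and hashes.

```python
"""Offline audit of a FreeIPA user LDIF export for the two Samba integration
paths discussed in this thread. Added example; not code from FreeIPA, Samba
or any poster. Only attribute presence is reported, never hash values."""
import re

# Constructed sample export (placeholder SIDs and hashes, not real values).
SAMPLE_LDIF = """\
dn: uid=usr1,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: usr1
memberOf: cn=smbgrp,cn=groups,cn=accounts,dc=example,dc=test

dn: uid=usr2,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
uid: usr2
sambaNTPassword: PLACEHOLDER-NOT-A-HASH
sambaPwdLastSet: 0
memberOf: cn=smbgrp,cn=groups,cn=accounts,dc=example,dc=test

dn: uid=usr3,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
uid: usr3
sambaNTPassword: PLACEHOLDER-NOT-A-HASH
sambaPwdLastSet: 1439107200
memberOf: cn=smbgrp,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-0-0-0-1003
ipaNTHash:: UExBQ0VIT0xERVI=

dn: uid=usr4,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: usr4
ipaNTSecurityIdentifier: S-1-5-21-0-0-0-1004
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    and 'attr:: base64' lines, continuation lines starting with a space.
    Attribute names are lower-cased because LDAP compares them case-insensitively."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        folded = block.replace("\n ", "")  # unfold continuation lines first
        entry = {}
        for line in folded.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = "<base64>"  # record presence only; never keep the hash bytes
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def samba_schema_status(entry):
    """Classic Samba-schema path (Chris's sambaPwdLastSet experiments)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        # Without this class the IPA password plugin never touches sambaPwdLastSet.
        return "no-sambaSamAccount"
    if "sambantpassword" not in entry:
        return "missing-sambaNTPassword"
    if int(entry.get("sambapwdlastset", ["0"])[0]) <= 0:
        # Chris's case 4: password changed but the attribute is still 0, shares refused.
        return "sambaPwdLastSet-zero"
    return "ok"


def ipasam_status(entry):
    """ipasam path (Youenn's checklist): SID and ipaNTHash must both be present."""
    if "ipantsecurityidentifier" not in entry:
        return "missing-SID"        # ipa-adtrust-install --add-sids not run for this user
    if "ipanthash" not in entry:
        return "missing-ipaNTHash"  # user has not changed password since SIDs were added
    return "ok"


def audit(ldif_text, samba_group_dn=None):
    """Return {uid: (samba_schema_status, ipasam_status)} for every user entry.
    If samba_group_dn is given, the Samba-schema check is limited to its members."""
    report = {}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", [None])[0]
        if uid is None:
            continue
        members = [m.lower() for m in entry.get("memberof", [])]
        if samba_group_dn and samba_group_dn.lower() not in members:
            samba = "not-in-group"
        else:
            samba = samba_schema_status(entry)
        report[uid] = (samba, ipasam_status(entry))
    return report


if __name__ == "__main__":
    group = "cn=smbgrp,cn=groups,cn=accounts,dc=example,dc=test"
    for uid, (samba, ipasam) in audit(SAMPLE_LDIF, group).items():
        print(f"{uid}: samba-schema={samba} ipasam={ipasam}")
```

Run against the constructed entries, the report flags usr1 (no sambaSamAccount, so the plugin will never set sambaPwdLastSet), usr2 (Chris's stuck-at-zero case) and usr4 (SID present but no ipaNTHash, so a password change is still needed before ipasam can authenticate it), while usr3 passes both checks. Pointing it at a real export is a quicker way to find the "easily forgotten" manual fix-ups than opening each user in an LDAP browser.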
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Hi,

Yes I know about anything but which way did you use now?

2015-08-09 20:56 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
> Hi Matt
>
> I am on OEL 7.1 - so anything that works on that should be good for RHEL and CentOS 7.x
>
> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we have suggested earlier, we will likely end up with several, one for each of the possible integration paths.
>
> Chris
>
> From: Matt . yamakasi@gmail.com
> To: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
> Date: 09.08.2015 16:45
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> > Hi Chris,
> >
> > This sounds great! What are you using now, both CentOS? So Samba and FreeIPA?
> >
> > Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howtos? At least we are going somewhere!
> >
> > Thanks,
> >
> > Matt