Re: [Freeipa-users] Samba Authentication progress

2015-12-31 Thread Alexander Bokovoy

On Wed, 30 Dec 2015, Matt . wrote:

> Hey Alexander!
>
> I saw your post some time ago on your G+ page and I see you guys are
> really making a lot of progress; there is a lot to do, but it's great,
> really!
>
> What you say is right, but I thought this was fixed by the newer SSSD
> package from 1.12.2+ or so, need to check that out.

I did the check on 15.10+updates, so no, there is no change. And why
would it be, if both Samba and SSSD packages need to be actively changed,
as well as libldap needing to be updated, and so on.

> For the moment I cannot move to CentOS for this machine, I can
> actually add another VM for Samba with CentOS, but also here I had an
> issue in the past, CentOS 7 and IPA 4.
>
> Which version should be working, so Distro (I prefer CentOS), IPA,
> SSSD and Samba?

CentOS 7/RHEL 7/Fedora 22+ should work fine with Kerberos just like John
said.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Samba Authentication progress

2015-12-30 Thread Matt .
Hey Alexander!

I saw your post some time ago on your G+ page and I see you guys are
really making a lot of progress; there is a lot to do, but it's great,
really!

What you say is right, but I thought this was fixed by the newer SSSD
package from 1.12.2+ or so, need to check that out.

For the moment I cannot move to CentOS for this machine, I can
actually add another VM for Samba with CentOS, but also here I had an
issue in the past, CentOS 7 and IPA 4.

Which version should be working, so Distro (I prefer CentOS), IPA,
SSSD and Samba?

If I know those, I can fire another test in minutes :)

Thanks and have a great New Year! (With MIT!)

Matt

2015-12-30 16:38 GMT+01:00 Alexander Bokovoy :
> On Wed, 30 Dec 2015, Matt . wrote:
>>
>> Hi John,
>>
>> With which OS, package version and config? On Ubuntu 15.10 I'm not
>> able to, it seems.
>
> That is purely issue of Ubuntu packaging:
> - Samba in Ubuntu 15.10 is built to provide and use libwbclient.so.0.11
> - SSSD in Ubuntu 15.10 is built to provide libwbclient.so.0.12
>   -8<-8<-8<-
> root@u1510:~# ls -la /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
> -rw-r--r-- 1 root root 43216 Nov 12 18:08
> /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
> root@u1510:~# ls -la
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0 -rw-r--r-- 1
> root root 35032 Sep  7 13:50
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0
>   ->8->8->8-
> - There are no alternatives configured to switch libwbclient to use
>   SSSD's version (Ubuntu packaging of Samba doesn't really know that
>   there could be an alternative implementation of libwbclient)
>
> So your Samba wouldn't be able to use the libwbclient provided by SSSD
> directly without special tricks or rebuilding.
>
> Furthermore,
> - Samba in Ubuntu 15.10 is built with Heimdal Kerberos, SSSD is built
>   with MIT Kerberos. When you enroll Ubuntu 15.10 client into FreeIPA,
>   it configures /etc/krb5.conf according to use of MIT Kerberos,
>   including default ccache location to be in the kernel keyring:
>   -8<-8<-8<-
> root@u1510:~# cat /etc/krb5.conf|grep default_ccache_name
>  default_ccache_name = KEYRING:persistent:%{uid}
>   ->8->8->8-
>
> This means that Samba will not be able to see default credentials cache
> as set up by SSSD for the user. Also, if you change default_ccache_name
> to be somewhere on file system, like FILE:/tmp/krb5cc_%{uid}, MIT
> Kerberos has some differences in the internal format of the credentials
> cache and applications compiled against Heimdal kerberos library will
> not be able to see some of the extended details in that ccache. While
> Heimdal and MIT Kerberos are mostly compatible on the wire, there are no
> promises of compatibility here for the credentials caches beyond the
> basics.
>
> Also, libldap is built against Heimdal in Ubuntu 15.10. This means that
> whenever SSSD starts using some advanced features provided by MIT
> Kerberos, LDAP libraries might fail to pick them up for SASL GSSAPI
> authentication. In most cases this would probably work fine but for
> cases like using kernel keyring it would fail miserably as well.
>
> So, really, there are issues with packaging that you might overcome by
> doing manual work of symlinking proper libraries like we did in Fedora
> in coordination between Samba and SSSD packages, but things still might
> not work unless you downgrade a common base to features supported by
> both Heimdal and MIT Kerberos. There are also practical issues of SSSD's
> ldap helper loading both MIT and Heimdal Kerberos code in the same
> process instance -- which is a disaster to happen when a function with
> the same name from one library is called on a structure allocated by
> another library.
>
> A proper solution would be to get Canonical more involved in the work
> we do with the move of Samba to use MIT Kerberos for Samba AD, as lack of MIT
> Kerberos support in Samba AD is what forces Debian and Ubuntu to stick
> to Heimdal (and Fedora to abstain from packaging Samba AD flavor for
> several years to avoid using Heimdal instead of MIT Kerberos). Until
> that happens, using Fedora/CentOS/RHEL is a better choice.
>
> --
> / Alexander Bokovoy



Re: [Freeipa-users] Samba Authentication progress

2015-12-30 Thread Alexander Bokovoy

On Wed, 30 Dec 2015, Matt . wrote:

> Hi John,
>
> With which OS, package version and config? On Ubuntu 15.10 I'm not
> able to, it seems.

That is purely issue of Ubuntu packaging:
- Samba in Ubuntu 15.10 is built to provide and use libwbclient.so.0.11
- SSSD in Ubuntu 15.10 is built to provide libwbclient.so.0.12
  -8<-8<-8<-
root@u1510:~# ls -la /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11 
-rw-r--r-- 1 root root 43216 Nov 12 18:08 /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
root@u1510:~# ls -la /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0 
-rw-r--r-- 1 root root 35032 Sep  7 13:50 /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0

  ->8->8->8-
- There are no alternatives configured to switch libwbclient to use
  SSSD's version (Ubuntu packaging of Samba doesn't really know that
  there could be an alternative implementation of libwbclient)

So your Samba wouldn't be able to use the libwbclient provided by SSSD
directly without special tricks or rebuilding.

Furthermore,
- Samba in Ubuntu 15.10 is built with Heimdal Kerberos, SSSD is built
  with MIT Kerberos. When you enroll an Ubuntu 15.10 client into FreeIPA,
  it configures /etc/krb5.conf according to use of MIT Kerberos,
  including default ccache location to be in the kernel keyring:
  -8<-8<-8<-
root@u1510:~# cat /etc/krb5.conf|grep default_ccache_name
 default_ccache_name = KEYRING:persistent:%{uid}
  ->8->8->8-

This means that Samba will not be able to see default credentials cache
as set up by SSSD for the user. Also, if you change default_ccache_name
to be somewhere on file system, like FILE:/tmp/krb5cc_%{uid}, MIT
Kerberos has some differences in the internal format of the credentials
cache and applications compiled against Heimdal kerberos library will
not be able to see some of the extended details in that ccache. While
Heimdal and MIT Kerberos are mostly compatible on the wire, there are no
promises of compatibility here for the credentials caches beyond the
basics.

Also, libldap is built against Heimdal in Ubuntu 15.10. This means that
whenever SSSD starts using some advanced features provided by MIT
Kerberos, LDAP libraries might fail to pick them up for SASL GSSAPI
authentication. In most cases this would probably work fine but for
cases like using kernel keyring it would fail miserably as well.

So, really, there are issues with packaging that you might overcome by
doing manual work of symlinking proper libraries like we did in Fedora
in coordination between Samba and SSSD packages, but things still might
not work unless you downgrade a common base to features supported by
both Heimdal and MIT Kerberos. There are also practical issues of SSSD's
ldap helper loading both MIT and Heimdal Kerberos code in the same
process instance -- which is a disaster to happen when a function with
the same name from one library is called on a structure allocated by
another library.

A proper solution would be to get Canonical more involved in the work
we do with the move of Samba to use MIT Kerberos for Samba AD, as lack of MIT
Kerberos support in Samba AD is what forces Debian and Ubuntu to stick
to Heimdal (and Fedora to abstain from packaging Samba AD flavor for
several years to avoid using Heimdal instead of MIT Kerberos). Until
that happens, using Fedora/CentOS/RHEL is a better choice.

--
/ Alexander Bokovoy
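The message above boils down to three things a practitioner can check on a host: which Kerberos implementation a given binary (smbd, SSSD's ldap_child, libldap) is linked against, whether the libwbclient that smbd loads is Samba's own copy or SSSD's, and whether the default_ccache_name in /etc/krb5.conf is a type a Heimdal-linked smbd can open at all. The script below is an added diagnostic written for this page; it is not part of the thread and not code from FreeIPA, SSSD or Samba. It assumes the Debian/Ubuntu and Fedora soname conventions (MIT ships libkrb5.so.3, libgssapi_krb5.so.2 and libk5crypto.so.3; Heimdal ships libkrb5.so.26, libgssapi.so.3 and the libheim*/libhcrypto/libroken helpers), and the ldd excerpts and krb5.conf fragment embedded in it are constructed to mirror the Ubuntu 15.10 layout described above, not captured from a real host.

```shell
#!/bin/sh
# Added diagnostic (not from the thread; not FreeIPA/SSSD/Samba code).
# Assumption: Debian/Ubuntu and Fedora sonames, i.e. MIT = libkrb5.so.3,
# libgssapi_krb5.so.2, libk5crypto.so.3; Heimdal = libkrb5.so.26, libgssapi.so.3,
# libheimbase/libhcrypto/libroken.

# krb5_flavor: read `ldd` output on stdin, print mit | heimdal | mixed | none.
# "mixed" is the failure mode the thread warns about: both implementations
# mapped into one process (e.g. an MIT-linked SSSD helper that also pulls in a
# Heimdal-built libldap), where same-named symbols resolve across libraries.
krb5_flavor() {
    mit=0
    heimdal=0
    while IFS= read -r line; do
        case "$line" in
            *libgssapi_krb5.so.*|*libkrb5.so.3*|*libk5crypto.so.*) mit=1 ;;
            *libgssapi.so.3*|*libkrb5.so.26*|*libheimbase*|*libhcrypto*|*libroken*|*heimdal*) heimdal=1 ;;
        esac
    done
    if [ "$mit" = 1 ] && [ "$heimdal" = 1 ]; then echo mixed
    elif [ "$mit" = 1 ]; then echo mit
    elif [ "$heimdal" = 1 ]; then echo heimdal
    else echo none
    fi
}

# wbclient_provider: read `ldd` output on stdin, print sssd | samba | none.
# On a live host the symlink chain is resolved, so an alternatives-managed
# libwbclient.so.0 that ends up under .../sssd/modules/ is reported as sssd.
wbclient_provider() {
    p=$(sed -n 's/^[[:space:]]*libwbclient\.so\.[0-9]* => \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$p" ] || { echo none; return; }
    [ -e "$p" ] && p=$(readlink -f "$p")
    case "$p" in
        */sssd/*) echo sssd ;;
        *) echo samba ;;
    esac
}

# default_ccache_name: print the value from krb5.conf text on stdin (first hit).
default_ccache_name() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# ccache_type: KEYRING:persistent:%{uid} -> KEYRING, FILE:/tmp/krb5cc_%{uid} -> FILE,
# a bare path -> FILE (MIT's default when no type prefix is given), unset -> none.
ccache_type() {
    name=$(default_ccache_name)
    case "$name" in
        "") echo none ;;
        *:*) echo "${name%%:*}" ;;
        *) echo FILE ;;
    esac
}

# ccache_usable_by FLAVOR TYPE: KEYRING is an MIT-only ccache type, so only an
# MIT-linked process can open it. FILE/DIR are readable by both, but (as the
# thread notes) only the basic contents are interoperable, hence "partial".
ccache_usable_by() {
    case "$2" in
        KEYRING) if [ "$1" = mit ]; then echo yes; else echo no; fi ;;
        FILE|DIR) echo partial ;;
        *) echo unknown ;;
    esac
}

# Constructed ldd excerpts (not captured from a real host), modelled on the
# Ubuntu 15.10 layout above: smbd against Heimdal with Samba's own libwbclient,
# SSSD's ldap_child against MIT, and the same helper after a Heimdal libldap
# drags a second Kerberos into the process.
SAMPLE_SMBD_LDD='  libwbclient.so.0 => /usr/lib/x86_64-linux-gnu/libwbclient.so.0
  libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26
  libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3'
SAMPLE_LDAP_CHILD_LDD='  libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3
  libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
  libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2'
SAMPLE_MIXED_LDD="$SAMPLE_LDAP_CHILD_LDD
  libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26"
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = KEYRING:persistent:%{uid}'

# run_live: apply the same checks to the host (paths for Fedora and Debian/Ubuntu).
run_live() {
    for bin in "$(command -v smbd 2>/dev/null || true)" \
               /usr/libexec/sssd/ldap_child \
               /usr/lib/x86_64-linux-gnu/sssd/ldap_child; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        echo "$bin: krb5=$(ldd "$bin" | krb5_flavor) wbclient=$(ldd "$bin" | wbclient_provider)"
    done
    ldap=$(ldconfig -p 2>/dev/null | awk '/libldap/ {print $NF; exit}')
    if [ -n "$ldap" ]; then echo "$ldap: krb5=$(ldd "$ldap" | krb5_flavor)"; fi
    if [ -r /etc/krb5.conf ]; then
        t=$(ccache_type < /etc/krb5.conf)
        echo "/etc/krb5.conf ccache type: $t; usable by a Heimdal-linked smbd: $(ccache_usable_by heimdal "$t")"
    fi
}

echo "smbd sample:       krb5=$(printf '%s\n' "$SAMPLE_SMBD_LDD" | krb5_flavor) wbclient=$(printf '%s\n' "$SAMPLE_SMBD_LDD" | wbclient_provider)"
echo "ldap_child sample: krb5=$(printf '%s\n' "$SAMPLE_LDAP_CHILD_LDD" | krb5_flavor)"
echo "mixed sample:      krb5=$(printf '%s\n' "$SAMPLE_MIXED_LDD" | krb5_flavor)"
t=$(printf '%s\n' "$SAMPLE_KRB5_CONF" | ccache_type)
echo "sample krb5.conf:  ccache=$t heimdal-usable=$(ccache_usable_by heimdal "$t") mit-usable=$(ccache_usable_by mit "$t")"
if command -v smbd >/dev/null 2>&1; then run_live; fi
```

On the Ubuntu 15.10 host described above this should report smbd as heimdal/samba, ldap_child as mixed once libldap is accounted for, and a KEYRING ccache that the Heimdal-linked smbd cannot open; on a Fedora/RHEL host with the alternatives set up, smbd should come out as mit/sssd and the ccache as usable.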



Re: [Freeipa-users] Samba Authentication progress

2015-12-30 Thread John Obaterspok
Hi Matt,

It already works fine to use kerberos ticket to access samba shares.

-- john

2015-12-28 14:01 GMT+01:00 Matt . :

> Hi guys,
>
>
> How is the progress on the Samba (Share) Authentication for FreeIPA?
>
> I hope we already have some work around to use the FreeIPA credentials
> for authing network shares.
>
> Matt
>

Re: [Freeipa-users] Samba Authentication progress

2015-12-30 Thread Matt .
Hi John,

With which OS, package version and config? On Ubuntu 15.10 I'm not
able to, it seems.

Thanks!

2015-12-30 9:43 GMT+01:00 John Obaterspok :
> Hi Matt,
>
> It already works fine to use kerberos ticket to access samba shares.
>
> -- john
>
> 2015-12-28 14:01 GMT+01:00 Matt . :
>>
>> Hi guys,
>>
>>
>> How is the progress on the Samba (Share) Authentication for FreeIPA?
>>
>> I hope we already have some work around to use the FreeIPA credentials
>> for authing network shares.
>>
>> Matt
>>