Re: [Freeipa-users] Samba Authentication progress

On Wed, 30 Dec 2015, Matt . wrote:
> Hey Alexander!
>
> I saw your post some time ago on your G+ page and I see you guys are
> really making a lot of progress, there is a lot to do, but it's great,
> really!
>
> What you say is right, but I thought this was fixed by the newer SSSD
> package from 1.12.2+ or so, need to check that out.
I did the check on 15.10+updates, so no, there is no change. And why would
it be if both Samba and SSSD packages need to be actively changed, as well
as libldap needs to be updated, and so on.

> For the moment I cannot move to CentOS for this machine, I can actually
> add another VM for Samba with CentOS, but also here I had an issue in
> the past, CentOS 7 and IPA 4.
>
> Which version should be working, so Distro (I prefer CentOS), IPA, SSSD
> and Samba ?
CentOS 7/RHEL 7/Fedora 22+ should work fine with Kerberos just like John said.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Samba Authentication progress

Hey Alexander!

I saw your post some time ago on your G+ page and I see you guys are really
making a lot of progress, there is a lot to do, but it's great, really!

What you say is right, but I thought this was fixed by the newer SSSD
package from 1.12.2+ or so, need to check that out.

For the moment I cannot move to CentOS for this machine, I can actually add
another VM for Samba with CentOS, but also here I had an issue in the past,
CentOS 7 and IPA 4.

Which version should be working, so Distro (I prefer CentOS), IPA, SSSD and
Samba ?

If I know those, I can fire another test in minutes :)

Thanks and have a great new year ! (With MIT!)

Matt

2015-12-30 16:38 GMT+01:00 Alexander Bokovoy:
> On Wed, 30 Dec 2015, Matt . wrote:
>> Hi John,
>>
>> With which OS, package version and config ? On Ubuntu 15.10 I'm not
>> able it seems.
>
> That is purely an issue of Ubuntu packaging:
> - Samba in Ubuntu 15.10 is built to provide and use libwbclient.so.0.11
> - SSSD in Ubuntu 15.10 is built to provide libwbclient.so.0.12
> -8<-8<-8<-
> root@u1510:~# ls -la /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
> -rw-r--r-- 1 root root 43216 Nov 12 18:08 /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
> root@u1510:~# ls -la /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0
> -rw-r--r-- 1 root root 35032 Sep 7 13:50 /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0
> ->8->8->8-
> - There are no alternatives configured to switch libwbclient to use
>   SSSD's version (Ubuntu packaging of Samba doesn't really know that
>   there could be an alternative implementation of libwbclient)
>
> So your Samba wouldn't be able to use the libwbclient provided by SSSD
> directly without special tricks or rebuilding.
>
> Furthermore,
> - Samba in Ubuntu 15.10 is built with Heimdal Kerberos, SSSD is built
>   with MIT Kerberos. When you enroll an Ubuntu 15.10 client into FreeIPA,
>   it configures /etc/krb5.conf according to use of MIT Kerberos,
>   including the default ccache location to be in the kernel keyring:
> -8<-8<-8<-
> root@u1510:~# cat /etc/krb5.conf|grep default_ccache_name
> default_ccache_name = KEYRING:persistent:%{uid}
> ->8->8->8-
>
> This means that Samba will not be able to see the default credentials cache
> as set up by SSSD for the user. Also, if you change default_ccache_name
> to be somewhere on the file system, like FILE:/tmp/krb5cc_%{uid}, MIT
> Kerberos has some differences in the internal format of the credentials
> cache and applications compiled against the Heimdal Kerberos library will
> not be able to see some of the extended details in that ccache. While
> Heimdal and MIT Kerberos are mostly compatible on the wire, there are no
> promises of compatibility here for the credentials caches beyond the
> basics.
>
> Also, libldap is built against Heimdal in Ubuntu 15.10. This means that
> whenever SSSD starts using some advanced features provided by MIT
> Kerberos, LDAP libraries might fail to pick them up for SASL GSSAPI
> authentication. In most cases this would probably work fine, but for
> cases like using the kernel keyring it would fail miserably as well.
>
> So, really, there are issues with packaging that you might overcome by
> doing manual work of symlinking proper libraries like we did in Fedora
> in coordination between Samba and SSSD packages, but things still might
> not work unless you downgrade to a common base of features supported by
> both Heimdal and MIT Kerberos. There are also practical issues of SSSD's
> ldap helper loading both MIT and Heimdal Kerberos code in the same
> process instance -- which is a disaster waiting to happen when a function
> with the same name from one library is called on a structure allocated by
> another library.
>
> A proper solution would be to get Canonical more involved in the work
> we do with the move of Samba to use MIT Kerberos for Samba AD, as lack of
> MIT Kerberos support in Samba AD is what forces Debian and Ubuntu to stick
> to Heimdal (and Fedora to abstain from packaging the Samba AD flavor for
> several years to avoid using Heimdal instead of MIT Kerberos). Until
> that happens, using Fedora/CentOS/RHEL is a better choice.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Samba Authentication progress

On Wed, 30 Dec 2015, Matt . wrote:
> Hi John,
>
> With which OS, package version and config ? On Ubuntu 15.10 I'm not
> able it seems.

That is purely an issue of Ubuntu packaging:
- Samba in Ubuntu 15.10 is built to provide and use libwbclient.so.0.11
- SSSD in Ubuntu 15.10 is built to provide libwbclient.so.0.12
-8<-8<-8<-
root@u1510:~# ls -la /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
-rw-r--r-- 1 root root 43216 Nov 12 18:08 /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
root@u1510:~# ls -la /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0
-rw-r--r-- 1 root root 35032 Sep 7 13:50 /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0
->8->8->8-
- There are no alternatives configured to switch libwbclient to use
  SSSD's version (Ubuntu packaging of Samba doesn't really know that
  there could be an alternative implementation of libwbclient)

So your Samba wouldn't be able to use the libwbclient provided by SSSD
directly without special tricks or rebuilding.

Furthermore,
- Samba in Ubuntu 15.10 is built with Heimdal Kerberos, SSSD is built
  with MIT Kerberos. When you enroll an Ubuntu 15.10 client into FreeIPA,
  it configures /etc/krb5.conf according to use of MIT Kerberos,
  including the default ccache location to be in the kernel keyring:
-8<-8<-8<-
root@u1510:~# cat /etc/krb5.conf|grep default_ccache_name
default_ccache_name = KEYRING:persistent:%{uid}
->8->8->8-

This means that Samba will not be able to see the default credentials cache
as set up by SSSD for the user. Also, if you change default_ccache_name
to be somewhere on the file system, like FILE:/tmp/krb5cc_%{uid}, MIT
Kerberos has some differences in the internal format of the credentials
cache and applications compiled against the Heimdal Kerberos library will
not be able to see some of the extended details in that ccache. While
Heimdal and MIT Kerberos are mostly compatible on the wire, there are no
promises of compatibility here for the credentials caches beyond the
basics.

Also, libldap is built against Heimdal in Ubuntu 15.10. This means that
whenever SSSD starts using some advanced features provided by MIT
Kerberos, LDAP libraries might fail to pick them up for SASL GSSAPI
authentication. In most cases this would probably work fine, but for
cases like using the kernel keyring it would fail miserably as well.

So, really, there are issues with packaging that you might overcome by
doing manual work of symlinking proper libraries like we did in Fedora
in coordination between Samba and SSSD packages, but things still might
not work unless you downgrade to a common base of features supported by
both Heimdal and MIT Kerberos. There are also practical issues of SSSD's
ldap helper loading both MIT and Heimdal Kerberos code in the same
process instance -- which is a disaster waiting to happen when a function
with the same name from one library is called on a structure allocated by
another library.

A proper solution would be to get Canonical more involved in the work
we do with the move of Samba to use MIT Kerberos for Samba AD, as lack of
MIT Kerberos support in Samba AD is what forces Debian and Ubuntu to stick
to Heimdal (and Fedora to abstain from packaging the Samba AD flavor for
several years to avoid using Heimdal instead of MIT Kerberos). Until
that happens, using Fedora/CentOS/RHEL is a better choice.

--
/ Alexander Bokovoy
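The two packaging mismatches Alexander describes (a libwbclient ABI version that differs between Samba and SSSD, and a KEYRING default ccache that a Heimdal-linked Samba cannot read) are easy to check for on a host before spending time on symlink tricks. The POSIX sh script below is an added example, not code from the thread or from the FreeIPA, Samba or SSSD projects. It works on constructed inputs: the library paths copied from the ls output quoted above and a hypothetical krb5.conf fragment in the shape ipa-client-install writes on an MIT Kerberos client. On a live system you would feed it the real /etc/krb5.conf and the paths the packages actually install.

```shell
#!/bin/sh
# Added example (not from the thread): detect the two mismatches discussed
# above. (1) Do Samba's and SSSD's libwbclient share an ABI version?
# (2) Is the default credential cache of a type a Heimdal-linked Samba can see?
# All inputs below are constructed for the example, not read from a host.

# Constructed krb5.conf fragment (hypothetical realm); the KEYRING line
# matches what the thread shows ipa-client-install writing on Ubuntu 15.10.
SAMPLE_KRB5_CONF='[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}
  dns_lookup_kdc = true'

# Library paths taken from the ls listing quoted in the thread.
SAMBA_WBCLIENT=/usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
SSSD_WBCLIENT=/usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0

# Print the ccache type (KEYRING, FILE, DIR, ...) set by default_ccache_name
# in the krb5.conf text read on stdin. No setting, or a bare path without a
# type prefix, means the MIT default: a FILE ccache.
ccache_type() {
    name=$(sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' | head -n 1)
    case "$name" in
        *:*) echo "${name%%:*}" ;;
        *)   echo FILE ;;
    esac
}

# Heimdal has no KEYRING ccache type, so a keyring cache is invisible to a
# Heimdal-linked smbd. Other types are at least visible, though, as the
# thread notes, MIT-specific extended fields may still be lost.
heimdal_visible_ccache() {
    [ "$1" != "KEYRING" ]
}

# Extract the libwbclient ABI minor from a shared-object path:
# 11 from libwbclient.so.0.11, 12 from libwbclient.so.0.12.0.
wbclient_abi() {
    printf '%s\n' "$1" | sed -n 's/.*libwbclient\.so\.0\.\([0-9][0-9]*\).*/\1/p'
}

# Succeed only when both paths carry the same ABI version, i.e. Samba could
# be pointed at SSSD's implementation without rebuilding.
wbclient_compatible() {
    a=$(wbclient_abi "$1")
    b=$(wbclient_abi "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run both checks and report; returns 0 only when neither problem is present.
report() {
    status=0
    t=$(printf '%s\n' "$SAMPLE_KRB5_CONF" | ccache_type)
    if heimdal_visible_ccache "$t"; then
        echo "ccache type $t: visible to a Heimdal-linked Samba"
    else
        echo "ccache type $t: NOT visible to a Heimdal-linked Samba"
        status=1
    fi
    if wbclient_compatible "$SAMBA_WBCLIENT" "$SSSD_WBCLIENT"; then
        echo "libwbclient ABI matches ($(wbclient_abi "$SAMBA_WBCLIENT"))"
    else
        echo "libwbclient ABI mismatch: Samba $(wbclient_abi "$SAMBA_WBCLIENT") vs SSSD $(wbclient_abi "$SSSD_WBCLIENT")"
        status=1
    fi
    return $status
}

report || echo "=> Samba cannot use SSSD's winbind client and/or ccache on this host"
```

With the constructed inputs the script reports both problems: ccache type KEYRING is not visible to Heimdal, and ABI 11 versus 12 means no drop-in replacement of libwbclient. Changing default_ccache_name to a FILE: path clears the first check but, as the thread points out, only down to the basic ticket fields both Kerberos implementations agree on.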
Re: [Freeipa-users] Samba Authentication progress

Hi Matt,

It already works fine to use a kerberos ticket to access samba shares.

-- john

2015-12-28 14:01 GMT+01:00 Matt .:
> Hi guys,
>
> How is the progress on the Samba (Share) Authentication for FreeIPA ?
>
> I hope we already have some workaround to use the FreeIPA credentials
> for authing network shares.
>
> Matt
Re: [Freeipa-users] Samba Authentication progress

Hi John,

With which OS, package version and config ? On Ubuntu 15.10 I'm not able it
seems.

Thanks!

2015-12-30 9:43 GMT+01:00 John Obaterspok:
> Hi Matt,
>
> It already works fine to use a kerberos ticket to access samba shares.
>
> -- john
>
> 2015-12-28 14:01 GMT+01:00 Matt . :
>> Hi guys,
>>
>> How is the progress on the Samba (Share) Authentication for FreeIPA ?
>>
>> I hope we already have some workaround to use the FreeIPA credentials
>> for authing network shares.
>>
>> Matt