Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
On Tue, 27 Jan 2015, Raoul Becke wrote: Alexander Bokovoy abokovoy@... writes: On Wed, 14 Jan 2015, Raoul Becke wrote: Alexander Bokovoy abokovoy at ... writes: Thank you very much for this detailed instructions. It seems not to be too complicated and I think giving it a 2nd try - the only thing that worries me a bit is: This would work more or less same in 3.0 but you would need to add permissions differently because 3.x doesn't have as easy permission constructing means as 4.0 has. Is there a document that describes how to do this in: Name: ipa-server Arch: x86_64 Version : 3.3.3 Or a document that describes the differences then I can take it from there. I think the difference would be in unavailability of 'ipa privilege-add-permission' command. You still need to create the privilege and the role but then create ACI manually referencing the privilege. # ipa privilege-add 'CIFS server privilege' --- Added privilege CIFS server privilege --- Privilege name: CIFS server privilege # ipa role-add 'CIFS server' Added role CIFS server Role name: CIFS server # ipa role-add-privilege 'CIFS server' --privilege='CIFS server privilege' Role name: CIFS server Privileges: CIFS server privilege Number of privileges added 1 And add ACI based on the privilege group DN: # cat 89-cifs-privilege-aci.update dn: $SUFFIX add:aci: '(targetattr = ipaNTHash || ipaNTSecurityIdentifier)(version 3.0; acl CIFS server privilege permission; allow (read,search,compare) groupdn=ldap:///cn=CIFS server privilege,cn=privileges,cn=pbac,$SUFFIX;)' # ipa-ldap-updater -l ./89-cifs-privilege-aci.update Parsing update file './89-cifs-privilege-aci.update' Updating existing entry: dc=f21,dc=test Done The ipa-ldap-updater command was successful The add:aci line in the .update file shold be that long. Note that changing ACI as opposed to using permission CLI in FreeIPA 4.x is not really recommended. You need to understand what are you doing and that wrong operations may cause slowness or even total malfunctioning of the LDAP server. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
Alexander Bokovoy abokovoy@... writes: On Wed, 14 Jan 2015, Raoul Becke wrote: Alexander Bokovoy abokovoy at ... writes: Thank you very much for this detailed instructions. It seems not to be too complicated and I think giving it a 2nd try - the only thing that worries me a bit is: This would work more or less same in 3.0 but you would need to add permissions differently because 3.x doesn't have as easy permission constructing means as 4.0 has. Is there a document that describes how to do this in: Name: ipa-server Arch: x86_64 Version : 3.3.3 Or a document that describes the differences then I can take it from there. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
On Wed, 14 Jan 2015, Raoul Becke wrote:
Alexander Bokovoy abokovoy@... writes:
On Fri, 28 Mar 2014, Jason Woods wrote:
Hi
(Apologies - resending to the list - I'm so used to the Reply-To already
set but it appears not to be here my bad.)
On 28 Mar 2014, at 11:32, Petr Spacek pspacek@... wrote:
Please let us know if it worked for you or not. I'm curious!
I'm pretty curious too.
I have RHEL 6.5 with samba authenticating with IPA using ipasam.so. I
needed to add two patches though to 3.0 to fix 'valid users' group
resolution and also performance. They're merged into master and 3.3
and will be in RHEL 7.
Apart from the patching it was easy to do - just needed ipa-server and
ipa-server-adtrust installed and setup and it did all the config for me
(the adtrust part sets up samba with ipasam.so for you).
Problem is running ipasam.so without the ipa-server locally - is how to
get it so the host can see ipaNTHash in the schema to check password.
If ipa-server is local the host has access, otherwise it doesn't.
So be good to find out what aci or service principal stuff makes that
available in an elegant and secure way.
We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it
all and may be creating a simple configuration tool.
Timing is not yet defined.
Is there any news on this issue?
Yes, the solution based on SSSD providing a winbindd-compatible
interface is available in Fedora 21 and RHEL7.1beta.
I tried the following work-around which unfortunately did not work.
1. On the IPA Server:
]# yum install ipa-server-trust-ad
2. On the IPA Server: Run ipa-adtrust-install
]# ipa-adtrust-install
3. On ipa-server: Copy ipasam.so to samba server:
]# scp /usr/lib64/samba/pdb/ipasam.so file--s0-v1.becke.ch:/usr/lib64/samba/pdb/
4. On ipa-server:Create the following CIFS service:
]# ipa service-add cifs/file--s0-v1.becke...@becke.ch
you also need to add cifs/file--s0-v1.becke...@beck.ch to an ACI that
would allow it to read ipaNTHash attribute.
5. On ipa-server: Create keytab for samba server and copy over to samba server
]# ipa-getkeytab -s directory--s0-v1.becke.ch -p
cifs/file--s0-v1.becke...@becke.ch -k /tmp/samba.keytab
]# scp /tmp/samba.keytab r...@file--s0-v1.becke.ch:/etc/samba/samba.keytab
6. On samba server:
vi /etc/samba/smb.conf
...
[global]
workgroup = BECKECH
server string = Samba Server Version %v
netbios name = FILES0V1
log file = /var/log/samba/%m.log
max log size = 50
realm = BECKE.CH
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no
security = user
#passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-BECKE-CH.socket
passdb backend = ipasam:ldaps://directory--s0-v1.becke.ch
ldapsam:trusted=yes
ldap ssl = off
ldap suffix = dc=becke,dc=ch
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
...
But all this did not help and I always get:
]# smbclient -L file--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10
...
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
...
Doing the same against the IPA Server everything works fine:
# smbclient -L directory--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10
... Maybe there is something wrong in: cli_init_creds ... but now after
hours of research, debugging and testing I will give up and switch to
tdbsam which is not optimal but should at least work ...
As I said above, your cifs/file-* service is unable to read out password
values from ipaNTHash attribute of a user entry. It has to be added
to a pre-defined group first. That group is then added into a
specialized ACI granting access to the attributes required by Samba.
It could be done through role/privilege/permission process in IPA 4.0+:
0. Add service on host foo.bar:
# ipa service-add cifs/foo.bar
1. Add permission:
# ipa permission-add CIFS server can read user passwords \
--attrs={ipaNTHash,ipaNTSecurityIdentifier} \
--type=user --right={read,search,compare} --bindtype=permission
2. Add privilege:
# ipa privilege-add-permission 'CIFS server privilege' --permission='CIFS
server can read user passwords'
3. Add role to bind privilege to specific services:
# ipa role-add 'CIFS server'
# ipa role-add-privilege 'CIFS server' --privilege='CIFS server privilege'
# ipa role-add-member 'CIFS server' --services=cifs/foo.bar
If you have keytab for the service cifs/foo.bar, you can verify that it
indeed can read ipaNTHash:
[root@master ~]# kdestroy -A
[root@master ~]# kinit -kt foobar.keytab cifs/foo.bar
[root@master ~]# ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: cifs/foo@f21.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=f21,dc=test (default) with scope
Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
Alexander Bokovoy abokovoy@... writes: On Fri, 28 Mar 2014, Jason Woods wrote: Hi (Apologies - resending to the list - I'm so used to the Reply-To already set but it appears not to be here my bad.) On 28 Mar 2014, at 11:32, Petr Spacek pspacek@... wrote: Please let us know if it worked for you or not. I'm curious! I'm pretty curious too. I have RHEL 6.5 with samba authenticating with IPA using ipasam.so. I needed to add two patches though to 3.0 to fix 'valid users' group resolution and also performance. They're merged into master and 3.3 and will be in RHEL 7. Apart from the patching it was easy to do - just needed ipa-server and ipa-server-adtrust installed and setup and it did all the config for me (the adtrust part sets up samba with ipasam.so for you). Problem is running ipasam.so without the ipa-server locally - is how to get it so the host can see ipaNTHash in the schema to check password. If ipa-server is local the host has access, otherwise it doesn't. So be good to find out what aci or service principal stuff makes that available in an elegant and secure way. We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it all and may be creating a simple configuration tool. Timing is not yet defined. Is there any news on this issue? I tried the following work-around which unfortunately did not work. 1. On the IPA Server: ]# yum install ipa-server-trust-ad 2. On the IPA Server: Run ipa-adtrust-install ]# ipa-adtrust-install 3. On ipa-server: Copy ipasam.so to samba server: ]# scp /usr/lib64/samba/pdb/ipasam.so file--s0-v1.becke.ch:/usr/lib64/samba/pdb/ 4. On ipa-server:Create the following CIFS service: ]# ipa service-add cifs/file--s0-v1.becke...@becke.ch 5. On ipa-server: Create keytab for samba server and copy over to samba server ]# ipa-getkeytab -s directory--s0-v1.becke.ch -p cifs/file--s0-v1.becke...@becke.ch -k /tmp/samba.keytab ]# scp /tmp/samba.keytab r...@file--s0-v1.becke.ch:/etc/samba/samba.keytab 6. On samba server: vi /etc/samba/smb.conf ... [global] workgroup = BECKECH server string = Samba Server Version %v netbios name = FILES0V1 log file = /var/log/samba/%m.log max log size = 50 realm = BECKE.CH kerberos method = dedicated keytab dedicated keytab file = FILE:/etc/samba/samba.keytab create krb5 conf = no security = user #passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-BECKE-CH.socket passdb backend = ipasam:ldaps://directory--s0-v1.becke.ch ldapsam:trusted=yes ldap ssl = off ldap suffix = dc=becke,dc=ch ldap user suffix = cn=users,cn=accounts ldap group suffix = cn=groups,cn=accounts ldap machine suffix = cn=computers,cn=accounts ... But all this did not help and I always get: ]# smbclient -L file--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10 ... NTLMSSP_NEGOTIATE_KEY_EXCH SPNEGO login failed: Logon failure session setup failed: NT_STATUS_LOGON_FAILURE ... Doing the same against the IPA Server everything works fine: # smbclient -L directory--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10 ... Maybe there is something wrong in: cli_init_creds ... but now after hours of research, debugging and testing I will give up and switch to tdbsam which is not optimal but should at least work ... -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
On 28.3.2014 09:56, Sandor Juhasz wrote: Hello, i am ok to compile it myself, looking for source code. I hope that way i will be able to avoid messing around with the ldap tree. Any help/documentation is appreciated. Basically, documentation on http://www.freeipa.org/page/Contribute/Code and linked pages apply to your situation. You will face dependency problems because you are going to build it on Ubuntu. Don't give up and persist :-) I would recommend you a non-standard procedure: - clone the git repo: $ git clone git://git.fedorahosted.org/git/freeipa.git - enter the cloned tree: $ cd freeipa.git - $ make version-update -- This command will fail (for sure) because of dependency problems. However, it could be enough to proceed with ipasam build. You just need to generate version.h and similar useless files. - Enter daemons sub-directory in the cloned tree: $ cd daemons - $ autoreconf -fiv - $ ./configure - $ make This should build freeipa.git/daemons/ipa-sam/.libs/ipasam.so library without building rest of FreeIPA so dependency problems should be limited only to this sub-tree. Note that this procedure is completely untested. Please let us know if it worked for you or not. I'm curious! :-) Petr^2 Spacek Thanks. s - Original Message - From: Petr Spacek pspa...@redhat.com To: freeipa-users@redhat.com Sent: Thursday, March 27, 2014 5:51:23 PM Subject: Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa On 27.3.2014 14:36, Sandor Juhasz wrote: Hello, what is the best practice to authenticate samba file sharing with freeipa as auth service. Either version 3 or 4 of samba is fine, as we are looking for this only for filesharing and not domain service. Our ipa service is hosted on CentOS 6.5. The samba service is preferred to be hosted on Ubuntu Precise (12.04), later the new LTS. Found 3 methods, but all seem to have their issues. 1. LDAP, ldapsam passdb backend. - needs ldap schema modification to include fields (sambaSAMAccount, sambaGroupMapping, samabaSID) and have IPA populate those with dna plugin 2. IPA, ipasam passdb backend - did not find a working version from ipasam.so for ubuntu, mostly i did not find any The only how-to I'm aware of is: http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/ If you insist on Ubuntu you need to get ipasam somewhere, most likely to compile it yourself. Let us know if you are going to compile it, we can provide you some guidance. See the thread 'IPA - Samba / Redmine / Disable Kerberos?'. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
On 28.3.2014 12:32, Petr Spacek wrote: On 28.3.2014 09:56, Sandor Juhasz wrote: Hello, i am ok to compile it myself, looking for source code. I hope that way i will be able to avoid messing around with the ldap tree. Any help/documentation is appreciated. Basically, documentation on http://www.freeipa.org/page/Contribute/Code and linked pages apply to your situation. You will face dependency problems because you are going to build it on Ubuntu. Don't give up and persist :-) I would recommend you a non-standard procedure: - clone the git repo: $ git clone git://git.fedorahosted.org/git/freeipa.git - enter the cloned tree: $ cd freeipa.git - $ make version-update -- This command will fail (for sure) because of dependency problems. However, it could be enough to proceed with ipasam build. You just need to generate version.h and similar useless files. - Enter daemons sub-directory in the cloned tree: $ cd daemons - $ autoreconf -fiv - $ ./configure - $ make This should build freeipa.git/daemons/ipa-sam/.libs/ipasam.so library without building rest of FreeIPA so dependency problems should be limited only to this sub-tree. Note that this procedure is completely untested. Please let us know if it worked for you or not. I'm curious! :-) I'm adding output from make running on my Fedora 20 so you can easily find include paths you need to cover by packages in your distro etc. Enjoy :-) -- Petr^2 Spacek /bin/sh ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\/usr/local\ -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\ -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\ -DLDAPIDIR=\/usr/local/var/run\ -DHAVE_LDAP -I ../../util -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP-DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0-I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -g -O2 -MT ipa_sam.lo -MD -MP -MF .deps/ipa_sam.Tpo -c -o ipa_sam.lo ipa_sam.c /bin/sh ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\/usr/local\ -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\ -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\ -DLDAPIDIR=\/usr/local/var/run\ -DHAVE_LDAP -I ../../util -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP-DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0-I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -g -O2 -MT ipa_krb5.lo -MD -MP -MF .deps/ipa_krb5.Tpo -c -o ipa_krb5.lo `test -f '../../util/ipa_krb5.c' || echo './'`../../util/ipa_krb5.c /bin/sh ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\/usr/local\ -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\ -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\ -DLDAPIDIR=\/usr/local/var/run\ -DHAVE_LDAP -I ../../util -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP-DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0-I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -g -O2 -MT ipa_pwd_ntlm.lo -MD -MP -MF .deps/ipa_pwd_ntlm.Tpo -c -o ipa_pwd_ntlm.lo `test -f '../../util/ipa_pwd_ntlm.c' || echo './'`../../util/ipa_pwd_ntlm.c libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\/usr/local\ -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\ -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\ -DLDAPIDIR=\/usr/local/var/run\ -DHAVE_LDAP -I ../../util -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -g -O2 -MT ipa_sam.lo -MD -MP -MF .deps/ipa_sam.Tpo -c ipa_sam.c -fPIC -DPIC -o .libs/ipa_sam.o libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I. -I. -I/usr/include/samba-4.0 -DPREFIX=\/usr/local\ -DBINDIR=\/usr/local/bin\ -DLIBDIR=\/usr/local/lib\ -DLIBEXECDIR=\/usr/local/libexec\ -DDATADIR=\/usr/local/share\ -DLDAPIDIR=\/usr/local/var/run\ -DHAVE_LDAP -I ../../util -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1 -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/include/samba-4.0 -I/usr/include/nspr4 -I/usr/include/nss3
Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
Hi (Apologies - resending to the list - I'm so used to the Reply-To already set but it appears not to be here my bad.) On 28 Mar 2014, at 11:32, Petr Spacek pspa...@redhat.com wrote: Please let us know if it worked for you or not. I'm curious! :-) I'm pretty curious too. I have RHEL 6.5 with samba authenticating with IPA using ipasam.so. I needed to add two patches though to 3.0 to fix 'valid users' group resolution and also performance. They're merged into master and 3.3 and will be in RHEL 7. Apart from the patching it was easy to do - just needed ipa-server and ipa-server-adtrust installed and setup and it did all the config for me (the adtrust part sets up samba with ipasam.so for you). Problem is running ipasam.so without the ipa-server locally - is how to get it so the host can see ipaNTHash in the schema to check password. If ipa-server is local the host has access, otherwise it doesn't. So be good to find out what aci or service principal stuff makes that available in an elegant and secure way. Jason ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
On Fri, 28 Mar 2014, Jason Woods wrote: Hi (Apologies - resending to the list - I'm so used to the Reply-To already set but it appears not to be here my bad.) On 28 Mar 2014, at 11:32, Petr Spacek pspa...@redhat.com wrote: Please let us know if it worked for you or not. I'm curious! :-) I'm pretty curious too. I have RHEL 6.5 with samba authenticating with IPA using ipasam.so. I needed to add two patches though to 3.0 to fix 'valid users' group resolution and also performance. They're merged into master and 3.3 and will be in RHEL 7. Apart from the patching it was easy to do - just needed ipa-server and ipa-server-adtrust installed and setup and it did all the config for me (the adtrust part sets up samba with ipasam.so for you). Problem is running ipasam.so without the ipa-server locally - is how to get it so the host can see ipaNTHash in the schema to check password. If ipa-server is local the host has access, otherwise it doesn't. So be good to find out what aci or service principal stuff makes that available in an elegant and secure way. We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it all and may be creating a simple configuration tool. Timing is not yet defined. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
