Re: [Samba] Samba file server using ldap backend without AD or PDC?

On Fri, 2012-11-30 at 08:28 -0500, Brian Gold wrote:
> Hi all,
>
> I've been using samba for a few years now on a couple of file servers with a tdbsam backend for our user accounts. We use openldap for the vast majority of our identity management, so I would love to be able to tie into this. We recently started using sambaNTPassword in openldap for radius authentication, so this is populated for most of our users now. From reading through some of the documentation though, I'm a bit confused as to how this would be implemented. We don't currently have Active Directory and don't have any samba PDC/BDCs set up. Would it be necessary for us to have a PDC/BDC in order to use openldap as our backend?

Yes, if you have multiple servers that you wish to use this for. Essentially you make your file servers DCs, even if you don't ever join clients to the domain. That way, they have the same SID, which is stored in LDAP (normally the domain SID is per-machine).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba file server using ldap backend without AD or PDC?

Hi all,

I've been using samba for a few years now on a couple of file servers with a tdbsam backend for our user accounts. We use openldap for the vast majority of our identity management, so I would love to be able to tie into this. We recently started using sambaNTPassword in openldap for radius authentication, so this is populated for most of our users now. From reading through some of the documentation though, I'm a bit confused as to how this would be implemented. We don't currently have Active Directory and don't have any samba PDC/BDCs set up. Would it be necessary for us to have a PDC/BDC in order to use openldap as our backend?

Thanks,
Brian
Re: [Samba] Samba file server using ldap backend without AD or PDC?

Can you clarify one thing - why are you using the sambaNTPassword in openldap if openldap is not currently used for samba authentication? I would have thought that you would use the standard password field.

I use Samba 3.x DC's with an ldap back end. I also use the ldap backend for unix authentication as well as authentication to various other systems that support LDAP authentication. If you are using one or more BDC's you really do have to use an LDAP back end. But there is no reason why member servers can't use an LDAP backend. If the underlying unix account for each samba account is in /etc/passwd and not LDAP, you should consolidate it all into LDAP.

Do the sambaNTPassword (and other samba attributes) in LDAP match those in the tdb backend? You may find you want to blast away the existing sambaNTPassword entries in LDAP before you migrate the TDB data to LDAP.

On 11/30/12 08:28, Brian Gold wrote:
> Hi all,
>
> I've been using samba for a few years now on a couple of file servers with a tdbsam backend for our user accounts. We use openldap for the vast majority of our identity management, so I would love to be able to tie into this. We recently started using sambaNTPassword in openldap for radius authentication, so this is populated for most of our users now. From reading through some of the documentation though, I'm a bit confused as to how this would be implemented. We don't currently have Active Directory and don't have any samba PDC/BDCs set up. Would it be necessary for us to have a PDC/BDC in order to use openldap as our backend?
>
> Thanks,
> Brian
Re: [Samba] Samba file server using ldap backend without AD or PDC?

On 2012-11-30 9:22 am, Gaiseric Vandal wrote:
> Can you clarify one thing - why are you using the sambaNTPassword in openldap if openldap is not currently used for samba authentication? I would have thought that you would use the standard password field.

We are using the standard userPassword field for most things, but for radius authentication via PEAP/MSCHAPv2, we needed to use sambaNTPassword instead.

> I use Samba 3.x DC's with an ldap back end. I also use the ldap backend for unix authentication as well as authentication to various other systems that support LDAP authentication. If you are using one or more BDC's you really do have to use an LDAP back end. But there is no reason why member servers can't use an LDAP backend. If the underlying unix account for each samba account is in /etc/passwd and not LDAP, you should consolidate it all into LDAP.

We currently don't want to deploy a PDC or BDC if we don't need to. All we want to do is have a file server that can authenticate using the username/password stored in openldap.

> Do the sambaNTPassword (and other samba attributes) in LDAP match those in the tdb backend? You may find you want to blast away the existing sambaNTPassword entries in LDAP before you migrate the TDB data to LDAP.

No, our current Samba file server has a totally separate set of passwords. When we transition over to this new Samba file server, we will be having all our users use their openldap password instead. We do not want to sync their existing tdb passwords over to LDAP.
Re: [Samba] Samba file server using ldap backend without AD or PDC?

On 11/30/12 09:42, Brian Gold wrote:
> On 2012-11-30 9:22 am, Gaiseric Vandal wrote:
>> Can you clarify one thing - why are you using the sambaNTPassword in openldap if openldap is not currently used for samba authentication? I would have thought that you would use the standard password field.
>
> We are using the standard userPassword field for most things, but for radius authentication via PEAP/MSCHAPv2, we needed to use sambaNTPassword instead.

That makes sense.

>> I use Samba 3.x DC's with an ldap back end. I also use the ldap backend for unix authentication as well as authentication to various other systems that support LDAP authentication. If you are using one or more BDC's you really do have to use an LDAP back end. But there is no reason why member servers can't use an LDAP backend. If the underlying unix account for each samba account is in /etc/passwd and not LDAP, you should consolidate it all into LDAP.
>
> We currently don't want to deploy a PDC or BDC if we don't need to. All we want to do is have a file server that can authenticate using the username/password stored in openldap.

Should be no problem.

>> Do the sambaNTPassword (and other samba attributes) in LDAP match those in the tdb backend? You may find you want to blast away the existing sambaNTPassword entries in LDAP before you migrate the TDB data to LDAP.
>
> No, our current Samba file server has a totally separate set of passwords. When we transition over to this new Samba file server, we will be having all our users use their openldap password instead. We do not want to sync their existing tdb passwords over to LDAP.

No, you wouldn't sync passwords to TDB.

Does your LDAP entry for each user currently have a sambaSID value? Also, when you type pdbedit -Lv someuser you should see the unix account for the user. The unix account is either explicitly created (e.g. in /etc/passwd or ldap or nis) or dynamically created by winbind.

# pdbedit -Lv someuser
Unix username:        someuser
NT username:          someuser
Account Flags:        [U          ]
User SID:             S-1-5-21-x
Primary Group SID:    S-1-5-21-xxx
Full Name:            Some User
Home Directory:       \\someserver\users\someuser
HomeDir Drive:        X:
Logon Script:         logon.bat
Profile Path:
Domain:               SOMEDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    Fri, 30 Sep 2011 09:40:43 EDT
Password can change:  Fri, 30 Sep 2011 09:40:43 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF
#

Assuming you are not using winbind to allocate uid's and gid's for samba users, your LDAP user entry will eventually look something like

dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Some User
gidNumber: xx
homeDirectory: /home/someuser
sambaSID: S-1-5-21-
sn: UserLastName
uid: someuser
uidNumber: 123
displayName: Some User
gecos: Some User
givenName: Some User
loginShell: /bin/tcsh
sambaAcctFlags: [UX         ]
sambaHomeDrive: X:
sambaHomePath: \\someserver\users\someuser
sambaLogonScript: logon.bat
sambaNTPassword:
sambaPasswordHistory: 00 00
sambaPwdLastSet: 1291843237
st: xx
street: x
telephoneNumber: x
userPassword::

Although the login script and network home directory are probably not relevant in a non-DC setup.
Re: [Samba] Samba file server using ldap backend without AD or PDC?

On 2012-11-30 11:15 am, Gaiseric Vandal wrote:
> No, you wouldn't sync passwords to TDB.
>
> Does your LDAP entry for each user currently have a sambaSID value? Also, when you type pdbedit -Lv someuser you should see the unix account for the user. The unix account is either explicitly created (e.g. in /etc/passwd or ldap or nis) or dynamically created by winbind.

No, currently our users do not have sambaSID values in ldap.

> # pdbedit -Lv someuser
> [...]
>
> Assuming you are not using winbind to allocate uid's and gid's for samba users, your LDAP user entry will eventually look something like
>
> [...]
>
> Although the login script and network home directory are probably not relevant in a non-DC setup.

We are not using winbind at all currently.

Here is a sample user's ldap data:

dn: uid=tstaff,ou=people,dc=simons-rock,dc=edu
uid: tstaff
sn: Staff
uinSR: tstaff-false
givenName: Test
genderSR: m
loginShell: /bin/false
cn: Test Staff
gecos: Test Staff
mailSR: test...@simons-rock.edu
homeDirectory: /home/testaff
objectClass: person
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: personSR
objectClass: extensibleObject
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 11551
shadowWarning: 7
gidNumber: 100
shadowMax: 9
uidNumber: 7391
mail: test...@simons-rock.edu
groupSR: staff
groupSR: hidden
employeeNumber: 991991991
sambaNTPassword: REDACTED
sambaPwdLastSet: 1354296936
userPassword:: REDACTED
Re: [Samba] Samba file server using ldap backend without AD or PDC?

So when you run pdbedit -Lv for a user, is the Unix user name an account in ldap? If that is the case, then you probably just want to have a script that runs through a list of user names and then runs ldapmodify to add the appropriate samba attributes.

In theory you can use pdbedit to export the data, then change the backend, then import it back. I found that didn't quite work. I had originally used nis backend for unix accounts and TDB backend for samba. I moved from NIS to LDAP for unix accounts. Then when I added a BDC I moved the samba data into ldap. I had used smbpasswd to dump the data to a text file, then wrote a perl script to parse the file into user name, samba SID, and samba password and then rewrite it into an ldapmodify ldif file. I used this file to update the existing LDAP accounts.

You MAYBE can use smbpasswd or pdbedit to create the samba accounts in LDAP but I suspect that either it won't preserve the existing password OR it may refuse to create the account.

On 11/30/12 12:38, Brian Gold wrote:
> On 2012-11-30 11:15 am, Gaiseric Vandal wrote:
>> No, you wouldn't sync passwords to TDB.
>>
>> Does your LDAP entry for each user currently have a sambaSID value? Also, when you type pdbedit -Lv someuser you should see the unix account for the user. The unix account is either explicitly created (e.g. in /etc/passwd or ldap or nis) or dynamically created by winbind.
>
> No, currently our users do not have sambaSID values in ldap.
>
>> # pdbedit -Lv someuser
>> [...]
>>
>> Assuming you are not using winbind to allocate uid's and gid's for samba users, your LDAP user entry will eventually look something like
>>
>> [...]
>>
>> Although the login script and network home directory are probably not relevant in a non-DC setup.
>
> We are not using winbind at all currently.
>
> Here is a sample user's ldap data:
>
> dn: uid=tstaff,ou=people,dc=simons-rock,dc=edu
> [...]
> uidNumber: 7391
> [...]
> sambaNTPassword: REDACTED
> sambaPwdLastSet: 1354296936
> userPassword:: REDACTED
Re: [Samba] Samba file server using ldap backend without AD or PDC?

On 2012-11-30 4:01 pm, Gaiseric Vandal wrote:
> So when you run pdbedit -Lv for a user, is the Unix user name an account in ldap? If that is the case, then you probably just want to have a script that runs through a list of user names and then runs ldapmodify to add the appropriate samba attributes.
>
> In theory you can use pdbedit to export the data, then change the backend, then import it back. I found that didn't quite work. I had originally used nis backend for unix accounts and TDB backend for samba. I moved from NIS to LDAP for unix accounts. Then when I added a BDC I moved the samba data into ldap. I had used smbpasswd to dump the data to a text file, then wrote a perl script to parse the file into user name, samba SID, and samba password and then rewrite it into an ldapmodify ldif file. I used this file to update the existing LDAP accounts.
>
> You MAYBE can use smbpasswd or pdbedit to create the samba accounts in LDAP but I suspect that either it won't preserve the existing password OR it may refuse to create the account.

Here is the output for that same user when I do a pdbedit. The unix username is being pulled from ldap.

pdbedit -Lv testaff
Unix username:        testaff
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2531268310-2106678637-3833209162-15782
Primary Group SID:    S-1-5-21-2531268310-2106678637-3833209162-513
Full Name:            Test Staff
Home Directory:       \\elephant\testaff
HomeDir Drive:
Logon Script:
Profile Path:         \\elephant\testaff\profile
Domain:               ELEPHANT
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Fri, 27 Jun 2008 16:50:45 EDT
Password can change:  Fri, 27 Jun 2008 16:50:45 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF

Worth a try I guess. As it is, I'm planning on totally scrapping this existing samba file server when we move to using ldap passwords. The only things that need to carry over are the files on the file server itself.

I'm totally fine with not using any of the data that is in tdb currently. Is there a way to autogenerate the samba SID (since I don't necessarily need the one that is being used in my current samba file server) and whatever other samba fields might be needed for all of my existing ldap accounts?
Re: [Samba] Samba file server using ldap backend without AD or PDC?

On 11/30/12 16:11, Brian Gold wrote:
> On 2012-11-30 4:01 pm, Gaiseric Vandal wrote:
>> So when you run pdbedit -Lv for a user, is the Unix user name an account in ldap? If that is the case, then you probably just want to have a script that runs through a list of user names and then runs ldapmodify to add the appropriate samba attributes.
>>
>> In theory you can use pdbedit to export the data, then change the backend, then import it back. I found that didn't quite work. I had originally used nis backend for unix accounts and TDB backend for samba. I moved from NIS to LDAP for unix accounts. Then when I added a BDC I moved the samba data into ldap. I had used smbpasswd to dump the data to a text file, then wrote a perl script to parse the file into user name, samba SID, and samba password and then rewrite it into an ldapmodify ldif file. I used this file to update the existing LDAP accounts.
>>
>> You MAYBE can use smbpasswd or pdbedit to create the samba accounts in LDAP but I suspect that either it won't preserve the existing password OR it may refuse to create the account.
>
> Here is the output for that same user when I do a pdbedit. The unix username is being pulled from ldap.
>
> pdbedit -Lv testaff
> Unix username:        testaff
> NT username:
> Account Flags:        [U          ]
> User SID:             S-1-5-21-2531268310-2106678637-3833209162-15782
> Primary Group SID:    S-1-5-21-2531268310-2106678637-3833209162-513
> [...]
>
> Worth a try I guess. As it is, I'm planning on totally scrapping this existing samba file server when we move to using ldap passwords. The only things that need to carry over are the files on the file server itself.
>
> I'm totally fine with not using any of the data that is in tdb currently. Is there a way to autogenerate the samba SID (since I don't necessarily need the one that is being used in my current samba file server) and whatever other samba fields might be needed for all of my existing ldap accounts?

If you write a script you could probably increment the SID for each entry.

The pdbedit and smbpasswd commands will create all the necessary fields, including automatically creating a unique SID. But I just don't know if it will complain the account already exists. I think it won't complain the account exists (since not all the necessary fields are there) BUT it will probably complain that the account could not be created. I don't think you will know until you test it.