Re: [Samba] TLS between winbind and openldap

2013-08-07 Thread thierry DeTheGeek
Hi
No, I did not try LDAPS because it is deprecated. That's why I tried
StartTLS. I had far more headaches when searching for idmap-related
configuration.

I found a workaround before you answered me, which seems to be working
(see my previous message). However, I'd rather not use environment
variables, if possible. I need some more time to validate it.
I disabled /root/ldaprc and replaced these settings by environment
variables as described in the ldap.conf(5) manpage.

Environment Variables

LDAPNOINIT          disable all defaulting
LDAPCONF            path of a configuration file
LDAPRC              basename of ldaprc file in $HOME or $CWD
LDAP<option-name>   Set <option-name> as from ldap.conf
The environment variables are exported from /etc/default/winbind :

# Winbind configuration
#WINBINDD_OPTS=-n
export LDAPTLS_CERT=/etc/ssl/certs/omv-domain-local.crt
export LDAPTLS_KEY=/etc/ssl/private/omv-domain-local.key


I reproduced for you the broken configuration in order to show logs from
openLDAP and winbind.

Here is the log from Winbind when I run it from the command line (SID
obfuscated). The mapping is initiated by wbinfo -i user

root@omv:~# winbindd -i -d idmap:10
winbindd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
initialize_winbindd_cache: clearing cache and re-creating with version
number 1
[LDAP] ldap_build_search_req ATTRS: currentTime
[LDAP] ldap_build_search_req ATTRS: supportedSASLMechanisms
[LDAP] ldap_build_search_req ATTRS: highestCommittedUSN
[LDAP] ldap_build_search_req ATTRS: *
idmap_sid_to_uid: sid = [S-1-5-21-2758072649-2694028996-xx-1116],
domain = ''
idmap_backends_sid_to_unixid: domain = '', sid =
[S-1-5-21-2758072649-2694028996-xx-1116]
idmap_find_domain called for domain ''
idmap_init_default_domain: calling static_init_idmap
calling idmap_tdb_init
Successfully added idmap alloc backend 'tdb'
Successfully added idmap backend 'tdb'
Successfully added idmap backend 'passdb'
Successfully added idmap backend 'nss'
idmap_init: using 'ldap' as remote backend
idmap backend ldap not found
Successfully added idmap alloc backend 'ldap'
Successfully added idmap backend 'ldap'
Filter:
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-2758072649-2694028996-xx-1116))]
[LDAP] ldap_build_search_req ATTRS: supportedControl
[LDAP] ldap_build_search_req ATTRS: sambaSID uidNumber gidNumber objectClass
Mapped S-1-5-21-2758072649-2694028996-xx-1116 - 16777217 (1)
idmap_sid_to_gid: sid = [S-1-5-21-2758072649-2694028996-xx-513],
domain = ''
idmap_backends_sid_to_unixid: domain = '', sid =
[S-1-5-21-2758072649-2694028996-xx-513]
idmap_find_domain called for domain ''
Filter:
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-2758072649-2694028996-xx-513))]
[LDAP] ldap_build_search_req ATTRS: sambaSID uidNumber gidNumber objectClass
Mapped S-1-5-21-2758072649-2694028996-xx-513 - 16777216 (2)

As you can see, this is working like a charm.


Here are the logs from winbind and openLDAP when winbind runs as a service.
The mapping is initiated by wbinfo -i user.
I changed /etc/default/winbind to show logs:
root@omv:~# cat /etc/default/winbind
# Winbind configuration
WINBINDD_OPTS=-d idmap:10 -i

root@omv:~# service winbind start
Starting the Winbind daemon: winbindwinbindd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
initialize_winbindd_cache: clearing cache and re-creating with version
number 1
[LDAP] ldap_build_search_req ATTRS: currentTime
[LDAP] ldap_build_search_req ATTRS: supportedSASLMechanisms
[LDAP] ldap_build_search_req ATTRS: highestCommittedUSN
[LDAP] ldap_build_search_req ATTRS: *
idmap_sid_to_uid: sid = [S-1-5-21-2758072649-2694028996-xx-1116],
domain = ''
idmap_backends_sid_to_unixid: domain = '', sid =
[S-1-5-21-2758072649-2694028996-xx-1116]
idmap_find_domain called for domain ''
idmap_init_default_domain: calling static_init_idmap
calling idmap_tdb_init
Successfully added idmap alloc backend 'tdb'
Successfully added idmap backend 'tdb'
Successfully added idmap backend 'passdb'
Successfully added idmap backend 'nss'
idmap_init: using 'ldap' as remote backend
idmap backend ldap not found
Successfully added idmap alloc backend 'ldap'
Successfully added idmap backend 'ldap'
Filter:
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-2758072649-2694028996-xx-1116))]
[LDAP] TLS: can't connect: Error in the push function..
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
[LDAP] TLS: can't connect: Error in the push function..
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 2 try!
[LDAP] TLS: can't connect: Error in the push function..
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 3 try!
[...continues until timeout...]

To have more details, I have to show the logs from openLDAP produced at the
same time:

root@omv:~# slapd -d 1

Re: [Samba] TLS between winbind and openldap

2013-08-06 Thread thierry DeTheGeek
Hi,

I found a possible workaround to my issue myself. It seems to be working.

After reading one more time about ldap.conf I tried to export environment
variables to set my private key and my certificate.

This seems to be working on both debian 6 and debian 7:

I commented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that
winbind cannot work with OpenLDAP in debug mode, as expected.

I edited /etc/defaults/winbind and added the following lines

export LDAPTLS_CERT=/etc/ssl/certs/omv-domain-local.crt
export LDAPTLS_KEY=/etc/ssl/private/omv-domain-local.key

I restarted winbind with the command line service winbind restart. Now
wbinfo -i user is working and I get a uid for the user.

I will check further to ensure there is no more related issue.



2013/8/5 thierry DeTheGeek detheg...@gmail.com

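The check implied by both of thierry's messages above (root's /root/ldaprc is read in an interactive shell but not by the daemon, so the client certificate has to be exported from /etc/default/winbind), written out as an added example that is not part of the thread: a POSIX sh script that sources a defaults file the way the init script would and reports whether winbindd would actually inherit LDAPTLS_CERT and LDAPTLS_KEY. The function names, the minimal PATH and the ldapsearch probe are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. winbindd started by the init script does
# not inherit root's interactive environment (HOME is not /root, so /root/ldaprc
# is never read); on Debian the init script sources /etc/default/winbind, so the
# LDAPTLS_* variables from ldap.conf(5) have to be *exported* there. These
# functions source a defaults file in an init-like empty environment and report
# what the daemon would actually see. Assumes POSIX sh, env(1), sed and grep.

# Print the LDAPTLS_* variables exported by the defaults file, as seen from a
# minimal environment (HOME=/, like a boot-time init script). A plain
# "LDAPTLS_KEY=..." without "export" is deliberately absent from the output,
# because winbindd would never inherit it. Pass an absolute path.
daemon_ldaptls_env() {
    env -i HOME=/ PATH=/usr/sbin:/usr/bin:/sbin:/bin \
        sh -c '. "$1" >/dev/null 2>&1; env | grep "^LDAPTLS_"' sh "$1"
}

# Return 0 when LDAPTLS_CERT and LDAPTLS_KEY are both exported and point to
# readable files; otherwise explain what is wrong and return 1.
check_ldaptls() {
    defaults_file=$1
    status=0
    for var in LDAPTLS_CERT LDAPTLS_KEY; do
        value=$(daemon_ldaptls_env "$defaults_file" | sed -n "s/^$var=//p")
        if [ -z "$value" ]; then
            echo "$var is not exported by $defaults_file; winbindd will not see it"
            status=1
        elif [ ! -r "$value" ]; then
            echo "$var=$value is not a readable file"
            status=1
        fi
    done
    # The client private key should not be world-readable; warn, do not fail.
    key=$(daemon_ldaptls_env "$defaults_file" | sed -n 's/^LDAPTLS_KEY=//p')
    if [ -n "$key" ] && [ -r "$key" ]; then
        case $(ls -l "$key" | cut -c8-10) in
            *r*) echo "warning: $key is world-readable" ;;
        esac
    fi
    return $status
}

# Optional live probe (needs ldap-utils): run the StartTLS handshake exactly as
# the daemon would. -ZZ makes ldapsearch fail if StartTLS cannot be established,
# which corresponds to the "Failed to issue the StartTLS instruction" in the
# winbind log above. "1.1" requests no attributes, so only the handshake matters.
daemon_starttls_probe() {
    env -i HOME=/ PATH=/usr/sbin:/usr/bin:/sbin:/bin \
        sh -c '. "$1" >/dev/null 2>&1; ldapsearch -ZZ -x -H "$2" -b "" -s base 1.1' \
        sh "$1" "$2"
}

# Example use (paths from the thread):
#   check_ldaptls /etc/default/winbind \
#     && daemon_starttls_probe /etc/default/winbind ldap://omv.domain.local
```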

Re: [Samba] TLS between winbind and openldap

2013-08-06 Thread Gaiseric Vandal
Did you try using LDAPS (LDAP over SSL, typically on port 636)? I
can't speak specifically about it with winbind BUT I have found that in
other situations LDAPS creates fewer headaches with CA cert issues.




On 08/06/13 05:27, thierry DeTheGeek wrote:


[Samba] TLS between winbind and openldap

2013-08-05 Thread thierry DeTheGeek
Hi,

I'm working hard to set up winbind and openLDAP to work together with TLS.

My network contains:
- a windows server 2008 R2 domain controller
- a debian 6 based file server (openmediavault v0.4) running OpenLDAP
2.4.23 and Samba v3.5.6
- a debian 7 computer running winbind 3.6.6

I want to let OpenLDAP store the SID = uid/gid mapping to ensure constant uid
and gid for users on all Linux-based computers and then use both CIFS and
NFS.

I'm trying to solve my issue on openmediavault (debian 6) only for now,
because I get the exact same issue when trying to establish communication
between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).

I created a self-signed certificate authority with openssl and created a
private key and a certificate for the file server. I used the same
certificate authority to create another key and certificate for my debian
7 computer.

OpenLDAP uses its key and is configured to check client certificates.
winbind on the same computer uses the same key and certificate to
communicate with openLDAP and is configured to check openLDAP's
certificate.

When running winbind in interactive debug mode everything is running fine
and wbinfo -i user is able to allocate a uid to the user. Another try
shows the uid assigned is effectively retrieved from openLDAP. The command
line I'm using to test winbind is: winbindd -F -i -d idmap:10. I tried
also to run openLDAP in debug mode with the command line slapd -d 1.

The logs produced show that openLDAP and winbind work together with
encryption in both directions.

When I run the winbind daemon with the command line service winbind start, the
TLS connection cannot be initiated and I cannot allocate a uid to any user
using wbinfo -i user.

Let's see the configuration files (domain name obfuscated):

##cn=config.ldif

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
creatorsName: cn=config
createTimestamp: 20130803105505Z
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
olcTLSVerifyClient: demand
entryCSN: 20130803125708.704922Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20130803125708Z

##smb.conf
#=== Global Settings ===
[global]
workgroup = DOMAIN
server string = %h server
include = /etc/samba/dhcp.conf
dns proxy = no
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = no
null passwords = no
local master = yes
time server = no
wins support = no
password server = *
realm = DOMAIN.LOCAL
security = ads
allow trusted domains = no

;
; samba 3.5.6 idmap configuration
;

idmap backend = ldap:ldap://omv.domain.local
ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
ldap idmap suffix = ou=Idmap
ldap suffix = dc=domain,dc=local
ldap ssl = start tls
ldap debug level = 4
ldap debug threshold = 1

idmap uid = 16777216-5000
idmap gid = 16777216-5000
idmap config * : backend = ldap
idmap config * : ldap_url = ldap://omv.domain.local
idmap config * : ldap_anon = no
idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local
idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
idmap config * : range = 16777216-5000

idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://omv.domain.local
idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local
idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local

winbind use default domain = true
winbind offline logon = false

; disable enum users/groups on medium or large organization (affects performance)
; if disabled this will disable domain users/groups enumeration with getent
winbind enum users = yes
winbind enum groups = yes

winbind separator = /
winbind nested groups = yes
;winbind normalize names = yes
winbind refresh tickets = yes
;template primary group = users
template shell = /bin/bash
template homedir = /home/%D/%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
client use spnego = yes

#=== Share Definitions ===
#=== Home