[Samba] login via Samba 4 LDAP

steve steve at steve-ss.com
Sat Dec 31 14:24:01 MST 2011 

On 12/31/2011 09:39 PM, Gémes Géza wrote:
> 2011-12-31 19:17 keltezéssel, steve írta:
>> On 31/12/11 17:39, steve wrote:
>>> On 31/12/11 16:14, steve wrote:
>>>> On 31/12/11 12:48, Gémes Géza wrote:
>>>>> 2011-12-30 13:21 keltezéssel, steve írta:
>>>>>> On 30/12/11 13:09, steve wrote:
>>>>>>> On 30/12/11 09:38, steve wrote:
>>>>>>>> On 29/12/11 19:14, Gémes Géza wrote:
>>>>>>>>> 2011-12-29 12:56 keltezéssel, steve írta:
>>>>>>>>>> On 29/12/11 11:58, Gémes Géza wrote:
>>>>>>>>>>> 2011-12-29 10:11 keltezéssel, steve írta:
>>>>>>>>>>>> On 29/12/11 10:00, steve wrote:
>>>>>>>>>>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>>>>>>>>>>>> You should create a user in AD for nss-ldap and extract a
>>>>>>>>>>>>>>> keytab
>>>>>>>>>>>>>>> for it
>>>>>>>>>>>>>>> (samba-tool domain exportkeytab --principal=....) and
>>>>>>>>>>>>>>> configure
>>>>>>>>>>>>>>> nss-ldap
>>>>>>>>>>>>>>> to use that keytab for authenticating. Most probably you
>>>>>>>>>>>>>>> aren't
>>>>>>>>>>>>>>> allowed
>>>>>>>>>>>>>>> to bind anonymously to your AD server (you can try with
>>>>>>>>>>>>>>> ldapsearch -x)
>>>>>>>>>>>>>> LDAP works with an anonymous bind. You need the Kerberos
>>>>>>>>>>>>>> keytab for
>>>>>>>>>>>>>> authentication though.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> steve at hh3:~>     ldapsearch -x
>>>>>>>>>>>>> # extended LDIF
>>>>>>>>>>>>> #
>>>>>>>>>>>>> # LDAPv3
>>>>>>>>>>>>> # base<DC=hh3,DC=site>     (default) with scope subtree
>>>>>>>>>>>>> # filter: (objectclass=*)
>>>>>>>>>>>>> # requesting: ALL
>>>>>>>>>>>>> #
>>>>>>>>>>>>>
>>>>>>>>>>>>> # search result
>>>>>>>>>>>>> search: 2
>>>>>>>>>>>>> result: 1 Operations error
>>>>>>>>>>>>> text: 00002020: Operation unavailable without authentication
>>>>>>>>>>>>>
>>>>>>>>>>>>> # numResponses: 1
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I found this usage:
>>>>>>>>>>>>>
>>>>>>>>>>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>>>>>>>>>>
>>>>>>>>>>>>> How can I find my PATH_TO_KEYTAB
>>>>>>>>>>>>> ?
>>>>>>>>>>>>> Thanks
>>>>>>>>>>>> Can't get the syntax right:
>>>>>>>>>>>>
>>>>>>>>>>>>      samba-tool domain exportkeytab  /var/lib/named/master
>>>>>>>>>>>> --principal
>>>>>>>>>>>>
>>>>>>>>>>>> Usage: samba-tool domain exportkeytab<keytab>     [options]
>>>>>>>>>>>>
>>>>>>>>>>>> samba-tool domain exportkeytab: error: --principal option
>>>>>>>>>>>> requires an
>>>>>>>>>>>> argument
>>>>>>>>>>>>
>>>>>>>>>>> samba-tool domain exportkeytab
>>>>>>>>>>> /path/to/the/keytab/file/you/want/to/create/or/update
>>>>>>>>>>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>>
>>>>>>>>>>> Geza
>>>>>>>>>> Tried:
>>>>>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab
>>>>>>>>>> --principal=steve4
>>>>>>>>>>
>>>>>>>>>> restarted samba but:
>>>>>>>>>>
>>>>>>>>>> su steve4
>>>>>>>>>> su: user steve4 does not exist
>>>>>>>>>>
>>>>>>>>>> Am I getting close or should I give up now?!
>>>>>>>>>>
>>>>>>>>>> Steve
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> You still need to configure nss-ldap to do a kerberized bind.
>>>>>>>>> I've found example configurations for nslcd (the daemon part of
>>>>>>>>> nss-ldapd a fork of nss-ldap) at:
>>>>>>>>> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
>>>>>>>>>
>>>>>>>>> http://ubuntuforums.org/archive/index.php/t-1335022.html
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Geza
>>>>>>>> phew. That's a biggie.
>>>>>>>>
>>>>>>>> I have nslcd installed. I've looked at the links and it seems as
>>>>>>>> though I need this in /etc/nslcd.conf
>>>>>>>>
>>>>>>>> uri ldap://127.0.0.1/
>>>>>>>> base dc=hh3,dc=site
>>>>>>>> sasl_mech GSSAPI
>>>>>>>> sasl_realm HH3.SITE
>>>>>>>> krb5_ccname /dont/know
>>>>>>>>
>>>>>>>> It's the krb5_ccname I can't get.
>>>>>>>>
>>>>>>>> I have:
>>>>>>>>    klist
>>>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>>>> Default principal: steve4 at HH3.SITE
>>>>>>>>
>>>>>>>> Valid starting     Expires            Service principal
>>>>>>>> 12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/HH3.SITE at HH3.SITE
>>>>>>>>       renew until 12/31/11 09:27:12
>>>>>>>>
>>>>>>>> The link you gave suggests:
>>>>>>>>
>>>>>>>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>>>>>>>
>>>>>>>> But doesn't say where that came from.
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>>
>>>>>>>> Saludos
>>>>>>>> Steve
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Well, using nslcd, I have finally got through to the Samba 4 LDAP (
>>>>>>>
>>>>>>> getent passwd works and steve4 can finally login
>>>>>>>
>>>>>>> The next bit is this:
>>>>>>>
>>>>>>> getent passwd does not show the home directory:
>>>>>>> steve4:x:3000019:100:steve4::/bin/bash
>>>>>>>
>>>>>>> even though I can see it in the ldap ldif
>>>>>>>
>>>>>>> steve4 gets logged into / but changing to /home/CACTUS/steve4 allows
>>>>>>> him to create and edit files correctly and with the correct
>>>>>>> permissions.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>> Thanks
>>>>>>> Steve.
>>>>>>>
>>>>>> Found it:
>>>>>>
>>>>>> map    passwd homeDirectory    unixHomeDirectory
>>>>>>
>>>>>> so /etc/nslcd.conf looks like this:
>>>>>>
>>>>>> uri ldap://127.0.0.1/
>>>>>> base dc=hh3,dc=site
>>>>>> map    passwd homeDirectory    unixHomeDirectory
>>>>>> sasl_mech GSSAPI
>>>>>> sasl_realm HH3.SITE
>>>>>> krb5_ccname /tmp/krb5cc_0
>>>>>>
>>>>>> Cheers,
>>>>>> Steve
>>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm glad it works now
>>>>> Sorry for the late answer yesterday my ISPs (I have two just to be
>>>>> sure)
>>>>> both decided at the same time to redo the routing of their networks
>>>>> ==>
>>>>> got off-line for most of the day :-(.
>>>>>
>>>>> Happy New Year!
>>>>>
>>>>> Regards
>>>>>
>>>>> Geza
>>>> Hi Geza
>>>> Nearly works. Getent passwd works and su user works from root but
>>>> the user can't login unless he's in a root shell. I think this has
>>>> something to do with pam. I had it working fine this morning until I
>>>> disabled the ldap client in opensuse having thought that it would be
>>>> affecting the process. Now no logins apart from in a root shell. I
>>>> played around with some pam libraries a few weeks ago:
>>>>
>>>> Dec 31 16:09:51 hh3 nslcd[7090]: version 0.7.13 starting
>>>> Dec 31 16:09:51 hh3 nslcd[7090]: accepting connections
>>>> Dec 31 16:09:51 hh3 nslcd[7082]: Starting local LDAP Name Service
>>>> Daemon..done
>>>> Dec 31 16:10:04 hh3 su: (to steve2) steve on /dev/pts/0
>>>> Dec 31 16:10:14 hh3 login[6755]: FAILED LOGIN SESSION FROM /dev/tty1
>>>> FOR steve2, Authentication failure
>>>> Dec 31 16:10:17 hh3 systemd[1]: getty at tty1.service holdoff time
>>>> over, scheduling restart.
>>>> Dec 31 16:10:27 hh3 polkitd(authority=local): nss_ldap: could not
>>>> search LDAP server - Server is unavailable
>>>> Dec 31 16:10:27 hh3 polkitd(authority=local): nss_ldap: reconnecting
>>>> to LDAP server (sleeping 4 seconds)...
>>>> Dec 31 16:10:31 hh3 polkitd(authority=local): nss_ldap: reconnecting
>>>> to LDAP server (sleeping 8 seconds)...
>>>> Dec 31 16:10:39 hh3 polkitd(authority=local): nss_ldap: reconnecting
>>>> to LDAP server (sleeping 16 seconds)...
>>>> Dec 31 16:10:55 hh3 polkitd(authority=local): nss_ldap: reconnecting
>>>> to LDAP server (sleeping 32 seconds)...
>>>> Dec 31 16:11:20 hh3 su: FAILED SU (to steve5) steve on /dev/pts/0
>>>> Dec 31 16:11:27 hh3 polkitd(authority=local): nss_ldap: reconnecting
>>>> to LDAP server (sleeping 64 seconds)...
>>>>
>>>> Am so close on this I feel.
>>>> Any ideas where to look?
>>>>
>>>> Que nos traigan suerte las uvas!!
>>>> Feliz 2012
>>>> Steve
>>> It does seem to be to do with pam:
>>>
>>> Dec 31 17:34:24 hh3 su: pam_unix(su:auth): authentication failure;
>>> logname=steve uid=1000 euid=0 tty=pts/1 ruser=steve rhost=  user=lynn2
>>>
>>> steve is the logged in local user,  lynn2 the samba4/ldap user
>>>
>>> Ahggh!!
>>> Where do I change that?
>>>
>>> Steve
>>>
>> Hi Geza, hi everyone
>>
>> Sorry 2 b such a pain. It was a pam problem. I logged off and could
>> not get back in. Fortunately I could overwrite pam.d with a copy from
>> a working machine that also had ldap.
>>
>> So, its not been easy but that's win 7 domain logons, linux logons and
>> nfs4 file server all from the same Samba 4 box. Is this good enough to
>> join Samba Technical and argue my point about Samba4/rfc2307 for Linux
>> clients? I'll blog my findings anyway. I just don't want to trouble
>> anyone.
>>
>> Steve
>>
>>
>> Steve
>>
> Congrats!
>
> You weren't a pain. We are here to help, and to get helped as well, that
> is called community support (in my experience it works lot more reliable
> than some commercial one).
> IMHO a head-ups about winbind4 in the samba-technical mailing list
> wouldn't hurt.
>
> Happy New Year!
>
> Geza
Thanks for the encouragement and yes, I agree. The support offered here 
is way better than anything you can get commercially. I'll think about 
winbind and what I've done here instead and how I could make my feelings 
felt to the Samba guys. Meanwhile, I bundled together something, mainly 
so that I myself don't miss anything out: 
http://linuxcostablanca.blogspot.com It's not complete and it needs 
tidying up/correcting. . .Maybe a few screenshots. Hopefully it may help 
us argue our case and help others. My closing thought for the year would 
be, 'It serves Windows out of the box. Why not Linux?'

Happy new 2012!

Steve

More information about the samba mailing list