[Samba] samba3 and heimdal: both using ldap as backends

Gémes Géza geza at kzsdabas.sulinet.hu
Sat Mar 18 16:54:58 GMT 2006


Andreas Hasenack wrote:

>samba-3.0.21c, heimdal-0.7.2
>
>The heimdal documentation[1] talks about a samba integration when both
>samba and heimdal are using ldap as their backends. I quote:
>
>"Now you can proceed as in See Using LDAP to store the database. Heimdal
>will pick up the Samba LDAP entries if they are in the same search space
>as the Kerberos entries."
>
>There is absolutely no further documentation.
>I tried with this tree:
>
>dc=mycnc,dc=com
>ou=People,dc=mycnc,dc=com
>
>heimdal is configured to use ou=people (I also tried with
>ou=KerberosPrincipals), where I already have some entries.
>
>My goal is to use only one password to avoid the
>sambaNTPassword/userPassword/kerberos mess (three passwords). I was
>under the impression that this setup should get me that.
>
>If I add a principal with a name that is already in ou=people as a posix
>and samba account, I get this:
>(...)
>joao@MYCNC.COM's Password:
>Verifying - joao@MYCNC.COM's Password:
>kadmin: kadm5_create_principal: ldap_search_s: No such object
>kadmin: adding joao: Principal or policy already exists
>
>The ldap logs show these queries (first column is the number of entries returned):
>1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default@MYCNC.COM))"
>0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
>1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default@MYCNC.COM))"
>0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
>0 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=joao@MYCNC.COM))"
>1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))"
>
>A few questions:
>a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com? That's
>the binddn after authz-regexp;
>
>b) It found my user's entry (last search), why doesn't it add the kerberos attributes
>to it? Or, better yet, what is supposed to be happening?
>
>
>If I run kadmin to add an user that doesn't exist with
>posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created,
>which samba doesn't see.
>
My config:

Debian Sarge
with:
heimdal 0.7.1-3.1 from testing rebuilt on sarge
libsasl2 2.1.19-1.9 from testing rebuilt on sarge
slapd 2.2.23-8 from sarge

slapd.conf:

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/hdb.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        256

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# SASL related options

sasl-realm example.net
sasl-host devel.example.net
sasl-authz-policy both

sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth"
        "cn=admin,dc=example,dc=net"

sasl-regexp uid=(.*),cn=example.net,cn=gssapi,cn=auth
        ldap:///dc=example,dc=net??sub?uid=$1

sasl-regexp uid=(.*),cn=example.net,cn=gssapi,cn=auth
        ldap:///dc=example,dc=net??sub?uid=$1

sasl-secprops minssf=0

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=example,dc=net"

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index           objectClass,uid,krb5PrincipalName,cn eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only


access to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=net" write
        by dn="uid=root,ou=users,dc=example,dc=net" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=example,dc=net" write
        by dn="cn=admin,dc=example,dc=net" write
        by dn="uid=root,ou=users,dc=example,dc=net" write
        by * read


my hdb.schema:

# $Id: hdb.schema,v 1.3 2000/02/22 21:51:53 lukeh Exp $
# Definitions for a Kerberos V KDC schema
# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
#
# Syntaxes are under 1.3.6.1.4.1.5322.10.0
# Attributes types are under 1.3.6.1.4.1.5322.10.1
# Object classes are under 1.3.6.1.4.1.5322.10.2

# Syntax definitions

#krb5KDCFlagsSyntax SYNTAX ::= {
#   WITH SYNTAX            INTEGER
#--        initial(0),             -- require as-req
#--        forwardable(1),         -- may issue forwardable
#--        proxiable(2),           -- may issue proxiable
#--        renewable(3),           -- may issue renewable
#--        postdate(4),            -- may issue postdatable
#--        server(5),              -- may be server
#--        client(6),              -- may be client
#--        invalid(7),             -- entry is invalid
#--        require-preauth(8),     -- must use preauth
#--        change-pw(9),           -- change password service
#--        require-hwauth(10),     -- must use hwauth
#--        ok-as-delegate(11),     -- as in TicketFlags
#--        user-to-user(12),       -- may use user-to-user auth
#--        immutable(13)           -- may not be deleted
#   ID                     { 1.3.6.1.4.1.5322.10.0.1 }
#}

#krb5PrincipalNameSyntax SYNTAX ::= {
#   WITH SYNTAX            OCTET STRING
#-- String representations of distinguished names as per RFC1510
#   ID                     { 1.3.6.1.4.1.5322.10.0.2 }
#}

# Attribute type definitions
attributetype ( 1.3.6.1.4.1.5322.10.1.1
        NAME 'krb5PrincipalName'
        DESC 'The unparsed Kerberos principal name'
        EQUALITY caseExactIA5Match
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.5322.10.1.2
        NAME 'krb5KeyVersionNumber'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.3
        NAME 'krb5MaxLife'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.4
        NAME 'krb5MaxRenew'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.5
        NAME 'krb5KDCFlags'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.6
        NAME 'krb5EncryptionType'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.7
        NAME 'krb5ValidStart'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )
#       ORDERING generalizedTimeOrderingMatch


attributetype ( 1.3.6.1.4.1.5322.10.1.8
        NAME 'krb5ValidEnd'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )
#       ORDERING generalizedTimeOrderingMatch

attributetype ( 1.3.6.1.4.1.5322.10.1.9
        NAME 'krb5PasswordEnd'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )
#       ORDERING generalizedTimeOrderingMatch

# this is temporary; keys will eventually
# be child entries or compound attributes.
attributetype ( 1.3.6.1.4.1.5322.10.1.10
        NAME 'krb5Key'
        DESC 'Encoded ASN1 Key as an octet string'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 1.3.6.1.4.1.5322.10.1.11
        NAME 'krb5PrincipalRealm'
        DESC 'Distinguished name of krb5Realm entry'
        SUP distinguishedName )

attributetype ( 1.3.6.1.4.1.5322.10.1.12
        NAME 'krb5RealmName'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

# Object class definitions

objectclass ( 1.3.6.1.4.1.5322.10.2.1
        NAME 'krb5Principal'
        SUP top
        AUXILIARY
        MUST ( krb5PrincipalName )
        MAY ( cn $ krb5PrincipalRealm ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.2
        NAME 'krb5KDCEntry'
        SUP krb5Principal
        AUXILIARY
        MUST ( krb5KeyVersionNumber )
        MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $
              krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $
              krb5EncryptionType $ krb5Key ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.3
        NAME 'krb5Realm'
        SUP top
        AUXILIARY
        MUST ( krb5RealmName ) )

my slapd also listens at /var/run/ldapi

my krb5.conf:

[libdefaults]
        default_realm = EXAMPLE.NET
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = false

[realms]
EXAMPLE.NET = {
        kdc = kdc.example.net
        admin_server = kdc.example.net
}

[domain_realm]
	.example.net = EXAMPLE.NET

[login]
        krb4_convert = true
        krb4_get_tickets = true

[kdc]
        database = {
# The first dbname is used for the realm init, then change to the second.
#               dbname = ldap:ou=KerberosPrincipals,dc=example,dc=net
                dbname = ldap:dc=example,dc=net
        }



An example ldif:

dn: uid=test,ou=users,dc=example,dc=net
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
sn: Account
userPassword: {SASL}test@EXAMPLE.NET
displayName: Account
gidNumber: 4
loginShell: /bin/bash
gecos: Account
shadowLastChange: 13555
shadowMax: 60
shadowWarning: 7
shadowInactive: 30
sambaSID: S-1-5-21-...
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXREMOVEDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXREMOVEDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdMustChange: 1173725355
sambaPwdLastSet: 1080799858
sambaLogonTime: 2147483647
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1080799858
sambaAcctFlags: [U          ]
sambaPrimaryGroupSID: S-1-5-21-...
uidNumber: 1000
cn: Account
cn: test
mail: test@example.net
uid: test
homeDirectory: /home/test
krb5PrincipalName: test


Hope that it helps.

I've also switched dbname temporarily to ou=services,...
to create a few host/... like accounts, then switched it back, then
copied the existing ones and changed the password under kadmin.

Regards,

Geza
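An added example, not from Geza's post: a small Python model of how slapd evaluates the three "access to" clauses in the slapd.conf above (first clause whose target matches wins, then the first matching "by" clause, with an implicit "by * none"), so you can check that anonymous and other users' binds cannot read sambaNTPassword/sambaLMPassword/krb5Key/userPassword, and see what happens if the attrs clause is placed after "access to *". The bind DNs used in the checks are constructed; the rules are copied from the posted config.

```python
# Added example, not from the post: a model of how slapd evaluates Geza's three
# "access to" clauses (first matching clause wins, then first matching "by",
# with an implicit "by * none"), to check who can read password hashes/keys.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ADMIN = "cn=admin,dc=example,dc=net"
ROOT = "uid=root,ou=users,dc=example,dc=net"

ACL = [
    # access to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword
    {"attrs": {"userPassword", "krb5Key", "sambaNTPassword", "sambaLMPassword"},
     "by": [("dn", ADMIN, "write"), ("dn", ROOT, "write"),
            ("anonymous", None, "auth"), ("self", None, "write"),
            ("*", None, "none")]},
    # access to dn.base="" by * read  (rootDSE, e.g. supportedSASLMechanisms)
    {"dn_base": "", "by": [("*", None, "read")]},
    # access to *
    {"attrs": None,
     "by": [("dn", ADMIN, "write"), ("dn", ROOT, "write"), ("*", None, "read")]},
]

def target_matches(rule, entry_dn, attr):
    # Does this 'access to' clause cover the entry/attribute at all?
    if "dn_base" in rule:
        return entry_dn == rule["dn_base"]
    return rule["attrs"] is None or attr in rule["attrs"]

def subject_matches(kind, who, bind_dn, entry_dn):
    # Does a 'by' clause cover the bound identity? (bind_dn None = anonymous)
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn is None
    if kind == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    return bind_dn is not None and bind_dn.lower() == who.lower()  # kind "dn"

def granted(bind_dn, entry_dn, attr, acl=ACL):
    # Level slapd grants: the first clause whose target matches decides.
    for rule in acl:
        if target_matches(rule, entry_dn, attr):
            for kind, who, level in rule["by"]:
                if subject_matches(kind, who, bind_dn, entry_dn):
                    return level
            return "none"  # implicit 'by * none' at the end of the clause
    return "none"

def allowed(bind_dn, entry_dn, attr, need, acl=ACL):
    # True if the granted level is at least what the operation needs.
    return LEVELS.index(granted(bind_dn, entry_dn, attr, acl)) >= LEVELS.index(need)
```

Passing `acl=ACL[::-1]` (the attrs clause after "access to *") makes anonymous reads of sambaNTPassword succeed, which is why the attrs clause has to stay first in the file.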

