[Samba] Domain trusts in samba3 with openLDAP

John H Terpstra jht at samba.org
Wed Jun 11 22:35:24 GMT 2008


On Wednesday 11 June 2008 17:14:43 Charlie wrote:
> The Samba Team does not support a unified AAAA system backing multiple
> domains controlled by samba at this time (even though that's arguably
> the Holy Grail of corporate computing). You have to roll your own.
> Here's how I did it (with much help from several members of the Samba
> Team, gratefully appreciated):
>
> WARNING THIS IS A HACK.  IF YOU ARE READING THIS AFTER 2008-06-15 IT
> MAY BE OBSOLETE BY NOW.  DO NOT PROPAGATE THIS FOREVER AS FOLK WISDOM.
>  Thanks.

Charlie:   Thanks for posting this. 


Everyone:

Please note the above proviso - DO NOT PROPAGATE THIS AS FOLKLORE!!!!!!

I promised a few people I will update the Samba3-HOWTO documentation on 
Interdomain trusts.  Before doing so, I'd like to obtain feedback from others 
regarding their experiences and practices in establishing interdomain trusts 
with Samba3 releases that are more recent than 3.0.20.

If anyone is willing to provide background info, this will be most 
appreciated.  If you regard your information as too confidential for a public 
list, please contact me off-list at jht at samba.org - I will anonymize and 
document _AND_ report back on this mailing list.

Cheers,
John T.

> First of all, you need a working WINS architecture.  This is harder
> than it sounds but not too hard.
>
>   #1  Shut down samba
>   #2  Turn off port 445 in smb.conf
>   #3  configure each of your PDCs to be a WINS server
>   #4  edit wins.dat with a unix text editor adding records for each remote
> PDC
>
> "DOMAIN_B#1b" 0 ip.ad.dr.ess 66R
> "DOMAIN_B#1c" 0 ip.ad.dr.ess 66R
> "DOMAIN_B#1d" 0 ip.ad.dr.ess 66R
> "DOMAIN_B#1e" 0 ip.ad.dr.ess 66R
> "DOMAIN_B#00" 0 ip.ad.dr.ess 66R
>   (etc. etc. etc. for all non-local domains and PDC addresses)
>
>   #5 turn samba back on
>   #6 use "net cache list", "net cache add" and "net cache del" to fix
> any problems
>
> I have been unable to establish interdomain trusts without WINS
> working.  Period.
>
> OK, now you need to run winbind (smbd and nmbd used to be able to do
> this stuff without winbind, but not any more) and more importantly you
> need to strongly segregate your LDAP container objects.
>
> You see, when you try to establish an interdomain trust, samba no
> longer allows you to specify the name of the account that must exist
> on the remote PDC.  The name of that trust *must* be the name of the
> requesting domain.  This works fine until you have more than two
> domains, at which point it completely breaks down, because the trust
> account must have the SID of the local domain and the name of the
> remote domain (draw this out on paper if you don't see why it cannot
> work for more than two domains.)
>
> So, you need to build container objects for each of your domains,
> something like "ou=DOMAIN_A,dc=example,dc=com" and
> "ou=DOMAIN_B,dc=example,dc=com" and put all the machine and domain
> trust accounts into the appropriate container.  Everything in the
> Domain_A container should have a sambaSID attribute that works for
> Domain_A, etc. and so forth for Domains B through Z.
>
> Now rig up your idmapping to look across the containers by putting
> this sort of stuff in smb.conf:
>
> # These are the domains we will talk to
> # one of them will be designated the default
>
>         idmap domains = DOMAIN_A DOMAIN_B DOMAIN_C
> #
> # This is the domain that we can write uid/guid maps for
> #
>         idmap alloc backend = ldap
>         idmap alloc config:ldap_base_dn = ou=DOMAIN_A,dc=example,dc=com
>         idmap alloc config:ldap_user_dn = cn=smbd,ou=DOMAIN_A,dc=example,dc=com
>         idmap alloc config:ldap_url     = ldaps://master.ldap.server.example.com/
>         idmap alloc config:range        = 405000 - 409999
> #
> # These are all the domain maps we have read access to
> #
>         idmap config DOMAIN_A:default      = yes
>         idmap config DOMAIN_A:backend      = ldap
>         idmap config DOMAIN_A:ldap_user_dn = cn=smbd,ou=DOMAIN_A,dc=example,dc=com
>         idmap config DOMAIN_A:ldap_base_dn = ou=DOMAIN_A,dc=example,dc=com
>         idmap config DOMAIN_A:ldap_url     = ldap://127.0.0.1/
>         idmap config DOMAIN_A:range        = 405000 - 409999
> #
>         idmap config DOMAIN_B:readonly     = yes
>         idmap config DOMAIN_B:backend      = ldap
>         idmap config DOMAIN_B:ldap_user_dn = cn=smbd,ou=DOMAIN_B,dc=example,dc=com
>         idmap config DOMAIN_B:ldap_base_dn = ou=DOMAIN_B,dc=example,dc=com
>         idmap config DOMAIN_B:ldap_url     = ldap://127.0.0.1/
>         idmap config DOMAIN_B:range        = 415000 - 419999
> #
>         idmap config DOMAIN_C:readonly     = yes
>         idmap config DOMAIN_C:backend      = ldap
>         idmap config DOMAIN_C:ldap_user_dn = cn=smbd,ou=DOMAIN_C,dc=example,dc=com
>         idmap config DOMAIN_C:ldap_base_dn = ou=DOMAIN_C,dc=example,dc=com
>         idmap config DOMAIN_C:ldap_url     = ldap://127.0.0.1/
>         idmap config DOMAIN_C:range        = 425000 - 429999
> #
>
> You're going to have to do this on all the PDCs with appropriate
> modifications (mostly just changing the "readonly" and "default"
> clauses, but also making your "alloc" section match your default
> domain) and then you'll have to set the password for the bind DNs in
> /etc/secrets.tdb using a bunch of "net idmap secret DOMAIN <password>"
> commands and one "net idmap secret alloc <password>".
>
> Then you'll be OK, right?  Not so fast.  Although you have specified
> in your smb.conf file the appropriate container for machine trusts
> ("ldap machine suffix = ou=Windows_Domain_A" for example) the code
> that looks for domain trusts does not use this parameter.  Instead, it
> starts from the top of your tree (as specified by ldap suffix in
> smb.conf) and works down.  If it finds more than one object with the
> name it's looking for it simply breaks, instead of checking to see if
> one of them might be appropriate or using a filter that references the
> sambaSID.  Trust no workee.  You'll need to use ACLs in your
> /etc/openldap/slapd.conf and separate bind DNs for each domain.
>
> At this point I have to caution you against making your LDAP tree too
> tidy.  Many of the LDAP calls being made from samba have a "scope 2"
> parameter on them, at least according to OpenLDAP's logs.  That means
> subtree searches will stop after going 2 levels deep on some calls,
> but perhaps not on others.  You may need to have all your objects
> within 2 levels of the ldap_suffix if you want everything to work
> properly.  I simply put all the samba objects for each domain (other
> than People and Groups, that is) in the domain-specific containers and
> that seems to work.
>
> Also be careful with your ACLs in slapd.conf... ACL processing is
> resource-intensive,  and samba doesn't make particularly efficient
> queries.  You can easily build ACLs that will ruin the performance of
> your LDAP service, possibly causing problems in the *nix name service
> switch entirely outside samba.  Try several different approaches and
> test, test, test.
>
> Once you have an ACL-restricted LDAP tree that lets your samba PDCs
> see only the stuff that is relevant to the local domain (test
> *thoroughly* with ldapsearch) you will be able to establish and
> maintain interdomain trusts for any number of domains.  Or, at least
> four, that's how many I have.
>
> Good luck; I apologize for the sketchiness of this information, but I
> am pressed for time.
> --Charlie
>
> On Mon, Jun 2, 2008 at 9:30 AM, Alex Crow <acrow at integrafin.co.uk> wrote:
> > Hi,
> >
> > I am having the exact same problem as the user quoted below - I have
> > 3.0.28a installed at both ends (I've tried 3.0.30 but that seems to make
> > wbinfo -t fail with "DOMAIN CONTROLLER NOT FOUND" errors). It's a
> > bidirectional trust - the end remote to me works fine but the local end
> > reports as below. wbinfo -u/g fails on both ends with "Error looking up
> > domain users".
> >
> > Here is the relevant part of my smb.conf on the local end:
> >
> > [global]
> > unix charset = LOCALE
> > workgroup = IFA_NET
> > netbios name = PDC
> > interfaces = eth0, lo
> > bind interfaces only = Yes
> > passdb backend = ldapsam:ldap://127.0.0.1
> > username map = /etc/samba/smbusers
> > syslog = 0
> > log file = /var/log/samba/%m
> > max log size = 0
> > smb ports = 139 445
> > name resolve order = wins lmhosts bcast hosts
> > time server = no
> > #printcap name = CUPS
> > show add printer wizard = Yes
> > enable privileges = yes
> > ldap suffix = dc=ifa,dc=net
> > ldap machine suffix = ou=Computers
> > ldap user suffix = ou=People
> > ldap group suffix = ou=Groups
> > ldap idmap suffix = ou=Idmap
> > ldap admin dn = cn=manager,dc=ifa,dc=net
> > ldap ssl = no
> > ldap timeout = 20
> > idmap backend = ldap:ldap://127.0.0.1
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind nested groups = yes
> > winbind trusted domains only = yes
> > winbind use default domain = no
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind cache time = 6000
> > allow trusted domains = yes
> > map acl inherit = Yes
> > ea support = Yes
> > #printing = cups
> > # printer admin = root
> > wins support = yes
> > log level = 3
> > domain logons = yes
> > domain master = yes
> > preferred master = yes
> > logon drive = H:
> > #os level = 35
> > passdb expand explicit = yes
> > add user script = /usr/sbin/smbldap-useradd -m '%u'
> > delete user script = /usr/sbin/smbldap-userdel %u
> > add group script = /usr/sbin/smbldap-groupadd -p '%g'
> > delete group script = /usr/sbin/smbldap-groupdel '%g'
> > add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> > delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> > enable privileges = Yes
> > set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> >
> > and remote:
> > [global]
> > #unix charset = LOCALE
> > workgroup = INTEGRALIFE_NET
> > netbios name = DC
> > interfaces = eth1, lo
> > bind interfaces only = Yes
> > passdb backend = ldapsam:ldap://127.0.0.1
> > logon drive = H:
> > logon home = \\%L\%U
> > logon path = \\%L\%U\profile
> > os level = 33
> > #auth methods = guest sam winbind
> > username map = /etc/samba/smbusers
> > log level = 1
> > syslog = 0
> > log file = /var/log/samba/%m
> > max log size = 0
> > smb ports = 139
> > name resolve order = wins lmhosts bcast hosts
> > time server = Yes
> > printcap name = CUPS
> > show add printer wizard = Yes
> > #add user script = /usr/sbin/smbldap-useradd -m '%u'
> > delete user script = /usr/sbin/smbldap-userdel %u
> > add group script = /usr/sbin/smbldap-groupadd -p '%g'
> > delete group script = /usr/sbin/smbldap-groupdel '%g'
> > add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> > delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> > enable privileges = Yes
> > set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> > add machine script = /usr/sbin/smbldap-useradd -a -w '%u'
> > logon drive = H:
> > domain logons = Yes
> > preferred master = Yes
> > domain master = Yes
> > #wins support = Yes
> > wins server = 192.168.20.137
> > wins proxy = no
> > ldap suffix = dc=integralife,dc=net
> > ldap machine suffix = ou=Computers,ou=Accounts
> > ldap user suffix = ou=People,ou=Accounts
> > ldap group suffix = ou=Groups
> > ldap idmap suffix = ou=Idmap
> > ldap admin dn = cn=Manager,dc=integralife,dc=net
> > ldap ssl = no
> > ldap timeout = 20
> > idmap backend = ldap:ldap://127.0.0.1
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind nested groups = yes
> > winbind use default domain = no
> > winbind trusted domains only = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > allow trusted domains = Yes
> > map acl inherit = Yes
> > ea support = Yes
> > disable spoolss = No
> > printing = cups
> > printer admin = root
> >
> > Any help I can get gratefully received!
> >
> > Thanks
> >
> > Alex
> >
> > On Wed, 2008-05-07 at 16:43 -0400, Charlie wrote:
> >> Greetings Sambistas!
> >>
> >>   I can't seem to get domain trusts to work in both directions.  Details
> >> follow.
> >>
> >>   I have a network running many OSes on four geographically separate
> >> sites with an OpenLDAP authentication backbone.  Desktops are windows
> >> XP authenticating to samba 3.0.25b servers which in turn are
> >> configured to use LDAP.  Our net has been running samba in various
> >> flavors and versions for over ten years, and we have been running
> >> OpenLDAP for about seven years.
> >>
> >>   Each physical site is a separate samba domain but all use the same
> >> LDAP backend data.  All linux samba servers are running 3.0.25b, some
> >> of them using Red Hat native packages on RHEL5 and others using my own
> >> backported RPMs of the same.  HP-UX servers run HP's CIFS9000 product
> >> which is essentially a samba fork.
> >>
> >>   Each samba server has a local LDAP replica and a local slave BIND
> >> DNS server.  PAM, NSS, and samba are all configured for automatic LDAP
> >> failover, this is tested and working.  We use unencrypted LDAP on
> >> 127.0.0.1 as the primary (for speed) and LDAPS to the master server as
> >> secondary (for security).  If I kill the local LDAP daemon samba
> >> continues to work fine, drawing passwords etc. from the master server
> >> over SSL.
> >>
> >>   From the main site, I can do this:
> >>
> >> # net rpc trustdom list  -Udomadmin
> >> Password:
> >>
> >> Trusted domains list:
> >>
> >> LA              S-1-5-21-laSIDredacted
> >> MD             S-1-5-21-mdSIDredacted
> >> MA             S-1-5-21-maSIDredacted
> >> none
> >>
> >> Trusting domains list:
> >>
> >> MAIN             S-1-5-21-LocalSIDredacted
> >> MA                S-1-5-21-maSIDredacted
> >> LA                 S-1-5-21-laSIDredacted
> >> MD                S-1-5-21-mdSIDredacted
> >>
> >> But, from the MD server, if I issue the same command, I get this:
> >>
> >> # net rpc trustdom list -Umdadmin
> >> Password:
> >> Trusted domains list:
> >>
> >> MAIN             S-1-5-21-LocalSIDredacted
> >> MA                S-1-5-21-maSIDredacted
> >> LA                 S-1-5-21-laSIDredacted
> >> none
> >>
> >> Trusting domains list:
> >>
> >> [2008/05/07 16:35:35, 0] utils/net_rpc.c:rpc_trustdom_list(6208)
> >>   Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED
> >>
> >> I have been unable to find anything on the net that details the LDAP
> >> entries for interdomain trust accounts.  I do not know if a single
> >> LDAP dn can be used to establish the trust in both directions or if I
> >> need two for each link in the mesh.  If anyone could post examples of
> >> working LDAP accounts used for interdomain trust purposes I would be
> >> tremendously grateful!
> >>
> >> Thanks,
> >> --Charlie
> >



-- 
John H Terpstra
Samba-Team Member
Phone: +1 (512) 970-0256

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
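Charlie's idmap layout above (one `idmap config` block per domain, exactly one of them `default`, `readonly` on the others, non-overlapping ranges, and an `alloc` section that matches the default domain's container) has to be re-edited on every PDC, which is where it tends to drift. The script below is an added example, not code from the thread, from Charlie, or from Samba: it parses the idmap lines out of an smb.conf and reports the inconsistencies the thread warns about. The two embedded configurations are constructed samples, the first re-joined from the fragment posted above and the second deliberately broken; the per-domain container convention `ou=<DOMAIN>,...` it checks for is the one Charlie describes, and the requirement that the alloc section match the default domain follows his note, so treat both as this script's assumptions rather than Samba rules.

```python
"""Pre-flight consistency check for a multi-domain idmap layout in smb.conf.

Added example (not from the thread or from Samba). It only looks at the
'idmap domains', 'idmap alloc ...' and 'idmap config DOMAIN:...' lines.
"""
import re
from typing import Dict, List, Optional, Tuple

Settings = Dict[str, str]

# Constructed sample: the fragment posted in the thread, abridged for
# DOMAIN_B and DOMAIN_C and with mail-wrapped values re-joined.
SAMPLE_SMB_CONF = """
idmap domains = DOMAIN_A DOMAIN_B DOMAIN_C
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=DOMAIN_A,dc=example,dc=com
idmap alloc config:ldap_user_dn = cn=smbd,ou=DOMAIN_A,dc=example,dc=com
idmap alloc config:ldap_url     = ldaps://master.ldap.server.example.com/
idmap alloc config:range        = 405000 - 409999
idmap config DOMAIN_A:default      = yes
idmap config DOMAIN_A:backend      = ldap
idmap config DOMAIN_A:ldap_user_dn = cn=smbd,ou=DOMAIN_A,dc=example,dc=com
idmap config DOMAIN_A:ldap_base_dn = ou=DOMAIN_A,dc=example,dc=com
idmap config DOMAIN_A:ldap_url     = ldap://127.0.0.1/
idmap config DOMAIN_A:range        = 405000 - 409999
idmap config DOMAIN_B:readonly     = yes
idmap config DOMAIN_B:backend      = ldap
idmap config DOMAIN_B:ldap_base_dn = ou=DOMAIN_B,dc=example,dc=com
idmap config DOMAIN_B:range        = 415000 - 419999
idmap config DOMAIN_C:readonly     = yes
idmap config DOMAIN_C:backend      = ldap
idmap config DOMAIN_C:ldap_base_dn = ou=DOMAIN_C,dc=example,dc=com
idmap config DOMAIN_C:range        = 425000 - 429999
"""

# Constructed sample with three deliberate mistakes: DOMAIN_B is neither
# default nor readonly, its range overlaps DOMAIN_A, and the alloc range
# does not match the default domain.
BROKEN_SMB_CONF = """
idmap domains = DOMAIN_A DOMAIN_B
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=DOMAIN_A,dc=example,dc=com
idmap alloc config:range        = 415000 - 419999
idmap config DOMAIN_A:default      = yes
idmap config DOMAIN_A:backend      = ldap
idmap config DOMAIN_A:ldap_base_dn = ou=DOMAIN_A,dc=example,dc=com
idmap config DOMAIN_A:range        = 405000 - 409999
idmap config DOMAIN_B:backend      = ldap
idmap config DOMAIN_B:ldap_base_dn = ou=DOMAIN_B,dc=example,dc=com
idmap config DOMAIN_B:range        = 409000 - 419999
"""

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
DOMAIN_KEY_RE = re.compile(r"^idmap config ([^:\s]+):(\S+)$", re.IGNORECASE)


def is_yes(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in ("yes", "true", "1")


def parse_range(value: Optional[str]) -> Optional[Tuple[int, int]]:
    """'405000 - 409999' -> (405000, 409999); None if malformed or empty."""
    m = RANGE_RE.match(value or "")
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def parse_idmap(conf: str) -> Tuple[List[str], Settings, Dict[str, Settings]]:
    """Collect the idmap settings; every other smb.conf line is ignored."""
    domains: List[str] = []
    alloc: Settings = {}
    per_domain: Dict[str, Settings] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        lowered = key.lower()
        if lowered == "idmap domains":
            domains = [d.upper() for d in value.split()]
        elif lowered == "idmap alloc backend":
            alloc["backend"] = value
        elif lowered.startswith("idmap alloc config:"):
            alloc[lowered[len("idmap alloc config:"):]] = value
        else:
            m = DOMAIN_KEY_RE.match(key)
            if m:
                per_domain.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return domains, alloc, per_domain


def check_idmap(conf: str) -> List[str]:
    """Return human-readable problems; an empty list means the layout is consistent."""
    domains, alloc, per_domain = parse_idmap(conf)
    problems: List[str] = []
    listed, configured = set(domains), set(per_domain)
    problems += [f"{d}: in 'idmap domains' but has no 'idmap config' block" for d in sorted(listed - configured)]
    problems += [f"{d}: has an 'idmap config' block but is not in 'idmap domains'" for d in sorted(configured - listed)]

    ranges: Dict[str, Tuple[int, int]] = {}
    defaults: List[str] = []
    for d, s in sorted(per_domain.items()):
        if s.get("backend", "").lower() != "ldap":
            problems.append(f"{d}: backend should be ldap")
        rng = parse_range(s.get("range"))
        if rng is None:
            problems.append(f"{d}: missing or malformed range")
        else:
            ranges[d] = rng
        if is_yes(s.get("default")):
            defaults.append(d)
        elif not is_yes(s.get("readonly")):
            problems.append(f"{d}: not the default domain, so it should be readonly = yes")
        # Assumed convention from the thread: one container per domain, ou=<DOMAIN>,...
        if f"ou={d}".lower() not in s.get("ldap_base_dn", "").lower():
            problems.append(f"{d}: ldap_base_dn does not point at the ou={d} container")

    if len(defaults) != 1:
        problems.append(f"expected exactly one default domain, found {len(defaults)}")

    # Ranges sorted by low end: any neighbour starting before the previous high end overlaps.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, r1), (d2, r2) in zip(ordered, ordered[1:]):
        if r2[0] <= r1[1]:
            problems.append(f"ranges of {d1} {r1} and {d2} {r2} overlap")

    # The writable alloc section must describe the same container and range as the default domain.
    if len(defaults) == 1:
        d = defaults[0]
        if alloc.get("backend", "").lower() != "ldap":
            problems.append("alloc backend should be ldap")
        if parse_range(alloc.get("range")) != ranges.get(d):
            problems.append(f"alloc range does not match the range of default domain {d}")
        if alloc.get("ldap_base_dn", "").lower() != per_domain[d].get("ldap_base_dn", "").lower():
            problems.append(f"alloc ldap_base_dn does not match the container of default domain {d}")
    return problems


if __name__ == "__main__":
    for label, conf in (("thread sample", SAMPLE_SMB_CONF), ("broken sample", BROKEN_SMB_CONF)):
        found = check_idmap(conf)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against each PDC's smb.conf before bringing winbind up; the thread sample passes cleanly, while the broken sample reports the missing `readonly`, the overlapping ranges, and the mismatched alloc range. The checks deliberately stop at the file itself: whether the bind DNs in `net idmap secret` and the slapd.conf ACLs actually grant the read and write access each container needs still has to be verified with `ldapsearch`, as Charlie recommends.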

