[Samba] Tangential Issue: idmap backend = ad and Active Directory 2008R2

Rue, Randy randyrue at gmail.com
Thu May 31 12:25:01 MDT 2012


Tried single quotes on Domain Admins in the pam.d file as well as a backslash on the space with no effect. I've found several references that just say "no spaces in group names." Is there really no way to do this?

Also, most references I find to using these lines in pam.d say that "sufficient" should work, but I'm finding that users in the named group can then log in with or without their correct password. Do I understand correctly that "sufficient" means "hey, this user is in this group, good enough even if their password is bogus?" What needs to change?

Is this the right forum for these questions?

Randy



-----Original Message-----
From: Randy Rue [mailto:rrue at fhcrc.org] 
Sent: Thursday, May 31, 2012 8:23 AM
To: 'samba at lists.samba.org'
Subject: RE: [Samba] idmap backend = ad and Active Directory 2008R2

I've swapped in my domain name/etc and commented the lines that I believe
don't apply to my environment, if I disabled something necessary please
let me know. Here's the smb.conf I tried:
[global]
        netbios name = HAPPYTOBEHERE
        security = ads
        workgroup = FOO
        realm = FOO.ORG
        password server = dcx.foo.org dcy.foo.org dcz.foo.org
<----I also tried it with a single DC entry
        preferred master = no
        encrypt passwords = yes
        kerberos method = secrets only

# general options
#        vfs objects = shadow_copy2 fileid gpfs
#        unix extensions = no
#        mangled names = no
#        case sensitive = no
#        map untrusted to domain = yes
        deadtime = 0
        log level = 1
        log file = /var/log/samba/%I.log
        max log size = 100
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
SO_REUSEADDR SO_KEEPALIVE

# store DOS attributes in extended attributes (vfs_gpfs then stores them
in the file system)
#        ea support = yes
#        store dos attributes = yes
#        map readonly = no
#        map archive = no
#        map system = no

# the ctdb clustering and GPFS stuff
#        clustering = yes
#        ctdbd socket = /tmp/ctdb.socket
#        fileid : algorithm = fsname
#        gpfs : sharemodes = yes
#        gpfs : winattr = yes
#        force unknown acl user = yes
#        nfs4 : mode = special
#        nfs4 : chown = no
#        nfs4 : acedup = merge

# enable shadow copies
#        shadow : snapdir = /happytobehere/.snapshots
#        shadow : basedir = /happytobehere
#        shadow : fixinodes = yes

# silence warnings about CUPS 
#        printing = bsd
#        printcap name = /etc/printcap
#        load printers = yes
        cups options = raw

# stuff necessary for guest logins to work where required
#        guest account = nobody
#        map to guest = bad user

# fake the dfree information to match the fileset quota if it exists
#        dfree cache time = 15
#        dfree command = /var/lib/samba/scripts/mmdfree

# deal with NSS and the whole UID/SID id mapping stuff
        idmap backend = tdb
        idmap uid = 2000000 - 2999999 
        idmap gid = 2000000 - 2999999
        idmap config FOO : backend = ad
        idmap config FOO : schema_mode = rfc2307
        idmap config FOO : readonly = yes
        idmap config FOO : range = 500 - 1999999
        idmap cache time = 604800
        idmap negative cache time = 20
        winbind cache time = 600
        winbind nss info = rfc2307
        winbind expand groups = 2
        winbind nested groups = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind offline logon = false

Here's /etc/pam.d/password-auth-ac if that helps:
[root at happytobehere samba]# cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_succeed_if.so user ingroup
adm_it_sops_lessadmins_mod
auth        sufficient    pam_succeed_if.so user ingroup "domain admins"
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     sufficient      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

[BTW, when this does work I still see errors in syslog about accounts I
know are Domain Admins still not being recognized as members of the group
"domain," do I need to do something else to escape that space in the group
name? Maybe a backslash?]

And here's what syslog sees for an attempt via SSH:
May 31 08:11:54 happytobehere sshd[12713]: Invalid user should_work from
www.xxx.yyy.zzz May 31 08:11:54 happytobehere sshd[12716]:
input_userauth_request: invalid user should_work May 31 08:12:01
happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving
information about user should_work May 31 08:12:01 happytobehere
sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about
user should_work May 31 08:12:01 happytobehere sshd[12713]:
pam_unix(sshd:auth): check pass; user unknown May 31 08:12:01
happytobehere sshd[12713]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=machineX.foo.org May 31
08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error
retrieving information about user should_work May 31 08:12:03
happytobehere sshd[12713]: Failed password for invalid user should_work
from www.xxx.yyy.zzz port 51602 ssh2 May 31 08:12:06 happytobehere
sshd[12716]: Received disconnect from www.xxx.yyy.zzz: 13: Unable to
authenticate


Grateful for you help...

Randy Rue


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Jonathan Buzzard
Sent: Thursday, May 31, 2012 5:36 AM
To: samba at lists.samba.org
Subject: Re: [Samba] idmap backend = ad and Active Directory 2008R2

This is a working smb.conf CentOS 6.2 latest aka 3.5.10-116.el6_2.x86_6
configuration against a Windows 2008R2 domain. Note we are using GPFS as
our underlying file system and CTDB. All I have changed is the names

[global]
        netbios name = NEMO
        security = ads
        workgroup = MYDOMAIN
        realm = MYDOMAIN.MEGACORP.COM
        password server = *
        preferred master = no
        encrypt passwords = yes
        kerberos method = secrets only

# general options
        vfs objects = shadow_copy2 fileid gpfs
        unix extensions = no
        mangled names = no
        case sensitive = no
        map untrusted to domain = yes
        deadtime = 0
        log level = 1
        log file = /var/log/samba/%I.log
        max log size = 100
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
SO_REUSEADDR SO_KEEPALIVE

# store DOS attributes in extended attributes (vfs_gpfs then stores them
in the file system)
        ea support = yes
        store dos attributes = yes
        map readonly = no
        map archive = no
        map system = no

# the ctdb clustering and GPFS stuff
        clustering = yes
        ctdbd socket = /tmp/ctdb.socket
        fileid : algorithm = fsname
        gpfs : sharemodes = yes
        gpfs : winattr = yes
        force unknown acl user = yes
        nfs4 : mode = special
        nfs4 : chown = no
        nfs4 : acedup = merge

# enable shadow copies
        shadow : snapdir = /nemo/.snapshots
        shadow : basedir = /nemo
        shadow : fixinodes = yes

# silence warnings about CUPS 
        printing = bsd
        printcap name = /etc/printcap
        load printers = yes
        cups options = raw

# stuff necessary for guest logins to work where required
        guest account = nobody
        map to guest = bad user

# fake the dfree information to match the fileset quota if it exists
        dfree cache time = 15
        dfree command = /var/lib/samba/scripts/mmdfree

# deal with NSS and the whole UID/SID id mapping stuff
        idmap backend = tdb
        idmap uid = 2000000 - 2999999 
        idmap gid = 2000000 - 2999999
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : readonly = yes
        idmap config MYDOMAIN : range = 500 - 1999999
        idmap cache time = 604800
        idmap negative cache time = 20
        winbind cache time = 600
        winbind nss info = rfc2307
        winbind expand groups = 2
        winbind nested groups = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind offline logon = false

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


More information about the samba mailing list