[Samba] TLS between winbind and openldap

thierry DeTheGeek dethegeek at gmail.com
Wed Aug 7 01:50:22 MDT 2013


Hi
No, I did not try LDAPS because it is deprecated. That's why I tried
StartTLS. I had far more headaches when searching for idmap related
configuration.

I found a workaround before you answered me, which seems to be working
(see my previous message). However, I'd rather not use environment
variables, if possible. I need some more time to validate it.
I disabled /root/ldaprc and replaced these settings with environment
variables, as described in the ldap.conf(5) manpage:

Environment Variables
       LDAPNOINIT          disable all defaulting
       LDAPCONF            path of a configuration file
       LDAPRC              basename of ldaprc file in $HOME or $CWD
       LDAP<option-name>   Set <option-name> as from ldap.conf
The environment variables are exported from /etc/default/winbind :

# Winbind configuration
#WINBINDD_OPTS="-n"
export LDAPTLS_CERT="/etc/ssl/certs/omv-domain-local.crt"
export LDAPTLS_KEY="/etc/ssl/private/omv-domain-local.key"


I reproduced for you the broken configuration in order to show logs from
openLDAP and winbind.

Here is the log from Winbind when I run it from the command line (SID
obfuscated). The mapping is initiated by wbinfo -i <user>.

root at omv:~# winbindd -i -d idmap:10
winbindd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
initialize_winbindd_cache: clearing cache and re-creating with version
number 1
[LDAP] ldap_build_search_req ATTRS: currentTime
[LDAP] ldap_build_search_req ATTRS: supportedSASLMechanisms
[LDAP] ldap_build_search_req ATTRS: highestCommittedUSN
[LDAP] ldap_build_search_req ATTRS: *
idmap_sid_to_uid: sid = [S-1-5-21-2758072649-2694028996-xxxxxxxxxx-1116],
domain = ''
idmap_backends_sid_to_unixid: domain = '', sid =
[S-1-5-21-2758072649-2694028996-xxxxxxxxxx-1116]
idmap_find_domain called for domain ''
idmap_init_default_domain: calling static_init_idmap
calling idmap_tdb_init
Successfully added idmap alloc backend 'tdb'
Successfully added idmap backend 'tdb'
Successfully added idmap backend 'passdb'
Successfully added idmap backend 'nss'
idmap_init: using 'ldap' as remote backend
idmap backend ldap not found
Successfully added idmap alloc backend 'ldap'
Successfully added idmap backend 'ldap'
Filter:
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-2758072649-2694028996-xxxxxxxxxx-1116))]
[LDAP] ldap_build_search_req ATTRS: supportedControl
[LDAP] ldap_build_search_req ATTRS: sambaSID uidNumber gidNumber objectClass
Mapped S-1-5-21-2758072649-2694028996-xxxxxxxxxx-1116 -> 16777217 (1)
idmap_sid_to_gid: sid = [S-1-5-21-2758072649-2694028996-xxxxxxxxxx-513],
domain = ''
idmap_backends_sid_to_unixid: domain = '', sid =
[S-1-5-21-2758072649-2694028996-xxxxxxxxxx-513]
idmap_find_domain called for domain ''
Filter:
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-2758072649-2694028996-xxxxxxxxxx-513))]
[LDAP] ldap_build_search_req ATTRS: sambaSID uidNumber gidNumber objectClass
Mapped S-1-5-21-2758072649-2694028996-xxxxxxxxxx-513 -> 16777216 (2)

As you can see, this is working like a charm.


Here are the logs from winbind and openLDAP when winbind runs as a service.
The mapping is initiated by wbinfo -i <user>.
I changed /etc/default/winbind to show logs:
root at omv:~# cat /etc/default/winbind
# Winbind configuration
WINBINDD_OPTS="-d idmap:10 -i"

root at omv:~# service winbind start
Starting the Winbind daemon: winbindwinbindd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
initialize_winbindd_cache: clearing cache and re-creating with version
number 1
[LDAP] ldap_build_search_req ATTRS: currentTime
[LDAP] ldap_build_search_req ATTRS: supportedSASLMechanisms
[LDAP] ldap_build_search_req ATTRS: highestCommittedUSN
[LDAP] ldap_build_search_req ATTRS: *
idmap_sid_to_uid: sid = [S-1-5-21-2758072649-2694028996-xxxxxxxxxx-1116],
domain = ''
idmap_backends_sid_to_unixid: domain = '', sid =
[S-1-5-21-2758072649-2694028996-xxxxxxxxxx-1116]
idmap_find_domain called for domain ''
idmap_init_default_domain: calling static_init_idmap
calling idmap_tdb_init
Successfully added idmap alloc backend 'tdb'
Successfully added idmap backend 'tdb'
Successfully added idmap backend 'passdb'
Successfully added idmap backend 'nss'
idmap_init: using 'ldap' as remote backend
idmap backend ldap not found
Successfully added idmap alloc backend 'ldap'
Successfully added idmap backend 'ldap'
Filter:
[(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-2758072649-2694028996-xxxxxxxxxx-1116))]
[LDAP] TLS: can't connect: Error in the push function..
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
[LDAP] TLS: can't connect: Error in the push function..
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 2 try!
[LDAP] TLS: can't connect: Error in the push function..
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 3 try!
[...continues until timeout...]

To give more details, I also have to show the logs from OpenLDAP produced at
the same time:

root at omv:~# slapd -d 1
slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(13): got connid=1048
connection_read(13): checking for input on id=1048
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
op tag 0x77, time 1375858194
ber_get_next
conn=1048 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
connection_get(13): got connid=1048
connection_read(13): checking for input on id=1048
connection_get(13): got connid=1048
connection_read(13): checking for input on id=1048
TLS: can't accept: The peer did not send any certificate..
connection_read(13): TLS accept failure error=-1 id=1048, closing
connection_close: conn=1048 sd=13e

If OpenLDAP refuses to talk to winbind without a valid certificate, this is
the behavior I want. Why does winbind not send its certificate when run the
"normal" way??



On 6 Aug 2013 21:51, "Gaiseric Vandal" <gaiseric.vandal at gmail.com>
wrote:

> Did you try using LDAPS (ldap over SSL, typically on port 636.)     I
> can't speak specifically about it with winbind BUT I have found that in
> other situations LDAPS creates less headaches with CA cert issues.
>
> at
>
> On 08/06/13 05:27, thierry DeTheGeek wrote:
>
>> Hi,
>>
>> I found a possible workaround to my issue myself. It seems to be working.
>>
>> After reading one more time about ldap.conf I tried to export environment
>> variables to set my private key and my certificate.
>>
>> This seems to be working on both debian 6 and debian 7:
>>
>> I commented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that
>> winbind cannot work with OpenLDAP in debug mode, as expected.
>>
>> I edited /etc/defaults/winbind and added the following lines
>>
>> export LDAPTLS_CERT="/etc/ssl/certs/omv-domain-local.crt"
>> export LDAPTLS_KEY="/etc/ssl/private/omv-domain-local.key"
>>
>> I restarted winbind with the command line service winbind restart. Now
>> wbinfo -i user is working and I get an uid for the user.
>>
>> I will check further to ensure there is no more related issue.
>>
>>
>>
>> 2013/8/5 thierry DeTheGeek <dethegeek at gmail.com>
>>
>>  Hi,
>>>
>>> I'm working hard to set up winbind and OpenLDAP to work together with TLS.
>>>
>>> My networks contains:
>>> - a windows server 2008 R2 domain controller
>>> - a debian 6 based file server (openmediavault v0.4) running OpenLDAP
>>> 2.4.23 and Samba v3.5.6
>>> - a debian 7 computer running winbind 3.6.6
>>>
>>> I want to let OpenLDAP store the SID <=> uid/gid mapping to ensure constant
>>> uid and gid for users on all Linux based computers and then use both CIFS
>>> and NFS.
>>>
>>> I'm trying to solve my issue on openmediavault (debian 6) only for now,
>>> because I get the exact same issue when trying to establish communication
>>> between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).
>>>
>>> I created a self-signed certificate authority with openssl and created a
>>> private key and a certificate for the file server. I used the same
>>> certificate authority to create another key and certificate for my
>>> debian 7 computer.
>>>
>>> OpenLDAP uses its key and is configured to check client certificates.
>>> winbind on the same computer uses the same key and certificate to
>>> communicate with OpenLDAP and is configured to check OpenLDAP's
>>> certificate.
>>>
>>> When running winbind in interactive debug mode everything is running fine
>>> and wbinfo -i user is able to allocate a uid to the user. Another try
>>> shows the uid assigned is effectively retrieved from OpenLDAP. The command
>>> line I'm using to test winbind is: winbindd -F -i -d idmap:10. I tried
>>> also to run OpenLDAP in debug mode with the command line slapd -d 1.
>>>
>>> The logs produced show that OpenLDAP and winbind work together with
>>> encryption in both directions.
>>>
>>> When I run the winbind daemon with the command line service winbind start,
>>> the TLS connection cannot be initiated and I cannot allocate a uid to any
>>> user using wbinfo -i user.
>>>
>>> Let's see the configuration files (domain name obfuscated):
>>>
>>> ##cn=config.ldif
>>>
>>> dn: cn=config
>>> objectClass: olcGlobal
>>> cn: config
>>> olcArgsFile: /var/run/slapd/slapd.args
>>> olcLogLevel: none
>>> olcPidFile: /var/run/slapd/slapd.pid
>>> olcToolThreads: 1
>>> structuralObjectClass: olcGlobal
>>> entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
>>> creatorsName: cn=config
>>> createTimestamp: 20130803105505Z
>>> olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
>>> olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
>>> olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
>>> olcTLSVerifyClient: demand
>>> entryCSN: 20130803125708.704922Z#000000#000#000000
>>> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> modifyTimestamp: 20130803125708Z
>>>
>>> ##smb.conf
>>> #======================= Global Settings =======================
>>> [global]
>>> workgroup = DOMAIN
>>> server string = %h server
>>> include = /etc/samba/dhcp.conf
>>> dns proxy = no
>>> log level = 0
>>> syslog = 0
>>> log file = /var/log/samba/log.%m
>>> max log size = 1000
>>> syslog only = yes
>>> panic action = /usr/share/samba/panic-action %d
>>> encrypt passwords = true
>>> passdb backend = tdbsam
>>> obey pam restrictions = yes
>>> unix password sync = no
>>> passwd program = /usr/bin/passwd %u
>>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
>>> %n\n *password\supdated\ssuccessfully* .
>>> pam password change = yes
>>> socket options = TCP_NODELAY IPTOS_LOWDELAY
>>> guest account = nobody
>>> load printers = no
>>> disable spoolss = yes
>>> printing = bsd
>>> printcap name = /dev/null
>>> unix extensions = yes
>>> wide links = no
>>> create mask = 0777
>>> directory mask = 0777
>>> use sendfile = no
>>> null passwords = no
>>> local master = yes
>>> time server = no
>>> wins support = no
>>> password server = *
>>> realm = DOMAIN.LOCAL
>>> security = ads
>>> allow trusted domains = no
>>>
>>> ;
>>> ; samba 3.5.6 idmap configuration
>>> ;
>>>
>>> idmap backend = ldap:ldap://omv.domain.local
>>> ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
>>> ldap idmap suffix = ou=Idmap
>>> ldap suffix = dc=domain,dc=local
>>> ldap ssl = start tls
>>> ldap debug level = 4
>>> ldap debug threshold = 1
>>>
>>> idmap uid = 16777216-50000000
>>> idmap gid = 16777216-50000000
>>> idmap config * : backend = ldap
>>> idmap config * : ldap_url = ldap://omv.domain.local
>>> idmap config * : ldap_anon = no
>>> idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local
>>> idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
>>> idmap config * : range = 16777216-50000000
>>>
>>> idmap alloc backend = ldap
>>> idmap alloc config : ldap_url = ldap://omv.domain.local
>>> idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local
>>> idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
>>>
>>> winbind use default domain = true
>>> winbind offline logon = false
>>>
>>> ; disable enum users/groups on medium or large organization (affects
>>> performance)
>>> ; if disabled this will disable domain users/groups enumeration with
>>> getent
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>>
>>> winbind separator = /
>>> winbind nested groups = yes
>>> ;winbind normalize names = yes
>>> winbind refresh tickets = yes
>>> ;template primary group = users
>>> template shell = /bin/bash
>>> template homedir = /home/%D/%U
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> client ntlmv2 auth = yes
>>> client use spnego = yes
>>>
>>> #======================= Share Definitions =======================
>>> #======================= Home Directories =======================
>>> [homes]
>>> comment = Home directories
>>> browseable = yes
>>> writable = yes
>>> create mask = 0640
>>> directory mask = 0750
>>> valid users = %S
>>>
>>> ##/etc/ldap/ldap.conf
>>> URI     ldap://omv.domain.local
>>> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>>>
>>> TLS_REQCERT demand
>>>
>>> ##/root/ldaprc
>>>
>>> TLS_CERT /etc/ssl/certs/omv-domain-local.crt
>>> TLS_KEY /etc/ssl/private/omv-domain-local.key
>>>
>>> Let me say also that ca-certificates.crt contains the certificate for my
>>> self signed authority.
>>>
>>> What am I missing to make it run smoothly?
>>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
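Editor's added example (not code from this thread, from Samba or from OpenLDAP). The difference between the interactive run and the service run follows from the lookup order documented in ldap.conf(5): TLS_CERT and TLS_KEY are "user-only" options, honoured only in an ldaprc file found through $HOME or the current directory (or through LDAPRC), or as LDAPTLS_CERT/LDAPTLS_KEY environment variables, and silently ignored in /etc/ldap/ldap.conf. A daemon started by an init script does not inherit the login shell's HOME and working directory, so /root/ldaprc is never read, libldap offers no client certificate, and slapd with olcTLSVerifyClient: demand closes the connection with "The peer did not send any certificate", which is what the quoted slapd log shows. The script below emulates that resolution over a constructed in-memory copy of the files quoted in the thread; the "service" scenario's environment (HOME unset, cwd /) is an assumption to verify on the real host, not something the thread states.

```python
"""Emulate libldap's ldap.conf(5) option resolution to show why a client
certificate configured in /root/ldaprc is presented from an interactive
root shell but not from a daemon started by an init script.

Added example; the filesystem and environments below are constructed."""
from typing import Dict, Iterator, Mapping, Tuple

SYSTEM_CONF = "/etc/ldap/ldap.conf"      # Debian's system-wide file
# ldap.conf(5): these are "user-only" options, ignored in the system-wide
# file and in the file named by LDAPCONF; only ldaprc files and
# LDAP<option> environment variables can set them.
USER_ONLY = {"TLS_CERT", "TLS_KEY"}
SPECIAL_ENV = {"LDAPNOINIT", "LDAPCONF", "LDAPRC"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'OPTION value' lines; blank lines and '#' comments are skipped."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def _apply_file(fs: Mapping[str, str], path: str, effective: Dict[str, str],
                system_like: bool) -> None:
    """Merge one file into `effective` (later files win). `fs` is a
    constructed path -> contents map standing in for the filesystem."""
    text = fs.get(path)
    if text is None:
        return
    for key, value in parse_conf(text).items():
        if system_like and key in USER_ONLY:
            continue            # dropped without any warning: the trap here
        effective[key] = value


def resolve(fs: Mapping[str, str], env: Mapping[str, str], cwd: str) -> Dict[str, str]:
    """Effective options for a process with this environment and cwd.

    Order per ldap.conf(5): system file; every existing $HOME/ldaprc,
    $HOME/.ldaprc, ./ldaprc; the file named by $LDAPCONF; the $LDAPRC
    variants in $HOME and cwd; finally LDAP<option> variables override all.
    """
    effective: Dict[str, str] = {}
    if "LDAPNOINIT" in env:         # "disable all defaulting"
        return effective
    _apply_file(fs, SYSTEM_CONF, effective, system_like=True)
    home = env.get("HOME")          # HOME unset => no user ldaprc is looked up

    def user_candidates(basename: str) -> Iterator[str]:
        if home:
            yield f"{home.rstrip('/')}/{basename}"
            yield f"{home.rstrip('/')}/.{basename}"
        yield f"{cwd.rstrip('/')}/{basename}"

    for path in user_candidates("ldaprc"):
        _apply_file(fs, path, effective, system_like=False)
    if "LDAPCONF" in env:
        _apply_file(fs, env["LDAPCONF"], effective, system_like=True)
    if "LDAPRC" in env:
        for path in user_candidates(env["LDAPRC"]):
            _apply_file(fs, path, effective, system_like=False)
    for key, value in env.items():
        if key.startswith("LDAP") and key not in SPECIAL_ENV:
            effective[key[len("LDAP"):]] = value
    return effective


def presents_client_cert(effective: Mapping[str, str]) -> bool:
    """Mutual TLS needs both halves; with either missing libldap sends no
    certificate and slapd (olcTLSVerifyClient: demand) closes the session."""
    return bool(effective.get("TLS_CERT")) and bool(effective.get("TLS_KEY"))


# Constructed in-memory copy of the files quoted in the thread.
FS = {
    SYSTEM_CONF: "URI ldap://omv.domain.local\n"
                 "TLS_CACERT /etc/ssl/certs/ca-certificates.crt\n"
                 "TLS_REQCERT demand\n",
    "/root/ldaprc": "TLS_CERT /etc/ssl/certs/omv-domain-local.crt\n"
                    "TLS_KEY /etc/ssl/private/omv-domain-local.key\n",
}

SCENARIOS: Dict[str, Tuple[Dict[str, str], str]] = {
    # root typing `winbindd -i -d idmap:10` in a login shell
    "interactive": ({"HOME": "/root"}, "/root"),
    # init script: HOME not exported, cwd / (assumed; check /proc/<pid>/environ)
    "service": ({}, "/"),
    # init script plus the exports added to /etc/default/winbind
    "service+env": ({"LDAPTLS_CERT": "/etc/ssl/certs/omv-domain-local.crt",
                     "LDAPTLS_KEY": "/etc/ssl/private/omv-domain-local.key"}, "/"),
}


def run_scenarios() -> Dict[str, bool]:
    """Map each scenario to whether libldap would present a client cert."""
    return {name: presents_client_cert(resolve(FS, env, cwd))
            for name, (env, cwd) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:13s} -> {'client cert presented' if ok else 'NO client cert'}")
```

Two checks on the real host follow from this. Compare the daemon's actual environment with what the login shell has (`tr '\0' '\n' < /proc/$(pidof -s winbindd)/environ`), and reproduce the failure without winbind at all by running the client under a stripped environment (`env -i ldapsearch -ZZ -x -H ldap://omv.domain.local -b '' -s base`): if that fails against slapd while the same command from the root shell succeeds, the ldaprc lookup is the cause. Whatever file or variable ends up carrying TLS_KEY, the key under /etc/ssl/private must be readable by the user winbindd runs as and by nobody else, and moving TLS_CERT/TLS_KEY into /etc/ldap/ldap.conf will not help, because the user-only rule drops them there.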


More information about the samba mailing list