[Samba] Samba4 AD sssd or pam_krb

Chan Min Wai dcmwai at gmail.com
Sun Dec 29 23:19:06 MST 2013


Dear Rowland

You are correct.
By changing the server, the settings in ldap.conf, and also changing back
nsswitch.conf,

I can log in as a user which is already in the AD.

There are a few notes: by the setup of my ldap.conf, users, groups and
computers need to be on different OUs, and LDAP reads from these OUs with
different nss_base settings.

If using the base DN (location1.domain.com), all users, computers and
groups will be mixed up and there will be issues.

Possibly I need to set up a filter on nss_base_xxx (but not sure yet).

One issue I face is that when I su to the username it shows..

I have no name!@server1/var/log $

Which is strange...
Checking the log shows this.

Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened
for user dcmwai by root(uid=0)
Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server
(sleeping 1 seconds)...
Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server
(sleeping 2 seconds)...
Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server -
Server is unavailable
Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed
for user dcmwai

Any suggestion on what to look at?

getent password, shadow, group seem to be showing correctly.

Thank You.




On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny
<rowlandpenny at googlemail.com> wrote:

>  On 29/12/13 19:02, Chan Min Wai wrote:
>
> Dear Rowland,
>
>  I think that it does have it if they are the same as what Windows AD has,
> according to the link below.
>
>
> All samba4 AD attributes are the same as windows AD attributes, because
> they ARE windows AD attributes
>
>
>
>
> http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>
>  Yes, these are the attributes that I use.
>
>  winbind might have a weakness on its home and also shell, as they are not
> from AD but from smb.conf.
> Also, without userPassword you will need to change the pam config to work with
> winbind.
>
>
> I think that you are falling into the 'let's put everything on the AD
> server' trap; it would be better if you just use the S4 AD server for
> authentication and then set up another server as a fileserver.
>
> You would also need to change the pam config if you used sssd, so I cannot
> see your problem here.
>
>
>
>
>  With shadow in AD, your changes on that part will only be in ldap.conf,
> which is just uncommenting :)
>
>
> If you use S4 AD as it is meant to be used, you do not need the shadow
> attributes.
>
> Rowland
>
>
>
>
>
> On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny <
> rowlandpenny at googlemail.com> wrote:
>
>> On 28/12/13 14:38, Chan Min Wai wrote:
>>
>>> Dear Michael,
>>>
>>> I'm on gentoo, as far as I know sssd required mit-krb5 and wouldn't
>>> compile
>>> heimdal...
>>>
>>> I do hope we can directly use shadow attribute from Samba AD and make it
>>> work like ldap...
>>>
>>  The hint is in the name, Samba 4 is an implementation of Active
>> Directory, it is not at this time LDAP. Having said that, it does have the
>> 'User' objectClass which has the auxiliaryClasses, shadowAccount &
>> posixAccount. The attributes of shadowAccount are:
>>   uid, userPassword, description, shadowLastChange, shadowMin, shadowMax,
>> shadowWarning, shadowInactive, shadowExpire, shadowFlag
>>
>> Are these of any use to you ?
>>
>> Also if you cannot use sssd, then why not try winbind ?
>>
>> Rowland
>>
>>> But it is missing the access to userpasswd or shadow* attributes...
>>>
>>>
>>> On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood <esiotrot at gmail.com>
>>> wrote:
>>>
>>>  Hi
>>>>
>>>> On 24 December 2013 14:12, Chan Min Wai <dcmwai at gmail.com> wrote:
>>>>
>>>>  Dear All,
>>>>>
>>>>> I was using Samba3 + LDAP central authentication for the past 5 years.
>>>>>
>>>>> And since I need to move to Samba4 AD, I was wondering if there is a way
>>>>> to do Linux central authentication without sssd but using pam_krb.
>>>>> I'm asking this because I've removed mit-krb5 on my testing machine, as
>>>>> required by samba4 on my gentoo.
>>>>>
>>>> Samba 4 AD includes its own KDC (based on Heimdal), but you should be
>>>> able to install the MIT krb5 client libs which are what sssd or pam_krb
>>>> would require.  Otherwise, surely they would also work with the heimdal
>>>> client libs?
>>>>
>>>> I don't know how gentoo packages Samba 4, so it might be more or less
>>>> tricky, but the main thing to do is avoid installing the MIT KDC.
>>>>
>>> So without mit-krb5, sssd doesn't compile.
>>>>
>>>>> So I was wondering if there is any other solution and how hard it will be.
>>>>>
>>>>> I've 2 Linux gentoo servers which will depend on this central
>>>>> authentication
>>>>> (at least the user ID and the GID have to be correct).
>>>>>
>>>>> Without the proper UID and GID display, I can still see the numbers, it's
>>>>> just very inconvenient and hard to see what I'm doing...
>>>>>
>>>>>
>>>>> Thank You
>>>>>
>>>>
>>>> --
>>>> Michael Wood <esiotrot at gmail.com>
>>>>
>>>>
>>
>
>
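One way to write the per-OU nss_base layout discussed in this thread into nss_ldap's /etc/ldap.conf, as an added example that is not from the thread or from the Samba project. The OU names, the DC hostname and the uidNumber/gidNumber filters are assumptions; the `base?scope?filter` suffix is nss_ldap's per-map syntax.

```conf
# /etc/ldap.conf for nss_ldap against a Samba4 AD domain (assumed layout).
base dc=location1,dc=domain,dc=com
uri ldap://dc1.location1.domain.com/

# AD objects carry the AD structural classes, not posixAccount/posixGroup,
# so map the RFC 2307 classes and attributes nss_ldap expects onto them.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member

# Per-map bases: <base>?<scope>?<extra filter>.
# In AD the computer class is derived from user, so searching the whole
# domain for (objectClass=user) also returns machine accounts. A separate
# OU per map plus a filter on uidNumber/gidNumber keeps computers out of
# passwd and only returns entries that actually have POSIX ids.
nss_base_passwd ou=Users,dc=location1,dc=domain,dc=com?one?(uidNumber=*)
nss_base_shadow ou=Users,dc=location1,dc=domain,dc=com?one?(uidNumber=*)
nss_base_group  ou=Groups,dc=location1,dc=domain,dc=com?one?(gidNumber=*)
```

With `passwd: files ldap` and `group: files ldap` in nsswitch.conf, `getent passwd dcmwai` and `getent group` should then return only the OU's entries with their uidNumber/gidNumber, and no computer accounts.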

