[Samba] Samba4 AD sssd or pam_krb

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 30 04:14:28 MST 2013


On 30/12/13 06:19, Chan Min Wai wrote:
> Dear Rowland
>
> You are correct.
> By changing the server, the setting in ldap.conf and also changing 
> back the nsswitch.conf,
>
> I can login as a user which is already in the AD.
>
> There are a few notes: by the setup of my ldap.conf, users, groups and 
> computers need to be in different OUs, and ldap reads from these OUs with 
> different nss_base entries.
>
> If using the base DN (location1.domain.com), all users, computers and 
> groups will be mixed up and there will be issues.
>
> Possibly I need to set up a filter on nss_base_xxx (but not sure yet).
>
> One issue I face is that when I su to the username it shows:
>
> I have no name!@server1/var/log $
> Which is strange...
> Checking the log shows this.
>
> Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
> Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session 
> opened for user dcmwai by root(uid=0)
> Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server 
> (sleeping 1 seconds)...
> Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server 
> (sleeping 2 seconds)...
> Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server 
> (sleeping 4 seconds)...
> Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server 
> (sleeping 8 seconds)...
> Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server 
> - Server is unavailable
> Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session 
> closed for user dcmwai
>
> Any suggestion on what to look at?
>
> getent password, shadow, group seem to be showing correctly.
>
> Thank You.
>
>
>
>
> On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>     On 29/12/13 19:02, Chan Min Wai wrote:
>>     Dear Rowland,
>>
>>     I think that it does have it if they are the same as what Windows AD
>>     has, according to the link below.
>
>     All samba4 AD attributes are the same as windows AD attributes,
>     because they ARE windows AD attributes.
>
>
>>
>>     http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>>
>>     Yes, these are the attributes that I use.
>>
>>     winbind might have a weakness on its home and also shell, as it was
>>     not from AD but from smb.conf.
>>     Also, without userPassword you will need to change the pam config to
>>     work with winbind.
>
>     I think that you are falling into the 'let's put everything on the
>     AD server' trap; it would be better if you just use the S4 AD
>     server for authentication and then set up another server as a
>     fileserver.
>
>     You would also need to change the pam config if you used sssd, so
>     I cannot see your problem here.
>
>
>>
>>     With shadow in AD, your changes on that part will only be in
>>     ldap.conf, which is just uncommenting :)
>
>     If you use S4 AD as it is meant to be used, you do not need the
>     shadow attributes.
>
>     Rowland
>
>
>>
>>
>>
>>     On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny
>>     <rowlandpenny at googlemail.com> wrote:
>>
>>         On 28/12/13 14:38, Chan Min Wai wrote:
>>
>>             Dear Michael,
>>
>>             I'm on gentoo; as far as I know sssd requires mit-krb5
>>             and wouldn't compile with
>>             heimdal...
>>
>>             I do hope we can directly use the shadow attributes from Samba
>>             AD and make it
>>             work like ldap...
>>
>>         The hint is in the name, Samba 4 is an implementation of
>>         Active Directory, it is not at this time LDAP. Having said
>>         that, it does have the 'User' objectClass which has the
>>         auxiliaryClasses, shadowAccount & posixAccount. The
>>         attributes of shadowAccount are:
>>           uid, userPassword, description, shadowLastChange, shadowMin,
>>         shadowMax, shadowWarning, shadowInactive, shadowExpire, shadowFlag
>>
>>         Are these of any use to you ?
>>
>>         Also if you cannot use sssd, then why not try winbind ?
>>
>>         Rowland
>>
>>             But it is missing the access to the userpasswd or shadow*
>>             attributes...
>>
>>
>>             On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood
>>             <esiotrot at gmail.com> wrote:
>>
>>                 Hi
>>
>>                 On 24 December 2013 14:12, Chan Min Wai
>>                 <dcmwai at gmail.com> wrote:
>>
>>                     Dear All,
>>
>>                     I was using Samba3 + LDAP central authentication
>>                     for the past 5 years.
>>
>>                     And since I need to move to Samba4 AD, I was wondering if
>>                     there is a way to do
>>                     Linux central authentication without sssd but
>>                     using pam_krb.
>>                     I'm asking this because I've removed mit-krb5 on
>>                     my testing machine, as
>>                     required by samba4 in my gentoo.
>>
>>                 Samba 4 AD includes its own KDC (based on Heimdal),
>>                 but you should be able
>>                 to install the MIT krb5 client libs which are what
>>                 sssd or pam_krb would
>>                 require.  Otherwise, surely they would also work with
>>                 the heimdal client
>>                 libs?
>>
>>                 I don't know how gentoo packages Samba 4, so it might
>>                 be more or less
>>                 tricky, but the main thing to do is avoid installing
>>                 the MIT KDC.
>>
>>                 So without mit-krb5 sssd doesn't compile.
>>
>>                     So I was wondering if there is any other solution and how
>>                     hard it will be.
>>
>>                     I've 2 Linux gentoo servers that will depend on this
>>                     central authentication
>>                     (at least the user ID and the GID have to be correct).
>>
>>                     Without the proper UID and GID displayed, I can
>>                     still see the numbers, it's just
>>                     very inconvenient and hard to see what I'm doing...
>>
>>
>>                     Thank You
>>
>>
>>                 --
>>                 Michael Wood <esiotrot at gmail.com>
>>
>>
>>
>
>
By reading your last post, it would seem that you are trying to store 
your users etc. in the AD database and also in an LDAP database. Why? You 
only need one.

Your main problem here (as far as I see it) is that you do not seem to 
understand how Active Directory works. For instance, users, groups and 
computers are all treated as objects and as such can be stored in the 
same place or 'OU'. Your problems are further compounded by using an OS 
that very few others use for a server, so the number of people that can 
help with your OS specific problems is extremely limited.

Bearing in mind all the problems that you have had to get to here (and 
it is still not working correctly), have you considered using a mainstream 
OS such as CentOS, Debian, Ubuntu etc.? By using a mainstream 
OS, you do not have to keep an eye out for security fixes that you would 
have to apply yourself; you would get them in an update from the OS. The 
other benefit is that you can create a new server very quickly, far 
faster than setting up a Gentoo machine.

Rowland
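The "I have no name!" prompt quoted earlier in this thread is what bash prints when it cannot map its own uid back to a user name, and the syslog excerpt shows nss_ldap backing off and giving up inside the su session. The following triage script is an added example, not code from the thread or from Samba: it parses syslog lines of exactly that shape and attributes each nss_ldap reconnect and failure to the su session (by PID) it occurred in. The sample log is constructed from the quoted lines.

```python
import re

# Constructed sample, modelled on the syslog excerpt quoted in the thread.
SAMPLE_LOG = """\
Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened for user dcmwai by root(uid=0)
Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server - Server is unavailable
Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed for user dcmwai
"""

SESSION_RE = re.compile(r"su\[(\d+)\]: pam_unix\(su:session\): session (opened|closed) for user (\S+)")
RETRY_RE = re.compile(r"nss_ldap: reconnecting to LDAP server \(sleeping (\d+) seconds\)")
FAIL_RE = re.compile(r"nss_ldap: could not search LDAP server - (.+?)\s*$")

def triage(log_text):
    """Return one dict per su session: pid, user, reconnect sleeps seen, final failure."""
    sessions, current = [], None
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            pid, state, user = m.groups()
            if state == "opened":
                current = {"pid": int(pid), "user": user, "retries": [], "failure": None}
                sessions.append(current)
            elif current and current["pid"] == int(pid):
                current = None  # session closed: stop attributing lines to it
            continue
        if current is None:
            continue  # nss_ldap messages outside any su session are not attributed
        m = RETRY_RE.search(line)
        if m:
            current["retries"].append(int(m.group(1)))
        m = FAIL_RE.search(line)
        if m:
            current["failure"] = m.group(1)
    return sessions

def verdict(session):
    """Plain-language reading of one session record."""
    if session["failure"] is None:
        return f"su to {session['user']}: nss_ldap reached the LDAP server"
    return (f"su to {session['user']} (pid {session['pid']}): nss_ldap gave up after "
            f"{len(session['retries'])} reconnects ({sum(session['retries'])}s of backoff): "
            f"{session['failure']}; the new shell could not resolve its uid to a name")

if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(verdict(s))
```

A session whose nss_ldap lookups fail while `getent passwd` works for root points at the unprivileged user's view of the LDAP client configuration, which is where to look next.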

