[Samba] Samba4 AD sssd or pam_krb

Chan Min Wai dcmwai at gmail.com
Mon Dec 30 04:38:39 MST 2013


Dear Rowland,

Sorry if I've confused you.
You are correct to say that I've an ldap and also Samba AD setup.
But only one is running at any time.

For the time being I'm switching to Samba AD (so that it can replace my LDAP).

You are correct in saying that this might be an OS-specific issue.
I'm looking at how people would use it on other OSes, as nss_ldap etc.
should work similarly on all Linux (the difference is how we set it
up).

I'm thinking that as Samba AD is also running as an LDAP server
I should be able to run nss_ldap and connect to it.

Well, my last test shows that it is working. Just that it has some glitches...

Thank you.


On Mon, Dec 30, 2013 at 7:14 PM, Rowland Penny
<rowlandpenny at googlemail.com> wrote:

> On 30/12/13 06:19, Chan Min Wai wrote:
>
> Dear Rowland
>
> You are correct.
> By changing the server and also the setting in ldap.conf, and also changing
> back the nsswitch.conf,
>
> I can log in as a user which is already in the AD.
>
> There are a few notes: by the setup of my ldap.conf, users, groups and
> computers need to be in different OUs, and ldap reads from these OUs with
> different nss_base settings.
>
> If using the base DN (location1.domain.com), all users, computers and
> groups will be mixed up and there will be issues.
>
> Possibly need to set up a filter on nss_base_xxx (but not sure yet).
>
> One issue I face is that when I su to the username it shows:
>
>  I have no name!@server1/var/log $
>
> Which is strange...
> Checking the log shows this.
>
> Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
> Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened
> for user dcmwai by root(uid=0)
> Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server
> (sleeping 1 seconds)...
> Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server
> (sleeping 2 seconds)...
> Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server
> (sleeping 4 seconds)...
> Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server
> (sleeping 8 seconds)...
> Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server -
> Server is unavailable
> Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed
> for user dcmwai
>
> Any suggestion on what to look at?
>
> getent password, shadow, group seem to be showing correctly.
>
> Thank You.
>
>
>
>
> On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny <
> rowlandpenny at googlemail.com> wrote:
>
>> On 29/12/13 19:02, Chan Min Wai wrote:
>>
>> Dear Rowland,
>>
>> I think that it does have it if they are the same as what Windows AD has,
>> according to the link below.
>>
>> All samba4 AD attributes are the same as Windows AD attributes, because
>> they ARE Windows AD attributes.
>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>>
>> Yes, these are the attributes that I use.
>>
>> winbind might have a weakness on its home and also shell, as they are not
>> from AD but from smb.conf.
>> Also, without userPassword you will need to change the pam config to work
>> with winbind.
>>
>>
>> I think that you are falling into the 'let's put everything on the AD
>> server' trap; it would be better if you just use the S4 AD server for
>> authentication and then set up another server as a fileserver.
>>
>> You would also need to change the pam config if you used sssd, so I cannot
>> see your problem here.
>>
>> With shadow in AD, your changes on that part will only be in ldap.conf,
>> which is just uncommenting :)
>>
>> If you use S4 AD as it is meant to be used, you do not need the shadow
>> attributes.
>>
>> Rowland
>>
>> On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny <
>> rowlandpenny at googlemail.com> wrote:
>>
>>> On 28/12/13 14:38, Chan Min Wai wrote:
>>>
>>>> Dear Michael,
>>>>
>>>> I'm on Gentoo; as far as I know sssd requires mit-krb5 and wouldn't
>>>> compile against heimdal...
>>>>
>>>> I do hope we can directly use the shadow attributes from Samba AD and
>>>> make it work like LDAP...
>>>>
>>> The hint is in the name: Samba 4 is an implementation of Active
>>> Directory; it is not, at this time, LDAP. Having said that, it does have
>>> the 'User' objectClass which has the auxiliaryClasses shadowAccount &
>>> posixAccount. The attributes of shadowAccount are:
>>>   uid, userPassword, description, shadowLastChange, shadowMin, shadowMax,
>>> shadowWarning, shadowInactive, shadowExpire, shadowFlag
>>>
>>> Are these of any use to you?
>>>
>>> Also if you cannot use sssd, then why not try winbind?
>>>
>>> Rowland
>>>
>>>> But it is missing access to the userPassword or shadow* attributes...
>>>>
>>>>
>>>> On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood <esiotrot at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> On 24 December 2013 14:12, Chan Min Wai <dcmwai at gmail.com> wrote:
>>>>>
>>>>>> Dear All,
>>>>>>
>>>>>> I was using Samba3 + LDAP central authentication for the past 5 years.
>>>>>>
>>>>>> And since I need to move to Samba4 AD, I was wondering if there is a way
>>>>>> to do Linux central authentication without sssd but using pam_krb.
>>>>>> I'm asking this because I've removed mit-krb5 on my testing machine, as
>>>>>> required by samba4 on my Gentoo.
>>>>>>
>>>>> Samba 4 AD includes its own KDC (based on Heimdal), but you should be
>>>>> able to install the MIT krb5 client libs, which are what sssd or pam_krb
>>>>> would require.  Otherwise, surely they would also work with the Heimdal
>>>>> client libs?
>>>>>
>>>>> I don't know how gentoo packages Samba 4, so it might be more or less
>>>>> tricky, but the main thing to do is avoid installing the MIT KDC.
>>>>>
>>>>>> So without mit-krb5 sssd doesn't compile.
>>>>>>
>>>>>> So I was wondering if there is any other solution and how hard it will
>>>>>> be.
>>>>>>
>>>>>> I've 2 Linux Gentoo servers which will depend on this central
>>>>>> authentication (at least the user ID and the GID have to be correct).
>>>>>>
>>>>>> Without the proper UID and GID display I can still see the numbers, it's
>>>>>> just very inconvenient and hard to see what I'm doing...
>>>>>>
>>>>>>
>>>>>> Thank You
>>>>>>
>>>>>
>>>>> --
>>>>> Michael Wood <esiotrot at gmail.com>
>>>>>
>>>>>
>>>
>>
>>
> By reading your last post, it would seem that you are trying to store
> your users etc. in the AD database and also in an LDAP database. Why? You
> only need one.
>
> Your main problem here (as far as I see it) is that you do not seem to
> understand how Active Directory works. For instance, users, groups and
> computers are all treated as objects and as such can be stored in the same
> place or 'OU'. Your problems are further compounded by using an OS that
> very few others use for a server, so the number of people that can help
> with your OS specific problems is extremely limited.
>
> Bearing in mind all the problems that you have had to get to here (and it
> is still not working correctly), have you considered using a mainstream OS
> such as CentOS, Debian, Ubuntu etc.? By using a mainstream OS, you do not
> have to keep an eye out for security fixes that you would have to apply
> yourself, you would get them in an update from the OS. The other benefit is
> that you can create a new server very quickly, far faster than setting up a
> Gentoo machine.
>
> Rowland
>
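To illustrate the split-OU nss_ldap setup and the su-time reconnect loop discussed in this thread, here is an /etc/ldap.conf fragment for nss_ldap against a Samba AD domain; it is added here as an example and is not configuration posted by anyone in the thread. The DC host name, the OU names, the proxy account and its password are assumptions; only the base DN location1.domain.com comes from the thread.

```conf
# nss_ldap /etc/ldap.conf fragment for a Samba AD domain (illustrative;
# host, OU names and the proxy account are assumptions, not from the thread).
uri ldap://dc1.location1.domain.com
base dc=location1,dc=domain,dc=com
ldap_version 3

# AD rejects anonymous searches by default, so every process that resolves a
# name needs credentials. rootbinddn + /etc/ldap.secret (mode 0600) only
# serves root; a non-root shell (e.g. after su) falls back to binddn/bindpw.
# ldap.conf is world-readable, so binddn must be a read-only, low-privilege
# proxy account, never an administrator.
rootbinddn cn=Administrator,cn=Users,dc=location1,dc=domain,dc=com
binddn cn=nss-proxy,ou=ServiceAccounts,dc=location1,dc=domain,dc=com
bindpw CHANGE-ME-PLACEHOLDER

# Bound retries instead of the 1/2/4/8-second exponential reconnect loop
# (bind_policy hard) that a login blocks on when the DC cannot be reached.
bind_policy soft
bind_timelimit 5
timelimit 10

# Per-map search base plus filter (syntax: base?scope?filter). Computers in
# AD also carry objectClass=user, so exclude them explicitly; requiring the
# RFC 2307 number attributes keeps non-POSIX objects out of passwd/group.
nss_base_passwd ou=People,dc=location1,dc=domain,dc=com?sub?(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
nss_base_shadow ou=People,dc=location1,dc=domain,dc=com?sub?(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
nss_base_group  ou=Groups,dc=location1,dc=domain,dc=com?sub?(&(objectClass=group)(gidNumber=*))

# Map the RFC 2307 names nss_ldap expects onto the AD schema names.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell

# AD does not hand password hashes to nss_ldap, so nss_ldap supplies identity
# (UID/GID/home/shell) only; pam_ldap or pam_krb5 must perform authentication.
```

A quick check after applying it: run `getent passwd <user>` both as root and via `su -s /bin/sh -c 'id' <user>`; if only the root lookup succeeds, the non-root bind credentials are the part to inspect.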

