[Samba] Samba4 AD sssd or pam_krb

Stéphane PURNELLE stephane.purnelle at corman.be
Mon Dec 30 05:00:29 MST 2013


I don't use sssd, I use nslcd; maybe look in the wiki for how it works:
https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd




-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin.
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 30/12/2013 12:38:39:

> From: Chan Min Wai <dcmwai at gmail.com>
> To: Rowland Penny <rowlandpenny at googlemail.com>, 
> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
> Date: 30/12/2013 12:39
> Subject: Re: [Samba] Samba4 AD sssd or pam_krb
> Sent by: samba-bounces at lists.samba.org
> 
> Dear Rowland,
> 
> Sorry if I've confused you.
> You are correct to say that I have an LDAP and also a Samba AD setup.
> But only one is running at any time.
> 
> At the moment I'm switching to Samba AD (so that it can replace my LDAP).
> 
> You are correct in saying that this might be an OS-specific issue.
> I'm looking at how people would use it on other OSes, as nss_ldap etc.
> should be working similarly on all Linux (the difference is how we set it up).
> 
> I'm thinking that as Samba AD is also running as an LDAP server,
> I should be able to run nss_ldap and connect to it.
> 
> Well, my last test shows that it is working, just that it has some glitches...
> 
> Thank you.
> 
> 
> On Mon, Dec 30, 2013 at 7:14 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
> 
> >  On 30/12/13 06:19, Chan Min Wai wrote:
> >
> > Dear Rowland
> >
> >  You are correct.
> > By changing the server and also the setting in ldap.conf, and also changing
> > back the nsswitch.conf,
> >
> >  I can log in as a user which is already in the AD.
> >
> >  There are a few notes: with the setup of my ldap.conf, users, groups and
> > computers need to be on a different OU, and ldap reads from this OU with
> > different nss_base
> >
> >  If using the base DN (location1.domain.com), it will mix up all users,
> > computers and groups, and there will be issues.
> >
> >  Possibly I need to set up a filter on nss_base_xxx (but not sure yet)
> >
> >  One issue I face is that when I su to the username it shows..
> >
> >  I have no name!@server1/var/log $
> >
> > Which is strange...
> > Checking the log shows this.
> >
> >  Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
> >  Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened for user dcmwai by root(uid=0)
> > Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
> > Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
> > Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
> > Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
> > Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server - Server is unavailable
> > Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed for user dcmwai
> >
> >  Any suggestion on what to look at?
> >
> >  getent passwd, shadow, group seem to be showing correctly.
> >
> >  Thank You.
> >
> >
> >
> >
> > On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny
> > <rowlandpenny at googlemail.com> wrote:
> >
> >>  On 29/12/13 19:02, Chan Min Wai wrote:
> >>
> >> Dear Rowland,
> >>
> >>  I think that it does have it if they are the same as what Windows AD has,
> >> according to the link below.
> >>
> >>
> >>  All samba4 AD attributes are the same as Windows AD attributes, because
> >> they ARE Windows AD attributes
> >>
> >>
> >>
> >>
> >> http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
> >>
> >>  Yes, these are the attributes that I use.
> >>
> >>  winbind might have a weakness on its home and also shell, as it was
> >> not from AD but from smb.conf.
> >> Also without userPassword you will need to change the pam config to work
> >> with winbind.
> >>
> >>
> >>  I think that you are falling into the 'let's put everything on the AD
> >> server' trap; it would be better if you just use the S4 AD server for
> >> authentication and then set up another server as a fileserver.
> >>
> >> You would also need to change the pam config if you used sssd, so I cannot
> >> see your problem here.
> >>
> >>
> >>
> >>
> >>  With shadow in AD, your changes on that part will only be in ldap.conf,
> >> which is just uncommenting :)
> >>
> >>
> >>  If you use S4 AD as it is meant to be used, you do not need the shadow
> >> attributes.
> >>
> >> Rowland
> >>
> >>
> >>
> >>
> >>
> >> On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny
> >> <rowlandpenny at googlemail.com> wrote:
> >>
> >>> On 28/12/13 14:38, Chan Min Wai wrote:
> >>>
> >>>> Dear Michael,
> >>>>
> >>>> I'm on gentoo; as far as I know sssd requires mit-krb5 and wouldn't
> >>>> compile with heimdal...
> >>>>
> >>>> I do hope we can directly use the shadow attributes from Samba AD and
> >>>> make it work like ldap...
> >>>>
> >>>  The hint is in the name: Samba 4 is an implementation of Active
> >>> Directory, it is not at this time LDAP. Having said that, it does have
> >>> the 'User' objectClass which has the auxiliaryClasses shadowAccount &
> >>> posixAccount. The attributes of shadowAccount are:
> >>>   uid, userPassword, description, shadowLastChange, shadowMin, shadowMax,
> >>> shadowWarning, shadowInactive, shadowExpire, shadowFlag
> >>>
> >>> Are these of any use to you ?
> >>>
> >>> Also if you cannot use sssd, then why not try winbind ?
> >>>
> >>> Rowland
> >>>
> >>>  But it is missing the access to the userPassword or shadow* attributes...
> >>>>
> >>>>
> >>>> On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood <esiotrot at gmail.com>
> >>>> wrote:
> >>>>
> >>>>  Hi
> >>>>>
> >>>>> On 24 December 2013 14:12, Chan Min Wai <dcmwai at gmail.com> wrote:
> >>>>>
> >>>>>  Dear All,
> >>>>>>
> >>>>>> I was using Samba3 + LDAP central authentication for the past 5 years.
> >>>>>>
> >>>>>> And since I need to move to Samba4 AD, I was wondering if there is a
> >>>>>> way to do linux central authentication without sssd but using pam_krb.
> >>>>>> I'm asking this because I've removed mit-krb5 on my testing machine, as
> >>>>>> required by samba4 on my gentoo.
> >>>>>>
> >>>>>  Samba 4 AD includes its own KDC (based on Heimdal), but you should
> >>>>> be able to install the MIT krb5 client libs, which are what sssd or
> >>>>> pam_krb would require.  Otherwise, surely they would also work with the
> >>>>> heimdal client libs?
> >>>>>
> >>>>> I don't know how gentoo packages Samba 4, so it might be more or less
> >>>>> tricky, but the main thing to do is avoid installing the MIT KDC.
> >>>>>
> >>>>> So without mit-krb5 sssd doesn't compile.
> >>>>>
> >>>>>> So I was wondering if there is any other solution and how hard it will
> >>>>>> be.
> >>>>>>
> >>>>>> I've 2 linux gentoo servers that will depend on this central
> >>>>>> authentication
> >>>>>> (at least the user ID and the GID have to be correct)
> >>>>>>
> >>>>>> Without the proper UID and GID display, I can still see the number,
> >>>>>> just that it's very inconvenient and hard to see what I'm doing...
> >>>>>>
> >>>>>>
> >>>>>> Thank You
> >>>>>>
> >>>>>
> >>>>> --
> >>>>> Michael Wood <esiotrot at gmail.com>
> >>>>>
> >>>>>
> >>>
> >>
> >>
> >   By reading your last post, it would seem that you are trying to store
> > your users etc in the AD database and also in an LDAP database; why? You
> > only need one.
> >
> > Your main problem here (as far as I see it) is that you do not seem to
> > understand how Active Directory works. For instance, users, groups and
> > computers are all treated as objects and as such can be stored in the same
> > place or 'OU'. Your problems are further compounded by using an OS that
> > very few others use for a server, so the number of people that can help
> > with your OS specific problems is extremely limited.
> >
> > Bearing in mind all the problems that you have had to get to here (and it
> > is still not working correctly), have you considered using a mainstream OS
> > such as Centos, Debian, Ubuntu etc.? By using a mainstream OS, you do not
> > have to keep an eye out for security fixes that you would have to apply
> > yourself; you would get them in an update from the OS. The other benefit is
> > that you can create a new server very quickly, far faster than setting up a
> > Gentoo machine.
> >
> > Rowland
> >
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
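As an added example that is not part of this thread or of the Samba wiki page linked above, here is an nslcd.conf fragment for resolving Samba AD users and groups through NSS, the route Stéphane suggests instead of nss_ldap. It uses objectClass filters so that computer accounts and groups never end up in the passwd map even when they live in the same OU as users (the mix-up Chan describes), and a dedicated read-only bind account over LDAPS, since a passwd lookup that fails is exactly what produces the "I have no name!" prompt shown in the quoted log. The domain samdom.example.com, the DC dc1, the bind account nslcd-connect, the CA file path and the password are all placeholders.

```conf
# Added example, not from the thread: /etc/nslcd.conf for a Samba AD domain.
# Placeholders: samdom.example.com, dc1, nslcd-connect, the CA file and password.
uid nslcd
gid nslcd

# Talk to the DC over LDAPS and verify its certificate, so the bind password
# and the user/group data never cross the wire in clear.
uri ldaps://dc1.samdom.example.com
base dc=samdom,dc=example,dc=com
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/samdom-ca.pem

# Samba AD does not allow anonymous reads of user objects by default, so bind
# with a dedicated, unprivileged account. Keep this file readable only by root
# and the nslcd account, since it holds the password.
binddn cn=nslcd-connect,cn=Users,dc=samdom,dc=example,dc=com
bindpw PLACEHOLDER_PASSWORD

# Only objects that actually carry RFC2307 attributes become passwd entries,
# and computer accounts are excluded even though they are 'user' objects
# that may sit in the same OU as people.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName

# Groups are a separate objectClass, so they cannot collide with passwd.
filter group  (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember  member
```

After restarting nslcd, `getent passwd <username>` should return the AD entry and `getent passwd` should list no machine accounts (names ending in `$`); if a lookup fails, check the nslcd log for bind or TLS errors before touching nsswitch.conf.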

