[Samba] Samba4 AD sssd or pam_krb

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 30 05:46:53 MST 2013


On 30/12/13 11:38, Chan Min Wai wrote:
> Dear Rowland,
>
> Sorry if I've confused you.

No, you didn't confuse me, but I think that you are confusing yourself 
with the way that you are doing your tests.

> You are correct to say that I've an LDAP and also a Samba AD setup.
> But only one is running at any time.
>
Have you looked at 'samba-tool domain classicupgrade'? This will take 
the info from your existing S3 system and upgrade you to S4 AD; there is 
info about this on the samba wiki.

> At the time being I'm switching to Samba AD (So that it can replace my 
> LDAP)
>
> You are correct in saying that this might be an OS-specific issue.
> I'm looking at how people would use it on other OSes, as nss_ldap etc. 
> should work similarly on all Linux (the difference is how we set 
> it up).
>
> I'm thinking that as Samba AD is also running as an LDAP server,
> I should be able to run nss_ldap and connect to it.
nss_ldap is old hat; it had problems and has been replaced with 
nss_ldapd. You could also use nslcd or winbind or (if you changed OS) sssd.

Rowland

>
> Well, my last test shows that it is working, just that it has some 
> glitches...
>
> Thank you.
>
>
> On Mon, Dec 30, 2013 at 7:14 PM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>     On 30/12/13 06:19, Chan Min Wai wrote:
>>     Dear Rowland
>>
>>     You are correct.
>>     By changing the server and also the setting in ldap.conf, and also
>>     changing back nsswitch.conf,
>>
>>     I can log in as a user which is already in the AD.
>>
>>     There are a few notes: by the setup of my ldap.conf, users,
>>     groups and computers need to be in different OUs, and ldap reads
>>     from these OUs with different nss_base settings.
>>
>>     If using the base DN (location1.domain.com), it will mix up all
>>     users, computers and groups and will have issues.
>>
>>     Possibly need to set up a filter on nss_base_xxx (but not sure yet).
>>
>>     One issue I face is that when I su to the username it shows..
>>
>>     I have no name!@server1/var/log $
>>     Which is strange...
>>     Checking the log shows this:
>>
>>     Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
>>     Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened for user dcmwai by root(uid=0)
>>     Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
>>     Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
>>     Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
>>     Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
>>     Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server - Server is unavailable
>>     Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed for user dcmwai
>>
>>     Any suggestion on what to look at?
>>
>>     getent password, shadow, group seem to be showing correctly.
>>
>>     Thank You.
>>
>>
>>
>>
>>     On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny
>>     <rowlandpenny at googlemail.com> wrote:
>>
>>         On 29/12/13 19:02, Chan Min Wai wrote:
>>>         Dear Rowland,
>>>
>>>         I think that it does have it if they are same as what
>>>         windows AD have according to the link below.
>>
>>         All samba4 AD attributes are the same as windows AD
>>         attributes, because they ARE windows AD attributes.
>>
>>
>>>
>>>         http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>>>
>>>         Yes these are the attribute that I use.
>>>
>>>         winbind might have a weakness in its home and also shell, as
>>>         they are not from AD but from smb.conf.
>>>         Also, without userPassword you will need to change the pam config
>>>         to work with winbind.
>>
>>         I think that you are falling into the 'let's put everything on
>>         the AD server' trap; it would be better if you just used the
>>         S4 AD server for authentication and then set up another
>>         server as a fileserver.
>>
>>         You would also need to change the pam config if you used
>>         sssd, so I cannot see your problem here.
>>
>>
>>>
>>>         With shadow in AD, your changes on that part will only be in
>>>         ldap.conf, which is just uncommenting :)
>>
>>         If you use S4 AD as it is meant to be used, you do not need
>>         the shadow attributes.
>>
>>         Rowland
>>
>>
>>>
>>>
>>>
>>>         On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny
>>>         <rowlandpenny at googlemail.com> wrote:
>>>
>>>             On 28/12/13 14:38, Chan Min Wai wrote:
>>>
>>>                 Dear Michael,
>>>
>>>                 I'm on gentoo; as far as I know sssd requires
>>>                 mit-krb5 and wouldn't compile with
>>>                 heimdal...
>>>
>>>                 I do hope we can directly use the shadow attributes
>>>                 from Samba AD and make it
>>>                 work like ldap...
>>>
>>>             The hint is in the name: Samba 4 is an implementation of
>>>             Active Directory; it is not at this time LDAP. Having
>>>             said that, it does have the 'User' objectClass which has
>>>             the auxiliaryClasses shadowAccount & posixAccount. The
>>>             attributes of shadowAccount are:
>>>               uid, userPassword, description, shadowLastChange,
>>>             shadowMin, shadowMax, shadowWarning, shadowInactive,
>>>             shadowExpire, shadowFlag
>>>
>>>             Are these of any use to you ?
>>>
>>>             Also if you cannot use sssd, then why not try winbind ?
>>>
>>>             Rowland
>>>
>>>                 But it is missing access to the userpasswd or
>>>                 shadow* attributes...
>>>
>>>
>>>                 On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood
>>>                 <esiotrot at gmail.com> wrote:
>>>
>>>                     Hi
>>>
>>>                     On 24 December 2013 14:12, Chan Min Wai
>>>                     <dcmwai at gmail.com> wrote:
>>>
>>>                         Dear All,
>>>
>>>                         I was using Samba3 + LDAP central
>>>                         authentication for the past 5 years.
>>>
>>>                         And since I need to move to Samba4 AD, I was
>>>                         wondering if there is a way to do
>>>                         linux central authentication without sssd
>>>                         but using pam_krb.
>>>                         I'm asking this because I've removed
>>>                         mit-krb5 on my testing machine, as
>>>                         required by samba4 in my gentoo.
>>>
>>>                     Samba 4 AD includes its own KDC (based on
>>>                     Heimdal), but you should be able
>>>                     to install the MIT krb5 client libs, which are
>>>                     what sssd or pam_krb would
>>>                     require.  Otherwise, surely they would also work
>>>                     with the heimdal client
>>>                     libs?
>>>
>>>                     I don't know how gentoo packages Samba 4, so it
>>>                     might be more or less
>>>                     tricky, but the main thing to do is avoid
>>>                     installing the MIT KDC.
>>>
>>>                     So without mit-krb5, sssd doesn't compile.
>>>
>>>                         So I was wondering if there is any other solution
>>>                         and how hard it will be.
>>>
>>>                         I've 2 linux gentoo servers which will depend on
>>>                         this central authentication
>>>                         (at least the user ID and the GID have to be
>>>                         correct).
>>>
>>>                         Without the proper UID and GID display, I
>>>                         can still see the number, just
>>>                         very inconvenient and hard to see what I'm
>>>                         doing...
>>>
>>>
>>>                         Thank You
>>>
>>>
>>>                     --
>>>                     Michael Wood <esiotrot at gmail.com>
>>>
>>>
>>>
>>
>>
>     By reading your last post, it would seem that you are trying to
>     store your users etc. in the AD database and also in an LDAP
>     database. Why? You only need one.
>
>     Your main problem here (as far as I see it) is that you do not
>     seem to understand how Active Directory works. For instance,
>     users, groups and computers are all treated as objects and as such
>     can be stored in the same place or 'OU'. Your problems are further
>     compounded by using an OS that very few others use for a server,
>     so the number of people that can help with your OS specific
>     problems is extremely limited.
>
>     Bearing in mind all the problems that you have had to get to here
>     (and it is still not working correctly), have you considered using
>     a mainstream OS such as Centos, Debian, Ubuntu etc.? By using a
>     mainstream OS, you do not have to keep an eye out for security
>     fixes that you would have to apply yourself; you would get them in
>     an update from the OS. The other benefit is that you can create a
>     new server very quickly, far faster than setting up a Gentoo machine.
>
>     Rowland
>
>
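The "I have no name!" symptom in the log excerpt above is a name-service failure, not an authentication failure: pam_unix opened the session, and only afterwards the new shell's nss_ldap lookups backed off and gave up. Whatever NSS backend is eventually chosen (nss_ldap, nslcd, winbind or sssd), it helps to tell the two failure classes apart mechanically. The script below is an added example, not code from the thread or from the Samba project: it correlates su session open/close lines with nss_ldap reconnect and search-failure lines that fall inside each session. The sample log is constructed from the posted excerpt (lines rejoined) plus an invented healthy session for the made-up user `localadmin` with pid 10702; because the `-su:` lines carry no pid, the script attributes them to every session open at that moment, which is an assumption of this example.

```python
"""Correlate su sessions with nss_ldap failures in syslog output (added example)."""
import re
from datetime import datetime

# Constructed sample input: the syslog excerpt posted in the thread, with the
# wrapped lines rejoined, plus a second, healthy su session made up for contrast.
SAMPLE_LOG = """\
Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened for user dcmwai by root(uid=0)
Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server - Server is unavailable
Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed for user dcmwai
Dec 30 14:20:01 localhost su[10702]: + /dev/pts/1 root:localadmin
Dec 30 14:20:01 localhost su[10702]: pam_unix(su:session): session opened for user localadmin by root(uid=0)
Dec 30 14:20:09 localhost su[10702]: pam_unix(su:session): session closed for user localadmin
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host <message>" (no year).
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
OPEN_RE = re.compile(r"su\[(?P<pid>\d+)\]: pam_unix\(su:session\): session opened for user (?P<user>\S+)")
CLOSE_RE = re.compile(r"su\[(?P<pid>\d+)\]: pam_unix\(su:session\): session closed for user (?P<user>\S+)")
RECONNECT_RE = re.compile(r"nss_ldap: reconnecting to LDAP server \(sleeping (?P<secs>\d+) seconds\)")
FAIL_RE = re.compile(r"nss_ldap: could not search LDAP server - (?P<reason>.+)$")


def parse_ts(text):
    """syslog timestamps carry no year; any fixed year keeps ordering and durations right."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def verdict(report):
    """Classify a finished session: authentication worked (PAM opened it), so
    anything nss_ldap logged inside it is a name-service problem."""
    if report["failures"]:
        return "nss_ldap lookups failed in session (expect 'I have no name!' prompt)"
    if report["reconnects"]:
        return "nss_ldap reconnected during session (degraded)"
    return "ok"


def analyse_su_sessions(log_text):
    """Return one report per su session with the nss_ldap reconnects and hard
    failures logged while it was open. The '-su:' lines carry no pid, so they
    are attributed to every session open at that moment (assumption)."""
    open_sessions = {}  # pid -> report in progress
    reports = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # not a syslog-shaped line; ignore
        ts, rest = parse_ts(m.group("ts")), m.group("rest")
        if o := OPEN_RE.search(rest):
            open_sessions[o.group("pid")] = {
                "pid": o.group("pid"), "user": o.group("user"), "opened": ts,
                "reconnects": 0, "backoff_seconds": 0, "failures": [],
            }
        elif c := CLOSE_RE.search(rest):
            rep = open_sessions.pop(c.group("pid"), None)
            if rep is not None:
                rep["duration_seconds"] = int((ts - rep["opened"]).total_seconds())
                rep["verdict"] = verdict(rep)
                reports.append(rep)
        elif r := RECONNECT_RE.search(rest):
            for rep in open_sessions.values():
                rep["reconnects"] += 1
                rep["backoff_seconds"] += int(r.group("secs"))
        elif f := FAIL_RE.search(rest):
            for rep in open_sessions.values():
                rep["failures"].append(f.group("reason"))
    return reports


def summarize(report):
    """One-line human-readable summary of a session report."""
    return (f"su[{report['pid']}] {report['user']}: {report['duration_seconds']}s, "
            f"{report['reconnects']} reconnects ({report['backoff_seconds']}s backoff), "
            f"failures={report['failures']} -> {report['verdict']}")


if __name__ == "__main__":
    for rep in analyse_su_sessions(SAMPLE_LOG):
        print(summarize(rep))
```

Run against the posted excerpt, the dcmwai session is reported with four reconnect attempts (15 s of cumulative backoff) and one hard failure, while the constructed localadmin session is "ok". The useful distinction for the defender is that a session with a verdict other than "ok" means PAM already admitted the user; the thing to investigate is why the unprivileged shell's NSS lookups cannot reach the directory when `getent` run elsewhere can, rather than the authentication path.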


