[Samba] Samba4 AD sssd or pam_krb

Chan Min Wai dcmwai at gmail.com
Tue Dec 31 04:31:34 MST 2013


Thank you for the help.

I'm trying with nslcd.
That seems to be better than what nss_ldap or nss_pam can do.
Much better...

But I have a question regarding the setup page.
https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

Regarding method 2, using Kerberos: I was trying that, as I've got method 1 running successfully...

https://wiki.gentoo.org/wiki/Centralized_authentication_with_Samba_AD_/HOWTO

Just trying to write another wiki page for Gentoo with this.

But it seems that the Kerberos in the guide was MIT krb5 and not
Heimdal.

So I would like to ask the Heimdal experts about the following:

"k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt"

How can I change this to a Heimdal base?
I tried

kinit --cache=/var/run/nslcd/nslcd.tkt --keytab=/etc/krb5.nslcd.keytab ldapbind@EXAMPLE.COM nslcd

but get an error like

nslcd: failed to bind to LDAP server ldap://127.0.0.1/: Local error:
SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text)
(Server (ldap/localhost@EXAMPLE) unknown)



Thank you.


On Mon, Dec 30, 2013 at 8:46 PM, Rowland Penny
<rowlandpenny at googlemail.com> wrote:

>  On 30/12/13 11:38, Chan Min Wai wrote:
>
> Dear Rowland,
>
>  Sorry if I've confused you.
>
>
> No, you didn't confuse me, but I think that you are confusing yourself
> with the way that you are doing your tests.
>
>
>  You are correct to say that I have an LDAP and also a Samba AD setup.
> But only one is running at any time.
>
>   Have you looked at 'samba-tool domain classicupgrade' ? This will take
> the info from your existing S3 system and upgrade you to S4 AD, there is
> info about this on the samba wiki.
>
>
>  At the time being I'm switching to Samba AD (So that it can replace my
> LDAP)
>
>  You are correct in saying that this might be an OS-specific issue.
> I'm looking at how people would use it on other OSes, as nss_ldap etc.
> should be working similarly on all Linux (the difference is how we set it
> up).
>
>  I'm thinking that as Samba AD is also running as an LDAP server
> I should be able to run nss_ldap and connect to it.
>
> nss_ldap is old hat, it had problems and has been replaced with nss_ldapd,
> you could also use nslcd or winbind or (if you changed OS) sssd.
>
> Rowland
>
>
>
>  Well, my last test shows that it is working. Just that it has some
> glitches...
>
>  Thank you.
>
>
> On Mon, Dec 30, 2013 at 7:14 PM, Rowland Penny <
> rowlandpenny at googlemail.com> wrote:
>
>>   On 30/12/13 06:19, Chan Min Wai wrote:
>>
>> Dear Rowland
>>
>>  You are correct.
>> By changing the server and also the settings in ldap.conf and also changing back
>> nsswitch.conf
>>
>>  I can login as user which is already in the AD.
>>
>>  There are a few notes: by the setup of my ldap.conf, users, groups and
>> computers need to be on a different OU, and LDAP reads from this OU with a
>> different nss_base.
>>
>>  If using the base DN (location1.domain.com), all users, computers
>> and groups will be mixed up and will have issues.
>>
>>  Possibly need to set up a filter on nss_base_xxx (but not sure yet).
>>
>>  One issue I face is that when I su to the username it shows:
>>
>>  I have no name!@server1/var/log $
>>
>> Which is strange...
>> Checking the log shows this.
>>
>>  Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
>>  Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session
>> opened for user dcmwai by root(uid=0)
>> Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server
>> (sleeping 1 seconds)...
>> Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server
>> (sleeping 2 seconds)...
>> Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server
>> (sleeping 4 seconds)...
>> Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server
>> (sleeping 8 seconds)...
>> Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server -
>> Server is unavailable
>> Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed
>> for user dcmwai
>>
>>  Any suggestion on what to look at?
>>
>>  getent password, shadow, group seem to be showing correctly.
>>
>>  Thank You.
>>
>>
>>
>>
>> On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny <
>> rowlandpenny at googlemail.com> wrote:
>>
>>>  On 29/12/13 19:02, Chan Min Wai wrote:
>>>
>>> Dear Rowland,
>>>
>>>  I think that it does have it, if they are the same as what Windows AD has,
>>> according to the link below.
>>>
>>>
>>>  All Samba4 AD attributes are the same as Windows AD attributes, because
>>> they ARE Windows AD attributes.
>>>
>>>
>>>
>>>
>>> http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>>>
>>>  Yes, these are the attributes that I use.
>>>
>>>  winbind might have a weakness in its home and also shell, as they are not
>>> from AD but from smb.conf.
>>> Also, without userPassword you will need to change the PAM config to work
>>> with winbind.
>>>
>>>
>>>  I think that you are falling into the 'let's put everything on the AD
>>> server' trap, it would be better if you just use the S4 AD server for
>>> authentication and then set up another server as a fileserver.
>>>
>>> You would also need to change the pam config if you used sssd, so I cannot
>>> see your problem here.
>>>
>>>
>>>
>>>
>>>  With shadow in AD, your changes on that part will only be in ldap.conf,
>>> which is just uncommenting :)
>>>
>>>
>>>  If you use S4 AD as it is meant to be used, you do not need the shadow
>>> attributes.
>>>
>>> Rowland
>>>
>>>
>>>
>>>
>>>
>>> On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny <
>>> rowlandpenny at googlemail.com> wrote:
>>>
>>>> On 28/12/13 14:38, Chan Min Wai wrote:
>>>>
>>>>> Dear Michael,
>>>>>
>>>>> I'm on Gentoo; as far as I know sssd requires mit-krb5 and wouldn't
>>>>> compile with
>>>>> heimdal...
>>>>>
>>>>> I do hope we can directly use the shadow attributes from Samba AD and make
>>>>> it
>>>>> work like LDAP...
>>>>>
>>>>  The hint is in the name, Samba 4 is an implementation of Active
>>>> Directory, it is not at this time LDAP. Having said that, it does have the
>>>> 'User' objectClass which has the auxiliaryClasses, shadowAccount &
>>>> posixAccount. The attributes of shadowAccount are:
>>>>   uid, userPassword, description, shadowLastChange, shadowMin,
>>>> shadowMax, shadowWarning, shadowInactive, shadowExpire, shadowFlag
>>>>
>>>> Are these of any use to you ?
>>>>
>>>> Also if you cannot use sssd, then why not try winbind ?
>>>>
>>>> Rowland
>>>>
>>>>  But it is missing access to the userPassword or shadow* attributes...
>>>>>
>>>>>
>>>>> On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood <esiotrot at gmail.com>
>>>>> wrote:
>>>>>
>>>>>  Hi
>>>>>>
>>>>>> On 24 December 2013 14:12, Chan Min Wai <dcmwai at gmail.com> wrote:
>>>>>>
>>>>>>  Dear All,
>>>>>>>
>>>>>>> I was using Samba3 + LDAP central authentication for the past 5
>>>>>>> years.
>>>>>>>
>>>>>>> And since I need to move to Samba4 AD, I was wondering if there is a way to
>>>>>>> do
>>>>>>> Linux central authentication without sssd but using pam_krb.
>>>>>>> I'm asking this because I've removed mit-krb5 on my testing machine,
>>>>>>> as
>>>>>>> required by samba4 in my Gentoo.
>>>>>>>
>>>>>>>  Samba 4 AD includes its own KDC (based on Heimdal), but you should
>>>>>> be able
>>>>>> to install the MIT krb5 client libs which are what sssd or pam_krb
>>>>>> would
>>>>>> require.  Otherwise, surely they would also work with the heimdal
>>>>>> client
>>>>>> libs?
>>>>>>
>>>>>> I don't know how gentoo packages Samba 4, so it might be more or less
>>>>>> tricky, but the main thing to do is avoid installing the MIT KDC.
>>>>>>
>>>>>> So without mit-krb5 sssd doesn't compile.
>>>>>>
>>>>>>> So I was wondering if there is any other solution and how hard it will be.
>>>>>>>
>>>>>>> I have 2 Linux Gentoo servers that will depend on this central
>>>>>>> authentication
>>>>>>> (at least the user ID and the GID have to be correct).
>>>>>>>
>>>>>>> Without the proper UID and GID display, I can still see the numbers,
>>>>>>> it is just
>>>>>>> very inconvenient and hard to see what I'm doing...
>>>>>>>
>>>>>>>
>>>>>>> Thank You
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Michael Wood <esiotrot at gmail.com>
>>>>>>
>>>>>>
>>>>
>>>
>>>
>>    By reading your last post, it would seem that you are trying to store
>> your users etc in the AD database and also in an LDAP database, why? You
>> only need one.
>>
>> Your main problem here (as far as I see it) is that you do not seem to
>> understand how Active Directory works. For instance, users, groups and
>> computers are all treated as objects and as such can be stored in the same
>> place or 'OU'. Your problems are further compounded by using an OS that
>> very few others use for a server, so the number of people that can help
>> with your OS specific problems is extremely limited.
>>
>> Bearing in mind all the problems that you have had to get to here (and it
>> is still not working correctly), have you considered using a mainstream OS
>> such as CentOS, Debian, Ubuntu etc ? By using a mainstream OS, you do not
>> have to keep an eye out for security fixes that you would have to apply
>> yourself, you would get them in an update from the OS. The other benefit is
>> that you can create a new server very quickly, far faster than setting up a
>> Gentoo machine.
>>
>> Rowland
>>
>
>
>

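Added example, not from the thread or from the Samba or Gentoo wiki pages: a POSIX shell script that translates the k5start invocation in the top message into a Heimdal kinit refresh loop, and first checks the LDAP URI that nslcd will bind to, since GSSAPI requests the server principal ldap/<host in the URI>@REALM. The keytab, cache path and bind principal follow the thread; the DC name dc1.example.com, the nslcd:nslcd cache owner and the refresh interval are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a k5start-style refresh loop using
# Heimdal kinit, plus a pre-flight check of the LDAP URI nslcd binds to.
# Keytab, cache path and bind principal follow the thread; dc1.example.com,
# the nslcd:nslcd owner and the refresh interval are assumptions.

KEYTAB=/etc/krb5.nslcd.keytab
CCACHE=/var/run/nslcd/nslcd.tkt
PRINC=ldapbind@EXAMPLE.COM
REALM=EXAMPLE.COM
NSLCD_URI=ldap://dc1.example.com/     # assumed DC name; use its DNS name, not an IP
INTERVAL=$((360 * 60))                # k5start -K 360: refresh every 360 minutes

# GSSAPI asks the KDC for ldap/<host in URI>@REALM. Print that principal, and
# return 1 when the host is 'localhost' or an IP literal: the KDC holds no key
# for such a name, which is the "Server ... unknown" failure shown in the thread.
expected_spn() {
    host=${1#*://}; host=${host%%/*}; host=${host%%:*}
    printf 'ldap/%s@%s\n' "$host" "$2"
    case $host in
        localhost) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# One refresh: Heimdal kinit reads the key from the keytab (k5start -f/-U) and
# writes the cache; the cache is then handed to the nslcd user (k5start -o).
refresh_once() {
    kinit --keytab="$KEYTAB" --cache="$CCACHE" "$PRINC" || return 1
    chown nslcd:nslcd "$CCACHE" && chmod 600 "$CCACHE"
}

main() {
    spn=$(expected_spn "$NSLCD_URI" "$REALM") || {
        echo "refusing to start: $spn is not a principal the KDC can have" >&2
        exit 1
    }
    echo "nslcd will request $spn; keeping $CCACHE fresh"
    while :; do                       # k5start -b -K: loop in the background
        refresh_once || echo "ticket refresh failed; retrying later" >&2
        sleep "$INTERVAL"
    done
}

case "${1:-}" in run) main ;; esac    # start only when invoked as: script run
```

Run it as the script's `run` argument from an init script before nslcd starts, and point nslcd's `uri` at the same DNS name the check approved.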
