[Samba] Samba4 AD sssd or pam_krb
Rowland Penny
rowlandpenny at googlemail.com
Tue Dec 31 05:40:32 MST 2013
On 31/12/13 11:31, Chan Min Wai wrote:
> Thank you for the help.
>
> I'm trying with nslcd.
> That seem to be better than what nss_ldap or nss_pam can do.
> Much better...
>
> But I've a question according to the setup page.
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>
> According to method 2 using kerberos.
> I was trying that, as I've got method 1 running successfully...
>
> https://wiki.gentoo.org/wiki/Centralized_authentication_with_Samba_AD_/HOWTO
>
> Just trying to write another wiki for gentoo with this.
>
> But it seems that the kerberos in the guide was using mit-krb and not
> heimdal.
>
> So would like to ask the heimdal expert on the following:
>
> "k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k
> /tmp/nslcd.tkt"
Seeing as k5start is supposed to work with both mit-krb5 & heimdal, then
I suppose the answer to your question is:
"k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt"
Did you try this?
Rowland
>
> How can I change this to be heimdal based?
> I tried
> kinit --cache=/var/run/nslcd/nslcd.tkt --keytab=/etc/krb5.nslcd.keytab
> ldapbind@EXAMPLE.COM nslcd
>
> but got an error like
>
> nslcd: failed to bind to LDAP server ldap://127.0.0.1/: Local error: SASL(-1): generic failure: GSSAPI
> Error: Miscellaneous failure (see text) (Server
> (ldap/localhost@EXAMPLE) unknown)
>
>
>
> Thank you.
>
>
> On Mon, Dec 30, 2013 at 8:46 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> On 30/12/13 11:38, Chan Min Wai wrote:
>> Dear Rowland,
>>
>> Sorry if I've confused you.
>
> No, you didn't confuse me, but I think that you are confusing
> yourself with the way that you are doing your tests.
>
>
>> You are correct to say that I've an LDAP and also Samba AD setup.
>> But only one is running at any time.
>>
> Have you looked at 'samba-tool domain classicupgrade' ? This will
> take the info from your existing S3 system and upgrade you to S4
> AD, there is info about this on the samba wiki.
>
>
>> At the time being I'm switching to Samba AD (So that it can
>> replace my LDAP)
>>
>> You are correct that this might be an OS-specific issue.
>> I'm looking at how people would use it on other OSes, as nss_ldap
>> etc. should work similarly on all Linux (the difference is how
>> we set it up).
>>
>> I'm thinking that as Samba AD is also running as an LDAP server,
>> I should be able to run nss_ldap and connect to it.
> nss_ldap is old hat; it had problems and has been replaced with
> nss_ldapd. You could also use nslcd or winbind or (if you changed
> OS) sssd.
>
> Rowland
>
>
>>
>> Well, my last test shows that it is working. Just that it has
>> some glitches...
>>
>> Thank you.
>>
>>
>> On Mon, Dec 30, 2013 at 7:14 PM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 30/12/13 06:19, Chan Min Wai wrote:
>>> Dear Rowland
>>>
>>> You are correct.
>>> by changing the server and settings in ldap.conf and also
>>> changing back nsswitch.conf
>>>
>>> I can login as user which is already in the AD.
>>>
>>> There are a few notes: with the setup of my ldap.conf, users,
>>> groups and computers need to be in different OUs, and ldap
>>> reads from these OUs with different nss_base settings.
>>>
>>> If using the base DN (location1.domain.com), all users, computers
>>> and groups will be mixed up and there will be issues.
>>>
>>> Possibly need to set up a filter on nss_base_xxx (but not sure yet)
>>>
>>> One issue I face is that when I su to the username it shows:
>>>
>>> I have no name!@server1/var/log $
>>> Which is strange...
>>> Checking on log show this.
>>>
>>> Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
>>> Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened for user dcmwai by root(uid=0)
>>> Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
>>> Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
>>> Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
>>> Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
>>> Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server - Server is unavailable
>>> Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed for user dcmwai
>>>
>>> Any suggestion on what to look at?
>>>
>>> getent passwd, shadow, group seem to show correctly.
>>>
>>> Thank You.
>>>
>>>
>>>
>>>
>>> On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>>
>>> On 29/12/13 19:02, Chan Min Wai wrote:
>>>> Dear Rowland,
>>>>
>>>> I think that it does have it, if they are the same as what
>>>> Windows AD has, according to the link below.
>>>
>>> All samba4 AD attributes are the same as windows AD
>>> attributes, because they ARE windows AD attributes
>>>
>>>
>>>>
>>>> http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>>>>
>>>> Yes these are the attribute that I use.
>>>>
>>>> winbind might have a weakness on its home and also shell,
>>>> as they are not from AD but from smb.conf.
>>>> Also, without userPassword you will need to change the pam
>>>> config to work with winbind.
>>>
>>> I think that you are falling into the 'lets put
>>> everything on the AD server' trap, it would be better if
>>> you just use the S4 AD server for authentication and
>>> then set up another server as a fileserver.
>>>
>>> You would also need to change the pam config if you used
>>> sssd, so cannot see your problem here.
>>>
>>>
>>>>
>>>> With shadow in AD, your changes on that part will only
>>>> be in ldap.conf, which is just uncommenting :)
>>>
>>> If you use S4 AD as it is meant to be used, you do not
>>> need the shadow attributes.
>>>
>>> Rowland
>>>
>>>
>>>>
>>>>
>>>>
>>>> On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>>
>>>> On 28/12/13 14:38, Chan Min Wai wrote:
>>>>
>>>> Dear Michael,
>>>>
>>>> I'm on gentoo; as far as I know sssd requires
>>>> mit-krb5 and wouldn't compile with
>>>> heimdal...
>>>>
>>>> I do hope we can directly use the shadow attributes
>>>> from Samba AD and make it
>>>> work like ldap...
>>>>
>>>> The hint is in the name: Samba 4 is an
>>>> implementation of Active Directory, it is not at
>>>> this time LDAP. Having said that, it does have the
>>>> 'User' objectClass which has the auxiliaryClasses
>>>> shadowAccount & posixAccount. The attributes of
>>>> shadowAccount are:
>>>> uid, userPassword, description,
>>>> shadowLastChange, shadowMin, shadowMax,
>>>> shadowWarning, shadowInactive, shadowExpire, shadowFlag
>>>>
>>>> Are these of any use to you ?
>>>>
>>>> Also if you cannot use sssd, then why not try winbind ?
>>>>
>>>> Rowland
>>>>
>>>> But it is missing the access to the userPassword or
>>>> shadow* attributes...
>>>>
>>>>
>>>> On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood
>>>> <esiotrot at gmail.com> wrote:
>>>>
>>>> Hi
>>>>
>>>> On 24 December 2013 14:12, Chan Min Wai
>>>> <dcmwai at gmail.com> wrote:
>>>>
>>>> Dear All,
>>>>
>>>> I was using Samba3 + LDAP central
>>>> authentication for the past 5 years.
>>>>
>>>> And since I need to move to Samba4 AD, I was
>>>> wondering if there is a way to do
>>>> Linux central authentication without
>>>> sssd but using pam_krb.
>>>> I'm asking this because I've removed
>>>> mit-krb5 on my testing machine, as
>>>> required by samba4 in my gentoo.
>>>>
>>>> Samba 4 AD includes its own KDC (based on
>>>> Heimdal), but you should be able
>>>> to install the MIT krb5 client libs which
>>>> are what sssd or pam_krb would
>>>> require. Otherwise, surely they would also
>>>> work with the heimdal client
>>>> libs?
>>>>
>>>> I don't know how gentoo packages Samba 4,
>>>> so it might be more or less
>>>> tricky, but the main thing to do is avoid
>>>> installing the MIT KDC.
>>>>
>>>> So without mit-krb5 sssd doesn't compile.
>>>>
>>>> So I was wondering if there is any other
>>>> solution and how hard it will be.
>>>>
>>>> I've 2 Linux Gentoo servers that will
>>>> depend on this central authentication
>>>> (at least the user ID and the GID have
>>>> to be correct).
>>>>
>>>> Without the proper UID and GID display,
>>>> I can still see the numbers; it's just
>>>> very inconvenient and hard to see
>>>> what I'm doing...
>>>>
>>>>
>>>> Thank You
>>>>
>>>>
>>>> --
>>>> Michael Wood <esiotrot at gmail.com>
>>>>
>>>>
>>>>
>>>
>>>
>> By reading your last post, it would seem that you are trying
>> to store your users etc. in the AD database and also in an
>> LDAP database. Why? You only need one.
>>
>> Your main problem here (as far as I see it) is that you do
>> not seem to understand how Active Directory works. For
>> instance, users, groups and computers are all treated as
>> objects and as such can be stored in the same place or 'OU'.
>> Your problems are further compounded by using an OS that very
>> few others use for a server, so the number of people that can
>> help with your OS specific problems is extremely limited.
>>
>> Bearing in mind all the problems that you have had to get to
>> here (and it is still not working correctly), have you
>> considered using a main stream OS such as CentOS, Debian,
>> Ubuntu etc ? By using a main stream OS, you do not have to
>> keep an eye out for security fixes that you would have to
>> apply yourself, you would get them in an update from the OS.
>> The other benefit is that you can create a new server very
>> quickly, far faster than setting up a Gentoo machine.
>>
>> Rowland
>>
>>
>
>
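The GSSAPI failure quoted above, "Server (ldap/localhost@EXAMPLE) unknown", is worth unpicking because it is the most common way a keytab-based nslcd bind goes wrong: the SASL/GSSAPI client builds the service principal from the host part of the LDAP URI, and with `uri ldap://127.0.0.1/` the loopback address canonicalises to `localhost`, so the client asks the KDC for a ticket to `ldap/localhost@REALM`, an SPN no DC registers. The check below is an added example written for this note; it is not code from the thread, the Samba wiki or the nslcd project. It models that canonicalisation in Python and tests each `uri` line of an nslcd.conf fragment against the SPNs a DC would hold. The DC name `dc1.example.com`, the realm `EXAMPLE.COM`, the SPN set, and the reverse-DNS table are constructed assumptions; the `uri`, `base`, `sasl_mech` and `krb5_ccname` keys are real nslcd.conf options, and the realm is passed in as a parameter rather than derived from krb5.conf as a real client would.

```python
"""Added example (not from the thread or the Samba wiki): model why a
SASL/GSSAPI bind to ldap://127.0.0.1/ asks the KDC for ldap/localhost@REALM,
and check nslcd.conf 'uri' lines against the SPNs a DC actually holds."""

from urllib.parse import urlsplit

# Constructed: what reverse DNS returns on the client. A GSSAPI client
# canonicalises the host part of the LDAP URI before building the service
# principal; an IP literal is resolved back to a name, and 127.0.0.1 comes
# back as 'localhost', which is the name in the thread's error message.
REVERSE_DNS = {"127.0.0.1": "localhost"}

# Constructed: servicePrincipalName values the DC advertises (assumed names).
# A DC registers ldap/<fqdn> and ldap/<shortname>; nothing registers
# ldap/localhost, so the KDC answers 'Server unknown'.
DC_SPNS = {
    "ldap/dc1.example.com@EXAMPLE.COM",
    "ldap/dc1@EXAMPLE.COM",
    "host/dc1.example.com@EXAMPLE.COM",
}


def ldap_uris(nslcd_conf: str) -> list[str]:
    """Return the values of every 'uri' line in nslcd.conf text (comments skipped)."""
    uris = []
    for raw in nslcd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key == "uri":
            uris.extend(value.split())  # nslcd allows several URIs on one line
    return uris


def expected_spn(uri: str, realm: str, reverse_dns=REVERSE_DNS) -> str:
    """Simplified model of the principal a GSSAPI client requests for an LDAP
    URI: ldap/<canonical host>@<realm>. The realm is passed in as an assumption;
    a real client derives it from krb5.conf domain_realm or a KDC referral."""
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError(f"no host in LDAP URI {uri!r}")
    return f"ldap/{reverse_dns.get(host, host).lower()}@{realm}"


def check_uris(nslcd_conf: str, realm: str, dc_spns=DC_SPNS) -> dict[str, tuple[str, bool]]:
    """Map each configured URI to (SPN the client will ask for, DC has it?)."""
    result = {}
    for uri in ldap_uris(nslcd_conf):
        spn = expected_spn(uri, realm)
        result[uri] = (spn, spn in dc_spns)
    return result


# Constructed nslcd.conf fragments: the loopback URI from the thread, and the
# same file pointing at the DC's FQDN so the SPN matches what the KDC knows.
BROKEN_CONF = """\
uri ldap://127.0.0.1/
base dc=example,dc=com
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
"""
FIXED_CONF = BROKEN_CONF.replace("ldap://127.0.0.1/", "ldap://dc1.example.com/")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for uri, (spn, ok) in check_uris(conf, "EXAMPLE.COM").items():
            print(f"{label}: {uri} -> {spn}: {'OK' if ok else 'unknown to KDC'}")
```

The practical takeaway is that the `uri` in nslcd.conf must name the DC by the same FQDN that appears in its `ldap/...` SPN (on a Samba DC, `samba-tool spn list` on the DC's machine account shows them); whether you obtain the nslcd ticket with MIT `k5start` or Heimdal `kinit --keytab --cache`, the KDC will only issue a service ticket for an SPN it knows about, and `ldap/localhost` is never one of them.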