[Samba] Samba4 AD sssd or pam_krb

Chan Min Wai dcmwai at gmail.com
Tue Dec 31 06:33:17 MST 2013


I've tried but my heimdal doesn't have k5start.
According to chat log
http://users.ece.cmu.edu/~allbery/lambdabot/logs/kerberos/2010-07-19.txt
Very long time ago.

It seems that kinit should have the k5start function.

Thank you.


On Tue, Dec 31, 2013 at 8:40 PM, Rowland Penny
<rowlandpenny at googlemail.com> wrote:

>  On 31/12/13 11:31, Chan Min Wai wrote:
>
> Thank you for the help.
>
>  I'm trying with nslcd.
> That seems to be better than what nss_ldap or nss_pam can do.
> Much better...
>
>  But I've a question according to the setup page.
>
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>
>  According to method 2 using kerberos.
> I was trying that; I've got method 1 running successfully...
>
>
> https://wiki.gentoo.org/wiki/Centralized_authentication_with_Samba_AD_/HOWTO
>
>  Just trying to write another wiki for gentoo with this.
>
>  But it seems that this kerberos on the guide was using mit-krb and not
> heimdal.
>
>  So would like to ask the heimdal expert on the following:
>
>  "k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k
> /tmp/nslcd.tkt"
>
>
> Seeing as k5start is supposed to work with both mit-krb5 & heimdal, then I
> suppose the answer to your question is:
>
>
> "k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k
> /tmp/nslcd.tkt"
>
> Did you try this?
>
> Rowland
>
>
>
>  How can I change this to be heimdal-based?
> I tried
> kinit --cache=/var/run/nslcd/nslcd.tkt --keytab=/etc/krb5.nslcd.keytab
> ldapbind at EXAMPLE.COM nslcd
>
>  but get an error like
>
>  nslcd: failed to bind to LDAP server ldap://127.0.0.1/: Local error:
> SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text)
> (Server (ldap/localhost at EXAMPLE) unknown)
>
>
>
>  Thank you.
>
>
> On Mon, Dec 30, 2013 at 8:46 PM, Rowland Penny <
> rowlandpenny at googlemail.com> wrote:
>
>>  On 30/12/13 11:38, Chan Min Wai wrote:
>>
>> Dear Rowland,
>>
>>  Sorry if I've confused you.
>>
>>
>>  No, you didn't confuse me, but I think that you are confusing yourself
>> with the way that you are doing your tests.
>>
>>
>>  You are correct to say that I've an ldap and also Samba AD setup.
>> But only one is running at any time.
>>
>>   Have you looked at 'samba-tool domain classicupgrade' ? This will take
>> the info from your existing S3 system and upgrade you to S4 AD, there is
>> info about this on the samba wiki.
>>
>>
>>  At the time being I'm switching to Samba AD (So that it can replace my
>> LDAP)
>>
>>  You are correct saying that this might be an OS-specific issue.
>> I'm looking at how people would use it in other OSes. As nss_ldap etc.
>> should be working similarly in all Linux (the difference is how we set it
>> up)
>>
>>  I'm thinking that as Samba AD is also running as an LDAP server
>> I should be able to run nss_ldap and connect to it.
>>
>>  nss_ldap is old hat, it had problems and has been replaced with
>> nss_ldapd, you could also use nslcd or winbind or (if you changed OS) sssd.
>>
>> Rowland
>>
>>
>>
>>  Well, my last test shows that it is working. Just that it has some
>> glitches...
>>
>>  Thank you.
>>
>>
>> On Mon, Dec 30, 2013 at 7:14 PM, Rowland Penny <
>> rowlandpenny at googlemail.com> wrote:
>>
>>>   On 30/12/13 06:19, Chan Min Wai wrote:
>>>
>>> Dear Rowland
>>>
>>>  You are correct.
>>> by changing the server and also the settings in ldap.conf and also changing
>>> back the nsswitch.conf
>>>
>>>  I can log in as a user which is already in the AD.
>>>
>>>  There are a few notes: by the setup of my ldap.conf, users, groups and
>>> computers need to be in different OUs, and ldap reads from these OUs with
>>> different nss_base
>>>
>>>  if using the base DN (location1.domain.com), all users, computers
>>> and groups will be mixed up and will have issues.
>>>
>>>  Possibly need to set up a filter on nss_base_xxx (but not sure yet)
>>>
>>>  One issue I face is that when I su to the username it shows:
>>>
>>>  I have no name!@server1/var/log $
>>>
>>> Which is strange...
>>> Checking the log shows this.
>>>
>>>  Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
>>>  Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session
>>> opened for user dcmwai by root(uid=0)
>>> Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server
>>> (sleeping 1 seconds)...
>>> Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server
>>> (sleeping 2 seconds)...
>>> Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server
>>> (sleeping 4 seconds)...
>>> Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server
>>> (sleeping 8 seconds)...
>>> Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server -
>>> Server is unavailable
>>> Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session
>>> closed for user dcmwai
>>>
>>>  Any suggestion on what to look at?
>>>
>>>  getent password, shadow, group seem to be showing correctly.
>>>
>>>  Thank You.
>>>
>>>
>>>
>>>
>>> On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny <
>>> rowlandpenny at googlemail.com> wrote:
>>>
>>>>  On 29/12/13 19:02, Chan Min Wai wrote:
>>>>
>>>> Dear Rowland,
>>>>
>>>>  I think that it does have it if they are same as what windows AD have
>>>> according to the link below.
>>>>
>>>>
>>>>  All samba4 AD attributes are the same as windows AD attributes,
>>>> because they ARE windows AD attributes
>>>>
>>>>
>>>>
>>>>
>>>> http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>>>>
>>>>  Yes these are the attribute that I use.
>>>>
>>>>  winbind might have a weakness on its home and also shell, as it was not
>>>> from AD but from smb.conf.
>>>> Also without userPassword you will need to change the pam config to work
>>>> with winbind.
>>>>
>>>>
>>>>  I think that you are falling into the 'lets put everything on the AD
>>>> server' trap, it would be better if you just use the S4 AD server for
>>>> authentication and then set up another server as a fileserver.
>>>>
>>>> You would also need to change the pam config if you used sssd, so I
>>>> cannot see your problem here.
>>>>
>>>>
>>>>
>>>>
>>>>  With shadow in AD, your changes on that part will only be on
>>>> ldap.conf which is just uncomment :)
>>>>
>>>>
>>>>  If you use S4 AD as it is meant to be used, you do not need the shadow
>>>> attributes.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny <
>>>> rowlandpenny at googlemail.com> wrote:
>>>>
>>>>> On 28/12/13 14:38, Chan Min Wai wrote:
>>>>>
>>>>>> Dear Michael,
>>>>>>
>>>>>> I'm on gentoo, as far as I know sssd requires mit-krb5 and wouldn't
>>>>>> compile with
>>>>>> heimdal...
>>>>>>
>>>>>> I do hope we can directly use shadow attribute from Samba AD and make
>>>>>> it
>>>>>> work like ldap...
>>>>>>
>>>>> The hint is in the name, Samba 4 is an implementation of Active
>>>>> Directory, it is not at this time LDAP. Having said that, it does have the
>>>>> 'User' objectClass which has the auxiliaryClasses, shadowAccount &
>>>>> posixAccount. The attributes of shadowAccount are:
>>>>>   uid, userPassword, description, shadowLastChange, shadowMin,
>>>>> shadowMax, shadowWarning, shadowInactive, shadowExpire, shadowFlag
>>>>>
>>>>> Are these of any use to you ?
>>>>>
>>>>> Also if you cannot use sssd, then why not try winbind ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>> But it is missing the access to userpasswd or shadow* attributes...
>>>>>>
>>>>>>
>>>>>> On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood <esiotrot at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> On 24 December 2013 14:12, Chan Min Wai <dcmwai at gmail.com> wrote:
>>>>>>>
>>>>>>>> Dear All,
>>>>>>>>
>>>>>>>> I was using Samba3 + LDAP central authentication for the past 5
>>>>>>>> years.
>>>>>>>>
>>>>>>>> And since I need to move to Samba4 AD, I was wondering if there is a way to
>>>>>>>> do
>>>>>>>> linux central authentication without sssd but using pam_krb.
>>>>>>>> I'm asking this because I've removed mit-krb5 on my testing machine
>>>>>>>> as
>>>>>>>> required by samba4 in my gentoo.
>>>>>>>>
>>>>>>> Samba 4 AD includes its own KDC (based on Heimdal), but you should
>>>>>>> be able
>>>>>>> to install the MIT krb5 client libs which are what sssd or pam_krb
>>>>>>> would
>>>>>>> require.  Otherwise, surely they would also work with the heimdal
>>>>>>> client
>>>>>>> libs?
>>>>>>>
>>>>>>> I don't know how gentoo packages Samba 4, so it might be more or less
>>>>>>> tricky, but the main thing to do is avoid installing the MIT KDC.
>>>>>>>
>>>>>>> So without mit-krb5 sssd doesn't compile.
>>>>>>>
>>>>>>>> So was wondering if there is any other solution and how hard it will be.
>>>>>>>>
>>>>>>>> I've 2 linux gentoo servers which will depend on this central
>>>>>>>> authentication
>>>>>>>> (at least the user ID and the GID have to be correct)
>>>>>>>>
>>>>>>>> without the proper UID and GID display, I can still see the numbers,
>>>>>>>> just
>>>>>>>> very inconvenient and hard to see what I'm doing...
>>>>>>>>
>>>>>>>>
>>>>>>>> Thank You
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Michael Wood <esiotrot at gmail.com>
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>>
>>>    By reading your last post, it would seem that you are trying to
>>> store your users etc in the AD database and also in an LDAP database, why?
>>> You only need one.
>>>
>>> Your main problem here (as far as I see it) is that you do not seem to
>>> understand how Active Directory works. For instance, users, groups and
>>> computers are all treated as objects and as such can be stored in the same
>>> place or 'OU'. Your problems are further compounded by using an OS that
>>> very few others use for a server, so the number of people that can help
>>> with your OS specific problems is extremely limited.
>>>
>>> Bearing in mind all the problems that you have had to get to here (and
>>> it is still not working correctly), have you considered using a mainstream
>>> OS such as CentOS, Debian, Ubuntu etc ? By using a mainstream OS, you do
>>> not have to keep an eye out for security fixes that you would have to apply
>>> yourself, you would get them in an update from the OS. The other benefit is
>>> that you can create a new server very quickly, far faster than setting up a
>>> Gentoo machine.
>>>
>>> Rowland
>>>
>>
>>
>>
>
>
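The syslog excerpt quoted earlier in this thread shows nss_ldap backing off 1, 2, 4 and 8 seconds and then giving up during an su session; a shell prints "I have no name!" when it cannot resolve its own uid, which is what happens when NSS loses its LDAP backend mid-session. As an added example (not code from the thread, from Samba or from nss_ldap), the Python below parses such lines and reports su sessions during which name lookups failed; the sample lines are reassembled from the thread and the year 2013 is assumed, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the su / nss_ldap syslog lines quoted in the thread, rejoined.
SAMPLE_LOG = """\
Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened for user dcmwai by root(uid=0)
Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server - Server is unavailable
Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed for user dcmwai
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
OPEN_RE = re.compile(r"pam_unix\(su:session\): session opened for user (?P<user>\S+)")
CLOSE_RE = re.compile(r"pam_unix\(su:session\): session closed for user (?P<user>\S+)")
RECONNECT_RE = re.compile(r"nss_ldap: reconnecting to LDAP server \(sleeping (?P<secs>\d+) seconds\)")
FAIL_RE = re.compile(r"nss_ldap: could not search LDAP server")

def analyse_su_sessions(log_text, year=2013):
    # Pair each su session open/close with the nss_ldap reconnect and failure lines
    # between them. The '-su:' lines carry no pid, so correlation is by position.
    sessions, cur = [], None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S"), m["msg"]
        o = OPEN_RE.search(msg)
        if o:
            cur = {"user": o["user"], "opened": ts, "closed": None,
                   "reconnects": 0, "backoff_seconds": 0, "lookup_failed": False}
            sessions.append(cur)
        elif cur is not None and cur["closed"] is None:
            r = RECONNECT_RE.search(msg)
            if r:
                cur["reconnects"] += 1
                cur["backoff_seconds"] += int(r["secs"])
            elif FAIL_RE.search(msg):
                cur["lookup_failed"] = True
            elif CLOSE_RE.search(msg):
                cur["closed"] = ts
    return sessions

def nameless_sessions(sessions):
    # (user, reconnect attempts, total backoff, session length) for sessions whose lookups failed
    return [(s["user"], s["reconnects"], s["backoff_seconds"],
             int((s["closed"] - s["opened"]).total_seconds()) if s["closed"] else None)
            for s in sessions if s["lookup_failed"]]
```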