[Samba] Samba4 AD sssd or pam_krb

Rowland Penny rowlandpenny at googlemail.com
Tue Dec 31 08:42:39 MST 2013


On 31/12/13 13:33, Chan Min Wai wrote:
> I've tried, but my heimdal doesn't have k5start.
> According to the chat log
> http://users.ece.cmu.edu/~allbery/lambdabot/logs/kerberos/2010-07-19.txt
> Very long time ago.
>
> It seems that kinit should have the k5start function.
>
> Thank you.
>
>
> On Tue, Dec 31, 2013 at 8:40 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
>     On 31/12/13 11:31, Chan Min Wai wrote:
>>     Thank you for the help.
>>
>>     I'm trying with nslcd.
>>     That seems to be better than what nss_ldap or nss_pam can do.
>>     Much better...
>>
>>     But I have a question about the setup page.
>>     https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>>
>>     According to method 2, using Kerberos.
>>     I was trying that, as I've got method 1 running successfully...
>>
>>     https://wiki.gentoo.org/wiki/Centralized_authentication_with_Samba_AD_/HOWTO
>>
>>     Just trying to write another wiki for gentoo with this.
>>
>>     But it seems that the kerberos in the guide was using mit-krb and
>>     not heimdal.
>>
>>     So I would like to ask the heimdal expert about the following:
>>
>>     "k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt"
>
>     Seeing as k5start is supposed to work with both mit-krb5 &
>     heimdal, then I suppose the answer to your question is:
>
>
>     "k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt"
>
>     Did you try this?
>
>     Rowland
>
>
>>
>>     How can I change this to be heimdal based?
>>     I tried
>>     kinit --cache=/var/run/nslcd/nslcd.tkt --keytab=/etc/krb5.nslcd.keytab ldapbind@EXAMPLE.COM nslcd
>>
>>     but got an error like
>>
>>     nslcd: failed to bind to LDAP server ldap://127.0.0.1/: Local error: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Server (ldap/localhost@EXAMPLE) unknown)
>>
>>
>>
>>     Thank you.
>>
>>
>>     On Mon, Dec 30, 2013 at 8:46 PM, Rowland Penny
>>     <rowlandpenny at googlemail.com> wrote:
>>
>>         On 30/12/13 11:38, Chan Min Wai wrote:
>>>         Dear Rowland,
>>>
>>>         Sorry if I've confused you.
>>
>>         No, you didn't confuse me, but I think that you are confusing
>>         yourself with the way that you are doing your tests.
>>
>>
>>>         You are correct to say that I've an ldap and also Samba AD
>>>         setup.
>>>         But only one is running at any time.
>>>
>>         Have you looked at 'samba-tool domain classicupgrade' ? This
>>         will take the info from your existing S3 system and upgrade
>>         you to S4 AD, there is info about this on the samba wiki.
>>
>>
>>>         At the time being I'm switching to Samba AD (So that it can
>>>         replace my LDAP)
>>>
>>>         You are correct saying that this might be an OS specific issue.
>>>         I'm looking at how people would use it on other OSes. As
>>>         nss_ldap etc. should be working similarly on all Linux
>>>         (the difference is how we set it up)
>>>
>>>         I'm thinking that as Samba AD is also running as an LDAP server
>>>         I should be able to run nss_ldap and connect to it.
>>         nss_ldap is old hat, it had problems and has been replaced
>>         with nss_ldapd, you could also use nslcd or winbind or (if
>>         you changed OS) sssd.
>>
>>         Rowland
>>
>>
>>>
>>>         Well, my last test shows that it is working. Just that it
>>>         has some glitches...
>>>
>>>         Thank you.
>>>
>>>
>>>         On Mon, Dec 30, 2013 at 7:14 PM, Rowland Penny
>>>         <rowlandpenny at googlemail.com> wrote:
>>>
>>>             On 30/12/13 06:19, Chan Min Wai wrote:
>>>>             Dear Rowland
>>>>
>>>>             You are correct.
>>>>             By changing the server and also the setting in ldap.conf and
>>>>             also changing back the nsswitch.conf
>>>>
>>>>             I can login as user which is already in the AD.
>>>>
>>>>             There are a few notes: by the setup of my ldap.conf,
>>>>             users, groups and computers need to be in a different
>>>>             OU and ldap reads from this OU with a different nss_base
>>>>
>>>>             if using the base DN (location1.domain.com) it will mix up
>>>>             all users, computers and groups, and there will be issues.
>>>>
>>>>             Possibly need to set up a filter on nss_base_xxx (but not
>>>>             sure yet)
>>>>
>>>>             One issue I face is that when I su to the username it shows:
>>>>
>>>>             I have no name!@server1/var/log $
>>>>             Which is strange...
>>>>             Checking the log shows this.
>>>>
>>>>             Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
>>>>             Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened for user dcmwai by root(uid=0)
>>>>             Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
>>>>             Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
>>>>             Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
>>>>             Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
>>>>             Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server - Server is unavailable
>>>>             Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed for user dcmwai
>>>>
>>>>             Any suggestion on what to look at?
>>>>
>>>>             getent password, shadow, group seem to be showing
>>>>             correctly.
>>>>
>>>>             Thank You.
>>>>
>>>>
>>>>
>>>>
>>>>             On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny
>>>>             <rowlandpenny at googlemail.com> wrote:
>>>>
>>>>                 On 29/12/13 19:02, Chan Min Wai wrote:
>>>>>                 Dear Rowland,
>>>>>
>>>>>                 I think that it does have it if they are same as
>>>>>                 what windows AD have according to the link below.
>>>>
>>>>                 All samba4 AD attributes are the same as windows AD
>>>>                 attributes, because they ARE windows AD attributes
>>>>
>>>>
>>>>>
>>>>>                 http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>>>>>
>>>>>                 Yes these are the attribute that I use.
>>>>>
>>>>>                 winbind might have a weakness on its home and also
>>>>>                 shell as they are not from AD but from smb.conf.
>>>>>                 Also without userPassword you will need to change
>>>>>                 the pam config to work with winbind.
>>>>
>>>>                 I think that you are falling into the 'lets put
>>>>                 everything on the AD server' trap, it would be
>>>>                 better if you just use the S4 AD server for
>>>>                 authentication and then set up another server as a
>>>>                 fileserver.
>>>>
>>>>                 You would also need to change the pam config if you
>>>>                 used sssd, so I cannot see your problem here.
>>>>
>>>>
>>>>>
>>>>>                 With shadow in AD, your changes on that part will
>>>>>                 only be on ldap.conf which is just uncomment :)
>>>>
>>>>                 If you use S4 AD as it is meant to be used, you do
>>>>                 not need the shadow attributes.
>>>>
>>>>                 Rowland
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>                 On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny
>>>>>                 <rowlandpenny at googlemail.com> wrote:
>>>>>
>>>>>                     On 28/12/13 14:38, Chan Min Wai wrote:
>>>>>
>>>>>                         Dear Michael,
>>>>>
>>>>>                         I'm on gentoo, as far as I know sssd
>>>>>                         requires mit-krb5 and wouldn't compile with
>>>>>                         heimdal...
>>>>>
>>>>>                         I do hope we can directly use shadow
>>>>>                         attribute from Samba AD and make it
>>>>>                         work like ldap...
>>>>>
>>>>>                     The hint is in the name, Samba 4 is an
>>>>>                     implementation of Active Directory, it is not
>>>>>                     at this time LDAP. Having said that, it does
>>>>>                     have the 'User' objectClass which has the
>>>>>                     auxiliaryClasses, shadowAccount &
>>>>>                     posixAccount. The attributes of shadowAccount are:
>>>>>                     uid, userPassword, description,
>>>>>                     shadowLastChange, shadowMin, shadowMax,
>>>>>                     shadowWarning, shadowInactive,
>>>>>                     shadowExpire, shadowFlag
>>>>>
>>>>>                     Are these of any use to you ?
>>>>>
>>>>>                     Also if you cannot use sssd, then why not try
>>>>>                     winbind ?
>>>>>
>>>>>                     Rowland
>>>>>
>>>>>                         But it is missing access to the userpasswd
>>>>>                         or shadow* attributes...
>>>>>
>>>>>
>>>>>                         On Sat, Dec 28, 2013 at 4:54 PM, Michael
>>>>>                         Wood <esiotrot at gmail.com> wrote:
>>>>>
>>>>>                             Hi
>>>>>
>>>>>                             On 24 December 2013 14:12, Chan Min
>>>>>                             Wai <dcmwai at gmail.com> wrote:
>>>>>
>>>>>                                 Dear All,
>>>>>
>>>>>                                 I was using Samba3 + LDAP central
>>>>>                                 authentication for the past 5 years.
>>>>>
>>>>>                                 And since I need to move to Samba4
>>>>>                                 AD, I was wondering if there is a way to do
>>>>>                                 linux central authentication
>>>>>                                 without sssd but using pam_krb.
>>>>>                                 I'm asking this because I've
>>>>>                                 removed mit-krb5 on my testing
>>>>>                                 machine as
>>>>>                                 required by samba4 in my gentoo.
>>>>>
>>>>>                             Samba 4 AD includes its own KDC (based
>>>>>                             on Heimdal), but you should be able
>>>>>                             to install the MIT krb5 client libs
>>>>>                             which are what sssd or pam_krb would
>>>>>                             require.  Otherwise, surely they would
>>>>>                             also work with the heimdal client
>>>>>                             libs?
>>>>>
>>>>>                             I don't know how gentoo packages Samba
>>>>>                             4, so it might be more or less
>>>>>                             tricky, but the main thing to do is
>>>>>                             avoid installing the MIT KDC.
>>>>>
>>>>>                             So without mit-krb5 sssd doesn't compile.
>>>>>
>>>>>                                 So I was wondering if there is any other
>>>>>                                 solution and how hard it will be.
>>>>>
>>>>>                                 I've 2 linux gentoo servers that will
>>>>>                                 depend on this central
>>>>>                                 authentication
>>>>>                                 (at least the user ID and the GID
>>>>>                                 have to be correct)
>>>>>
>>>>>                                 without the proper UID and GID
>>>>>                                 display, I can still see the
>>>>>                                 numbers, it is just
>>>>>                                 very inconvenient and hard to
>>>>>                                 see what I'm doing...
>>>>>
>>>>>
>>>>>                                 Thank You
>>>>>
>>>>>
>>>>>                             --
>>>>>                             Michael Wood <esiotrot at gmail.com>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>              By reading your last post, it would seem that you are
>>>             trying to store your users etc in the AD database and
>>>             also in an LDAP database, why? you only need one.
>>>
>>>             Your main problem here (as far as I see it) is that you
>>>             do not seem to understand how Active Directory works.
>>>             For instance, users, groups and computers are all
>>>             treated as objects and as such can be stored in the same
>>>             place or 'OU'. Your problems are further compounded by
>>>             using an OS that very few others use for a server, so
>>>             the number of people that can help with your OS specific
>>>             problems is extremely limited.
>>>
>>>             Bearing in mind all the problems that you have had to
>>>             get to here (and it is still not working correctly),
>>>             have you considered using a main stream OS such as
>>>             Centos, Debian, Ubuntu etc ? By using a main stream OS,
>>>             you do not have to keep an eye out for security fixes
>>>             that you would have to apply yourself, you would get
>>>             them in an update from the OS. The other benefit is that
>>>             you can create a new server very quickly, far faster
>>>             than setting up a Gentoo machine.
>>>
>>>             Rowland
>>>
>>>
>>
>>
>
>
k5start is a separate program, try an internet search on kstart.

Rowland
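The ticket-from-keytab setup the thread circles around, put into one script as an added example; it is not from the Samba wiki, the Gentoo wiki or any poster. It reads the "uri" from nslcd.conf and refuses to start when that host would make the GSSAPI client ask for a principal such as ldap/localhost, which is the shape of the bind error quoted above (the SPN is built from the URI host, and 127.0.0.1 reverse-resolves to localhost, a name no DC registers). It then keeps the cache fresh either with the wiki's k5start line (MIT) or, for Heimdal, by re-running kinit with --keytab/--cache on the same six-hour interval as k5start -K 360. The keytab, cache path, principal and run-as user are the thread's values reused as placeholders, and the test on the "kinit --version" banner is an assumption about what the installed kinit prints.

```shell
#!/bin/sh
# Added example for the thread above; not code from the Samba wiki, the Gentoo
# wiki or any poster. It covers the k5start line quoted in the thread (obtain
# a ticket for nslcd from a keytab and keep it fresh) on both Kerberos
# implementations, and first checks the nslcd "uri" host so the GSSAPI bind
# asks for a service principal the DC actually holds.
#
# Assumed placeholders (change to match the site): keytab, cache, principal,
# nslcd's run-as user.
KEYTAB=${KEYTAB:-/etc/krb5.nslcd.keytab}
CACHE=${CACHE:-/var/run/nslcd/nslcd.tkt}
PRINCIPAL=${PRINCIPAL:-ldapbind@EXAMPLE.COM}
RUNAS=${RUNAS:-nslcd}

# First "uri" keyword in an nslcd.conf; comments and blank lines are skipped.
nslcd_uri_from_conf() {
    awk '$1 == "uri" { print $2; exit }' "$1"
}

# Host part of an LDAP URI: ldap://dc1.example.com:389/ -> dc1.example.com
ldap_uri_host() {
    printf '%s\n' "$1" | sed -e 's|^ldaps*://||' -e 's|/.*$||' -e 's|:[0-9]*$||'
}

# The SASL/GSSAPI client builds its target SPN, ldap/<host>@REALM, from this
# host; an IP literal is reverse-resolved first, which is how a uri of
# ldap://127.0.0.1/ turns into a request for ldap/localhost, a principal no
# Samba AD DC registers. A DC registers ldap/<its fqdn>, so accept only a
# dotted host name: no loopback, no IP literal, no bare short name.
spn_host_ok() {
    host=$(ldap_uri_host "$1")
    case "$host" in
        ''|localhost|localhost.*|'['*) return 1 ;;  # empty, loopback, IPv6 literal
    esac
    case "$host" in
        *[!0-9.]*) ;;                               # has a non-digit: not IPv4
        *) return 1 ;;                              # digits and dots: IPv4 literal
    esac
    case "$host" in
        *.*) return 0 ;;                            # fully qualified
        *) return 1 ;;                              # short name
    esac
}

# Which kinit is installed, judged from the text "kinit --version" prints
# (assumption: Heimdal's banner contains "Heimdal"; MIT's kinit has no
# --version, so the empty/usage text it yields is treated as MIT). Takes the
# banner as an argument so it can be checked without a kinit on the box.
krb_impl_from_banner() {
    case "$1" in
        *Heimdal*|*heimdal*) echo heimdal ;;
        *) echo mit ;;
    esac
}

# Keep the cache fresh. With MIT, k5start (from the separate "kstart"
# package) does it all: -U takes the principal from the keytab, -o hands the
# cache to nslcd, -K 360 re-acquires every six hours, -b daemonises.
# Heimdal's kinit reads the keytab and cache from --keytab/--cache but does
# not loop, so re-acquire at the same interval and fix the cache ownership
# each time; run this under the service manager instead of -b.
keep_fresh() {
    impl=$1; interval=${2:-21600}
    if [ "$impl" = mit ]; then
        exec k5start -f "$KEYTAB" -U -o "$RUNAS" -K 360 -b -k "$CACHE"
    fi
    while :; do
        if kinit --keytab="$KEYTAB" --cache="$CACHE" "$PRINCIPAL"; then
            chown "$RUNAS" "$CACHE" && chmod 600 "$CACHE"
        else
            echo "kinit from $KEYTAB failed; retrying in 60s" >&2
            sleep 60; continue
        fi
        sleep "$interval"
    done
}

# Usage: nslcd-ticket.sh --run [/etc/nslcd.conf] [heimdal|mit]
if [ "${1:-}" = "--run" ]; then
    conf=${2:-/etc/nslcd.conf}
    impl=${3:-$(krb_impl_from_banner "$(kinit --version 2>/dev/null)")}
    uri=$(nslcd_uri_from_conf "$conf")
    spn_host_ok "$uri" || {
        echo "refusing to start: uri host '$(ldap_uri_host "$uri")' in $conf" \
             "must be the DC's FQDN (its ldap/<fqdn> SPN), not an IP or short name" >&2
        exit 2
    }
    keep_fresh "$impl"
fi
```

Run it as root with "--run" once nslcd.conf points at the DC by its FQDN; with the thread's uri of ldap://127.0.0.1/ it exits with status 2 and names the offending host instead of letting nslcd fail its GSSAPI bind at every lookup.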

