[Samba] Samba4 AD sssd or pam_krb
Rowland Penny
rowlandpenny at googlemail.com
Tue Dec 31 08:42:39 MST 2013
On 31/12/13 13:33, Chan Min Wai wrote:
> I've tried, but my heimdal doesn't have k5start.
> According to this chat log
> http://users.ece.cmu.edu/~allbery/lambdabot/logs/kerberos/2010-07-19.txt
> (a very long time ago)
>
> it seems that kinit should have the k5start function.
>
> Thank you.
>
>
> On Tue, Dec 31, 2013 at 8:40 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> On 31/12/13 11:31, Chan Min Wai wrote:
>> Thank you for the help.
>>
>> I'm trying with nslcd.
>> That seems to be better than what nss_ldap or nss_pam can do.
>> Much better...
>>
>> But I've a question according to the setup page.
>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>>
>> According to method 2, using kerberos.
>> I was trying that, as I've got method 1 running successfully...
>>
>> https://wiki.gentoo.org/wiki/Centralized_authentication_with_Samba_AD_/HOWTO
>>
>> Just trying to write another wiki for gentoo with this.
>>
>> But it seems that the kerberos in the guide was using mit-krb and
>> not heimdal.
>>
>> So I would like to ask the heimdal experts about the following:
>>
>> "k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt"
>
> Seeing as k5start is supposed to work with both mit-krb5 &
> heimdal, then I suppose the answer to your question is:
>
>
> "k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 360 -b -k /tmp/nslcd.tkt"
>
> Did you try this?
>
> Rowland
>
>
>>
>> How can I change this to be heimdal based?
>> I tried
>> kinit --cache=/var/run/nslcd/nslcd.tkt --keytab=/etc/krb5.nslcd.keytab ldapbind@EXAMPLE.COM nslcd
>>
>> but get an error like
>>
>> nslcd: failed to bind to LDAP server ldap://127.0.0.1/: Local error: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Server (ldap/localhost@EXAMPLE) unknown)
>>
>>
>>
>> Thank you.
>>
>>
>> On Mon, Dec 30, 2013 at 8:46 PM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 30/12/13 11:38, Chan Min Wai wrote:
>>> Dear Rowland,
>>>
>>> Sorry if I've confused you.
>>
>> No, you didn't confuse me, but I think that you are confusing
>> yourself with the way that you are doing your tests.
>>
>>
>>> You are correct to say that I've an ldap and also a Samba AD
>>> setup.
>>> But only one is running at any time.
>>>
>> Have you looked at 'samba-tool domain classicupgrade' ? This
>> will take the info from your existing S3 system and upgrade
>> you to S4 AD, there is info about this on the samba wiki.
>>
>>
>>> At the time being I'm switching to Samba AD (So that it can
>>> replace my LDAP)
>>>
>>> You are correct saying that this might be an OS specific issue.
>>> I'm looking at how people would use it in other OSes. As
>>> nss_ldap etc. should be working similarly in all Linux
>>> (the difference is how we set it up)
>>>
>>> I'm thinking that as Samba AD is also running as an LDAP server
>>> I should be able to run nss_ldap and connect to it.
>> nss_ldap is old hat, it had problems and has been replaced
>> with nss_ldapd, you could also use nslcd or winbind or (if
>> you changed OS) sssd.
>>
>> Rowland
>>
>>
>>>
>>> Well, my last test shows that it is working. Just that it
>>> has some glitches...
>>>
>>> Thank you.
>>>
>>>
>>> On Mon, Dec 30, 2013 at 7:14 PM, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>>
>>> On 30/12/13 06:19, Chan Min Wai wrote:
>>>> Dear Rowland
>>>>
>>>> You are correct.
>>>> By changing the server and also the settings in ldap.conf and
>>>> also changing back the nsswitch.conf
>>>>
>>>> I can login as a user which is already in the AD.
>>>>
>>>> There are a few notes: by the setup of my ldap.conf,
>>>> users, groups and computers need to be in different
>>>> OUs and ldap reads from these OUs with different nss_base
>>>>
>>>> if using the base DN (location1.domain.com) it will mix
>>>> up all users, computers
>>>> and groups and will have issues.
>>>>
>>>> Possibly need to set up a filter on nss_base_xxx (but not
>>>> sure yet)
>>>>
>>>> One issue I face is that when I su to the username it shows..
>>>>
>>>> I have no name!@server1/var/log $
>>>> Which is strange...
>>>> Checking on log show this.
>>>>
>>>> Dec 30 14:17:48 localhost su[10561]: + /dev/pts/1 root:dcmwai
>>>> Dec 30 14:17:48 localhost su[10561]: pam_unix(su:session): session opened for user dcmwai by root(uid=0)
>>>> Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
>>>> Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
>>>> Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
>>>> Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
>>>> Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server - Server is unavailable
>>>> Dec 30 14:18:06 localhost su[10561]: pam_unix(su:session): session closed for user dcmwai
>>>>
>>>> Any suggestion on what to look at?
>>>>
>>>> getent password, shadow, group seem to be showing
>>>> correctly.
>>>>
>>>> Thank You.
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>>
>>>> On 29/12/13 19:02, Chan Min Wai wrote:
>>>>> Dear Rowland,
>>>>>
>>>>> I think that it does have it, if they are the same as
>>>>> what windows AD has according to the link below.
>>>>
>>>> All samba4 AD attributes are the same as windows AD
>>>> attributes, because they ARE windows AD attributes
>>>>
>>>>
>>>>>
>>>>> http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>>>>>
>>>>> Yes these are the attribute that I use.
>>>>>
>>>>> winbind might have a weakness on its home and also
>>>>> shell as they are not from AD but from smb.conf.
>>>>> Also without userPassword you will need to change the
>>>>> pam config to work with winbind.
>>>>
>>>> I think that you are falling into the 'lets put
>>>> everything on the AD server' trap, it would be
>>>> better if you just use the S4 AD server for
>>>> authentication and then set up another server as a
>>>> fileserver.
>>>>
>>>> You would also need to change the pam config if you
>>>> used sssd, so I cannot see your problem here.
>>>>
>>>>
>>>>>
>>>>> With shadow in AD, your changes on that part will
>>>>> only be on ldap.conf which is just uncomment :)
>>>>
>>>> If you use S4 AD as it is meant to be used, you do
>>>> not need the shadow attributes.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>
>>>>> On 28/12/13 14:38, Chan Min Wai wrote:
>>>>>
>>>>> Dear Michael,
>>>>>
>>>>> I'm on gentoo, as far as I know sssd
>>>>> requires mit-krb5 and wouldn't compile
>>>>> with heimdal...
>>>>>
>>>>> I do hope we can directly use shadow
>>>>> attribute from Samba AD and make it
>>>>> work like ldap...
>>>>>
>>>>> The hint is in the name, Samba 4 is an
>>>>> implementation of Active Directory, it is not
>>>>> at this time LDAP. Having said that, it does
>>>>> have the 'User' objectClass which has the
>>>>> auxiliaryClasses, shadowAccount &
>>>>> posixAccount. The attributes of shadowAccount are:
>>>>> uid, userPassword, description,
>>>>> shadowLastChange, shadowMin, shadowMax,
>>>>> shadowWarning, shadowInactive,
>>>>> shadowExpire, shadowFlag
>>>>>
>>>>> Are these of any use to you ?
>>>>>
>>>>> Also if you cannot use sssd, then why not try
>>>>> winbind ?
>>>>>
>>>>> Rowland
>>>>>
>>>>> But it is missing the access to the userpasswd
>>>>> or shadow* attributes...
>>>>>
>>>>>
>>>>> On Sat, Dec 28, 2013 at 4:54 PM, Michael
>>>>> Wood <esiotrot at gmail.com> wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> On 24 December 2013 14:12, Chan Min
>>>>> Wai <dcmwai at gmail.com> wrote:
>>>>>
>>>>> Dear All,
>>>>>
>>>>> I was using Samba3 + LDAP central
>>>>> authentication for the past 5 years.
>>>>>
>>>>> And since I need to move to Samba4
>>>>> AD, I was wondering if there is a way to do
>>>>> linux central authentication
>>>>> without sssd but using pam_krb.
>>>>> I'm asking this because I've
>>>>> removed mit-krb5 on my testing
>>>>> machine as
>>>>> required by samba4 in my gentoo.
>>>>>
>>>>> Samba 4 AD includes its own KDC (based
>>>>> on Heimdal), but you should be able
>>>>> to install the MIT krb5 client libs
>>>>> which are what sssd or pam_krb would
>>>>> require. Otherwise, surely they would
>>>>> also work with the heimdal client
>>>>> libs?
>>>>>
>>>>> I don't know how gentoo packages Samba
>>>>> 4, so it might be more or less
>>>>> tricky, but the main thing to do is
>>>>> avoid installing the MIT KDC.
>>>>>
>>>>> So without mit-krb5 sssd doesn't compile.
>>>>>
>>>>> So I was wondering if there is any other
>>>>> solution and how hard it will be.
>>>>>
>>>>> I've 2 linux gentoo servers which will
>>>>> depend on this central
>>>>> authentication
>>>>> (at least the user ID and the GID
>>>>> have to be correct)
>>>>>
>>>>> Without the proper UID and GID
>>>>> display I can still see the
>>>>> numbers, it's just
>>>>> very inconvenient and hard to
>>>>> see what I'm doing...
>>>>>
>>>>>
>>>>> Thank You
>>>>>
>>>>>
>>>>> --
>>>>> Michael Wood <esiotrot at gmail.com>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>> By reading your last post, it would seem that you are
>>> trying to store your users etc. in the AD database and
>>> also in an LDAP database. Why? You only need one.
>>>
>>> Your main problem here (as far as I see it) is that you
>>> do not seem to understand how Active Directory works.
>>> For instance, users, groups and computers are all
>>> treated as objects and as such can be stored in the same
>>> place or 'OU'. Your problems are further compounded by
>>> using an OS that very few others use for a server, so
>>> the number of people that can help with your OS specific
>>> problems is extremely limited.
>>>
>>> Bearing in mind all the problems that you have had to
>>> get to here (and it is still not working correctly),
>>> have you considered using a main stream OS such as
>>> Centos, Debian, Ubuntu etc ? By using a main stream OS,
>>> you do not have to keep an eye out for security fixes
>>> that you would have to apply yourself, you would get
>>> them in an update from the OS. The other benefit is that
>>> you can create a new server very quickly, far faster
>>> than setting up a Gentoo machine.
>>>
>>> Rowland
>>>
>>>
>>
>>
>
>
k5start is a separate program, try an internet search on kstart.
Rowland
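Besides the k5start question, the earlier error `Server (ldap/localhost@EXAMPLE) unknown` is worth a separate check: nslcd was pointed at ldap://127.0.0.1/, so the SASL/GSSAPI client asks the KDC for a principal built from "localhost" and whatever realm that host maps to, which is not what the DC's keytab holds. The Python below is an added example, not code from this thread or from Samba, that models that principal derivation so an nslcd `uri` can be checked before deployment; the krb5.conf fragment, the reverse-DNS table and the keytab contents are all constructed.

```python
"""Predict the LDAP service principal a GSSAPI client will request for a URI.

All configuration data here is constructed for the example (assumption).
"""
from urllib.parse import urlsplit

# Constructed krb5.conf: a bare default_realm reproduces the "@EXAMPLE"
# realm seen in the nslcd error; the poster's real config is unknown.
KRB5_CONF = {
    "default_realm": "EXAMPLE",
    "domain_realm": {".example.com": "EXAMPLE.COM"},
}
# Constructed reverse-DNS table: 127.0.0.1 canonicalises to "localhost",
# which is the host name that appeared in the error message.
REVERSE_DNS = {"127.0.0.1": "localhost", "192.0.2.10": "dc1.example.com"}
# Constructed 'ktutil list'-style contents of the AD DC keytab.
DC_KEYTAB = {"ldap/dc1.example.com@EXAMPLE.COM", "host/dc1.example.com@EXAMPLE.COM"}


def host_to_realm(host, conf=KRB5_CONF):
    """[domain_realm] lookup as libkrb5 does it: exact host first, then each
    parent domain with a leading dot, finally default_realm."""
    mapping = conf["domain_realm"]
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["default_realm"]


def expected_spn(uri, conf=KRB5_CONF, rdns=REVERSE_DNS):
    """SASL/GSSAPI asks for ldap/<canonical host>@<realm> for the LDAP URI."""
    host = urlsplit(uri).hostname
    host = rdns.get(host, host)  # a literal IP is reverse-resolved first
    return "ldap/%s@%s" % (host, host_to_realm(host, conf))


def check_uri(uri, keytab=DC_KEYTAB, conf=KRB5_CONF, rdns=REVERSE_DNS):
    """Return (spn, ok); ok is False when the DC keytab cannot serve that SPN."""
    spn = expected_spn(uri, conf, rdns)
    return spn, spn in keytab


if __name__ == "__main__":
    for uri in ("ldap://127.0.0.1/", "ldap://dc1.example.com/"):
        spn, ok = check_uri(uri)
        print("%-26s -> %-34s %s" % (uri, spn, "OK" if ok else "not in keytab"))
```

When the check fails for a loopback or short-name URI, the usual fix is to point `uri` at the DC's fully qualified name and make sure the realm mapping covers that domain.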