[Samba] Should I forget sssd ?
me at electronico.nc
Mon Sep 30 22:48:44 MDT 2013
Hi again,
Thanks again, Denis, Steve and Rowland for your previous answers about
RFC2307 and winbind.
Maybe I'm a dreamer, but here is what I wanted to achieve:
- Ubuntu server 12.04.3, samba4 as PDC, several NICs: 1 LAN and 2/3 WANs
- Use a Windows VM (on this server) to control AD through WRAT
- AD offers me the 'wisdom' of software deployment and GPO; users can't install anything
- All standard Linux services (apache, postfix, dovecot, pptp, mysql, webmail, ...) can query AD
What is done :
- I have set up 'folder redirection' in WRAT, so users' 'documents' and 'desktop' are available offline and mapped to home/%U on the server
- AD Administrator has a roaming profile
- Searched a lot and succeeded in deploying Office, Acrobat reader, Skype, 7-zip, Firefox to users (windows is another world...)
- Shares are mounted (depending on AD 'ou' rights) on the user's PC
- Administrator can log in via UltraVNC to all workstations
What needs to be done:
Linux services to auth to AD
From what I've read, sssd is the more secure solution to achieve this,
but ...
Using sssd 1.11.1 : files configuration:
1)
> sudo cat /etc/sssd/sssd.conf
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = radiodjiido.nc
> [nss]
> [pam]
> [domain/radiodjiido.nc]
> dyndns_update = false
> ad_hostname = serveur.radiodjiido.nc
> ad_server = serveur.radiodjiido.nc
> ad_domain = radiodjiido.nc
> ldap_schema = ad
> id_provider = ad
> access_provider = simple
> enumerate = true
> cache_credentials = true
> auth_provider = krb5
> chpass_provider = krb5
> krb5_realm = RADIODJIIDO.NC
> krb5_server = serveur.radiodjiido.nc
> krb5_kpasswd = serveur.radiodjiido.nc
> #next line only lists users with uidNumber/gidNumber entered via ldbedit
> ldap_id_mapping = false
> ldap_referrals = false
> ldap_uri = ldap://serveur.radiodjiido.nc
> ldap_search_base = dc=radiodjiido,dc=nc
> ldap_user_object_class = user
> ldap_user_name = samAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
> ldap_group_object_class = group
> ldap_group_search_base = dc=radiodjiido,dc=nc
> ldap_group_name = cn
> ldap_group_member = member
> ldap_sasl_mech = gssapi
> #ldap_sasl_authid = serveur$
> ldap_sasl_authid = serveur$@RADIODJIIDO.NC
> krb5_keytab = /etc/krb5.sssd.keytab
> ldap_krb5_init_creds = true
> cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> workgroup = RADIODJIIDO
> realm = RADIODJIIDO.NC
> netbios name = SERVEUR
> server role = active directory domain controller
> dns forwarder = 192.168.1.1
> # for sssd
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/radiodjiido.nc/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [Profiles]
> path = /media/data/Profiles/
> read only = No
>
> [partage]
> comment = partage general
> path = /media/data/global
> read only = No
>
> [home]
> comment = dossiers utilisateurs
> path = /media/data/homes
> read only = No
>
> [journal]
> comment = journal
> path = /media/data/journal
> read only = No
>
> [musique]
> comment = musique
> path = /media/data/musique
> read only = No
> cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat sss
> group: compat sss
> shadow: compat
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis sss
Result with:
getent passwd
> mysql:x:113:124:MySQL Server,,,:/nonexistent:/bin/false
> nut:x:114:125::/var/lib/nut:/bin/false
> nico:*:3000025:100:nico:/:
-> the user for whom I entered uidNumber/gidNumber is listed; the home dir seems to be / and there is no shell
Result with:
getent group
> rtkit:x:123:
> mysql:x:124:
> nut:x:125:
-> no AD group listed at all
2) If sssd.conf is modified:
> #ldap_id_mapping = false
> ldap_schema = rfc2307bis
getent passwd and getent group are listing (nearly all) users and groups
in AD with the infamous random IDs like :
> nico-virtual-7$:*:166801125:166800515:NICO-VIRTUAL-7:/:
> administrator:*:166800500:166800513:Administrator:/:
So I'm a bit desperate with the sssd use...
Is an OpenLDAP proxy the best way to make all this work together?
Thanks in advance for your time.
Nicolas
In case that could help some, here are the steps I've done to install
sssd 1.11.1:
cd ~
wget https://fedorahosted.org/released/sssd/sssd-1.11.1.tar.gz
sudo apt-get install debhelper quilt dh-autoreconf autopoint \
    lsb-release dpkg-dev dnsutils libpopt-dev libdbus-1-dev \
    libkeyutils-dev libkeyutils-dev libldap2-dev libpam-dev libnl-dev \
    libnss3-dev libnspr4-dev libpcre3-dev libselinux1-dev libsasl2-dev \
    libtevent-dev libldb-dev libtalloc-dev libtdb-dev xml-core \
    docbook-xsl docbook-xml libxml2-utils xsltproc krb5-config \
    libkrb5-dev libc-ares-dev python-dev libdhash-dev libcollection-dev \
    libini-config-dev check dh-apparmor libglib2.0-dev libndr-dev \
    libndr-standard-dev libsamba-util-dev samba4-dev libdcerpc-dev \
    build-essential libsemanage1-dev samba4-dev libpam-sss \
    cyrus-sasl2-heimdal-dbg
-> this installed sssd 1.8.6 with this /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = radiodjiido.nc
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
>
> [domain/radiodjiido.nc]
> ; Using enumerate = true leads to high load and slow response
> enumerate = false
> cache_credentials = true
>
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
>
> ldap_uri = ldap://serveur.radiodjiido.nc
> ldap_search_base = DC=radiodjiido,DC=nc
> ldap_tls_reqcert = demand
> ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
>
> krb5_kdcip = serveur.radiodjiido.nc
> krb5_realm = RADIODJIIDO.NC
> krb5_changepw_principle = kadmin/changepw
> krb5_auth_timeout = 15
sudo service sssd stop
tar -xzvf sssd-1.11.1.tar.gz
cd sssd-1.11.1
./configure && make
sudo make install
sudo cp /usr/local/lib/* /lib/x86_64-linux-gnu
sudo rm /lib/x86_64-linux-gnu/*.la
sudo cp /usr/local/lib/security/pam_sss.so /lib/x86_64-linux-gnu/security
sudo rm /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba
sudo rm /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/memberof.la
sudo pam-auth-update
sudo /usr/local/samba/bin/samba-tool domain exportkeytab \
    /etc/krb5.sssd.keytab --principal=serveur$
sudo chown root:root /etc/krb5.sssd.keytab
sudo chmod 600 /etc/krb5.sssd.keytab
sudo nano /usr/local/etc/sssd/sssd.conf
-> see beginning of message for configuration
sudo chmod 600 /usr/local/etc/sssd/sssd.conf
sudo rm /usr/local/var/lib/sss/db/*
sudo cp /usr/local/lib/security/pam_sss.so /lib/x86_64-linux-gnu/security
sudo nano /root/.bashrc
add at end:
PATH="/usr/local/sbin:/usr/local/lib:/usr/local/etc:$PATH"
sudo mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf_dist
sudo ln -s /usr/local/etc/sssd/sssd.conf /etc/sssd/
sudo sssd -i -d3
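
Added example, not part of the original message: a shell check for the symptom described above (directory accounts returned by `getent passwd` with home `/` and no shell), plus a check that every primary GID resolves to a listed group. The function names, the UID cutoff of 1000 and the `users:x:100:` group line are assumptions; the sample lines are constructed from the output quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original message): audit passwd/group lines
# in the format printed by `getent passwd` and `getent group`.

# Constructed sample built from the getent output quoted in the message.
SAMPLE_PASSWD='mysql:x:113:124:MySQL Server,,,:/nonexistent:/bin/false
nut:x:114:125::/var/lib/nut:/bin/false
nico:*:3000025:100:nico:/:
administrator:*:166800500:166800513:Administrator:/:'

# Constructed group sample; "users:x:100:" is an assumed local group.
SAMPLE_GROUP='users:x:100:
mysql:x:124:
nut:x:125:'

# incomplete_accounts [MIN_UID]
# Reads passwd lines on stdin and prints "name:reasons" for every account
# with UID >= MIN_UID (assumed default 1000, to skip system accounts)
# whose home directory is empty or "/" or whose login shell is empty.
incomplete_accounts() {
    awk -F: -v min="${1:-1000}" 'NF >= 7 && $3 + 0 >= min {
        r = ""
        if ($6 == "" || $6 == "/") r = "home"
        if ($7 == "") r = (r == "" ? "shell" : r ",shell")
        if (r != "") print $1 ":" r
    }'
}

# unresolved_gids PASSWD_TEXT GROUP_TEXT
# Prints each account whose primary GID has no entry in GROUP_TEXT.
# Lines are tagged G:/P: so a single awk pass can tell the inputs apart.
unresolved_gids() {
    {
        printf '%s\n' "$2" | sed 's/^/G:/'
        printf '%s\n' "$1" | sed 's/^/P:/'
    } | awk -F: '
        $1 == "G" { seen[$4] = 1 }
        $1 == "P" && !($5 in seen) { print $2 }'
}

# Run both checks on the constructed samples.
printf '%s\n' "$SAMPLE_PASSWD" | incomplete_accounts 1000
unresolved_gids "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

On a live host the same functions take `getent passwd | incomplete_accounts` and `unresolved_gids "$(getent passwd)" "$(getent group)"`.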