[Samba] LDAP bindpw password

L.P.H. van Belle belle at bazuin.nl
Thu Aug 6 07:56:56 UTC 2015

Hai Rowland, 

Yes, the configs below are currently working on Debian Jessie, in production.
Only debian packages are used from Jessie. 

and sorry for the big email, i alway try to keep is short but that never works out ...  :-/ 

The apache config, is a setup for Zarafa Single Sign On. 
basicly this setup, 
which works great. I tested this one on debian wheezy and jessie and ubuntu 12.04 and 14.04 
The site explains the settings. 
for this settins :  KrbServiceName HTTP 
if you create your spn like : samba-tool spn add HTTP/zarafa-server
you can force the use of the HTTP, without it, it can be http/zarafa-server also, which you dont want. 
spn's must be an exact match. 

>>      KrbMethodNegotiate On
>>      KrbMethodK5Passwd Off
disable the use of password based authentication for Kerberos v5
Users are not allow to type a password here, the must be passthrough auth with kerberos. 
so if it fails to authenticate you wil never reach the website, and that what i want. 
( if i did understand these settings well ) 

i have 2 setups for my apache, want for internal user, (above). 
and one for external user, not posted here, only a select group of users is allowed to use 
webmail from outside the office. We dropped outlook here, and started use-ing zarafa-webapp.
This was needed to make sure certain info can not be leaked out of the office. 

And for the squid configs. The order is also the order in my working config.
first kerb auth, used for passthrough authentication, with firefox and Internet Explorer, 
( same as needed for my zarafa server) no passwords are typed here. 
Then the ldap AD auth, then ldap basic auth.
Kerberos for internal AD/users.
LDAP AD, for users which dont authenticate in the AD, but which do need internet. typed password
LDAP Basic, for my quest users. typed password.
Radius is the next step, but im not here yet. ;-) 
There is a only 1 men IT department here.. me.. so lots of things to do. 

This is the full set i have for squid. 
I've made this setups, because there are lots of "not working/to complex/half" setups/howtos. 
Depending on how you want to use your squid, you select the config files. 

squid-01-01-auth-GSS.conf  => auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
	Works only with samba4 , not tested yet. 

squid-01-01-auth-KERB.conf => auth_param negotiate program usr/lib/squid3/negotiate_kerberos_auth 
	-s HTTP/hostname.internal.domain.tld at INTERNAL.DOMAIN.TLD
	the kerberos ticked is used for auth. no UID needed. no passwords are typed.
	here, extra settings are needed in the pc's. I used GPO for that, also needed for the zarafa SSO. 
	for that see the site :	https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4
	which explains a lot. 

squid-01-02-auth-AD-ldap.conf	=> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R (-R do not follow referencials ) 
	-D ldapbind at internal.domain.tld resulting in the userPrincipalName or sAMAccountName AD entries. 
	NO uid needed, passwords are typed.

squid-01-03-auth-ldap-basic.conf => auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 -f uid=%s 
	you also see a different way for the ldapbind user, this one also works with samba 3. ( not het tested on samba4, but should works also) 
	resulting in the UID for the users. so UID is needed, passwords are typed. 

squid-01-01-auth-NTLM.conf	auth_param ntlm program /usr/bin/ntlm_auth  
	Should works with samba3 and samba 4 but this one is not tested yet. 

-- i use include *.conf for my squid setup and the numbers in the file names, make that i can put extra settings in.
	without touching any other squid config, imo this makes the squid config more easy to handle.

I have 2 squid server, with 1 user for the SPNs. 
Created like this. username=squid-proxy 

samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password
samba-tool user setexpiry squid-proxy --noexpiry

echo "setting HTTP SPN on the proxy user (proxy1)"
samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy1.internal.domain.tld at INTERNAL.DOMAIN.TLD squid-proxy

echo "setting HTTP SPN on the httpd user (proxy2)"
samba-tool spn add HTTP/proxy2.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy2.internal.domain.tld at INTERNAL.DOMAIN.TLD squid-proxy

samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld /root/keytabs/proxy1.keytab
samba-tool domain exportkeytab --principal=HTTP/proxy2.internal.domain.tld /root/keytabs/proxy2.keytab

and the ldapbind users, which can be used for multiple things. 
samba-tool user create ldap-bind --description="Unprivileged user for LDAP bind connections" --random-password
samba-tool user setexpiry ldap-bind --noexpiry
When done, you must reset the password to a know password, the password wil not expire. 
and we put the password in the file /etc/squid3/private/ldapbind

this is used for my zarafa setup.
!! zarafa has 2 users hardcoded zarafa-linux and httpd-linux !!  
samba-tool user create zarafa-linux --description="Unprivileged user for Zarafa Services" --random-password
samba-tool user create httpd-linux --description="Unprivileged user for Apache/zarafa Services on HOSTNAME.DOMAIN.TLD" --random-password
samba-tool user setexpiry zarafa-linux --noexpiry
samba-tool user setexpiry httpd-linux --noexpiry

samba-tool spn add zarafa/hostname.domain.tld zarafa-linux
samba-tool spn add zarafa/hostname.domain.tld at INTERNAL.DOMAIN.TLD zarafa-linux

samba-tool spn add HTTP/hostname.domain.tld httpd-linux
samba-tool spn add HTTP/hostname.domain.tld at INTERNAL.DOMAIN.TLD httpd-linux

samba-tool domain exportkeytab --principal=zarafa/hostname.domain.tld ~/keytabs/hostname-zarafa-zarafa.keytab
samba-tool domain exportkeytab --principal=HTTP/hostname.domain.tld ~/keytabs/hostname-http-zarafa.keytab

and dont forget to set the needed rights on the apache keytab file
chown www-data:www-data hostname-http-zarafa.keytab
chmod 400 hostname-http-zarafa.keytab



>-----Oorspronkelijk bericht-----
>Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: woensdag 5 augustus 2015 17:02
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] LDAP bindpw password
>On 05/08/15 15:38, L.P.H. van Belle wrote:
>> Rowland,
>> dont be to hard on the guy..  ;-)
>Hi Louis, Marc spends a lot of time writing and updating the wiki, I 
>help where I can (turning German English into English), but 
>nobody seems 
>to read it!!! or if they do, you need to drag it out of them that they 
>have read it and are having problems understanding it. How can 
>the wiki 
>be improved if isn't known what is wrong with it.
>> Sorry that i cant help out more atm but im in process of 
>win7 to win 10 testing with samba,
>> and mainwhile doing a rollout..  :-/
>> Here are some working examples on debian jessie..  with 
>samba 4.1.7 debian.
>> an apache2.4 kerberos auth example.
>>      AuthType Kerberos
>>      AuthName "Website Login"
>>      KrbMethodNegotiate On
>>      KrbMethodK5Passwd Off
>>      KrbServiceName HTTP
>>      KrbAuthRealms INTERNAL.DOMAIN.TLD
>>      Krb5KeyTab /etc/apache2/hostname-apache.keytab
>>      require valid-user
>Hmm, similar to the wiki, yet different in a few ways:
>Wiki: KrbMethodK5Passwd On
>You have: KrbServiceName HTTP
>The wiki doesn't
>The wiki has: KrbLocalUserMapping On
>You don't
>Can you confirm that your setup works and if possible give reasons why 
>there are the differences, I will then update the wiki.
>> an squid kerberos example.
>> auth_param negotiate program 
>/usr/lib/squid3/negotiate_kerberos_auth -s 
>HTTP/hostname.internal.domain.tld at INTERNAL.DOMAIN.TLD
>> auth_param negotiate children 10 startup=0 idle=1
>> a squid3 fall back to ldap - AD auth.!!
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
>>          -b "OU=Users,DC=internal,DC=domain,DC=tld" \
>>          -D ldapbind at internal.domain.tld -W 
>/etc/squid3/private/ldapbind \
>>          -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
>>          -h hostname.internal.domain.tld
>> and a squid fallback to LDAP Basic auth.
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 \
>>           -b "OU=Users,DC=internal,DC=domain,DC=tld" \
>>           -D 
>-W /etc/squid3/private/ldapbind \
>>           -f uid=%s hostname.internal.domain.tld
>If you wait a short while, you will see the squid part on the 
>wiki page 
>(once I understand it fully )
>> Greetz,
>> Louis
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens shacky
>>> Verzonden: woensdag 5 augustus 2015 14:20
>>> Aan: samba at lists.samba.org
>>> Onderwerp: [Samba] LDAP bindpw password
>>> Hi.
>>> I'm using Samba 4 on two Zentyal servers as Domain 
>Controller and now
>>> I have to authenticate some services to it (Apache and PAM in
>>> particular).
>>> The LDAP integration asks me for a LDAP bind password, but I cannot
>>> find out where it is on Zentyal.
>>> Is there a way to check (or change it) directly on Samba 4?
>>> Or is it preferable to authenticate against Active Directory
>>> or Kerberos?
>>> Thank you very much for your help!
>>> Bye
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list