[Samba] Authenticating against Samba 4 AD LDAP service

Rowland Penny rpenny at samba.org
Fri Sep 7 08:53:33 UTC 2018

On Fri, 07 Sep 2018 10:57:18 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Rowland Penny via samba писал 2018-09-06 16:59:

> I thought I answered by mentioning PAM authentication.

Er, no, nothing beats actually mentioning the components ;-)

> Exim 4, using saslauthd (which still uses PAM to auth against 
> username/password).
> Dovecot, using PAM.

Yes, you can use kerberos with them, just do an internet search using
the correct terms e.g. saslauthd kerberos active directory

> Users and groups *have been* created (imported) by 'classic upgrade'. 
> What is missing is group memberships and uidNumber/gidNumber fields 
> (required by nslcd).
> So question is, is it possible to add attributes on per-item (user, 
> group) basis in batch mode (without doing that manually with ldbedit)?
> Namely, mass add uidNumber/gidNumber attributes.
> There can be cases when all the attributes must be
> changed/added/deleted en masse, so I assume I am not the only one in
> need of batch altering users/groups attributes.

There are no tools from Samba to do this, one reason is that most
people don't delete/change *idNumber attributes.

The only way I can see to do what you require is, write a script using
> >> 2. I have no luck setting up pam_ldap.conf to allow  authentication
> >> against Samba4. There are no visible hints in Samba Wiki. I could
> >> only guess I have to try Kerberos, perhaps, instead of pam_ldap.
> > 
> > Are you using a DC as a fileserver ?
> Yes. It's relatively small domain, so no performance penalty is 
> expected.

I 'think' pam_ldap.conf disappears in CentOS 7, so you need to find a
way around it now.
> Question is how to authenticate. Currently, PAM part authenticates 
> against Samba 3 domain, while NSS gets required attributes. That 
> satisfies all the Linux services.

In most cases, you can extend the Samba AD schema to include the
required attributes, you just need to find an AD compatible ldif or
convert an ldap one (Samba provides a script to do this)

> On Samba 4, I wasted much time trying to make PAM authentication to 
> work. I will try using Kerberos for now (if it works along with
> nslcd, I won't touch sssd, which, in my experience, is more a problem
> than a solution)

On a DC (note, I can only speak from a Debian perspective here) if you
install libpam-winbind, libpam-krb5 and libnss-winbind, add 'winbind' to
the 'passwd' & 'group' lines in /etc/nsswitch.conf, authentication just
works. You can log into a terminal or via ssh as an AD user.

There is a gotcha though, you need to set 'template' lines in the DC's
smb.conf and add this line to /etc/pam.d/common-session:

session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022

On a Unix domain member it gets better: whilst you need to do most of
the above, you do not need the template lines in smb.conf; winbind will
extract the shell & homedir from AD.


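The two practical parts of the reply above (the DC-side nsswitch.conf / PAM / smb.conf "template" setup, and the batch add of uidNumber/gidNumber that Samba ships no tool for) as an added shell example. This is not code from the post or from the Samba project. Every function takes the file it edits as a parameter so it can be tried on copies first; the template shell and homedir values, and the assumption that imported users sit directly under a CN=Users container with CN equal to the account name, are mine and should be adjusted to the site.

```shell
#!/bin/sh
# Added example, not code from the Samba list post or the Samba project.
# Idempotent helpers for the DC-side setup described in the reply above
# (winbind in nsswitch.conf, pam_mkhomedir in the PAM session stack,
# template lines in smb.conf) plus an LDIF generator for batch-adding
# uidNumber/gidNumber. All paths are parameters: run against copies first.

# Append " winbind" to the passwd: and group: lines of an nsswitch.conf ($1)
# unless already present; add the lines if the file has neither.
add_winbind_to_nsswitch() {
  awk '
    /^(passwd|group):/ {
      split($0, a, ":"); seen[a[1]] = 1
      if ($0 !~ /[[:space:]]winbind([[:space:]]|$)/) $0 = $0 " winbind"
    }
    { print }
    END {
      if (!("passwd" in seen)) print "passwd: files winbind"
      if (!("group" in seen))  print "group: files winbind"
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Check: succeeds when database $2 (passwd or group) in $1 lists winbind.
nsswitch_has_winbind() {
  grep -Eq "^$2:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}

# Add the pam_mkhomedir session line to a PAM stack file ($1) exactly once.
ensure_pam_mkhomedir() {
  grep -q 'pam_mkhomedir\.so' "$1" ||
    printf 'session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022\n' >> "$1"
}

# Insert "template shell" / "template homedir" directly under [global] of an
# smb.conf ($1). Leaves the file alone if either is already set. The shell
# and home pattern are assumptions; change them to match the site.
ensure_template_lines() {
  grep -Eq '^[[:space:]]*template (shell|homedir)' "$1" && return 0
  awk '
    { print }
    /^\[global\]/ && !done {
      print "\ttemplate shell = /bin/bash"
      print "\ttemplate homedir = /home/%U"
      done = 1
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Turn "account,uidNumber,gidNumber" lines on stdin into LDIF that ldbmodify
# (or ldapmodify) can apply. $1 is the container DN holding the users
# (assumption: CN=Users,DC=example,DC=com, with CN equal to the account name,
# as classic upgrade produces). Malformed lines are skipped. "add:" fails for
# a user that already carries the attribute, which is the safe default for a
# one-off import; use "replace:" only when you really mean to overwrite.
users_to_ldif() {
  awk -F, -v base="$1" '
    NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
      printf "dn: CN=%s,%s\nchangetype: modify\n", $1, base
      printf "add: uidNumber\nuidNumber: %s\n-\n", $2
      printf "add: gidNumber\ngidNumber: %s\n-\n\n", $3
    }'
}
```

On the DC the generated file is applied against the local sam.ldb, e.g. `users_to_ldif 'CN=Users,DC=example,DC=com' < users.csv > users.ldif` followed by `ldbmodify -H /var/lib/samba/private/sam.ldb users.ldif`; once the attributes are in place, `getent passwd <user>` through winbind is the check that the Unix side now sees them.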