[Samba] AD authentication with separate LDAP authorization

Ryan rlichtenwalter at gmail.com
Tue Jun 11 16:48:57 UTC 2019 

Hi all,

SHORT VERSION
How can I configure Samba 4.8.0 serving users on Windows 7 clients to
authenticate using their domain login credentials (winbindd and Active
Directory) but be authorized (i.e. perform user/group lookup) against
a separate OpenLDAP server?

This was easy in previous versions of Samba with the fallback
mechanism (https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP).
It seems to be more complicated once winbind must be involved.

LONG VERSION
It seems like SSSD, and people bringing it up, isn't very popular on
the lists. Despite its mention below, I am happy with a solution that
involves it or not, and I can work out how to modify it after I get
something working via any other method.

We have a CentOS 7 machine that needs to share files with Windows 7
machines in an Active Directory domain (that I do not control) for
users in the EXAMPLE.COM domain but perform user/group lookup against
a separate OpenLDAP server (that I do control) at ldap.mydomain.com.
With current versions of CentOS 7, as of Samba 4.8.0, the winbindd
fallback is no longer available and winbindd is required.

So we do the following:

- open firewall port 445 (but for testing, systemctl stop firewalld)
- set SELinux Booleans for sharing home directories (but for testing,
setenforce 0)
- add trust for the certificate authority that certified
ldap.mydomain.com (tested and LDAP lookups are functional on the
system)
- install packages samba, samba-client, samba-winbind,
samba-winbind-clients, and samba-winbind-krb5-locator
- net ads join -U 'user' (the domain allows non-admin creation of
machine accounts; net ads testjoin returns 'Join is OK')
- authconfig --enablesssd --enablesssdauth --disablemkhomedir --update

Here is the smb.conf with provisions for winbind (idmap lines), which
was (deliberately) not configured by authconfig above:

[global]
    strict locking = no
    workgroup = EXAMPLE
    server string = Samba Server Version %v
    disable netbios = yes
    log file = /var/log/samba/log.%m
    max log size = 50
    security = ads
    realm = EXAMPLE.COM
    ldap ssl = off
    idmap config * : backend = ldap
    idmap config * : ldap_url = ldaps://ldap.mydomain.com:636/
    idmap config * : ldap_base_dn = dc=mydomain,dc=com
    idmap config * : ldap_user_dn = uid=samba,ou=agents,dc=mydomain,dc=com
    idmap config * : read only = yes
    idmap config * : range = 1000-65535
    kerberos method = secrets and keytab
    load printers = no
    printcap name = /dev/null
    printing = bsd
    disable spoolss = yes
[home]
    comment = Home Directories
    path = /home/%U
    browseable = no
    writable = yes
    create mask = 0600
    directory mask = 0700
    valid users = EXAMPLE\%U
    preexec = ls /home/%U
[share]
    path = /home/share
    writable = yes
    valid users = @share
    force group = share
    create mask = 0660
    directory mask = 0770
    preexec = ls /home/share

Here is the problem:

smbclient //myhost.fqdn/home -U <user> performs winbind authentication
and successfully connects to the share for any value of <user>
smbclient //myhost.fqdn/share -U <user performs winbind authentication
but fails to determine from ldap.mydomain.com that <user> is in group
'share', thus returning tree connect failed: NT_STATUS_ACCESS_DENIED

Additional information:

- testparm shows no errors or warnings
- wbinfo -u returns list of EXAMPLE.COM domain users
- wbinfo -g returns list of EXAMPLE.COM domain groups
- SSH login of domain users (i.e. ssh user at host) works (currently
through SSSD's configuration of Kerberos with authorization and
automounting using LDAP, but I can also easily get authorization to work
with winbind)
- log.winbindd-idmap shows:

[2019/06/08 15:58:23.175342,  3]
../source3/winbindd/idmap.c:397(idmap_init_domain)
  idmap backend ldap not found
[2019/06/08 15:58:23.177972,  3]
../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib64/samba/idmap/ldap.so' loaded
[2019/06/08 15:58:23.179407,  2]
../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/06/08 15:58:23.340963,  3]
../source3/lib/smbldap.c:1069(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2019/06/08 15:58:23.343603,  1]
../source3/winbindd/idmap_ldap.c:484(idmap_ldap_db_init)
  idmap_ldap_db_init: failed to verify ID pool (NT_STATUS_UNSUCCESSFUL)
[2019/06/08 15:58:23.343810,  1]
../source3/winbindd/idmap.c:447(idmap_init_domain)
  idmap initialization returned NT_STATUS_UNSUCCESSFUL

Setting a higher debug level suggests that the final
NT_STATUS_UNSUCCESSFUL comes from an attempt to make changes to the
basedn, but I do not understand why idmap backend ldap not found
appears or why Samba/winbind needs to make changes to the LDAP
database, particularly when idmap config * : read only = yes is set in
smb.conf. Finally, I am not sure if these lines even explain the
problem. I do not want winbind to use LDAP to store its temporary
mapping. I want it not to use a temporary mapping and instead use %U
to perform user/group lookups, which it seems is what it does in the
configuration that results from the link I gave above and which we
used successfully in earlier Samba versions that did not rely on
winbind.

How can we achieve what we want with Samba 4.8.0 in CentOS 7? Why are
the idmap config lines in smb.conf not instructing Samba to get group
membership information from ldap.mydomain.com?


Thanks and regards,

Ryan

More information about the samba mailing list