[Samba] AD authentication with separate LDAP authorization
Ryan
rlichtenwalter at gmail.com
Tue Jun 11 16:48:57 UTC 2019
Hi all,
SHORT VERSION
How can I configure Samba 4.8.0 serving users on Windows 7 clients to
authenticate using their domain login credentials (winbindd and Active
Directory) but be authorized (i.e. perform user/group lookup) against
a separate OpenLDAP server?
This was easy in previous versions of Samba with the fallback
mechanism (https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP).
It seems to be more complicated once winbind must be involved.
LONG VERSION
It seems like SSSD, and people bringing it up, isn't very popular on
the lists. Despite its mention below, I am happy with a solution that
involves it or not, and I can work out how to modify it after I get
something working via any other method.
We have a CentOS 7 machine that needs to share files with Windows 7
machines in an Active Directory domain (that I do not control) for
users in the EXAMPLE.COM domain but perform user/group lookup against
a separate OpenLDAP server (that I do control) at ldap.mydomain.com.
With current versions of CentOS 7, as of Samba 4.8.0, the winbindd
fallback is no longer available and winbindd is required.
So we do the following:
- open firewall port 445 (but for testing, systemctl stop firewalld)
- set SELinux Booleans for sharing home directories (but for testing,
setenforce 0)
- add trust for the certificate authority that certified
ldap.mydomain.com (tested and LDAP lookups are functional on the
system)
- install packages samba, samba-client, samba-winbind,
samba-winbind-clients, and samba-winbind-krb5-locator
- net ads join -U 'user' (the domain allows non-admin creation of
machine accounts; net ads testjoin returns 'Join is OK')
- authconfig --enablesssd --enablesssdauth --disablemkhomedir --update
Here is the smb.conf with provisions for winbind (idmap lines), which
was (deliberately) not configured by authconfig above:
[global]
strict locking = no
workgroup = EXAMPLE
server string = Samba Server Version %v
disable netbios = yes
log file = /var/log/samba/log.%m
max log size = 50
security = ads
realm = EXAMPLE.COM
ldap ssl = off
idmap config * : backend = ldap
idmap config * : ldap_url = ldaps://ldap.mydomain.com:636/
idmap config * : ldap_base_dn = dc=mydomain,dc=com
idmap config * : ldap_user_dn = uid=samba,ou=agents,dc=mydomain,dc=com
idmap config * : read only = yes
idmap config * : range = 1000-65535
kerberos method = secrets and keytab
load printers = no
printcap name = /dev/null
printing = bsd
disable spoolss = yes
[home]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
create mask = 0600
directory mask = 0700
valid users = EXAMPLE\%U
preexec = ls /home/%U
[share]
path = /home/share
writable = yes
valid users = @share
force group = share
create mask = 0660
directory mask = 0770
preexec = ls /home/share
Here is the problem:
smbclient //myhost.fqdn/home -U <user> performs winbind authentication
and successfully connects to the share for any value of <user>
smbclient //myhost.fqdn/share -U <user> performs winbind authentication
but fails to determine from ldap.mydomain.com that <user> is in group
'share', thus returning tree connect failed: NT_STATUS_ACCESS_DENIED
Additional information:
- testparm shows no errors or warnings
- wbinfo -u returns list of EXAMPLE.COM domain users
- wbinfo -g returns list of EXAMPLE.COM domain groups
- SSH login of domain users (i.e. ssh user at host) works (currently
through SSSD's configuration of Kerberos with authorization and
automounting using LDAP, but I can also easily get authorization to work
with winbind)
- log.winbindd-idmap shows:
[2019/06/08 15:58:23.175342, 3]
../source3/winbindd/idmap.c:397(idmap_init_domain)
idmap backend ldap not found
[2019/06/08 15:58:23.177972, 3]
../lib/util/modules.c:167(load_module_absolute_path)
load_module_absolute_path: Module '/usr/lib64/samba/idmap/ldap.so' loaded
[2019/06/08 15:58:23.179407, 2]
../source3/lib/smbldap.c:847(smbldap_open_connection)
smbldap_open_connection: connection opened
[2019/06/08 15:58:23.340963, 3]
../source3/lib/smbldap.c:1069(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2019/06/08 15:58:23.343603, 1]
../source3/winbindd/idmap_ldap.c:484(idmap_ldap_db_init)
idmap_ldap_db_init: failed to verify ID pool (NT_STATUS_UNSUCCESSFUL)
[2019/06/08 15:58:23.343810, 1]
../source3/winbindd/idmap.c:447(idmap_init_domain)
idmap initialization returned NT_STATUS_UNSUCCESSFUL
Setting a higher debug level suggests that the final
NT_STATUS_UNSUCCESSFUL comes from an attempt to make changes to the
basedn, but I do not understand why idmap backend ldap not found
appears or why Samba/winbind needs to make changes to the LDAP
database, particularly when idmap config * : read only = yes is set in
smb.conf. Finally, I am not sure if these lines even explain the
problem. I do not want winbind to use LDAP to store its temporary
mapping. I want it not to use a temporary mapping and instead use %U
to perform user/group lookups, which it seems is what it does in the
configuration that results from the link I gave above and which we
used successfully in earlier Samba versions that did not rely on
winbind.
How can we achieve what we want with Samba 4.8.0 in CentOS 7? Why are
the idmap config lines in smb.conf not instructing Samba to get group
membership information from ldap.mydomain.com?
Thanks and regards,
Ryan
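The log.winbindd-idmap excerpt in the post is the most useful evidence it contains, so here is a small triage script, added as an example and not part of the original mail, that parses Samba's debug log records and separates "the LDAP bind worked" from "the idmap backend failed to initialise". It assumes Samba's standard log layout, a `[timestamp, level] file.c:line(function)` header followed by indented message lines, and also accepts the header and location split across two lines as the mail client wrapped them. The sample input is the post's own excerpt; the `diagnose()` keys are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the log.winbindd-idmap excerpt quoted in the post, with the
# header and source-location parts on separate lines as the mail client wrapped them.
SAMPLE_LOG = """\
[2019/06/08 15:58:23.175342, 3]
../source3/winbindd/idmap.c:397(idmap_init_domain)
idmap backend ldap not found
[2019/06/08 15:58:23.177972, 3]
../lib/util/modules.c:167(load_module_absolute_path)
load_module_absolute_path: Module '/usr/lib64/samba/idmap/ldap.so' loaded
[2019/06/08 15:58:23.179407, 2]
../source3/lib/smbldap.c:847(smbldap_open_connection)
smbldap_open_connection: connection opened
[2019/06/08 15:58:23.340963, 3]
../source3/lib/smbldap.c:1069(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2019/06/08 15:58:23.343603, 1]
../source3/winbindd/idmap_ldap.c:484(idmap_ldap_db_init)
idmap_ldap_db_init: failed to verify ID pool (NT_STATUS_UNSUCCESSFUL)
[2019/06/08 15:58:23.343810, 1]
../source3/winbindd/idmap.c:447(idmap_init_domain)
idmap initialization returned NT_STATUS_UNSUCCESSFUL
"""

# "[2019/06/08 15:58:23.175342,  3] ../source3/winbindd/idmap.c:397(func)" is the
# usual one-line header; extra fields after the level (pid=, class=) are tolerated,
# and the location part is optional because wrapped logs put it on the next line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)(?:,[^\]]*)?\]"
    r"(?:\s+(?P<loc>\S+\.c:\d+\(\w+\)))?\s*$"
)
LOCATION_RE = re.compile(r"^(?P<file>\S+\.c):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
STATUS_RE = re.compile(r"NT_STATUS_[A-Z0-9_]+")


@dataclass
class LogRecord:
    timestamp: str
    level: int
    source_file: str
    function: str
    message: str

    @property
    def status(self) -> Optional[str]:
        """The NT_STATUS_* code carried in the message, if any."""
        m = STATUS_RE.search(self.message)
        return m.group(0) if m else None


def parse_samba_log(text: str) -> List[LogRecord]:
    """Group raw log lines into records: one header plus its continuation lines."""
    chunks: List[Tuple[re.Match, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            chunks.append((h, []))
        elif chunks:  # continuation of the current record
            chunks[-1][1].append(line)

    records: List[LogRecord] = []
    for h, body in chunks:
        loc = h.group("loc")
        # Wrapped form: the location sits on the first line after the header.
        if loc is None and body and LOCATION_RE.match(body[0]):
            loc = body.pop(0)
        lm = LOCATION_RE.match(loc) if loc else None
        records.append(LogRecord(
            timestamp=h.group("ts"),
            level=int(h.group("level")),
            source_file=lm.group("file") if lm else "",
            function=lm.group("func") if lm else "",
            message=" ".join(body),
        ))
    return records


def idmap_failures(records: List[LogRecord]) -> List[LogRecord]:
    """Records from idmap_* functions that report a non-OK NT_STATUS."""
    return [r for r in records
            if r.function.startswith("idmap_") and r.status not in (None, "NT_STATUS_OK")]


def diagnose(records: List[LogRecord]) -> Dict[str, object]:
    """Split the picture into: module loaded? LDAP bind OK? which idmap step failed?"""
    return {
        "module_loaded": any(r.function == "load_module_absolute_path" and "loaded" in r.message
                             for r in records),
        "ldap_bind_ok": any(r.function == "smbldap_connect_system"
                            and "successful connection" in r.message for r in records),
        "failures": [(r.function, r.status) for r in idmap_failures(records)],
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_samba_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the excerpt, `diagnose()` reports the module loaded and the LDAP bind succeeded, and that the only failures are `idmap_ldap_db_init` ("failed to verify ID pool") followed by `idmap_init_domain`. That ordering is the point of the triage: the backend reaches ldap.mydomain.com fine, and the NT_STATUS_UNSUCCESSFUL is raised by the ID-pool check that the ldap idmap backend performs on its own allocation entry under the base DN, which is a different question from whether group membership can be read from the directory.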