[Samba] (no subject)

Ryan rlichtenwalter at gmail.com
Sat Jun 15 06:32:51 UTC 2019

On Fri, Jun 14, 2019 at 10:31 AM Denis Cardon <dcardon at tranquil.it> wrote:

> Hi Ryan,
> > Sorry for the repost: my message delivery was set to digest, and that was
> > hard to manage use for conversation. I changed that setting. So starting
> > clean with the same subject...
> >
> > I don't care about SSSD or whether it's even on the machine or not. Right
> > now, it's only used by the machine for login. It isn't used by Samba, and I
> > am very careful to let libwbclient-sssd nowhere near the system to avoid
> > the problems that causes.
> >
> > I have looked into the idmap_rid backend, and I do not understand how it
> > could be helpful here. I'm not saying I think it isn't; I'm just saying I
> > don't understand. If I'm missing something, please do help if you can.
> >
> > What I essentially need, which is accomplished by the configuration in the
> > wiki article I provided for old Samba versions when winbindd is not used is:
> >
> > 1. Windows user attempts to access share with credentials from either
> > already having logged in on a machine with a domain account or by employing
> > "Connect using different credentials" to spontaneously login with a domain
> > account.
> >
> > 2. Samba (with winbindd) performs authentication of username %U against
> > Active Directory domain EXAMPLE.COM, effectively authenticating
> > \%U
> >
> > 3. If authentication fails, stop. If authentication succeeds, ignore SID,
> > groups and everything else from the AD server, because that server is
> > *only* to be used for authentication of %U. Continue processing.
> >
> > 4. Use username %U to query the LDAP server at ldap.mydomain.com for UID,
> > GID, and UNIX groups.
> you can achieve the same thing by copying your uidnumber/gidnumber into
> the AD attributes and using the rfc2307 idmap module on your member server.

I do not have any access to add or change information on the AD server
(aside from joining the machine and thus creating a machine account), and
any existing information on the AD server is not relevant to my deployment.
My access is purely read-only. I am not sure how rfc2307 will help here,
because my understanding is that it deals with what information to retrieve
from AD itself.

> > 5. Given information returned from step 4, check user authorization against
> > share definition requirements and permit access for user with UID and GID
> > set as per LDAP lookup.
> >
> > And it's essentially just:
> >
> > https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP
> I'd say it isn't, in the sense that you want to have share definition
> authorization, which is enforced by Samba (which then would require
> Samba to know about group membership et al.). If you don't have any
> share authorization, then I guess you should be able to use filesystem
> UGO/ACL restriction (as per the wiki page you mentioned).
I am coming off a CentOS 6 deployment with Samba 3. Here, winbind is not
installed, but the machine is joined to the AD domain, and Kerberos and
OpenLDAP are configured on the machine (but not within Samba itself). When
Samba receives a Kerberos ticket (from existing Windows login session or
spontaneous login as other user), it authenticates %U against AD, but it
queries the local machine, which accesses my OpenLDAP server for UID, GID,
and group membership. This correctly authorizes users for a wide variety of
shares based on the UNIX groups of which they are a member in my OpenLDAP
server and *not* the central AD server (which has no knowledge of these
groups at all). I don't honestly know how Samba 3 is getting this
information, but it is, because if I change either the @share in the
[share] definition or remove user from group share on my OpenLDAP server,
the user can no longer access the share provided by [share].

> But anyway, I encourage you to use a more common configuration type. Samba
> lets you do many strange setups, but the less standard the setup, the
> more chance you'll get to fall on strange, unexpected behavior...
> rfc2307 is your friend here.

In fact, from following other postings on this list, it sounds like I
really just need Samba to use the authentication and authorization
facilities of the Linux host, Kerberos 5 and the OpenLDAP client. The
machine wouldn't even need to be joined to the domain. As a result, I guess
I could set up 'security = user'. The only problem with this, I think, and
it is fatal, is that users could not authenticate with existing Kerberos
tickets from the Windows host, but would need to supply username/password
credentials. Is this correct? If it's possible for Windows login tickets to
work with a 'security = user' configuration, then I'm very happy to go that

> Cheers,
> Denis
> >
> > that works with Samba 4.8.0 and winbindd instead of relying on the old
> > Samba fallback mechanism.
> >
> > How can this be accomplished with winbind?
> >
> > Kind regards,
> >
> > Ryan
> >
> > P.S. This may be a fairly common use case, since each large organization
> > may deploy Kerberos authentication via AD but relatively many smaller
> > sub-organizations may want to rely on the existing authentication
> > architecture while managing their own authorization (e.g. physics,
> > chemistry, mathematics, and computer science departments who each want
> > autonomous authorization without deploying un-synced authentication
> > themselves and leaving users with more credentials to manage). The current
> > use is the third organization I've seen it in or needed it in
> > professionally, but since EL 7 picked up Samba 4.8.0, it is broken as
> > deployed. :-(
> >
> --
> Denis Cardon
> Tranquil IT
> 12 avenue Jules Verne (Bat. A)
> 44230 Saint Sébastien sur Loire (FRANCE)
> tel : +33 (0) 240 975 755
> http://www.tranquil.it
> Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
> Samba install wiki for Frenchies : https://dev.tranquil.it
> WAPT, software deployment made easy : https://wapt.fr
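For reference, the rfc2307 idmap setup Denis points to looks like the following smb.conf fragment for a domain member. This is an added illustration, not configuration from either poster; the realm, workgroup and ID ranges are placeholders, and it assumes the uidNumber/gidNumber attributes have already been populated in AD (the part Ryan says he cannot do with read-only access).

```ini
# Added example: AD domain member using the "ad" idmap backend with the
# rfc2307 schema, so UID/GID come from AD's uidNumber/gidNumber attributes.
# EXAMPLE / EXAMPLE.COM and the ranges are placeholders.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # Default backend for SIDs outside the AD domain (BUILTIN, local SAM).
   # Its range must not overlap the domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The AD domain: read uidNumber/gidNumber from the rfc2307 attributes.
   # Users and groups whose attribute is unset or outside the range are
   # not mapped at all, which is the failure mode to check first.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : unix_nss_info = yes

   winbind use default domain = yes
   winbind refresh tickets = yes
   kerberos method = secrets and keytab
```

After a restart of winbindd, `getent passwd someuser` and `wbinfo -i someuser` should return the uidNumber stored in AD; an empty result usually means the attribute is missing or lies outside the configured range.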
