[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
vincent at cojot.name
Sat Aug 22 20:31:41 UTC 2020
Hi Andrew, Hi Rowland,
I just spent close to one hour debugging this with one OpenShift
specialist from RedHat. What we figured was:
1) both of my configs work (auth and group-sync) and are in fact correct.
2) OCP group sync does not sync the groups that have no explicit 'member'
attribute, or groups that are 'default' groups (e.g. 'Domain Users') where membership
is through the primaryGroupID.
So things are in fact working and they'll be reaching out to me because
I'm one of the few guys with a working 'Active Directory' in his home/lab
and they'd like to support ActiveDirectory in the Group Sync Operator
they're writing upstream. :)
Thank you for your help debugging this yesterday. I keep trying to
evangelize Samba AD/DC internally to my peers and the level of help I
received on that issue really makes the case for this type of setup.
I will most likely write a post about this.
Much appreciated,
Regards,
Vincent
,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote _.,-*~'`^`'~*-,._ coyote at NOSPAM4cojot.name
They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places. - Robert Frost
On Sat, 22 Aug 2020, Andrew Bartlett via samba wrote:
> On Fri, 2020-08-21 at 17:51 -0400, Vincent S. Cojot via samba wrote:
>> Hi Rowland,
>>
>> First of all, thank you for taking the time to help me.
>> I tried your suggestion and all results came up empty.
>>
>> Then I did a few ldapsearch(es) and found this:
>>
>> 1) This query returns two users:
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
>> "raistlin at ad.lasthome.solace.krynn" -b
>> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
>> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
>> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>>
>> 2) This query returns no users ("Domain Users" instead of "Domain
>> Admins"):
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
>> "raistlin at ad.lasthome.solace.krynn" -b
>> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
>> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
>> Users,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>>
>> -but- the list of users is correctly reported if I run this on a DC:
>> root at dc01 ~]# samba-tool group listmembers 'Domain Users'
>> [....]
>> raistlin
>> [...]
>> krbtgt
>> dns-dc00
>> dns-dc01
>>
>> Am I doing something wrong?
>
> The system that you are trying to use for OpenShift does not know about
> primary group memberships, as these are not recorded as DN links.
>
> Inside that samba-tool group listmembers command we work around that by
> using this filter:
> search_filter = ("(|(primaryGroupID=%s)(memberOf=%s))" %
> (rid, group_sid_dn))
>
> You may need to contribute logic upstream to OpenShift to learn about
> how groups work in AD, or (if secure) forgo primary group memberships.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
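The point in Andrew's reply, and the behaviour Vincent observed, can be reproduced offline. The example below is added here and is not code from the thread, from Samba or from OpenShift: it models a few directory entries (constructed, with a made-up domain SID; the RIDs 512 and 513 are the well-known Domain Admins and Domain Users RIDs) and resolves group membership two ways. `members_via_memberof` follows only the `memberOf` back-links, which is all a sync that walks DN links can see, so 'Domain Users' comes back empty; `members_like_samba_tool` also matches `primaryGroupID` against the group's RID, which is the workaround `samba-tool group listmembers` applies with the filter quoted above. The function and variable names are the example's own.

```python
"""Resolve AD group membership by memberOf alone versus memberOf plus primaryGroupID.

Everything below is a constructed in-memory directory; no LDAP connection is made.
"""
from typing import Dict, List

# Constructed domain SID (placeholder). 512 = Domain Admins RID, 513 = Domain Users RID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE_DN = "DC=ad,DC=lasthome,DC=solace,DC=krynn"
DOMAIN_USERS_DN = f"CN=Domain Users,CN=Users,{BASE_DN}"
DOMAIN_ADMINS_DN = f"CN=Domain Admins,CN=Users,{BASE_DN}"

# Sample entries: every user has primaryGroupID 513 (Domain Users) but no memberOf
# back-link for that group; only raistlin has an explicit memberOf (Domain Admins).
DIRECTORY: List[Dict] = [
    {"dn": DOMAIN_USERS_DN, "objectClass": "group", "objectSid": f"{DOMAIN_SID}-513"},
    {"dn": DOMAIN_ADMINS_DN, "objectClass": "group", "objectSid": f"{DOMAIN_SID}-512"},
    {"dn": f"CN=raistlin,CN=Users,{BASE_DN}", "objectClass": "user",
     "sAMAccountName": "raistlin", "primaryGroupID": 513, "memberOf": [DOMAIN_ADMINS_DN]},
    {"dn": f"CN=krbtgt,CN=Users,{BASE_DN}", "objectClass": "user",
     "sAMAccountName": "krbtgt", "primaryGroupID": 513, "memberOf": []},
    {"dn": f"CN=dns-dc00,CN=Users,{BASE_DN}", "objectClass": "user",
     "sAMAccountName": "dns-dc00", "primaryGroupID": 513, "memberOf": []},
]


def rid_from_sid(sid: str) -> int:
    """The RID is the last dash-separated component of an objectSid string."""
    return int(sid.rsplit("-", 1)[1])


def find_entry(directory: List[Dict], dn: str) -> Dict:
    """Look up an entry by DN (DNs compare case-insensitively in AD)."""
    for entry in directory:
        if entry["dn"].lower() == dn.lower():
            return entry
    raise KeyError(dn)


def samba_tool_filter(rid: int, group_dn: str) -> str:
    """The LDAP filter shape quoted from samba-tool: primary group OR DN-link member."""
    return "(|(primaryGroupID=%s)(memberOf=%s))" % (rid, group_dn)


def _has_memberof(entry: Dict, group_dn: str) -> bool:
    return any(m.lower() == group_dn.lower() for m in entry.get("memberOf", []))


def members_via_memberof(directory: List[Dict], group_dn: str) -> List[str]:
    """What a sync that only follows memberOf DN links reports."""
    return sorted(e["sAMAccountName"] for e in directory
                  if e.get("objectClass") == "user" and _has_memberof(e, group_dn))


def members_like_samba_tool(directory: List[Dict], group_dn: str) -> List[str]:
    """Apply the samba-tool logic: match primaryGroupID against the group RID as well."""
    rid = rid_from_sid(find_entry(directory, group_dn)["objectSid"])
    return sorted(e["sAMAccountName"] for e in directory
                  if e.get("objectClass") == "user"
                  and (e.get("primaryGroupID") == rid or _has_memberof(e, group_dn)))


if __name__ == "__main__":
    for dn in (DOMAIN_USERS_DN, DOMAIN_ADMINS_DN):
        rid = rid_from_sid(find_entry(DIRECTORY, dn)["objectSid"])
        print(dn)
        print("  filter:        ", samba_tool_filter(rid, dn))
        print("  memberOf only: ", members_via_memberof(DIRECTORY, dn))
        print("  with primary:  ", members_like_samba_tool(DIRECTORY, dn))
```

The security-relevant consequence is the one Andrew points at: any consumer that derives access from group membership but only follows `member`/`memberOf` links will silently miss every primary-group member, so decisions keyed on a default group such as 'Domain Users' are made on an incomplete list. Either the consumer learns the `primaryGroupID` rule (the filter string above can be handed to `ldapsearch` as-is), or primary-group membership is not relied on for authorization.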