[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

vincent at cojot.name vincent at cojot.name
Sat Aug 22 20:31:41 UTC 2020

Hi Andrew, Hi Rowland,

I just spent close to one hour debugging this with one OpenShift 
specialist from RedHat. What we figured was:

1) both of my configs work (auth and group-sync) and are in fact correct.

2) OCP group sync does not sync the groups that have no explicit 'member' 
Attribute or groups that are 'default' groups (E.g: 'Domain Users') where membership 
is through the primaryGroupID.

So things are in fact working and they'll be reaching out to me because 
I'm one of the few guys with a working 'Active Directory' in his home/lab 
and they'd like to support ActiveDirectory in the Group Sync Operator 
they're writing upstream. :)

Thank you for your help debugging this yesterday. I keep trying to 
evangelize Samba AD/DC internally to my peers and the level of help I 
received on that issue really makes the case for this type of setup.
I will most likely write a post about this.

Much appreciated,



Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote at NOSPAM4cojot.name

They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places.       - Robert Frost

On Sat, 22 Aug 2020, Andrew Bartlett via samba wrote:

> On Fri, 2020-08-21 at 17:51 -0400, Vincent S. Cojot via samba wrote:
>> Hi Rowland,
>> First of all, thank you for taking the time to help me.
>> I tried your suggestion and all results came up empty.
>> Then I did a few lapdsearch(es) and found this:
>> 1) This query returns two users:
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
>> "raistlin at ad.lasthome.solace.krynn" -b
>> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
>> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
>> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>> 2) This query returns no users ("Domain Users" instead of "Domain
>> Admins"):
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
>> "raistlin at ad.lasthome.solace.krynn" -b
>> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
>> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
>> Users,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>> -but- the list of users is correctly reported if I run this on a DC:
>> root at dc01 ~]# samba-tool group listmembers 'Domain Users'
>> [....]
>> raistlin
>> [...]
>> krbtgt
>> dns-dc00
>> dns-dc01
>> Am I doing something wrong?
> The system that you ary trying to use for OpenShift does not know about
> primary group memberships, as these are not recorded as DN links.
> Inside that samba-tool group listmembers command we work around that by
> using this filter:
>            search_filter = ("(|(primaryGroupID=%s)(memberOf=%s))" %
>                             (rid, group_sid_dn))
> You may need to contribute logic upstream to OpenShift to learn about
> how groups work in AD, or (if secure) forgo primary group memberships.
> Andrew Bartlett
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list