[Freeipa-users] Samba 4 with IPA

Alexander Bokovoy abokovoy at redhat.com
Tue Apr 30 19:37:15 UTC 2013


On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
>On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
>>On Tue, 30 Apr 2013, simon.williams at thehelpfulcat.com wrote:
>>>That is actually pretty good news.  The real requirement is network
>>>storage for the Windows workstations secured by FreeIPA authentication.
>>>If I read what you’ve said correctly this is possible now.  I can live
>>>with the magical incantations to enrol any new Windows machines for
>>>now.  There are a few things that would work better if Windows thought
>>>it was logging on to a domain, but we have lived without those features
>>>for the last year.  Once a Windows machine has been set up correctly,
>>>which can be a bit hit and miss, the authentication works flawlessly .
>>To be clear, we have not tested this combination so you'll be in uncharted
>>waters.
>>
>>Since TGT for these users would still be issued by FreeIPA KDC, it would
>>include MS-PAC with SIDs of these users in FreeIPA domain -- once you
>>have run ipa-adtrust-install, of course. Thus, smbd on IPA master would
>>be able to recognize them as FreeIPA users regardless where they come
>>from -- IPA or Windows machines, as long as Kerberos is in use.
>>
>>Any reports of how such setup would actually behave are welcomed.
>>
>>>It sounds as though I can set up the file server now and then extend it
>>>to do the AD DC bit when it is ready.
>>
>>>I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo
>>>anywhere is there?
>>The only requirements for simplistic setup is to:
>>1. run file server on IPA master (you can make a dedicated replica for that)
>>2. run ipa-adtrust-install on that master to setup Samba configuration
>>  and enable KDC + directory server to handle SIDs
>>3. use 'net conf setparm ...' to setup shares, since Samba on IPA master
>>  uses registry backend to store smb.conf configuration.
>>
>>See
>>http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares
>>for sample how to work with 'net conf setparm'.
>>
>>For 'valid users' I guess you can use simply user names since these
>>would be our local ones.
>>
>>Again, this is completely untested right now.
>So, I tried quick test for this, using admins group:
>
>1. Setup shared space, apply SELinux context and modify ACLs:
>[root at red samba-4.0.5]# mkdir /srv/testshare
>[root at red samba-4.0.5]# chcon -t samba_share_t /srv/testshare
>[root at red samba-4.0.5]# setfacl -m g:admins:rwx  /srv/testshare
>[root at red samba-4.0.5]# getfacl /srv/testshare
>getfacl: Removing leading '/' from absolute path names
># file: srv/testshare
># owner: root
># group: root
>user::rwx
>group::r-x
>group:admins:rwx
>mask::rwx
>other::r-x
>
>2. Create actual Samba share:
>[root at red samba-4.0.5]# net conf addshare testshare /srv/testshare writeable=y guest_ok=N
>
>3. Obtain TGT for Kerberos identity (admin, belongs to admins group):
>[root at red samba-4.0.5]# kinit
>Password for admin at BIRD.CLONE: 
>[root at red samba-4.0.5]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: admin at BIRD.CLONE
>
>Valid starting       Expires              Service principal
>30.04.2013 22:10:13  01.05.2013 22:10:11  krbtgt/BIRD.CLONE at BIRD.CLONE
>
>Now try connecting to //red.bird.clone/testshare and use it (I've copied
>few files in several sessions, showing last one):
>
>[root at red samba-4.0.5]# smbclient -k //red.bird.clone/testshare
>lp_load_ex: changing to config backend registry
>Domain=[BIRD] OS=[Unix] Server=[Samba 4.0.5]
>smb: \> dir
>  .                                   D        0  Tue Apr 30 22:06:51 2013
>  ..                                  D        0  Tue Apr 30 21:40:04 2013
>  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
>  README                              A     7998  Tue Apr 30 22:06:51 2013
>
>                40918 blocks of size 262144. 19277 blocks available
>smb: \> put WHATSNEW.txt
>putting file WHATSNEW.txt as \WHATSNEW.txt (182,6 kb/s) (average 182,6 kb/s)
>smb: \> dir
>  .                                   D        0  Tue Apr 30 22:10:35 2013
>  ..                                  D        0  Tue Apr 30 21:40:04 2013
>  WHATSNEW.txt                        A    47112  Tue Apr 30 22:10:35 2013
>  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
>  README                              A     7998  Tue Apr 30 22:06:51 2013
>
>                40918 blocks of size 262144. 19277 blocks available
>smb: \>
>
>Check status of the last copied file, notice permissions and SELinux
>context:
>[root at red samba-4.0.5]#  stat /srv/testshare/WHATSNEW.txt
>  File: ‘/srv/testshare/WHATSNEW.txt’
>  Size: 47112           Blocks: 96         IO Block: 4096   regular file
>Device: fc03h/64515d    Inode: 153050      Links: 1
>Access: (0744/-rwxr--r--)  Uid: (1564400000/   admin)   Gid: (1564400000/  admins)
>Context: system_u:object_r:samba_share_t:s0
>Access: 2013-04-30 22:10:35.484270784 +0300
>Modify: 2013-04-30 22:10:35.580239030 +0300
>Change: 2013-04-30 22:10:35.579270116 +0300
> Birth: -
.... And for those who are too enjoyed -- this only works for FreeIPA
own users. AD users, coming through a trust, are not supported this way
yet, only through explicit 'valid users = USER-SID' right now. It is
due to the fact that smbd doesn't yet know how to convert back gid/uid
of the AD user to a SID since these users have automatically generated
gid/uid which aren't stored anywhere.

We need to add some smart logic to ipasam module to handle it.

[2013/04/30 22:20:03.878564,  5] ../libcli/security/security_token.c:63(security_token_debug)
   Security token SIDs (12):
     SID[  0]: S-1-5-21-3502988750-125904550-3683905862-500
     SID[  1]: S-1-5-21-3502988750-125904550-3683905862-513
     SID[  2]: S-1-5-21-3502988750-125904550-3683905862-520
     SID[  3]: S-1-5-21-3502988750-125904550-3683905862-512
     SID[  4]: S-1-5-21-3502988750-125904550-3683905862-519
     SID[  5]: S-1-5-21-3502988750-125904550-3683905862-518
     SID[  6]: S-1-18-1
     SID[  7]: S-1-5-21-1492269836-2180264219-1113070302-1004
     SID[  8]: S-1-1-0
     SID[  9]: S-1-5-2
     SID[ 10]: S-1-5-11
     SID[ 11]: S-1-22-1-1442800500
    Privileges (0x               0):
    Rights (0x               0):
[2013/04/30 22:20:03.879021,  5] ../source3/auth/token_util.c:528(debug_unix_user_token)
   UNIX token of user 1442800500
   Primary group is 1442800500 and contains 0 supplementary groups
[2013/04/30 22:20:03.879198,  5] ../source3/smbd/uid.c:373(change_to_user_internal)
   Impersonated user: uid=(1442800500,1442800500), gid=(0,1442800500)

and then

[2013/04/30 22:20:03.951270,  5] ../source3/passdb/lookup_sid.c:1212(gid_to_sid)
   gid_to_sid: winbind failed to find a sid for gid 1564400004
...
[2013/04/30 22:20:03.951488,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext) 
   smbldap_search_ext: base => [dc=bird,dc=clone], filter => [(&(gidNumber=1564400004)(objectClass=ipaNTGroupAttrs))], scope => [2]
[2013/04/30 22:20:03.952132,  4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
   pop_sec_ctx (1442800500, 1442800500) - sec_ctx_stack_ndx = 0
[2013/04/30 22:20:03.952214,  3] ../source3/smbd/open.c:791(open_file)
   Error opening file README.downgrade (NT_STATUS_ACCESS_DENIED) (local_flags=578) (flags=578)

I.e. attempt to write file while being a process under uid 1442800500
and gid 1442800500 fails. This is uid of Administrator at AD.LAN, AD user,
and gid of his/her primary group, which are automatically generated
based on its SID.

[root at red samba-4.0.5]# id Administrator at ad.lan
uid=1442800500(administrator at ad.lan) gid=1442800500(administrator at ad.lan) groups=1442800500(administrator at ad.lan),1442800519(enterprise admins at ad.lan),1442800512(domain admins at ad.lan),1564400004(ad_members)

-- 
/ Alexander Bokovoy
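The SID-to-POSIX-id mapping the message describes, and the reverse lookup that has nothing to work with when the id was generated but never stored, as an added Python example (not FreeIPA or Samba code). It assumes the mapping is "range base + RID" and that S-1-5-21-3502988750-125904550-3683905862 is the AD.LAN domain SID with base 1442800000, both read off the ids and the token dump above; the range size is a constructed value.

```python
import re

# Added example, not FreeIPA or Samba code. Assumes the algorithmic mapping
# "POSIX id = range base + RID". The ids quoted in the message (RID 500 ->
# 1442800500, 512 -> 1442800512, 519 -> 1442800519) fit a base of 1442800000.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Domain SID prefix -> (range base, range size). The domain SID is read off
# the token dump above (assumed to be AD.LAN); the size is a constructed value.
ID_RANGES = {
    "S-1-5-21-3502988750-125904550-3683905862": (1442800000, 200000),
}


def sid_to_posix_id(sid, ranges=ID_RANGES):
    """Forward mapping: domain SID -> uid/gid, needs only the range base."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    domain, rid = m.group(1), int(m.group(2))
    if domain not in ranges:
        raise KeyError(f"no ID range registered for domain {domain}")
    base, size = ranges[domain]
    if rid >= size:
        raise ValueError(f"RID {rid} does not fit in the range of {domain}")
    return base + rid


def posix_id_to_sid(posix_id, ranges=ID_RANGES):
    """Reverse mapping: uid/gid -> SID. Only possible when some registered
    range covers the id; otherwise return None, which is the situation the
    message describes for ids that are generated but never stored."""
    for domain, (base, size) in ranges.items():
        if base <= posix_id < base + size:
            return f"{domain}-{posix_id - base}"
    return None


def unresolvable_gids(gids, ranges=ID_RANGES):
    """Return the gids from a user's group list that cannot be mapped back
    to a SID, i.e. the ones a gid_to_sid call would fail on."""
    return [g for g in gids if posix_id_to_sid(g, ranges) is None]


# Group list of Administrator@AD.LAN as shown by the `id` output above.
ADMINISTRATOR_GIDS = [1442800500, 1442800519, 1442800512, 1564400004]

if __name__ == "__main__":
    print(sid_to_posix_id("S-1-5-21-3502988750-125904550-3683905862-500"))
    print(unresolvable_gids(ADMINISTRATOR_GIDS))
```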



