[Freeipa-users] Ubuntu Samba Server Auth against IPA

Christopher Lamb christopher.lamb at ch.ibm.com
Tue Aug 4 15:45:19 UTC 2015


Hi Matt

I assume [username] is a real username, identical to that in the FreeIPA
cn=accounts, cn=users tree? (i.e. you anonymised the log extract).

Your user should be a member of the appropriate samba groups that you set up
in FreeIPA.

You should check that the user attribute SambaPwdLastSet is set to a
positive value (e.g. 1). If not you get an error in the Samba logs - I
would need to play around again with a test user to find out the exact
error.

I don't understand what you mean about syncing the users local, but we did
not need to do anything like that.

Chris
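A pre-flight check for the conditions discussed in this thread (sambaSamAccount attributes on the user, a positive SambaPwdLastSet, membership in a FreeIPA group with SambaGroupType = 4). This is an added example, not code from the thread or from FreeIPA; it works on entries in the dict shape python-ldap returns, assumes group membership is read from FreeIPA's "member" DN attribute, and all sample data is constructed.

```python
# Added example, not code from this thread: a pre-flight check over one
# FreeIPA user and the groups it belongs to, using the dict shape that
# python-ldap search results have (attribute name -> list of bytes).
# It reports the gaps that make Samba's ldapsam backend answer
# NT_STATUS_NO_SUCH_USER or reject the password.  Assumption: membership
# is read from FreeIPA's "member" DN attribute; sample data is constructed.
REQUIRED_USER_ATTRS = ("uidNumber", "gidNumber", "sambaSID", "sambaPwdLastSet")


def check_samba_user(user_dn, user, groups):
    """Return the list of problems found; an empty list means Samba should
    be able to look the user up and match it against an @group in smb.conf."""
    problems = []
    classes = {c.decode().lower() for c in user.get("objectClass", [])}
    if "sambasamaccount" not in classes:
        problems.append("missing objectClass sambaSamAccount")
    for attr in REQUIRED_USER_ATTRS:
        if not user.get(attr):
            problems.append(f"missing {attr}")
    # As advised in the thread, sambaPwdLastSet must hold a positive value.
    if user.get("sambaPwdLastSet") and int(user["sambaPwdLastSet"][0]) <= 0:
        problems.append("sambaPwdLastSet is not positive")
    # A Samba group is a FreeIPA group carrying sambaGroupType = 4 and a
    # sambaSID; "valid users = @smb-junit" only matches through such a group.
    usable = [dn for dn, g in groups.items()
              if g.get("sambaGroupType", [b""])[0] == b"4"
              and g.get("sambaSID")
              and user_dn.encode() in g.get("member", [])]
    if not usable:
        problems.append("no membership in a group with sambaGroupType=4 and a sambaSID")
    return problems


# Constructed sample entries; SIDs, DNs and ids are placeholders.
BASE = "dc=my,dc=silly,dc=example,dc=com"
GOOD_DN = f"uid=alice,cn=users,cn=accounts,{BASE}"
BAD_DN = f"uid=bob,cn=users,cn=accounts,{BASE}"
GROUPS = {f"cn=smb-junit,cn=groups,cn=accounts,{BASE}": {
    "sambaGroupType": [b"4"], "sambaSID": [b"S-1-5-21-1-2-3-1001"],
    "member": [GOOD_DN.encode()]}}
GOOD_USER = {"objectClass": [b"posixAccount", b"sambaSamAccount"],
             "uidNumber": [b"10001"], "gidNumber": [b"10001"],
             "sambaSID": [b"S-1-5-21-1-2-3-1000"], "sambaPwdLastSet": [b"1"]}
BAD_USER = {"objectClass": [b"posixAccount"], "uidNumber": [b"10002"],
            "gidNumber": [b"10002"], "sambaPwdLastSet": [b"0"]}

if __name__ == "__main__":
    for dn, entry in ((GOOD_DN, GOOD_USER), (BAD_DN, BAD_USER)):
        print(dn, "->", check_samba_user(dn, entry, GROUPS) or "OK")
```

To run it against a live directory, fetch the user and its groups with ldapsearch or python-ldap (using a bind identity that can read the samba* attributes, as the thread notes) and pass the entries in.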




From:	"Matt ." <yamakasi.014 at gmail.com>
To:	Christopher Lamb/Switzerland/IBM at IBMCH
Cc:	"freeipa-users at redhat.com" <freeipa-users at redhat.com>
Date:	04.08.2015 15:33
Subject:	Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

A puppet run added another passdb backend, that was causing my issue.

What I still experience is:


[2015/08/04 15:29:45.477783,  3]
../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026,  2]
../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [username] ->
[username] FAILED with error NT_STATUS_NO_SUCH_USER


I also wonder if I shall still sync the users local, or is it needed ?

Thanks again,

Matt

2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> Hi Matt
>
> From our smb.conf file:
>
> [global]
>    security = user
>    passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>    ldap suffix = dc=my,dc=silly,dc=example,dc=com
>    ldap admin dn = cn=Directory Manager
>
> So yes, we use Directory Manager, it works for us. I have not tried with a
> less powerful user, but it is conceivable that a lesser user may not see
> all the required attributes, resulting in "no such user" errors.
>
> Chris
>
>
>
>
> From:   "Matt ." <yamakasi.014 at gmail.com>
> To:     Christopher Lamb/Switzerland/IBM at IBMCH
> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> Date:   04.08.2015 13:32
> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
>
>
> Hi Chris,
>
> Thanks for the heads up, indeed local is 4 I see now when I add a
> group from the GUI, great thanks!
>
> But do you use Directory Manager as ldap admin user or some other
> admin account ?
>
> I'm not sure if DM is needed and it should get that deep into IPA.
> Also when starting samba it cannot find "such user" as that sounds
> quite known as it has no UID.
>
> From your config I see you use DM, this should work ?
>
> Thanks!
>
>
> Matt
>
> 2015-08-04 13:15 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi Chris,
>>
>> Thanks for the heads up, indeed local is 4 I see now when I add a
>> group from the GUI, great thanks!
>>
>> But do you use Directory Manager as ldap admin user or some other
>> admin account ?
>>
>> I'm not sure id DM is needed and it should get that deep into IPA.
>> Also when starting samba it cannot find "such user" as that sounds
>> quite known as it has no UID.
>>
>> From your config I see you use DM, this should work ?
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-03 17:17 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>> Hi Matt
>>>
>>> It sounds like you now have prepared FreeIPA for Samba
>>>
>>> I assume you have already configured Samba to authenticate via FreeIPA
>>> (changes to the [global] section of your smb.conf file, secrets.tdb etc.)
>>>
>>> Next you need to add your samba groups to FreeIPA. (i.e FreeIPA groups,
>>> with SambaGroupType = 4)
>>>
>>> For example:
>>>
>>> In FreeIPA under cn=accounts, cn=users we have a group called "smb-junit".
>>>
>>> This group has (among others) the attribute SambaGroupType = 4
>>>
>>> We can then use the name of the group in the smb.conf file
>>>
>>> [junit]
>>>         comment = JUnit Share
>>>         path = /samba/junit
>>>         browseable = no
>>>         valid users = @smb-junit
>>>         write list = @smb-junit
>>>         force group = smb-junit
>>>         create mask = 0770
>>>
>>>
>>> Ciao
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>> To:     Christopher Lamb/Switzerland/IBM at IBMCH
>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>, Petr Vobornik <pvoborni at redhat.com>
>>> Date:   03.08.2015 16:03
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>>
>>>
>>> Hi,
>>>
>>> OK, I have a Samba Group Type now in my groups details list and also
>>> in the groups settings tab.
>>>
>>> I'm not 100% how this is managed. I have Grouptype 4, in the groups
>>> overview it's still empty. But how to manage this between samba and
>>> ipa ? What should be the reference between the group(names) ?
>>>
>>> Thanks again!
>>>
>>> Matt
>>>
>>> 2015-08-03 13:20 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>> HI Matt
>>>>
>>>> It looks like I skipped that step ... (And as we already had samba groups
>>>> in place, did not need to make new ones via the WebUI).
>>>>
>>>> However a quick google trawled up this old thread that has a possible
>>>> answer from Peter. (I have not tested it yet myself).
>>>>
>>>> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>>>>
>>>> Chris
>>>>
>>>>
>>>>
>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>> To:
>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>> Date:   03.08.2015 12:45
>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>
>>>>
>>>>
>>>> In my previous reply, I meant "no group.js at all".
>>>>
>>>>
>>>> 2015-08-03 12:17 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>> Hi Chris,
>>>>>
>>>>> Thanks for that verification!
>>>>>
>>>>> It seems that:
>>>>>
>>>>> /usr/share/ipa/ui/group.js
>>>>>
>>>>> Is not there on IPA.4.1, also there is no .js at all on the whole system.
>>>>>
>>>>> Any idea there ?
>>>>>
>>>>> Thanks again!
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-03 9:53 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>> Hi Matt
>>>>>>
>>>>>> Thankfully I saved the output from those ldapmodify commands (against
>>>>>> FreeIPA 4.1) and was able to find it again!
>>>>>>
>>>>>> In our case sambagrouptype also seems to have already been present, so
>>>>>> that should not hurt.
>>>>>>
>>>>>> [root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>>>>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>>> changetype: add
>>>>>>> add: ipaCustomFields
>>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>> EOF
>>>>>> SASL/GSSAPI authentication started
>>>>>> SASL username: lamb at MY.SILLY.EXAMPLE.COM
>>>>>> SASL SSF: 56
>>>>>> SASL data security layer installed.
>>>>>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>>>>>> ldap_add: Already exists (68)
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>>>> To:
>>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>>> Date:   02.08.2015 13:33
>>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> Chris,
>>>>>>
>>>>>> Are you doing this on 3.x or also 4.x ?
>>>>>>
>>>>>> As the following already exists:
>>>>>>
>>>>>> ldapmodify -Y GSSAPI <<EOF
>>>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>> changetype: add
>>>>>> add: ipaCustomFields
>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>> EOF
>>>>>>
>>>>>>
>>>>>> And I'm unsure about the python files as they are slightly different
>>>>>> on 4.1
>>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>>
>>>>>> 2015-08-01 19:51 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Yes I found that earlier, that looks good and even better when you
>>>>>>> confirm this as really usable.
>>>>>>>
>>>>>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>>>>>> happens when we "need" to move because integration has been improved.
>>>>>>>
>>>>>>> I try to keep IPA as native as I can.
>>>>>>>
>>>>>>> So this is the best way to go for now, even when this thread is such
>>>>>>> "old" ?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>>
>>>>>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>>>> Hi Matt
>>>>>>>>
>>>>>>>> For a "how to" of Samba FreeIPA integration using schema extensions,
>>>>>>>> see this previous thread
>>>>>>>>
>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>>>>>>
>>>>>>>> That should point to this techslaves article with the detailed
>>>>>>>> instructions that we followed:
>>>>>>>>
>>>>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>>>>>>
>>>>>>>> The main reason we went that way is that we have no AD domain, which
>>>>>>>> seems to be required by other integration paths.
>>>>>>>>
>>>>>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now
>>>>>>>> 7.x). So things may be different on Ubuntu.
>>>>>>>>
>>>>>>>> As always, when changing the LDAP schema, an LDAP browser like Apache
>>>>>>>> Directory Studio is very useful to visualise what is going on and to
>>>>>>>> verify if your changes are present! (and is sometime easier to manually
>>>>>>>> change attributes rather than by LDAPMODIFY script....)
>>>>>>>>
>>>>>>>> There is another ongoing thread in this mailing list about problems
>>>>>>>> with the attribute SambaPwdLastSet.
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>>>>>> To:
>>>>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>>>>> Date:   31.07.2015 16:58
>>>>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> This is nice to have confirmed.
>>>>>>>>
>>>>>>>> Is it possible for you to describe what you do ? It might be handy to
>>>>>>>> add this to the IPA documentation also with some explanation why...
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>>>>>>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>>>>>>>> that we have is, that the users get no notice of password expiry until
>>>>>>>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>>>>>>>> accepted when trying to connect to a share. Once the password is reset
>>>>>>>>> (via CLI or FreeIPA WebUi), they can access the shares again.
>>>>>>>>>
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> From:   Youenn PIOLET <piolet.y at gmail.com>
>>>>>>>>> To:     "Matt ." <yamakasi.014 at gmail.com>
>>>>>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>>>>>> Date:   31.07.2015 16:21
>>>>>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> I asked the very same question a few weeks ago, but no answer yet.
>>>>>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>>>>>>>
>>>>>>>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>>>>>>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>>>>>>>> with password management doing this, that's why I'd like to get a better
>>>>>>>>> solution :)
>>>>>>>>>
>>>>>>>>> Anyone?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Youenn Piolet
>>>>>>>>> piolet.y at gmail.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>>   Hi Guys,
>>>>>>>>>
>>>>>>>>>   I'm really struggling getting a NON AD Samba server authing against a
>>>>>>>>>   FreeIPA server:
>>>>>>>>>
>>>>>>>>>   Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
>>>>>>>>>   CentOS 7.1 -> FreeIPA 4.1
>>>>>>>>>
>>>>>>>>>   Now this seems to be the way:
>>>>>>>>>
>>>>>>>>>   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>   But as this, which I also found on the mailinglists:
>>>>>>>>>
>>>>>>>>>   NOTE: Only Kerberos authentication will work when accessing Samba
>>>>>>>>>   shares using this method. This means that Windows clients not joined
>>>>>>>>>   to Active Directory forest trusted by IPA would not be able to access
>>>>>>>>>   the shares. This is related to SSSD not yet being able to handle
>>>>>>>>>   NTLMSSP authentication.
>>>>>>>>>
>>>>>>>>>   It might not be that easy to have a Samba Shares only server.
>>>>>>>>>
>>>>>>>>>   Any idea here how to accomplish ?
>>>>>>>>>
>>>>>>>>>   Cheers,
>>>>>>>>>
>>>>>>>>>   Matt
>>>>>>>>>
>>>>>>>>>   --
>>>>>>>>>   Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>   https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>   Go to http://freeipa.org for more info on the project