[Freeipa-users] Ubuntu Samba Server Auth against IPA

Matt . yamakasi.014 at gmail.com
Tue Aug 4 15:55:42 UTC 2015


Hi,

Yes, log is anonymised.

It's strange, my user doesn't have a SambaPwdLastSet, also when I
change its password it doesn't get it in ldap.

There must be something going wrong I guess.

Matt

2015-08-04 17:45 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> Hi Matt
>
> I assume [username] is a real username, identical to that in the FreeIPA
> cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>
> Your user should be a member of the appropriate samba groups that you set up
> in FreeIPA.
>
> You should check that the user attribute SambaPwdLastSet is set to a
> positive value (e.g. 1). If not you get an error in the Samba logs - I
> would need to play around again with a test user to find out the exact
> error.
>
> I don't understand what you mean about syncing the users local, but we did
> not need to do anything like that.
>
> Chris
>
>
>
>
> From:   "Matt ." <yamakasi.014 at gmail.com>
> To:     Christopher Lamb/Switzerland/IBM at IBMCH
> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> Date:   04.08.2015 15:33
> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
>
>
> Hi Chris,
>
> A puppet run added another passdb backend, that was causing my issue.
>
> What I still experience is:
>
>
> [2015/08/04 15:29:45.477783,  3]
> ../source3/auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'username' in passdb.
> [2015/08/04 15:29:45.478026,  2]
> ../source3/auth/auth.c:288(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [username] ->
> [username] FAILED with error NT_STATUS_NO_SUCH_USER
>
>
> I also wonder if I shall still sync the users locally, or is it needed?
>
> Thanks again,
>
> Matt
>
> 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> Hi Matt
>>
>> From our smb.conf file:
>>
>> [global]
>>    security = user
>>    passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>>    ldap suffix = dc=my,dc=silly,dc=example,dc=com
>>    ldap admin dn = cn=Directory Manager
>>
>> So yes, we use Directory Manager, it works for us. I have not tried with
>> a less powerful user, but it is conceivable that a lesser user may not see
>> all the required attributes, resulting in "no such user" errors.
>>
>> Chris
>>
>>
>>
>>
>> From:   "Matt ." <yamakasi.014 at gmail.com>
>> To:     Christopher Lamb/Switzerland/IBM at IBMCH
>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> Date:   04.08.2015 13:32
>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>>
>>
>> Hi Chris,
>>
>> Thanks for the heads up, indeed local is 4 I see now when I add a
>> group from the GUI, great thanks!
>>
>> But do you use Directory Manager as ldap admin user or some other
>> admin account?
>>
>> I'm not sure if DM is needed and it should get that deep into IPA.
>> Also when starting samba it cannot find "such user" as that sounds
>> quite known as it has no UID.
>>
>> From your config I see you use DM, this should work?
>>
>> Thanks!
>>
>>
>> Matt
>>
>>> 2015-08-03 17:17 GMT+02:00 Christopher Lamb
>> <christopher.lamb at ch.ibm.com>:
>>>> Hi Matt
>>>>
>>>> It sounds like you now have prepared FreeIPA for Samba.
>>>>
>>>> I assume you have already configured Samba to authenticate via FreeIPA
>>>> (changes to the [global] section of your smb.conf file, secrets.tdb
>>>> etc.).
>>>>
>>>> Next you need to add your samba groups to FreeIPA. (i.e FreeIPA groups,
>>>> with SambaGroupType = 4)
>>>>
>>>> For example:
>>>>
>>>> In FreeIPA under cn=accounts, cn=users we have a group called
>>>> "smb-junit".
>>>>
>>>> This group has (among others) the attribute SambaGroupType = 4
>>>>
>>>> We can then use the name of the group in the smb.conf file:
>>>>
>>>> [junit]
>>>>         comment = JUnit Share
>>>>         path = /samba/junit
>>>>         browseable = no
>>>>         valid users = @smb-junit
>>>>         write list = @smb-junit
>>>>         force group = smb-junit
>>>>         create mask = 0770
>>>>
>>>>
>>>> Ciao
>>>>
>>>> Chris
>>>>
>>>>
>>>>
>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>> To:     Christopher Lamb/Switzerland/IBM at IBMCH
>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>, Petr
>>>>             Vobornik <pvoborni at redhat.com>
>>>> Date:   03.08.2015 16:03
>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against
> IPA
>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> OK, I have a Samba Group Type now in my groups details list and also
>>>> in the groups settings tab.
>>>>
>>>> I'm not 100% sure how this is managed. I have Grouptype 4, in the groups
>>>> overview it's still empty. But how to manage this between samba and
>>>> ipa? What should be the reference between the group(names)?
>>>>
>>>> Thanks again!
>>>>
>>>> Matt
>>>>
>>>> 2015-08-03 13:20 GMT+02:00 Christopher Lamb
>> <christopher.lamb at ch.ibm.com>:
>>>>> Hi Matt
>>>>>
>>>>> It looks like I skipped that step ... (And as we already had samba
>>>>> groups in place, did not need to make new ones via the WebUI).
>>>>>
>>>>> However a quick google trawled up this old thread that has a possible
>>>>> answer from Peter. (I have not tested it yet myself).
>>>>>
>>>>> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>>
>>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>>> To:
>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>> Date:   03.08.2015 12:45
>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against
>> IPA
>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>
>>>>>
>>>>>
>>>>> In my previous reply, I meant "no group.js at all".
>>>>>
>>>>>
>>>>> 2015-08-03 12:17 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>> Hi Chris,
>>>>>>
>>>>>> Thanks for that verification!
>>>>>>
>>>>>> It seems that:
>>>>>>
>>>>>> /usr/share/ipa/ui/group.js
>>>>>>
>>>>>> Is not there on IPA 4.1, also there is no .js at all on the whole
>>>>>> system.
>>>>>>
>>>>>> Any idea there ?
>>>>>>
>>>>>> Thanks again!
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2015-08-03 9:53 GMT+02:00 Christopher Lamb
>>>> <christopher.lamb at ch.ibm.com>:
>>>>>>> Hi Matt
>>>>>>>
>>>>>>> Thankfully I saved the output from those ldapmodify commands
>>>>>>> (against FreeIPA 4.1) and was able to find it again!
>>>>>>>
>>>>>>> In our case sambagrouptype also seems to have already been present,
>>>>>>> so that should not hurt.
>>>>>>>
>>>>>>> [root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>>>>>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>>>> changetype: add
>>>>>>>> add: ipaCustomFields
>>>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>>> EOF
>>>>>>> SASL/GSSAPI authentication started
>>>>>>> SASL username: lamb at MY.SILLY.EXAMPLE.COM
>>>>>>> SASL SSF: 56
>>>>>>> SASL data security layer installed.
>>>>>>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>>>>>>> ldap_add: Already exists (68)
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>>>>> To:
>>>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>>>> Date:   02.08.2015 13:33
>>>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against
>>>> IPA
>>>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Chris,
>>>>>>>
>>>>>>> Are you doing this on 3.x or also 4.x?
>>>>>>>
>>>>>>> As the following already exists:
>>>>>>>
>>>>>>> ldapmodify -Y GSSAPI <<EOF
>>>>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>>> changetype: add
>>>>>>> add: ipaCustomFields
>>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>> EOF
>>>>>>>
>>>>>>>
>>>>>>> And I'm unsure about the python files as they are slightly different
>>>>>>> on 4.1.
>>>>>>>
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>>
>>>>>>> 2015-08-01 19:51 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Yes I found that earlier, that looks good and even better when you
>>>>>>>> confirm this as really usable.
>>>>>>>>
>>>>>>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>>>>>>> happens when we "need" to move because integration has been
>>>>>>>> improved.
>>>>>>>>
>>>>>>>> I try to keep IPA as native as I can.
>>>>>>>>
>>>>>>>> So this is the best way to go for now, even when this thread is
>>>>>>>> such "old"?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb
>>>>> <christopher.lamb at ch.ibm.com>:
>>>>>>>>> Hi Matt
>>>>>>>>>
>>>>>>>>> For a "how to" of Samba FreeIPA integration using schema
>>>>>>>>> extensions, see this previous thread
>>>>>>>>>
>>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>>>>>>>
>>>>>>>>> That should point to this techslaves article with the detailed
>>>>>>>>> instructions that we followed:
>>>>>>>>>
>>>>>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>>>>>>>
>>>>>>>>> The main reason we went that way is that we have no AD domain,
>>>>>>>>> which seems to be required by other integration paths.
>>>>>>>>>
>>>>>>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x,
>>>>>>>>> now 7.x). So things may be different on Ubuntu.
>>>>>>>>>
>>>>>>>>> As always, when changing the LDAP schema, an LDAP browser like
>>>>>>>>> Apache Directory Studio is very useful to visualise what is going on
>>>>>>>>> and to verify if your changes are present! (and it is sometimes
>>>>>>>>> easier to manually change attributes rather than by LDAPMODIFY
>>>>>>>>> script....)
>>>>>>>>>
>>>>>>>>> There is another ongoing thread in this mailing list about
>>>>>>>>> problems with the attribute SambaPwdLastSet.
>>>>>>>>>
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>>>>>>> To:
>>>>>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>>>>>> Date:   31.07.2015 16:58
>>>>>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth
>> against
>>>>> IPA
>>>>>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> This is nice to have confirmed.
>>>>>>>>>
>>>>>>>>> Is it possible for you to describe what you do? It might be handy
>>>>>>>>> to add this to the IPA documentation also with some explanation
>>>>>>>>> why...
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb
>>>>>>> <christopher.lamb at ch.ibm.com>:
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect
>>>>>>>>>> to the "shares" using their FreeIPA credentials. The only password
>>>>>>>>>> mgmt problem that we have is, that the users get no notice of
>>>>>>>>>> password expiry until "suddenly" their Samba user (really the
>>>>>>>>>> FreeIPA user) password is not accepted when trying to connect to a
>>>>>>>>>> share. Once the password is reset (via CLI or FreeIPA WebUI), they
>>>>>>>>>> can access the shares again.
>>>>>>>>>>
>>>>>>>>>> Chris
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> From:   Youenn PIOLET <piolet.y at gmail.com>
>>>>>>>>>> To:     "Matt ." <yamakasi.014 at gmail.com>
>>>>>>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>>>>>>> Date:   31.07.2015 16:21
>>>>>>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth
>> against
>>>>>>> IPA
>>>>>>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> I asked the very same question a few weeks ago, but no answer
>>>>>>>>>> yet.
>>>>>>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>>>>>>>>
>>>>>>>>>> The only method I see is to install samba extensions in FreeIPA's
>>>>>>>>>> LDAP directory, and bind samba with LDAP. There may be a lot of
>>>>>>>>>> difficulties with password management doing this, that's why I'd
>>>>>>>>>> like to get a better solution :)
>>>>>>>>>>
>>>>>>>>>> Anyone?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Youenn Piolet
>>>>>>>>>> piolet.y at gmail.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>>>   Hi Guys,
>>>>>>>>>>
>>>>>>>>>>   I'm really struggling getting a NON AD Samba server authing
>>>>>>>>>>   against a FreeIPA server:
>>>>>>>>>>
>>>>>>>>>>   Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
>>>>>>>>>>   CentOS 7.1 -> FreeIPA 4.1
>>>>>>>>>>
>>>>>>>>>>   Now this seems to be the way:
>>>>>>>>>>
>>>>>>>>>>   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>>>>
>>>>>>>>>>   But as this, which I also found on the mailinglists:
>>>>>>>>>>
>>>>>>>>>>   NOTE: Only Kerberos authentication will work when accessing
>>>>>>>>>>   Samba shares using this method. This means that Windows clients
>>>>>>>>>>   not joined to Active Directory forest trusted by IPA would not be
>>>>>>>>>>   able to access the shares. This is related to SSSD not yet being
>>>>>>>>>>   able to handle NTLMSSP authentication.
>>>>>>>>>>
>>>>>>>>>>   It might not be that easy to have a Samba Shares only server.
>>>>>>>>>>
>>>>>>>>>>   Any idea here how to accomplish?
>>>>>>>>>>
>>>>>>>>>>   Cheers,
>>>>>>>>>>
>>>>>>>>>>   Matt
>>>>>>>>>>
>>>>>>>>>>   --
>>>>>>>>>>   Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>   https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>   Go to http://freeipa.org for more info on the project
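The thread turns on two LDAP attributes that Samba's ldapsam backend needs on FreeIPA entries: users must carry the sambaSamAccount object class with a positive sambaPwdLastSet (Chris's check), and groups used in valid users / write list must have sambaGroupType = 4. Matt's "Couldn't find user 'username' in passdb" is what ldapsam reports when those are absent. The script below is an added example, not code from the thread or from FreeIPA or Samba; it parses a constructed LDIF export (the base DN dc=example,dc=com, the SIDs and the user and group names are made up) and reports which entries are not yet usable by Samba. The sambaSID and sambaGroupMapping names come from the Samba LDAP schema, not from the thread. Feed it the output of an ldapsearch over cn=accounts to check a real directory.

```python
"""Report FreeIPA users and groups that Samba's ldapsam backend would reject.

Added example, not part of the mailing-list thread. SAMPLE_LDIF below is a
constructed export; against a real server you would pass in the output of
something like (assumed invocation, adjust base DN and filter):
    ldapsearch -Y GSSAPI -LLL -b cn=accounts,dc=example,dc=com \
        '(|(objectClass=posixAccount)(objectClass=posixGroup))'
"""
import base64
from typing import Dict, List

# Constructed sample: one Samba-ready user, one plain IPA user, one group
# mapped for Samba (sambaGroupType 4, as in the thread) and one unmapped group.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001
sambaPwdLastSet: 1438700000

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: bob
description:: dGVzdCB1c2Vy

dn: cn=smb-junit,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smb-junit
sambaGroupType: 4
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2001

dn: cn=developers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
cn: developers
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    decodes base64 values ('attr:: ...') and splits entries on blank lines.
    Attribute names are lower-cased because LDAP matches them case-insensitively."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of previous line
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_samba_readiness(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {dn: [problem, ...]} for entries missing what ldapsam needs."""
    problems: Dict[str, List[str]] = {}
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        issues: List[str] = []
        if "posixaccount" in classes:
            if "sambasamaccount" not in classes:
                issues.append("missing objectClass sambaSamAccount")
            if "sambasid" not in e:
                issues.append("missing sambaSID")
            pwd = e.get("sambapwdlastset", [])
            if not pwd:
                issues.append("missing sambaPwdLastSet")
            elif not pwd[0].lstrip("-").isdigit() or int(pwd[0]) <= 0:
                issues.append("sambaPwdLastSet must be a positive integer")
        elif "posixgroup" in classes:
            if "sambagroupmapping" not in classes:
                issues.append("missing objectClass sambaGroupMapping")
            gt = e.get("sambagrouptype", [])
            if gt != ["4"]:
                issues.append(f"sambaGroupType is {gt[0] if gt else 'unset'}, expected 4")
        if issues:
            problems[dn] = issues
    return problems


if __name__ == "__main__":
    for dn, issues in check_samba_readiness(parse_ldif(SAMPLE_LDIF)).items():
        print(dn)
        for issue in issues:
            print("   -", issue)
```

Run against the sample, only bob and developers are reported; alice and smb-junit pass. A user flagged "missing sambaPwdLastSet" is the situation Matt describes in the top message, and the thread's advice (a positive value such as 1) clears that line of the report without changing the user's Kerberos or LDAP password.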