[Freeipa-users] Ubuntu Samba Server Auth against IPA

Christopher Lamb christopher.lamb at ch.ibm.com
Tue Aug 4 19:22:45 UTC 2015


Hi Matt, Youenn

Just to set the background properly, I did not invent this process. I know
only a little about FreeIPA, and almost nothing about Samba, but I guess I
was lucky enough to get the integration working on a Sunday afternoon. (I
did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

It sounds like we need to step back, and look at the test user and group in
the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
(cn=accounts, cn=users):

* objectClass: sambasamaccount

* Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
(cn=accounts, cn=groups):

* objectClass: sambaGroupMapping

* Attributes: sambaGroupType, sambaSID

The Users must belong to one or more of the samba groups that you have
set up.

If you don't have something similar to the above (which sounds like it is
the case), then something went wrong applying the extensions. It would be
worth comparing a new user / group created after adding the extensions
with a previously existing user.

i.e.
are the extensions missing on existing users / groups?
are the extensions missing on new users / groups?

Cheers

Chris
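The check Chris describes (look at the user and group entries under cn=accounts and see whether the Samba objectClasses and attributes are there) can be scripted. The following is an added example, not code from anyone in this thread: it parses unwrapped LDIF as printed by `ldapsearch -LLL` and reports, per entry, what Samba's ldapsam backend would find missing, including the positive `sambaPwdLastSet` Chris asks for. The sample LDIF and the hash placeholder are constructed.

```python
# Added example, not code from the thread: audit FreeIPA user/group entries for the Samba
# extensions Chris lists. Assumes unwrapped LDIF as printed by "ldapsearch -LLL".
REQUIRED = {  # container -> (required objectClass, required attributes), lower-cased
    "cn=users": ("sambasamaccount", ("sambasid", "sambantpassword", "sambapwdlastset")),
    "cn=groups": ("sambagroupmapping", ("sambasid", "sambagrouptype")),
}

def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per LDIF entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if line.strip():                          # attribute line
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
        elif cur:                                 # blank line ends an entry
            entries.append(cur)
            cur = {}
    return entries

def audit_entry(entry):
    """List what Samba's ldapsam backend would miss; [] means the entry is complete."""
    dn = entry.get("dn", [""])[0]
    container = dn.split(",")[1] if dn.count(",") > 1 else ""
    if container not in REQUIRED:
        return []                                 # neither a user nor a group entry
    cls, attrs = REQUIRED[container]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    findings = [] if cls in classes else [f"missing objectClass {cls}"]
    findings += [f"missing attribute {a}" for a in attrs if a not in entry]
    pls = entry.get("sambapwdlastset")            # Chris: must be set to a positive value
    if pls and not (pls[0].isdigit() and int(pls[0]) > 0):
        findings.append("sambaPwdLastSet is not a positive value")
    return findings

def audit_ldif(text):
    return {e["dn"][0]: audit_entry(e) for e in parse_ldif(text) if "dn" in e}

# Constructed sample: a complete user, a plain POSIX user and a group lacking sambaGroupType.
SAMPLE_LDIF = """dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-1001
sambaNTPassword: PLACEHOLDER_NT_HASH
sambaPwdLastSet: 1438707000

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount

dn: cn=smbusers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-2001"""
```

A user entry reported with "missing objectClass sambasamaccount" is exactly one that pdbedit's filter (&(uid=*)(objectclass=sambaSamAccount)) will never return, which is what NT_STATUS_NO_SUCH_USER in the log points at.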





From:	Youenn PIOLET <piolet.y at gmail.com>
To:	"Matt ." <yamakasi.014 at gmail.com>
Cc:	Christopher Lamb/Switzerland/IBM at IBMCH,
            "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Date:	04.08.2015 18:56
Subject:	Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi there,

I have difficulty following you at this point :)
Here is what I've done and what I've understood:

## SMB Side
- testparm OK
- I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
- pdbedit -Lv output is all successful, but I can see there is a filter:
(&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have
sambaSamAccount.

## LDAP / FreeIPA side
- Since the SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
server to get the samba LDAP extensions.
- I can see the samba classes exist in LDAP, but they are not used on my group
objects or my user objects.
- I have added sambaSamAccount to the FreeIPA default user classes,
and sambaGroupMapping to the default group classes. In that state I can't
create users or groups anymore, as the new samba attributes are needed for
instantiation.
- I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
but I don't get what it does.
- I tried to add the samba.js plugin. It works, and adds the "local" option
when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
(domain). It doesn't work and says that the sambagrouptype attribute doesn't
exist (but it should, now that I have put the sambaGroupType class in by default...)

## Questions
0) Can I ask samba not to search for sambaSamAccount and use unix / posix
instead? I guess not.
1) How do I generate the user/group SIDs? They are required to add the
sambaSamAccount classes.
This article doesn't seem relevant since we don't use a domain controller
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
and netgetlocalsid returns an error.
2) How do I fix the samba.js plugin?
3) I guess an equivalent of samba.js is needed for user creation; where can
I find it?
4) Is your setup working with Windows 8 / Windows 10 and not only Windows
7?

Thanks a lot for your previous and future answers

--
Youenn Piolet
piolet.y at gmail.com


2015-08-04 17:55 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
  Hi,

  Yes, log is anonymised.

  It's strange, my user doesn't have a SambaPwdLastSet; also when I
  change its password it doesn't get it in ldap.

  There must be something going wrong I guess.

  Matt

  2015-08-04 17:45 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  > Hi Matt
  >
  > I assume [username] is a real username, identical to that in the FreeIPA
  > cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
  >
  > Your user should be a member of the appropriate samba groups that you set up
  > in FreeIPA.
  >
  > You should check that the user attribute SambaPwdLastSet is set to a
  > positive value (e.g. 1). If not you get an error in the Samba logs - I
  > would need to play around again with a test user to find out the exact
  > error.
  >
  > I don't understand what you mean about syncing the users local, but we did
  > not need to do anything like that.
  >
  > Chris
  >
  >
  >
  >
  > From:   "Matt ." <yamakasi.014 at gmail.com>
  > To:     Christopher Lamb/Switzerland/IBM at IBMCH
  > Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  > Date:   04.08.2015 15:33
  > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >
  >
  >
  > Hi Chris,
  >
  > A puppet run added another passdb backend, that was causing my issue.
  >
  > What I still experience is:
  >
  >
  > [2015/08/04 15:29:45.477783,  3]
  > ../source3/auth/check_samsec.c:399(check_sam_security)
  >   check_sam_security: Couldn't find user 'username' in passdb.
  > [2015/08/04 15:29:45.478026,  2]
  > ../source3/auth/auth.c:288(auth_check_ntlm_password)
  >   check_ntlm_password:  Authentication for user [username] ->
  > [username] FAILED with error NT_STATUS_NO_SUCH_USER
  >
  >
  > I also wonder if I shall still sync the users local, or is it needed?
  >
  > Thanks again,
  >
  > Matt
  >
  > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  >> Hi Matt
  >>
  >> From our smb.conf file:
  >>
  >> [global]
  >>    security = user
  >>    passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
  >>    ldap suffix = dc=my,dc=silly,dc=example,dc=com
  >>    ldap admin dn = cn=Directory Manager
  >>
  >> So yes, we use Directory Manager, it works for us. I have not tried with a
  >> less powerful user, but it is conceivable that a lesser user may not see
  >> all the required attributes, resulting in "no such user" errors.
  >>
  >> Chris
  >>
  >>
  >>
  >>
  >> From:   "Matt ." <yamakasi.014 at gmail.com>
  >> To:     Christopher Lamb/Switzerland/IBM at IBMCH
  >> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >> Date:   04.08.2015 13:32
  >> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>
  >>
  >>
  >> Hi Chris,
  >>
  >> Thanks for the heads up, indeed local is 4 I see now when I add a
  >> group from the GUI, great thanks!
  >>
  >> But do you use Directory Manager as ldap admin user or some other
  >> admin account?
  >>
  >> I'm not sure if DM is needed and it should get that deep into IPA.
  >> Also when starting samba it cannot find "such user" as that sounds
  >> quite known as it has no UID.
  >>
  >> From your config I see you use DM, this should work?
  >>
  >> Thanks!
  >>
  >>
  >> Matt
  >>
  >>
  >
  >
  >
  >
