[Freeipa-users] Ubuntu Samba Server Auth against IPA

Christopher Lamb christopher.lamb at ch.ibm.com
Wed Aug 5 13:18:27 UTC 2015


Hi Youenn

Good news that you have got an integration working

Now you have got it going, and the solution is fresh in your mind, how
about adding a How-to page on this solution to the FreeIPA wiki?

Chris



From:	Youenn PIOLET <piolet.y at gmail.com>
To:	"Matt ." <yamakasi.014 at gmail.com>
Cc:	Christopher Lamb/Switzerland/IBM at IBMCH,
            "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Date:	05.08.2015 14:51
Subject:	Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi guys,

Thank you so much for your previous answers.
I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
ipa-adtrust-install --add-sids

I found another way to configure smb here:
http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
It works perfectly.

I'm using the ipasam.so module, which I manually scp'd to the samba server;
Samba is set to use kerberos + ldapsam via this ipasam module.
Following the instructions, I created a user role allowing the service
principal to read the ipaNTHash value from the LDAP.
ipaNTHash values are generated each time a user changes his password.
Authentication works perfectly on Windows 7, 8 and 10.

For more details, the previously linked thread is quite clear.

Cheers

--
Youenn Piolet
piolet.y at gmail.com


2015-08-05 11:10 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
  Hi Chris.

  Yes, Apache Studio did that but I was not sure why it complained it
  was "already" there.

  I'm still getting:

  IPA Error 4205: ObjectclassViolation

  missing attribute "sambaGroupType" required by object class
  "sambaGroupMapping"

  When adding a user.

  I also see "class" as field name under my "Last name", this is not OK either.



  We sure need to make some howto, I think we can nail this down :)

  Thanks for the heads up!

  Matthijs

  2015-08-05 7:51 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  > Hi Matt
  >
  > If I use Apache Directory Studio to add an attribute ipaCustomFields to
  > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
  > below:
  >
  > #!RESULT OK
  > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
  > #!DATE 2015-08-05T05:45:04.608
  > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
  > changetype: modify
  > add: ipaCustomFields
  > ipaCustomFields: Samba Group Type,sambagrouptype,true
  >
  > After that I then have a visible attribute ipaCustomFields as expected.
  >
  > When adding the attribute, the wizard offered me "ipaCustomFields" as
  > attribute type in a drop down list.
  >
  > Once we get this cracked, we really must write a how-to on the FreeIPA
  > Wiki.
  >
  > Chris
  >
  >
  >
  > From:   Christopher Lamb/Switzerland/IBM at IBMCH
  > To:     "Matt ." <yamakasi.014 at gmail.com>
  > Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  > Date:   05.08.2015 07:31
  > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  > Sent by:        freeipa-users-bounces at redhat.com
  >
  >
  >
  > Hi Matt
  >
  > I also got the same result at that step, but can see nothing in Apache
  > Directory Studio.
  >
  > As I am using existing Samba / FreeIPA groups migrated across, they
  > probably were migrated with all the required attributes.
  >
  > Looking more closely at that LDIF: I wonder should it not be:
  >
  > ldapmodify -Y GSSAPI <<EOF
  > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
  > changetype: modify
  > add: ipaCustomFields
  > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
  > EOF
  >
  > i.e. changetype: modify, instead of changetype add ?
  >
  > I don't want to play around with my prod directory - I will set up an EL
  > 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play
  > around more destructively.
  >
  > Chris
  >
  >
  >
  >
  >
  > From:            "Matt ." <yamakasi.014 at gmail.com>
  > To:              Christopher Lamb/Switzerland/IBM at IBMCH
  > Cc:              Youenn PIOLET <piolet.y at gmail.com>,
  >                  "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  > Date:            05.08.2015 01:01
  > Subject:         Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >
  >
  >
  > Hi Chris,
  >
  > I'm at the right path, but my issue is that:
  >
  > ldapmodify -Y GSSAPI <<EOF
  > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
  > changetype: add
  > add: ipaCustomFields
  > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
  > EOF
  >
  > Does say it exists, my ldap explorer doesn't show it, and when I add
  > it manually as an attribute it still fails when I add a user on this
  > sambagrouptype as it's needed by the other attributes
  >
  > So that is my issue I think so far.
  >
  > Any clue about that ?
  >
  > No problem "you don't know something or are no guru" we are all
  > learning! :)
  >
  > Cheers,
  >
  > Matt
  >
  >
  > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <
  christopher.lamb at ch.ibm.com>:
  >> Hi Matt, Youeen
  >>
  >> Just to set the background properly, I did not invent this process. I
  > know
  >> only a little about FreeIPA, and almost nothing about Samba, but I
  guess
  > I
  >> was lucky enough to get the integration working on a Sunday afternoon.
  (I
  >> did have an older FreeIPA 3.x / Samba 3.x installation as a
  reference).
  >>
  >> It sounds like we need to step back, and look at the test user and
  group
  > in
  >> the FreeIPA LDAP tree. I find using an LDAP browser makes this much
  > easier.
  >>
  >> My FreeIPA / Samba Users have the following Samba extensions in
  >> FreeIPA (cn=accounts, cn=users):
  >>
  >> * objectClass: sambasamaccount
  >>
  >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
  >>
  >> My FreeIPA / Samba Groups have the following Samba extensions in
  >> FreeIPA (cn=accounts, cn=groups):
  >>
  >> * objectClass: sambaGroupMapping
  >>
  >> * Attributes: sambaGroupType, sambaSID
  >>
  >> The Users must belong to one or more of the samba groups that you have
  >> set up.
  >>
  >> If you don't have something similar to the above (which sounds like it
  >> is the case), then something went wrong applying the extensions. It
  >> would be worth testing comparing a new user / group created post adding
  >> the extensions to a previous existing user.
  >>
  >> i.e.
  >> are the extensions missing on existing users / groups?
  >> are the extensions missing on new users / groups?
  >>
  >> Cheers
  >>
  >> Chris
  >>
  >>
  >>
  >>
  >>
  >> From:   Youenn PIOLET <piolet.y at gmail.com>
  >> To:     "Matt ." <yamakasi.014 at gmail.com>
  >> Cc:     Christopher Lamb/Switzerland/IBM at IBMCH,
  >>         "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >> Date:   04.08.2015 18:56
  >> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>
  >>
  >>
  >> Hi there,
  >>
  >> I have difficulty following you at this point :)
  >> Here is what I've done and what I've understood:
  >>
  >> ## SMB Side
  >> - Testparm OK
  >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
  >> - pdbedit -Lv output is all successful but I can see there is a
  >> filter: (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users
  >> don't have sambaSamAccount.
  >>
  >> ## LDAP / FreeIPA side
  >> - Since the SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
  >> server to get the samba LDAP extensions.
  >> - I can see samba classes exist in LDAP but are not used on my group
  >> objects nor my user objects
  >> - I have added sambaSamAccount to the FreeIPA default user classes,
  >> and sambaGroupMapping to the default group classes. In that state I can't
  >> create users or groups anymore, as the new samba attributes are needed
  >> for instantiation.
  >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
  >> but I don't get what it does.
  >> - I tried to add the samba.js plugin. It works, and adds the "local"
  >> option when creating a group in FreeIPA, supposed to set sambagrouptype
  >> to 4 or 2 (domain). It doesn't work and tells that the sambagrouptype
  >> attribute doesn't exist (but it should now that I put sambaGroupType
  >> class by default...)
  >>
  >> ## Questions
  >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
  >> instead? I guess no.
  >> 1) How to generate the user/group SIDs? They are requested to add
  >> sambaSamAccount classes.
  >> This article doesn't seem relevant since we don't use a domain
  >> controller
  >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
  >> and netgetlocalsid returns an error.
  >> 2) How to fix the samba.js plugin?
  >> 3) I guess an equivalent of samba.js is needed for user creation, where
  >> can I find it?
  >> 4) Is your setup working with Windows 8 / Windows 10 and not only
  >> Windows 7?
  >>
  >> Thanks a lot for your previous and future answers
  >>
  >> --
  >> Youenn Piolet
  >> piolet.y at gmail.com
  >>
  >>
  >> 2015-08-04 17:55 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
  >>   Hi,
  >>
  >>   Yes, log is anonymised.
  >>
  >>   It's strange, my user doesn't have a SambaPwdLastSet, also when I
  >>   change its password it doesn't get it in ldap.
  >>
  >>   There must be something going wrong I guess.
  >>
  >>   Matt
  >>
  >>   2015-08-04 17:45 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  >>   > Hi Matt
  >>   >
  >>   > I assume [username] is a real username, identical to that in the
  >>   > FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log
  >>   > extract).
  >>   >
  >>   > Your user should be a member of the appropriate samba groups that
  >>   > you set up in FreeIPA.
  >>   >
  >>   > You should check that the user attribute SambaPwdLastSet is set to
  >>   > a positive value (e.g. 1). If not you get an error in the Samba logs
  >>   > - I would need to play around again with a test user to find out
  >>   > the exact error.
  >>   >
  >>   > I don't understand what you mean about syncing the users local, but
  >>   > we did not need to do anything like that.
  >>   >
  >>   > Chris
  >>   >
  >>   >
  >>   >
  >>   >
  >>   > From:   "Matt ." <yamakasi.014 at gmail.com>
  >>   > To:     Christopher Lamb/Switzerland/IBM at IBMCH
  >>   > Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >>   > Date:   04.08.2015 15:33
  >>   > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>   >
  >>   >
  >>   >
  >>   > Hi Chris,
  >>   >
  >>   > A puppet run added another passdb backend, that was causing my
  >>   > issue.
  >>   >
  >>   > What I still experience is:
  >>   >
  >>   >
  >>   > [2015/08/04 15:29:45.477783,  3]
  >>   > ../source3/auth/check_samsec.c:399(check_sam_security)
  >>   >   check_sam_security: Couldn't find user 'username' in passdb.
  >>   > [2015/08/04 15:29:45.478026,  2]
  >>   > ../source3/auth/auth.c:288(auth_check_ntlm_password)
  >>   >   check_ntlm_password:  Authentication for user [username] ->
  >>   > [username] FAILED with error NT_STATUS_NO_SUCH_USER
  >>   >
  >>   >
  >>   > I also wonder if I shall still sync the users local, or is it
  >>   > needed ?
  >>   >
  >>   > Thanks again,
  >>   >
  >>   > Matt
  >>   >
  >>   > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  >>   >> Hi Matt
  >>   >>
  >>   >> From our smb.conf file:
  >>   >>
  >>   >> [global]
  >>   >>    security = user
  >>   >>    passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
  >>   >>    ldap suffix = dc=my,dc=silly,dc=example,dc=com
  >>   >>    ldap admin dn = cn=Directory Manager
  >>   >>
  >>   >> So yes, we use Directory Manager, it works for us. I have not
  >>   >> tried with a less powerful user, but it is conceivable that a
  >>   >> lesser user may not see all the required attributes, resulting in
  >>   >> "no such user" errors.
  >>   >>
  >>   >> Chris
  >>   >>
  >>   >>
  >>   >>
  >>   >>
  >>   >> From:   "Matt ." <yamakasi.014 at gmail.com>
  >>   >> To:     Christopher Lamb/Switzerland/IBM at IBMCH
  >>   >> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >>   >> Date:   04.08.2015 13:32
  >>   >> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>   >>
  >>   >>
  >>   >>
  >>   >> Hi Chris,
  >>   >>
  >>   >> Thanks for the heads up, indeed local is 4 I see now when I add a
  >>   >> group from the GUI, great thanks!
  >>   >>
  >>   >> But do you use Directory Manager as ldap admin user or some other
  >>   >> admin account ?
  >>   >>
  >>   >> I'm not sure if DM is needed and it should get that deep into
  >>   >> IPA.
  >>   >> Also when starting samba it cannot find "such user" as that
  >>   >> sounds quite known as it has no UID.
  >>   >>
  >>   >> From your config I see you use DM, this should work ?
  >>   >>
  >>   >> Thanks!
  >>   >>
  >>   >>
  >>   >> Matt
  >>   >>
  >>   >>
  >>   >
  >>   >
  >>   >
  >>   >
  >>
  >>   --
  >>   Manage your subscription for the Freeipa-users mailing list:
  >>   https://www.redhat.com/mailman/listinfo/freeipa-users
  >>   Go to http://freeipa.org for more info on the project
  >>
  >>
  >>

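Added example (not code from this thread, nor from the FreeIPA or Samba projects): an offline check for the two problems the thread circles around. It parses plain-text LDIF, flags a change record that says `changetype: add` while carrying `add:` operation lines (the record Matt posted; Chris's point is that extending an existing entry needs `changetype: modify`), and audits user and group entries the way Samba's ldapsam backend sees them: the pdbedit filter (&(uid=*)(objectclass=sambaSamAccount)) from Youenn's output, the required attributes the thread names for sambaGroupMapping and sambaSamAccount (sambaGroupType from the ObjectclassViolation, sambaSID from Chris's list; the REQUIRED table is an assumption limited to those and is not the full samba.schema), and Chris's advice that sambaPwdLastSet must be positive. The sample entries, SIDs and the dc=example,dc=test suffix are constructed for the example.

```python
"""Offline LDIF checks for the Samba/FreeIPA ldapsam integration from the thread.

Added example, not code from the thread or from the FreeIPA/Samba projects.
Plain-text LDIF only: base64 ("::") values and the "-" separators between
several modify operations in one record are not handled.
"""

# Required attributes per Samba auxiliary class, limited to the attributes the
# thread names (ASSUMPTION for the example; the real samba.schema lists more).
REQUIRED = {
    "sambasamaccount": {"sambasid"},
    "sambagroupmapping": {"sambasid", "sambagrouptype"},
}
MODIFY_OPS = {"add", "delete", "replace"}


def parse_ldif(text):
    """Parse LDIF records into dicts of lowercased attribute -> list of values.

    Continuation lines (leading space) are unfolded, comments are skipped and a
    blank line ends a record. Works for both entries and change records.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def check_change_record(rec):
    """Problems with a change record: the changetype must match the operations.

    'changetype: add' creates a new entry, so combined with 'add: <attr>' on a
    DN that already exists it is wrong; extending an entry needs 'modify'.
    """
    problems = []
    changetype = rec.get("changetype", ["add"])[0].lower()  # LDIF default is add
    ops = MODIFY_OPS & set(rec)
    if changetype == "add" and ops:
        problems.append("changetype is 'add' but the record carries modify "
                        f"operations {sorted(ops)}; use 'changetype: modify'")
    if changetype == "modify" and not ops:
        problems.append("changetype is 'modify' but no add/delete/replace given")
    return problems


def matches_ldapsam_user_filter(entry):
    """Evaluate the filter pdbedit showed: (&(uid=*)(objectclass=sambaSamAccount))."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return bool(entry.get("uid")) and "sambasamaccount" in classes


def check_entry(entry):
    """Report why the directory or Samba's ldapsam backend would reject this entry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = []
    # Schema view: the check the directory server makes (ObjectclassViolation).
    for cls, must in REQUIRED.items():
        if cls in classes:
            for attr in sorted(must - set(entry)):
                problems.append(f"missing attribute '{attr}' required by "
                                f"object class '{cls}'")
    # Samba view: a POSIX user that does not match the passdb filter is
    # invisible to Samba, which surfaces as NT_STATUS_NO_SUCH_USER at logon.
    if "posixaccount" in classes and not matches_ldapsam_user_filter(entry):
        problems.append("user does not match the ldapsam filter (needs uid and "
                        "objectClass sambaSamAccount): expect NT_STATUS_NO_SUCH_USER")
    if "sambasamaccount" in classes:
        try:
            last_set = int(entry.get("sambapwdlastset", ["0"])[0])
        except ValueError:
            last_set = 0
        if last_set <= 0:
            problems.append("sambaPwdLastSet missing or not positive")
    if "posixgroup" in classes and "sambagroupmapping" not in classes:
        problems.append("group lacks sambaGroupMapping")
    return problems


def audit(ldif_text):
    """Map each DN to its list of problems (empty list means ready for ldapsam)."""
    return {rec["dn"][0]: check_entry(rec) for rec in parse_ldif(ldif_text)}


# Constructed samples: the change record with the wrong changetype, a user that
# was never extended, a correctly extended user, and a group missing
# sambaGroupType. SIDs and the suffix are made up for the example.
SAMPLE_CHANGE = """\
dn: cn=ipaconfig,cn=etc,dc=example,dc=test
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
"""

SAMPLE_ENTRIES = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: alice
uidNumber: 10001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1-2-3-1001
sambaPwdLastSet: 1

dn: cn=smbusers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smbusers
gidNumber: 20001
sambaSID: S-1-5-21-1-2-3-2001
"""

if __name__ == "__main__":
    for problem in check_change_record(parse_ldif(SAMPLE_CHANGE)[0]):
        print("change record:", problem)
    for dn, problems in audit(SAMPLE_ENTRIES).items():
        print(dn, "->", "; ".join(problems) or "OK")
```

To use it on a real directory, feed `audit()` the output of an `ldapsearch -LLL` over cn=users and cn=groups under cn=accounts; run the search as a bind identity that can read the Samba attributes but nothing more, in the spirit of the dedicated role Youenn ended up granting to the service principal rather than the Directory Manager credentials in the smb.conf quoted earlier.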