[Freeipa-users] Ubuntu Samba Server Auth against IPA

Christopher Lamb christopher.lamb at ch.ibm.com
Thu Aug 6 14:09:07 UTC 2015


Hi Matt

As far as I can make out, there are at least 2 viable Samba / FreeIPA
integration paths.

The route I took is suited where there is no Active Directory involved: In
my case all the Windows, OSX and Linux clients are islands that sit on the
same network.

The route that Youenn has taken (unless I have got completely the wrong end
of the stick) requires Active Directory in the architecture.

Chris



From:	"Matt ." <yamakasi.014 at gmail.com>
To:	Youenn PIOLET <piolet.y at gmail.com>
Cc:	Christopher Lamb/Switzerland/IBM at IBMCH,
            "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Date:	06.08.2015 14:42
Subject:	Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi,

OK, this sounds already quite logical, but I'm still referring to the
old howto we found earlier, does that one still apply somewhere or not
at all ?

Thanks,

Matt



2015-08-06 12:23 GMT+02:00 Youenn PIOLET <piolet.y at gmail.com>:
> Hey guys,
>
> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>
> General idea:
>
> On FreeIPA (4.1)
> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
> attribute, also known as SID)
> - regenerate each user password to build ipaNTHash attribute, not here by
> default on users
> - use your ldap browser to check ipaNTHash values are here on user
> objects
> - create a CIFS service for your samba server
> - Create user roles/permissions as described here:
> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> so that CIFS service will be able to read ipaNTsecurityidentifier and
> ipaNTHash attributes in LDAP (ACI)
> - SCP ipasam.so module to your cifs server (this is the magic trick) :
> scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
> You can also try to recompile it.
>
> On SAMBA Server side (CentOS 7...)
> - Install server keytab file for CIFS
> - check ipasam.so is here.
> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
> uid=admin ipaNTHash` thanks to kerberos
> - make your smb.conf following the linked thread and restart service
>
> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
> ipasam may use quite recent functionalities, the best is to just try. You
> can read in previous thread : "If you insist on Ubuntu you need to get
> ipasam somewhere, most likely to compile it yourself".
>
> Make sure your user has ipaNTHash attribute :)
>
> You may want to debug authentication on samba server, I usually do this:
> `tail -f /var/log/samba/log* | grep <username>`
>
> Cheers
> --
> Youenn Piolet
> piolet.y at gmail.com
>
>
> 2015-08-05 17:40 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>
>> Hi,
>>
>> This sounds great to me too, but a howto would help to make it more
>> clear about what you have done here. The thread confuses me a little
>> bit.
>>
>> Can you paste your commands so we can test out too and report back ?
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> > Hi Youenn
>> >
>> > Good news that you have got an integration working
>> >
>> > Now you have got it going, and the solution is fresh in your mind, how
>> > about adding a How-to page on this solution to the FreeIPA wiki?
>> >
>> > Chris
>> >
>> >
>> >
>> > From:   Youenn PIOLET <piolet.y at gmail.com>
>> > To:     "Matt ." <yamakasi.014 at gmail.com>
>> > Cc:     Christopher Lamb/Switzerland/IBM at IBMCH,
>> >             "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> > Date:   05.08.2015 14:51
>> > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> >
>> >
>> >
>> > Hi guys,
>> >
>> > Thank you so much for your previous answers.
>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
>> > ipa-adtrust-install --add-sids
>> >
>> > I found another way to configure smb here:
>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>> >
>> > It works perfectly.
>> >
>> > I'm using module ipasam.so that I have manually scp'd to the samba server,
>> > Samba is set to use kerberos + ldapsam via this ipasam module.
>> > Following the instructions, I created a user role allowing service
>> > principal to read ipaNTHash value from the LDAP.
>> > ipaNTHash is generated each time a user changes his password.
>> > Authentication works perfectly on Windows 7, 8 and 10.
>> >
>> > For more details, the previously linked thread is quite clear.
>> >
>> > Cheers
>> >
>> > --
>> > Youenn Piolet
>> > piolet.y at gmail.com
>> >
>> >
>> > 2015-08-05 11:10 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>> >   Hi Chris.
>> >
>> >   Yes, Apache Studio did that but I was not sure why it complained it
>> >   was "already" there.
>> >
>> >   I'm still getting:
>> >
>> >   IPA Error 4205: ObjectclassViolation
>> >
>> >   missing attribute "sambaGroupType" required by object class
>> >   "sambaGroupMapping"
>> >
>> >   When adding a user.
>> >
>> >   I also see "class" as fieldname under my "Last name", this is not OK
>> >   also.
>> >
>> >
>> >
>> >   We sure need to make some howto, I think we can nail this down :)
>> >
>> >   Thanks for the heads up!
>> >
>> >   Matthijs
>> >
>> >   2015-08-05 7:51 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> >   > Hi Matt
>> >   >
>> >   > If I use Apache Directory Studio to add an attribute ipaCustomFields to
>> >   > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
>> >   > below:
>> >   >
>> >   > #!RESULT OK
>> >   > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>> >   > #!DATE 2015-08-05T05:45:04.608
>> >   > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>> >   > changetype: modify
>> >   > add: ipaCustomFields
>> >   > ipaCustomFields: Samba Group Type,sambagrouptype,true
>> >   >
>> >   > After that I then have a visible attribute ipaCustomFields as expected.
>> >   >
>> >   > When adding the attribute, the wizard offered me "ipaCustomFields" as
>> >   > attribute type in a drop down list.
>> >   >
>> >   > Once we get this cracked, we really must write a how-to on the FreeIPA
>> >   > Wiki.
>> >   >
>> >   > Chris
>> >   >
>> >   >
>> >   >
>> >   > From:   Christopher Lamb/Switzerland/IBM at IBMCH
>> >   > To:     "Matt ." <yamakasi.014 at gmail.com>
>> >   > Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> >   > Date:   05.08.2015 07:31
>> >   > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> >   > Sent by:        freeipa-users-bounces at redhat.com
>> >   >
>> >   >
>> >   >
>> >   > Hi Matt
>> >   >
>> >   > I also got the same result at that step, but can see nothing in Apache
>> >   > Directory Studio.
>> >   >
>> >   > As I am using existing Samba / FreeIPA groups migrated across, they
>> >   > probably were migrated with all the required attributes.
>> >   >
>> >   > Looking more closely at that LDIF: I wonder should it not be:
>> >   >
>> >   > ldapmodify -Y GSSAPI <<EOF
>> >   > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>> >   > changetype: modify
>> >   > add: ipaCustomFields
>> >   > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> >   > EOF
>> >   >
>> >   > i.e. changetype: modify, instead of changetype add ?
>> >   >
>> >   > I don't want to play around with my prod directory - I will setup an EL 7.1
>> >   > VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play around
>> >   > more destructively.
>> >   >
>> >   > Chris
>> >   >
>> >   >
>> >   >
>> >   >
>> >   >
>> >   > From:            "Matt ." <yamakasi.014 at gmail.com>
>> >   > To:              Christopher Lamb/Switzerland/IBM at IBMCH
>> >   > Cc:              Youenn PIOLET <piolet.y at gmail.com>, "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> >   > Date:            05.08.2015 01:01
>> >   > Subject:                 Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> >   >
>> >   >
>> >   >
>> >   > Hi Chris,
>> >   >
>> >   > I'm at the right path, but my issue is that:
>> >   >
>> >   > ldapmodify -Y GSSAPI <<EOF
>> >   > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>> >   > changetype: add
>> >   > add: ipaCustomFields
>> >   > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> >   > EOF
>> >   >
>> >   > Does say it exists, my ldap explorer doesn't show it, and when I add
>> >   > it manually as an attribute it still fails when I add a user on this
>> >   > sambagrouptype as it's needed by the other attributes
>> >   >
>> >   > So that is my issue I think so far.
>> >   >
>> >   > Any clue about that ?
>> >   >
>> >   > No problem "you don't know something or are no guru" we are all
>> >   > learning! :)
>> >   >
>> >   > Cheers,
>> >   >
>> >   > Matt
>> >   >
>> >   >
>> >   > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> >   >> Hi Matt, Youenn
>> >   >>
>> >   >> Just to set the background properly, I did not invent this process. I
>> >   >> know only a little about FreeIPA, and almost nothing about Samba, but I
>> >   >> guess I was lucky enough to get the integration working on a Sunday
>> >   >> afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as a
>> >   >> reference).
>> >   >>
>> >   >> It sounds like we need to step back, and look at the test user and
>> >   >> group in the FreeIPA LDAP tree. I find using an LDAP browser makes this
>> >   >> much easier.
>> >   >>
>> >   >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
>> >   >> (cn=accounts, cn=users):
>> >   >>
>> >   >> * objectClass: sambasamaccount
>> >   >>
>> >   >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>> >   >>
>> >   >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
>> >   >> (cn=accounts, cn=groups):
>> >   >>
>> >   >> * objectClass: sambaGroupMapping
>> >   >>
>> >   >> * Attributes: sambaGroupType, sambaSID
>> >   >>
>> >   >> The Users must belong to one or more of the samba groups that you have
>> >   >> setup.
>> >   >>
>> >   >> If you don't have something similar to the above (which sounds like it
>> >   >> is the case), then something went wrong applying the extensions. It
>> >   >> would be worth testing comparing a new user / group created post adding
>> >   >> the extensions to a previous existing user.
>> >   >>
>> >   >> i.e.
>> >   >> are the extensions missing on existing users / groups?
>> >   >> are the extensions missing on new users / groups?
>> >   >>
>> >   >> Cheers
>> >   >>
>> >   >> Chris
>> >   >>
>> >   >>
>> >   >>
>> >   >>
>> >   >>
>> >   >> From:   Youenn PIOLET <piolet.y at gmail.com>
>> >   >> To:     "Matt ." <yamakasi.014 at gmail.com>
>> >   >> Cc:     Christopher Lamb/Switzerland/IBM at IBMCH,
>> >   >>             "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> >   >> Date:   04.08.2015 18:56
>> >   >> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> >   >>
>> >   >>
>> >   >>
>> >   >> Hi there,
>> >   >>
>> >   >> I have difficulties to follow you at this point :)
>> >   >> Here is what I've done and what I've understood:
>> >   >>
>> >   >> ## SMB Side
>> >   >> - Testparm OK
>> >   >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
>> >   >> - pdbedit -Lv output is all successful but I can see there is a
>> >   >> filter : (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't
>> >   >> have sambaSamAccount.
>> >   >>
>> >   >> ## LDAP / FreeIPA side
>> >   >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
>> >   >> server to get samba LDAP extensions.
>> >   >> - I can see samba classes exist in LDAP but are not used on my group
>> >   >> objects nor my user objects
>> >   >> - I have added sambaSamAccount in FreeIPA default user classes,
>> >   >> and sambaGroupMapping to default group classes. In that state I can't
>> >   >> create user nor groups anymore, as new samba attributes are needed for
>> >   >> instantiation.
>> >   >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
>> >   >> but I don't get what it does.
>> >   >> - I tried to add the samba.js plugin. It works, and adds the "local"
>> >   >> option when creating a group in FreeIPA, supposed to set sambagrouptype to
>> >   >> 4 or 2 (domain). It doesn't work and tells that sambagrouptype attribute
>> >   >> doesn't exist (but it should now I put sambaGroupType class by default...)
>> >   >>
>> >   >> ## Questions
>> >   >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
>> >   >> instead? I guess no.
>> >   >> 1) How to generate the user/group SIDs ? They are requested to add
>> >   >> sambaSamAccount classes.
>> >   >> This article doesn't seem relevant since we don't use domain controller
>> >   >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
>> >   >> and netgetlocalsid returns an error.
>> >   >> 2) How to fix samba.js plugin?
>> >   >> 3) I guess an equivalent of samba.js is needed for user creation, where
>> >   >> can I find it?
>> >   >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
>> >   >> 7?
>> >   >>
>> >   >> Thanks a lot for your previous and future answers
>> >   >>
>> >   >> --
>> >   >> Youenn Piolet
>> >   >> piolet.y at gmail.com
>> >   >>
>> >   >>
>> >   >> 2015-08-04 17:55 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>> >   >>   Hi,
>> >   >>
>> >   >>   Yes, log is anonymised.
>> >   >>
>> >   >>   It's strange, my user doesn't have a SambaPwdLastSet, also when I
>> >   >>   change its password it doesn't get it in ldap.
>> >   >>
>> >   >>   There must be something going wrong I guess.
>> >   >>
>> >   >>   Matt
>> >   >>
>> >   >>   2015-08-04 17:45 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> >   >>   > Hi Matt
>> >   >>   >
>> >   >>   > I assume [username] is a real username, identical to that in the
>> >   >>   > FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log
>> >   >>   > extract).
>> >   >>   >
>> >   >>   > Your user should be a member of the appropriate samba groups that you
>> >   >>   > setup in FreeIPA.
>> >   >>   >
>> >   >>   > You should check that the user attribute SambaPwdLastSet is set to a
>> >   >>   > positive value (e.g. 1). If not you get an error in the Samba logs -
>> >   >>   > I would need to play around again with a test user to find out the
>> >   >>   > exact error.
>> >   >>   >
>> >   >>   > I don't understand what you mean about syncing the users local, but
>> >   >>   > we did not need to do anything like that.
>> >   >>   >
>> >   >>   > Chris
>> >   >>   >
>> >   >>   >
>> >   >>   >
>> >   >>   >
>> >   >>   > From:   "Matt ." <yamakasi.014 at gmail.com>
>> >   >>   > To:     Christopher Lamb/Switzerland/IBM at IBMCH
>> >   >>   > Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> >   >>   > Date:   04.08.2015 15:33
>> >   >>   > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> >   >>   >
>> >   >>   >
>> >   >>   >
>> >   >>   > Hi Chris,
>> >   >>   >
>> >   >>   > A puppet run added another passdb backend, that was causing my
>> >   >>   > issue.
>> >   >>   >
>> >   >>   > What I still experience is:
>> >   >>   >
>> >   >>   >
>> >   >>   > [2015/08/04 15:29:45.477783,  3]
>> >   >>   > ../source3/auth/check_samsec.c:399(check_sam_security)
>> >   >>   >   check_sam_security: Couldn't find user 'username' in passdb.
>> >   >>   > [2015/08/04 15:29:45.478026,  2]
>> >   >>   > ../source3/auth/auth.c:288(auth_check_ntlm_password)
>> >   >>   >   check_ntlm_password:  Authentication for user [username] ->
>> >   >>   > [username] FAILED with error NT_STATUS_NO_SUCH_USER
>> >   >>   >
>> >   >>   >
>> >   >>   > I also wonder if I shall still sync the users local, or is it needed ?
>> >   >>   >
>> >   >>   > Thanks again,
>> >   >>   >
>> >   >>   > Matt
>> >   >>   >
>> >   >>   > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> >   >>   >> Hi Matt
>> >   >>   >>
>> >   >>   >> From our smb.conf file:
>> >   >>   >>
>> >   >>   >> [global]
>> >   >>   >>    security = user
>> >   >>   >>    passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>> >   >>   >>    ldap suffix = dc=my,dc=silly,dc=example,dc=com
>> >   >>   >>    ldap admin dn = cn=Directory Manager
>> >   >>   >>
>> >   >>   >> So yes, we use Directory Manager, it works for us. I have not tried
>> >   >>   >> with a less powerful user, but it is conceivable that a lesser user
>> >   >>   >> may not see all the required attributes, resulting in "no such user"
>> >   >>   >> errors.
>> >   >>   >>
>> >   >>   >> Chris
>> >   >>   >>
>> >   >>   >>
>> >   >>   >>
>> >   >>   >>
>> >   >>   >> From:   "Matt ." <yamakasi.014 at gmail.com>
>> >   >>   >> To:     Christopher Lamb/Switzerland/IBM at IBMCH
>> >   >>   >> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> >   >>   >> Date:   04.08.2015 13:32
>> >   >>   >> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> >   >>   >>
>> >   >>   >>
>> >   >>   >>
>> >   >>   >> Hi Chris,
>> >   >>   >>
>> >   >>   >> Thanks for the heads up, indeed local is 4 I see now when I add a
>> >   >>   >> group from the GUI, great thanks!
>> >   >>   >>
>> >   >>   >> But do you use Directory Manager as ldap admin user or some other
>> >   >>   >> admin account ?
>> >   >>   >>
>> >   >>   >> I'm not sure if DM is needed and it should get that deep into IPA.
>> >   >>   >> Also when starting samba it cannot find "such user" as that sounds
>> >   >>   >> quite known as it has no UID.
>> >   >>   >>
>> >   >>   >> From your config I see you use DM, this should work ?
>> >   >>   >>
>> >   >>   >> Thanks!
>> >   >>   >>
>> >   >>   >>
>> >   >>   >> Matt
>> >   >>   >>
>> >   >>   >>
>> >   >>   >
>> >   >>   >
>> >   >>   >
>> >   >>   >
>> >   >>
>> >   >>   --
>> >   >>   Manage your subscription for the Freeipa-users mailing list:
>> >   >>   https://www.redhat.com/mailman/listinfo/freeipa-users
>> >   >>   Go to http://freeipa.org for more info on the project
>> >   >>
>> >   >>
>> >   >>
>> >   >
>> >   >
>> >   >
>> >   >
>> >   >
>> >   >
>> >   >
>> >   >
>> >
>> >
>> >
>> >
>
>
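Chris's list of the Samba extensions expected on user and group objects (sambaSamAccount with sambaSID, sambaNTPassword and a positive sambaPwdLastSet; sambaGroupMapping with sambaSID and sambaGroupType 2 or 4) and Youenn's "make sure your user has ipaNTHash" check both come down to inspecting LDAP entries. The following is an added example, my own code and not from the thread, FreeIPA or Samba, that audits an LDIF export for either route. It assumes FreeIPA users carry objectClass posixAccount and groups posixGroup, that ldapsearch is run with -LLL so the output is plain LDIF, and (an assumption for the ipasam route) that groups also need an ipaNTSecurityIdentifier; SAMPLE_LDIF, its DNs, SIDs and hash values are constructed.

```python
"""Audit FreeIPA user/group LDIF for the Samba attributes the thread discusses.

Routes: "ldapsam" (sambaSamAccount / sambaGroupMapping with sambaSID,
sambaNTPassword, a positive sambaPwdLastSet, sambaGroupType 2 or 4) and
"ipasam" (ipaNTSecurityIdentifier from ipa-adtrust-install --add-sids, plus
ipaNTHash, which only appears once the password is changed). Input is LDIF as
`ldapsearch -Y GSSAPI -LLL` prints it; SAMPLE_LDIF below is constructed."""
import re
from typing import Dict, List

# "name: value" or "name:: base64" (ipaNTHash is binary, so always base64;
# it is kept encoded because only its presence matters here).
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

# (required objectClass or None, required attributes) per entry kind and route
REQUIRED = {
    ("user", "ldapsam"): ("sambaSamAccount", {"sambasid", "sambantpassword", "sambapwdlastset"}),
    ("group", "ldapsam"): ("sambaGroupMapping", {"sambasid", "sambagrouptype"}),
    ("user", "ipasam"): (None, {"ipantsecurityidentifier", "ipanthash"}),
    ("group", "ipasam"): (None, {"ipantsecurityidentifier"}),  # assumption: groups need a SID too
}

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfold continuation lines (leading space), split
    entries on blank lines, lower-case attribute names, keep multi-values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation of the previous line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            m = ATTR_RE.match(line)
            if m:
                current.setdefault(m.group(1).lower(), []).append(m.group(3))
    return entries

def audit(entry: Dict[str, List[str]], kind: str, route: str) -> List[str]:
    """List what one entry lacks for `route`; an empty list means ready."""
    cls, attrs = REQUIRED[(kind, route)]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = [f"missing objectClass {cls}"] if cls and cls.lower() not in classes else []
    problems += [f"missing attribute {a}" for a in sorted(attrs) if a not in entry]
    # Value checks from the thread: sambaPwdLastSet must be positive,
    # sambaGroupType is 2 (domain) or 4 (local).
    last_set = entry.get("sambapwdlastset", [None])[0]
    if last_set is not None and not (last_set.isdigit() and int(last_set) > 0):
        problems.append("sambaPwdLastSet is not a positive value")
    gtype = entry.get("sambagrouptype", [None])[0]
    if gtype is not None and gtype not in ("2", "4"):
        problems.append("sambaGroupType should be 2 (domain) or 4 (local)")
    return problems

def run_audit(ldif_text: str, route: str) -> Dict[str, List[str]]:
    """Map every posixAccount / posixGroup DN to its problem list for `route`."""
    if route not in ("ldapsam", "ipasam"):
        raise ValueError("route must be 'ldapsam' or 'ipasam'")
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        kind = "user" if "posixaccount" in classes else "group" if "posixgroup" in classes else None
        if kind:
            report[entry.get("dn", ["?"])[0]] = audit(entry, kind, route)
    return report

# Constructed sample: alice is ready for both routes, bob never changed his
# password after --add-sids (SID but no ipaNTHash) and has no ldapsam extensions,
# devs lacks the group mapping. bob's SID is folded to exercise unfolding.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
ipaNTHash:: AAECAwQFBgcICQoLDA0ODw==
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001
sambaNTPassword: 000102030405060708090A0B0C0D0E0F
sambaPwdLastSet: 1438700000

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-100
 2

dn: cn=smbusers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-2001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2001
sambaGroupType: 2

dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
"""

if __name__ == "__main__":
    for route in ("ldapsam", "ipasam"):
        for dn, problems in run_audit(SAMPLE_LDIF, route).items():
            print(f"[{route}] {dn}: {'ready' if not problems else '; '.join(problems)}")
```

To run it against a live directory, capture `ldapsearch -Y GSSAPI -LLL -b cn=accounts,<base DN>` (the Kerberos-authenticated search the thread already uses, with -LLL to get plain LDIF) into a file and pass its contents to run_audit with "ipasam" or "ldapsam"; any user listed with "missing attribute ipanthash" is one whose password has not been changed since ipa-adtrust-install, which is exactly the state the thread keeps tripping over.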
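Youenn's debugging tip is to tail the Samba logs and grep for the user, and Matt's extract shows what NT_STATUS_NO_SUCH_USER looks like there. As an added example (my own code, not from the thread or from Samba), this script parses the same log format offline and groups failures by user and NT_STATUS code, attaching the explanation the thread arrived at for NO_SUCH_USER. It assumes Samba's usual record layout, the "[date, level] file:line(func)" header on one line with the message indented below it (the mail archive wrapped those lines); SAMPLE_LOG is constructed: the first two records are the thread's, the later two are invented, with a made-up source line number, to show a second status and a success.

```python
"""Triage Samba authentication failures from a log extract, offline.

Records look like "[date, level] file:line(func)" followed by indented message
lines. Failures are counted per user and NT_STATUS code and paired with a
hint. SAMPLE_LOG is constructed: records 1-2 are the thread's, 3-4 invented."""
import re
import sys
from collections import Counter
from typing import Dict, List, Tuple

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<where>\S*)")
FAIL_RE = re.compile(
    r"authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] FAILED with error "
    r"(?P<status>NT_STATUS_\w+)", re.IGNORECASE)
OK_RE = re.compile(
    r"authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] -> \[[^\]]*\] succeeded",
    re.IGNORECASE)

HINTS = {
    # what the thread found behind this status
    "NT_STATUS_NO_SUCH_USER": "passdb backend cannot see the user: check the passdb "
        "backend line in smb.conf and that the LDAP entry carries the Samba "
        "attributes (sambaSamAccount, or ipaNTHash for ipasam)",
    # general Samba meaning, not from the thread
    "NT_STATUS_WRONG_PASSWORD": "user found but the credential did not match",
}

def parse_samba_log(text: str) -> List[Dict[str, str]]:
    """Group each header line with the indented message lines that follow it."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.startswith(" "):
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def auth_events(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One event per authentication attempt: timestamp, user, result, status."""
    events = []
    for r in records:
        m = FAIL_RE.search(r["msg"])
        if m:
            events.append({"ts": r["ts"], "user": m.group("user"),
                           "result": "FAILED", "status": m.group("status")})
            continue
        m = OK_RE.search(r["msg"])
        if m:
            events.append({"ts": r["ts"], "user": m.group("user"),
                           "result": "succeeded", "status": "NT_STATUS_OK"})
    return events

def summarize(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count failures per (user, NT_STATUS); successes are left out."""
    return Counter((e["user"], e["status"]) for e in events if e["result"] == "FAILED")

def hint(status: str) -> str:
    return HINTS.get(status, "no hint recorded for this status")

# Constructed sample (records 3 and 4 invented; source line 300 is made up).
SAMPLE_LOG = """\
[2015/08/04 15:29:45.477783,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/08/04 15:30:02.000000,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/08/04 15:30:10.000000,  2] ../source3/auth/auth.c:300(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded
"""

if __name__ == "__main__":
    # usage: python samba_auth_triage.py /var/log/samba/log.<client>   (default: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (user, status), n in sorted(summarize(auth_events(parse_samba_log(text))).items()):
        print(f"{user}: {n} x {status} -- {hint(status)}")
```

The split into parse_samba_log and auth_events is deliberate: the first keeps every record (the "Couldn't find user ... in passdb" line at level 3 is context, not an event), the second only extracts outcomes, so a user whose failures are all NT_STATUS_NO_SUCH_USER points at the passdb backend or missing LDAP attributes rather than at a bad password.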






