
[Samba] OpenSSH auth in SAMBA4 LDAP


Bruno Vane

Aug 25, 2013, 3:30:02 AM
Hi,

I have some Ubuntu LTS servers running openssh server, authenticating against an
external openldap. I installed a new Ubuntu LTS server with Samba4 to
create a domain and it is working very well. I managed to make a pfsense
firewall authenticate users against this Samba4 LDAP. How do I make openssh in
Ubuntu authenticate users against the Samba4 LDAP?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Marc Muehlfeld

Aug 25, 2013, 3:50:01 AM
Hello Bruno,

On 25.08.2013 09:27, Bruno Vane wrote:
> I have some Ubuntu LTS servers running openssh server authenticating to
> external openldap. I installed a new Ubuntu LTS server with Samba4 to
> create a domain and is working very well. I managed to make a pfsense
> firewall authenticate users in this Samba4 ldap. How to make openssh in
> Ubuntu authenticate users in Samba4 ldap?

Have you already looked here:

http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD


http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Secure_passwordless_SSH



Regards,
Marc

Bruno Vane

Aug 25, 2013, 4:30:02 PM
Hello Marc,

Yes, I read these sections, but I want something different. Users will be in
the AD domain (Samba 4) and will connect to an "entry" SSH server, and from
this server they can access other SSH servers on the network. All SSH
servers are configured with /etc/hosts.allow to allow SSH connections only
from this "entry" SSH server. These Ubuntu servers running SSH will not be
joined to the AD domain, only the users of the network. Is this possible?


2013/8/25 Marc Muehlfeld <sa...@marc-muehlfeld.de>


--

Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu

www.zamix.com.br | www.superonda.com.br

Marc Muehlfeld

Aug 26, 2013, 4:50:04 AM
Hello Bruno,

On 25.08.2013 22:26, Bruno Vane wrote:
> Yes I read these sections, but I want something different. Users will
> join on AD domain (Samba 4) and will connect to an "entry" SSH server,
> and from this server they can access other SSH servers on the network.
> All SSH servers are configured with /etc/hosts.allow to allow SSH
> connections only from this "entry" SSH server. This Ubuntu servers
> running SSH will not join in the AD domain, only users of the network.
> Is this possible?

I think this shouldn't matter. You can configure the "entry" host with
nslcd to retrieve the account information via LDAP from AD and pam_ldap
to authenticate against AD (without needing to join the machine to the
domain).

Then you have the other hosts. These you can authenticate in the same
way, if they are not joined to the domain, or you join them and the
authentication is done through winbind.




For nslcd you can use the following config (you must create a bind
account in your domain for that first):

#Mappings for Active Directory
pagesize 1000
referrals off

# Passwd
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID

# Shadow
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

# Groups
filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
map group uniqueMember member

# Local account, nslcd runs under
uid nslcd
gid ldap

# LDAP server settings
uri ldap://127.0.0.1:389/
base dc=SAMDOM,dc=example,dc=com

# Account in AD that is used from Nslcd to bind to the directory
binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx



You find the pam_ldap config here:
https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD




Regards,
Marc

Bruno Vane

Aug 26, 2013, 8:20:01 AM
Thank you Marc,

I will try this configuration. For this to work, do I need an openLDAP proxy?


2013/8/26 Marc Muehlfeld <sa...@marc-muehlfeld.de>




Marc Muehlfeld

Aug 26, 2013, 9:20:02 AM
On 26.08.2013 14:10, Bruno Vane wrote:
> I will try this configuration. For this to work I need openLDAP proxy?

No. You can access AD via LDAP directly.

Bruno Vane

Aug 26, 2013, 10:20:02 AM
Marc, sorry to bother you with this, but I cannot access an SSH server
using these settings.
Could you take a look, if you have time, to find out whether my settings are wrong?

When I do "ssh -l nslcd-connect" (or any other user) to the server, I get
this in /var/log/auth.log:

Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from MY_MACHINE
Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user nslcd-connect [preauth]
Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user unknown
Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user nslcd-connect from MY_MACHINE port 51004 ssh2
Aug 26 11:09:25 ldap sshd[4642]: Connection closed by MY_MACHINE [preauth]


============> This is my samba4 server LDAP test:
root@samba:~# ldapsearch -U nslcd-connect -h localhost -b DC=corporativo,DC=mydomain,DC=net "cn=nslcd-connect" distinguishedName
SASL/NTLM authentication started
Please enter your password:
SASL username: nslcd-connect
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <DC=corporativo,DC=mydomain,DC=net> with scope subtree
# filter: cn=nslcd-connect
# requesting: distinguishedName
#

# nslcd-connect, Users, corporativo.sodobrasil.net.br
dn: CN=nslcd-connect,CN=Users,DC=corporativo,DC=mydomain,DC=net
distinguishedName: CN=nslcd-connect,CN=Users,DC=corporativo,DC=mydomain,DC=net

# search reference
ref: ldap://corporativo.sodobrasil.net.br/CN=Configuration,DC=corporativo,DC=mydomain,DC=net

# search reference
ref: ldap://corporativo.sodobrasil.net.br/DC=DomainDnsZones,DC=corporativo,DC=mydomain,DC=net

# search reference
ref: ldap://corporativo.sodobrasil.net.br/DC=ForestDnsZones,DC=corporativo,DC=mydomain,DC=net

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

=============== > This is /etc/nslcd.conf
#Mappings for Active Directory
pagesize 1000
referrals off

# Passwd
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID

# Shadow
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

# Groups
filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
#map group uniqueMember member

# Local account, nslcd runs under
uid nslcd
gid nslcd

# LDAP server settings
uri ldap://IP_OF_SAMBA_SERVER
base dc=corporativo,dc=mydomain,dc=net

# Account in AD that is used from Nslcd to bind to the directory
#binddn cn=teste,cn=Users,dc=corporativo,dc=mydomain,dc=net
binddn CN=nslcd-connect,CN=Users,DC=corporativo,dc=mydomain,dc=net
bindpw nslcd-connect_password


=================> This is /usr/share/libpam-ldap/ldap.conf
base DC=corporativo,dc=mydomain,dc=net
binddn cn=nslcd-connect,cn=Users,DC=corporativo,dc=mydomain,dc=net
bindpw mudar123
bind_policy soft
pam_login_attribute sAMAccountName
uri ldap://IP_OF_SAMBA_SERVER
ssl no


2013/8/26 Marc Muehlfeld <sa...@marc-muehlfeld.de>

> Am 26.08.2013 14:10, schrieb Bruno Vane:
>
> I will try this configuration. For this to work I need openLDAP proxy?
>>
>
> No. You can access AD via LDAP direclty.
>
>



Marc Muehlfeld

Aug 26, 2013, 1:10:02 PM
On 26.08.2013 16:11, Bruno Vane wrote:
> Marc, sorry to bother you with this, but I can not access a SSH server
> using these settings.
> Could you take a look if you have time to find out if my settings are wrong?
>
> When I do a "ssh -l nslcd-connect" (or any other user) to the server, i
> got this in /var/log/auth.log:
>
> Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from MY_MACHINE
> Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user
> nslcd-connect [preauth]
> Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user
> unknown
> Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't
> contact LDAP server
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't
> contact LDAP server
> Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user
> nslcd-connect from MY_MACHINE port 51004 ssh2
> Aug 26 11:09:25 ldap sshd[4642]: Connection closed by MY_MACHINE [preauth]

You don't connect with the "nslcd-connect" account via ssh to the
server. Each user connects with his/her domain account.

You need this account (nslcd-connect) in your AD to allow nslcd to
connect to your directory (you can give it any name you want, of
course), because Samba/AD doesn't allow anonymous bind.

These are the steps you do:
- Create a new account (I named it nslcd-connect) in your AD
- Put the account's DN + password in your nslcd.conf
- Restart nslcd
- Add "ldap" to the following three lines in your /etc/nsswitch.conf
(sorry, I forgot this in my previous post):
passwd: files ldap
shadow: files ldap
group: files ldap
- Now you should be able to see all accounts (the local and domain
accounts) when you type
# getent passwd
- If you don't see the domain accounts, add "acl:search = no" to the
[global] section of your smb.conf and restart Samba. (Workaround for bug
#9788)
- If there's nothing else preventing it (missing home, missing keyfile,
etc.), you should now be able to log in via ssh with
# ssh -l {domainusername} {entryservername}
The domainusername is the attribute that is mapped in nslcd.conf to
uid (if you use my nslcd.conf example, the domainusername is what stands
in the AD attribute sAMAccountName).






> ============> This is my samba4 server LDAP test:
> root@samba:~# ldapsearch -U nslcd-connect -h localhost -b
> DC=corporativo,DC=mydomain,DC=net "cn=nslcd-connect" distinguishedName

If you let ldapsearch search for all attributes mentioned in nslcd.conf
(sAMAccountName, unixHomeDirectory, etc.) and you don't get results for
all of them, you need the workaround for bug #9788 (see above) or these
attributes are not filled in AD.




I'm currently still working on a HowTo about sssd, nslcd and winbind,
which would contain all of this in much more detail. But I have had too
little time at the moment to finish it yet. Maybe next week it will be
done and published in the Wiki.



Regards,
Marc
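A triage helper for the auth.log symptoms discussed above, written as an added example (not code from this thread, Samba or nslcd): it groups sshd lines by process id and maps each symptom to the check Marc describes ("Invalid user" means NSS never resolved the name, "Can't contact LDAP server" means pam_ldap never reached the directory). The log lines are constructed from the excerpt Bruno posted, with placeholder addresses.

```python
import re

# Constructed sample modelled on the auth.log excerpt quoted in this thread
# (addresses and the last two sessions are made up, not real captures).
SAMPLE_AUTH_LOG = """\
Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from 192.0.2.10
Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user nslcd-connect [preauth]
Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user unknown
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user nslcd-connect from 192.0.2.10 port 51004 ssh2
Aug 26 11:15:02 ldap sshd[4710]: Accepted password for bruno.vane from 192.0.2.10 port 51010 ssh2
Aug 26 11:20:40 ldap sshd[4801]: Failed password for bruno.vane from 198.51.100.7 port 40022 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# login name and peer address as sshd prints them in the three message shapes used here
WHO_RE = re.compile(
    r"(?:[Ii]nvalid user|Accepted \S+ for|Failed password for(?: invalid user)?) (?P<user>\S+)"
    r"(?: from (?P<rhost>\S+))?")

# (substring, finding code, what the thread says it points at); first match per line wins,
# so a "Failed password for invalid user" line counts as the NSS problem, not a bad password.
SYMPTOMS = [
    ("invalid user", "nss_unknown_user",
     "sshd could not resolve the login name via NSS: check that /etc/nsswitch.conf has "
     "'passwd: files ldap' and that 'getent passwd <user>' returns the account"),
    ("Can't contact LDAP server", "ldap_unreachable",
     "pam_ldap never reached the directory: check uri/base in the pam_ldap ldap.conf "
     "and that the DC is reachable from the entry host"),
    ("Accepted ", "accepted", "login succeeded"),
    ("Failed password for ", "bad_password",
     "account resolved and directory reachable; the password itself was rejected"),
]


def classify_line(msg):
    """Return the finding code for one sshd message, or None if it is noise."""
    for needle, code, _ in SYMPTOMS:
        if needle.lower() in msg.lower():
            return code
    return None


def triage_auth_log(text):
    """Group sshd lines by process id (one sshd child per connection) and collect
    the distinct findings per session, in the order they appeared."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {"user": None, "rhost": None, "findings": []})
        who = WHO_RE.search(m["msg"])
        if who:
            s["user"] = s["user"] or who["user"]
            s["rhost"] = s["rhost"] or who["rhost"]
        code = classify_line(m["msg"])
        if code and code not in s["findings"]:
            s["findings"].append(code)
    return sessions


def explain(findings):
    """Map finding codes to the fix-up hints from this thread."""
    hints = {code: hint for _, code, hint in SYMPTOMS}
    return [hints[c] for c in findings]


if __name__ == "__main__":
    for pid, s in triage_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"sshd[{pid}] user={s['user']} from={s['rhost']}: {', '.join(s['findings'])}")
        for hint in explain(s["findings"]):
            print("   ->", hint)
```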

steve

Aug 26, 2013, 1:30:01 PM
On Mon, 2013-08-26 at 19:09 +0200, Marc Muehlfeld wrote:

> passwd: files ldap
> shadow: files ldap
> group: files ldap

@marc
Just curious, but why are you trying to pull shadow from the directory?

Marc Muehlfeld

Aug 26, 2013, 1:40:02 PM


On 26.08.2013 19:19, steve wrote:
> On Mon, 2013-08-26 at 19:09 +0200, Marc Muehlfeld wrote:
>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>
> @marc
> Just curious, but why are you trying to pull shadow from the directory?

You are right. This is not necessary. passwd+group is enough.

Luca Olivetti

Aug 26, 2013, 2:20:02 PM
On 26/08/13 19:09, Marc Muehlfeld wrote:

> - Now you should be able to see all accounts (the local and domain
> accounts), when you type
> # getent passwd

I tried it on a test VM, but it only showed accounts migrated from samba
3+ldap (since they have the posix attributes), new users/groups added
via samba-tool or windows didn't appear.


Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

Marc Muehlfeld

Aug 26, 2013, 2:30:02 PM


On 26.08.2013 20:12, Luca Olivetti wrote:
>> - Now you should be able to see all accounts (the local and domain
>> accounts), when you type
>> # getent passwd
>
> I tried it on a test VM, but it only showed accounts migrated from samba
> 3+ldap (since they have the posix attributes), new users/groups added
> via samba-tool or windows didn't appear.

Of course this would only work if you have posix information in your
directory.

If you don't want to manage them in AD, you can use winbind or sssd. But
there you have other requirements (machine joined to domain, kerberos, ...).



Regards,
Marc
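To make concrete what Marc's nslcd.conf passwd filter and map lines do, and why accounts without posix information (Luca's ADUC-created users) never show up in getent passwd, here is an added example that is not code from this thread or from nslcd: it applies the filter and the "map passwd" overrides to a constructed LDIF sample and reports which entries are dropped and why. The default attribute names and the handling of missing attributes are simplifications, not nslcd's exact behaviour.

```python
# Marc's nslcd.conf passwd section, as posted earlier in this thread.
NSLCD_CONF = """\
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
"""

# Constructed LDIF sample (not a real directory dump): a migrated user with RFC2307
# attributes, a user created in ADUC without them, and a computer account.
SAMPLE_LDIF = """\
dn: CN=bruno.vane,CN=Users,DC=corporativo,DC=mydomain,DC=net
objectClass: user
sAMAccountName: bruno.vane
displayName: Bruno Vane
primaryGroupID: 513
uidNumber: 10000
unixHomeDirectory: /home/bruno.vane
loginShell: /bin/sh

dn: CN=new.user,CN=Users,DC=corporativo,DC=mydomain,DC=net
objectClass: user
sAMAccountName: new.user
primaryGroupID: 513

dn: CN=SAMBA,OU=Domain Controllers,DC=corporativo,DC=mydomain,DC=net
objectClass: user
objectClass: computer
sAMAccountName: SAMBA$
uidNumber: 20000
"""

# Attribute read for each passwd field unless a "map passwd" line overrides it
# (plain RFC2307 names; a simplification of nslcd's built-in defaults).
DEFAULT_PASSWD_MAP = {"uid": "uid", "uidNumber": "uidNumber", "gidNumber": "gidNumber",
                      "gecos": "gecos", "homeDirectory": "homeDirectory", "loginShell": "loginShell"}

def parse_ldif(text):
    """LDIF -> list of {attr(lower-case): [values]}; handles '#' comments, blank-line
    separated entries and folded continuation lines (leading space)."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith(" ") and last:
            cur[last][-1] += raw[1:]          # folded line continues the previous value
            continue
        key, _, value = raw.partition(":")
        last = key.strip().lower()
        cur.setdefault(last, []).append(value.strip())
    return entries

def parse_passwd_maps(conf):
    """Collect 'map passwd <field> <attribute>' overrides from nslcd.conf text."""
    maps = dict(DEFAULT_PASSWD_MAP)
    for parts in (line.split() for line in conf.splitlines()):
        if len(parts) == 4 and parts[:2] == ["map", "passwd"]:
            maps[parts[2]] = parts[3]
    return maps

def first(entry, attr, default=""):
    """First value of an attribute; LDAP attribute names are case-insensitive."""
    return entry.get(attr.lower(), [default])[0]

def filter_reason(entry):
    """Why the filter (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
    drops this entry, or None if it passes."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "user" not in classes:
        return "not a user object"
    if "computer" in classes:
        return "computer account"
    if not entry.get("uidnumber"):
        return "no uidNumber (RFC2307 attributes missing)"
    return None

def build_passwd(entries, maps):
    """Render the passwd(5) lines 'getent passwd' would show with these mappings.
    Returns (lines, skipped); skipped holds (dn, reason) for entries the filter drops.
    Missing optional attributes render as empty fields (a simplification)."""
    lines, skipped = [], []
    for e in entries:
        reason = filter_reason(e)
        if reason:
            skipped.append((first(e, "dn"), reason))
            continue
        lines.append(":".join([first(e, maps["uid"]), "*", first(e, maps["uidNumber"]),
                               first(e, maps["gidNumber"]), first(e, maps["gecos"]),
                               first(e, maps["homeDirectory"]), first(e, maps["loginShell"])]))
    return lines, skipped

if __name__ == "__main__":
    shown, dropped = build_passwd(parse_ldif(SAMPLE_LDIF), parse_passwd_maps(NSLCD_CONF))
    print("\n".join(shown + [f"skipped {dn}: {why}" for dn, why in dropped]))
```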

Bruno Vane

Aug 26, 2013, 4:00:01 PM
Marc, it seems that the problem was actually that the "posix information"
was blank and I could not edit it. I made the domain provision again with the
option "--use-rfc2307". After creating the user in AD (via RSAT in Win7) I
need to manually enable the NIS domain info for that user. After this, I got
access via SSH using the Samba4 LDAP. Now I have to research how to
auto-create the home dir and change the shell to /bin/bash.
Thank you very much for your help!

root@samba:~# getent passwd bruno.vane
bruno.vane:*:10000:513:Bruno Vane:/home/bruno.vane:/bin/sh

bruno.vane@Suporte-VR:~$ ssh -l bruno.vane 177.84.70.200
bruno...@177.84.70.200's password:
Could not chdir to home directory /home/bruno.vane: No such file or
directory
$





Ricky Nance

Aug 26, 2013, 4:30:02 PM
If you are using winbind, you can use "template home directory =" and
"template shell =" in your smb.conf (man smb.conf for a more accurate
description).

Ricky

Bruno Vane

Aug 26, 2013, 4:50:02 PM
Hi Ricky,

I'm not using winbind.
To auto-create the home dir I added:
session required pam_mkhomedir.so skel=/etc/skel umask=0022

in the "/etc/pam.d/common-session" file.

I'm using Marc's instructions to log in via SSH without joining the machine to
the domain. Can I also use winbind with this setup?


2013/8/26 Ricky Nance <ricky...@gmail.com>

steve

Aug 26, 2013, 5:00:02 PM
On Mon, 2013-08-26 at 20:12 +0200, Luca Olivetti wrote:
> On 26/08/13 19:09, Marc Muehlfeld wrote:
>
> > - Now you should be able to see all accounts (the local and domain
> > accounts), when you type
> > # getent passwd
>
> I tried it on a test VM, but it only showed accounts migrated from samba
> 3+ldap (since they have the posix attributes), new users/groups added
> via samba-tool or windows didn't appear.
>
Hi
You add the attributes yourself when you create the user:

samba-tool user add luca --uid-number=1234567 --gid-number=45678 --home-directory=/some/place --login-shell=/bin/bash

HTH
Steve

steve

Aug 26, 2013, 5:10:01 PM
On Mon, 2013-08-26 at 18:02 -0300, Bruno Vane wrote:
> Hi Steve,
>
>
> I'm adding users through ADUC, in Remote Server Administration Tool.

> new users/groups added
> > via samba-tool or windows didn't appear.
> >

Ah, I see. It's just that your message said samba-tool (as above).
Managing rfc2307 from windows is not easy. With samba-tool it's very
easy to add the posix attributes which you need for your new users.

Bruno Vane

Aug 26, 2013, 5:10:02 PM
Hi Steve,

I'm adding users through ADUC, in Remote Server Administration Tool.

Thank you.


2013/8/26 steve <st...@steve-ss.com>

Marc Muehlfeld

Aug 26, 2013, 6:10:03 PM
On 26.08.2013 21:58, Bruno Vane wrote:
> Now i have to research how to auto-create the home dir and
> change the shell to /bin/bash.

For the home auto-creation, PAM could maybe help you (pam_mkhomedir).
But this won't help you if you use ssh with keyfiles, because someone has
to place the public key in ~/.ssh.

The shell you can assign on the unix tab in ADUC as well.


Regards,
Marc

Luca Olivetti

Aug 26, 2013, 6:20:02 PM
On 26/08/13 20:28, Marc Muehlfeld wrote:
>
>
> On 26.08.2013 20:12, Luca Olivetti wrote:
>>> - Now you should be able to see all accounts (the local and domain
>>> accounts), when you type
>>> # getent passwd
>>
>> I tried it on a test VM, but it only showed accounts migrated from samba
>> 3+ldap (since they have the posix attributes), new users/groups added
>> via samba-tool or windows didn't appear.
>
> Of course this would only work if you have posix information in your
> directory.

The problem is, how do I get the posix information into samba4? With
samba 3 I could manage users and groups with ldap account manager and
they got both samba and posix attributes. Another nice thing is that I
could script the creation of home directory, mailbox, etc.
I thought that samba 4 allowed me to do the same, but with the windows
administrative client (ADUC?)

> If you don't want to manage them in AD, you can use winbind or sssd. But
> there you have other requirements (machine joined to domain, kerberos,
> ...).

I'd like to avoid winbind if at all possible

Bye


Marc Muehlfeld

Aug 26, 2013, 6:20:03 PM
On 25.08.2013 09:27, Bruno Vane wrote:
> I have some Ubuntu LTS servers running openssh server authenticating to
> external openldap. I installed a new Ubuntu LTS server with Samba4 to
> create a domain and is working very well. I managed to make a pfsense
> firewall authenticate users in this Samba4 ldap. How to make openssh in
> Ubuntu authenticate users in Samba4 ldap?


As the "Winbind, sshd and nslcd" HowTo I am currently working on is
getting longer and longer, I decided to split it into three parts,
so it won't get too confusing. Also, then I can publish the already
finished and validated nslcd part. And here it is:
https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd


@Bruno: This HowTo should contain all the short information I already
gave you here on the list, in more detail.


@All: Feel free to give comments. Or let me know if something is
missing/wrong.


Regards,
Marc

Marc Muehlfeld

Aug 26, 2013, 6:30:01 PM
Hello Luca,

On 27.08.2013 00:11, Luca Olivetti wrote:
> The problem is, how do I get the posix information into samba4? With
> samba 3 I could manage users and groups with ldap account manager and
> they got both samba and posix attributes.

I have a windows workstation at work. There I use ADUC. Everything I
need to administrate users/groups, etc. And if you delegate permissions
(https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Add.2Fchange.2Fdelete_accounts.2Fgroups.27-permissions),
you don't have to work with a domain administrator account the whole day.

ADUC has for me some advantages:
- I can administrate all accounts in a nice clear GUI (I know that linux
admins shouldn't say that :-))
- I don't have to track the last UID/GID I gave, because it's stored in
AD and ADUC automatically increments.
- I can delegate permissions down to attribute level to other
departments (like human resources for changing phone numbers, etc.)
- and some more





> Another nice thing is that I
> could script the creation of home directory, mailbox, etc.
> I though that samba 4 allowed me to do the same, but with windows
> administrative client (ADUC?)

Maybe this can be a solution for you:
https://lists.samba.org/archive/samba/2013-July/174252.html





>> If you don't want to manage them in AD, you can use winbind or sssd. But
>> there you have other requirements (machine joined to domain, kerberos,
>> ...).
>
> I'd like to avoid winbind if at all possible

In Samba 4 you don't need to have the users local. You can completely
skip ldap/winbind/whatever. Permission changing can be done from windows
on directories/shares.

Only if you don't want to see only UIDs/GIDs on the filesystem or other
services require them, you need a way to get the users/groups mapped.




Regards,
Marc

Luca Olivetti

Aug 26, 2013, 6:30:02 PM
On 26/08/13 22:54, steve wrote:
> On Mon, 2013-08-26 at 20:12 +0200, Luca Olivetti wrote:
>> On 26/08/13 19:09, Marc Muehlfeld wrote:
>>
>>> - Now you should be able to see all accounts (the local and domain
>>> accounts), when you type
>>> # getent passwd
>>
>> I tried it on a test VM, but it only showed accounts migrated from samba
>> 3+ldap (since they have the posix attributes), new users/groups added
>> via samba-tool or windows didn't appear.
>>
> Hi
> You add the attributes yourself when you create the user:
>
> samba-tool user add luca --uid-number=1234567 --gid-number=45678
> --home-directory=/some/place --login-shell=/bin/bash
>

"samba-tool user add: error: no such option --uid-number"
(this is from samba 4.0.8)

But even if it worked it could be an option if it was me managing the
users/groups (though I'm not keen on manually keeping track of uids when
currently "ldap account manager" does it for me), unfortunately I have
to delegate that function to somebody less technically inclined (and
even with LAM they managed to do some bad things).
I tried ADUC (again, in a test VM joined to the domain), which could be
suitable, but I couldn't see any unix tab (and if I have to manually
assign uids/gids there it's not an option).

Bye

steve

Aug 26, 2013, 6:50:01 PM
On Tue, 2013-08-27 at 00:12 +0200, Marc Muehlfeld wrote:
> On 25.08.2013 09:27, Bruno Vane wrote:
> > I have some Ubuntu LTS servers running openssh server authenticating to
> > external openldap. I installed a new Ubuntu LTS server with Samba4 to
> > create a domain and is working very well. I managed to make a pfsense
> > firewall authenticate users in this Samba4 ldap. How to make openssh in
> > Ubuntu authenticate users in Samba4 ldap?
>
>
> As the "Winbind, sshd and nslcd"-HowTo I am currently working on is
> getting longer and longer, I decited to split it into the three parts,
> so it won't get to confusing. Also then I can publish the already
> finished and validated nslcd part. And here it is:
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>
>
> @Bruno: This HowTo should contain all the short information I already
> gave you here on the list in a more detailed depth.
>
>
> @All: Feel free to give comments. Or let me know if something is
> missing/wrong.
>
>
> Regards,
> Marc

Hi
1. Nested groups work fine with nslcd. Please use the latest version:
man nslcd.conf(5)

2. We really should encourage users away from plain text passwords
stored in files. nslcd works fine with sasl binds. The devs have worked
hard to give us Kerberos out of the box. I think we should use it:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

3. nslcd is already AD aware and this is not winbind, so let's keep it
simple. The following lines are not required / produce errors / slow down
lookups:
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))

map passwd gecos displayName
map passwd gidNumber primaryGroupID

filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
Again, it is important to use the latest version.

Just my €0.02
Thank you for taking the time to document this.

steve

Aug 26, 2013, 6:50:02 PM
On Tue, 2013-08-27 at 00:28 +0200, Luca Olivetti wrote:
> On 26/08/13 22:54, steve wrote:
> > On Mon, 2013-08-26 at 20:12 +0200, Luca Olivetti wrote:
> >> On 26/08/13 19:09, Marc Muehlfeld wrote:
> >>
> >>> - Now you should be able to see all accounts (the local and domain
> >>> accounts), when you type
> >>> # getent passwd
> >>
> >> I tried it on a test VM, but it only showed accounts migrated from samba
> >> 3+ldap (since they have the posix attributes), new users/groups added
> >> via samba-tool or windows didn't appear.
> >>
> > Hi
> > You add the attributes yourself when you create the user:
> >
> > samba-tool user add luca --uid-number=1234567 --gid-number=45678
> > --home-directory=/some/place --login-shell=/bin/bash
> >
>
> "samba-tool user add: error: no such option --uid-number"
> (this is from samba 4.0.8)

It only works with 4.1 and newer. There is a script to do the same for
4.0.8 which also takes care of the uid increments when adding new users:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

HTH
Steve

Luca Olivetti

Aug 26, 2013, 7:00:02 PM
On 27/08/13 00:24, Marc Muehlfeld wrote:

> I have a windows workstation at work. There I use ADUC. Everything I
> need to administrate users/groups, etc. And if you delegate permissions
> (https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Add.2Fchange.2Fdelete_accounts.2Fgroups.27-permissions),
> you don't have to work with an domain administrator account the whole day.
>
> ADUC has for me some advantages:
> - I can administrate all accounts in a nice clear GUI (I know that linux
> admins shouldn't say that :-))

No, actually that would be OK, since I have to delegate those tasks to
people that have no skills in Linux (and barely manage windows) but..

> - I don't have to track the last UID/GID I give, because it's stored in
> AD and ADUC automatically incements.
> - I can delegate permissions down to attribute level to other
> departments (like human resources for changing phone numbers, etc.)
> - and some more

..when I tried to add a user via ADUC I couldn't see it with nslcd.
Maybe I didn't really use ADUC? (dsa.msc)

>> Another nice thing is that I
>> could script the creation of home directory, mailbox, etc.
>> I though that samba 4 allowed me to do the same, but with windows
>> administrative client (ADUC?)
>
> Maybe this can be a solution for you:
> https://lists.samba.org/archive/samba/2013-July/174252.html

Mmh, I don't think so. Is that the only option? Isn't there a way to
hook a script in samba 4 when a user is created?

Bye


Marc Muehlfeld

Aug 26, 2013, 7:10:01 PM


On 27.08.2013 00:28, Luca Olivetti wrote:
> I tried ADUC (again, in a test VM joined to the domain), which could be
> suitable, but I couldn't see any unix tab (and if I have to manually
> assign uids/gids there it's not an option).

In ADUC on Win7 the tab should be there (on XP you need to install
something additional, if I remember right). But you can only choose the
NIS domain in that tab if your domain was provisioned/upgraded with the
--use-rfc2307 parameter. Otherwise the required parts in AD were not
created.



I had added this parameter to the provisioning/upgrading commands on the
Wiki pages some time ago, because I'm not sure how to add these things
afterwards (and I think if it's possible, it's not as easy as just
this one parameter).

Does anybody know if this posix stuff can be added afterwards? Not just
simply adding an attribute. I mean the whole thing, like the
cn=ypServ30,cn=RpcServices,cn=System,...


Regards,
Marc

Luca Olivetti

Aug 26, 2013, 7:20:01 PM
On 27/08/13 01:11, Marc Muehlfeld wrote:
> On 27.08.2013 00:56, Luca Olivetti wrote:
>> ..when I tried to add a user via ADUC I couldn't see it with nslcd.
>> Maybe I didn't really use ADUC? (dsa.msc)
>
> Do the users have posix attributes (uid, shell, etc.)?

Users migrated from samba 3, yes, new users, no

>
> I published my nslcd HowTo some hours ago. Have a look on it. Maybe you
> missed something.
>
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

Yep, I only had to comment the "map group uniqueMember member" line,
though (migrated) groups show the members fine.

> I'm not 100% sure. But I think there's no "user created" event you can
> hook into with a script.

Bummer. Am I the only one thinking it would be useful?

Marc Muehlfeld
Aug 26, 2013, 7:20:01 PM

On 27.08.2013 00:56, Luca Olivetti wrote:
> ..when I tried to add a user via ADUC I couldn't see it with nslcd.
> Maybe I didn't really use ADUC? (dsa.msc)

Do the users have posix attributes (uid, shell, etc.)?

I published my nslcd HowTo some hours ago. Have a look on it. Maybe you
missed something.

https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

>>> Another nice thing is that I
>>> could script the creation of home directory, mailbox, etc.
>>> I thought that samba 4 allowed me to do the same, but with windows
>>> administrative client (ADUC?)
>>
>> Maybe this can be a solution for you:
>> https://lists.samba.org/archive/samba/2013-July/174252.html
>
> Mmh, I don't think so. Is that the only option? Isn't there a way to
> hook a script in samba 4 when a user is created?

I'm not 100% sure. But I think there's no "user created" event you can
hook into with a script.



Regards,
Marc

Luca Olivetti
Aug 26, 2013, 7:20:01 PM

On 27/08/13 01:03, Marc Muehlfeld wrote:
>
>
> On 27.08.2013 00:28, Luca Olivetti wrote:
>> I tried ADUC (again, in a test VM joined to the domain), which could be
>> suitable, but I couldn't see any unix tab (and if I have to manually
>> assign uids/gids there it's not an option).
>
> In ADUC on Win7 the tab should be there (on XP you need to install
> something additionally if I remember right).

Ah, OK, I'm on XP and I installed the tools here:

https://wiki.samba.org/index.php/Samba_AD_management_from_windows#Windows_XP_Pro

No unix tab

> But you can only choose the
> NIS domain in that tab, if your domain was provisioned/upgraded with the
> --use-rfc2307 parameter. Otherwise the required parts in AD were not
> created.

I used the instructions here:

https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

It doesn't mention the "--use-rfc2307" parameter however the generated
smb.conf has an

idmap_ldb:use rfc2307 = Yes

line and the existing users show up with nslcd, so I think the required
AD schema extension is in place.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

Marc Muehlfeld
Aug 26, 2013, 7:40:01 PM
Hello Steve,

thanks for your suggestions.



On 27.08.2013 00:40, steve wrote:
> 1. Nested groups work fine with nslcd. Please use the latest version:
> man nslcd.conf(5)

I use the version Redhat ships. I haven't used the latest version and I
think most will use the one shipped with their distribution, too. But of
course I've changed the information in the HowTo.




> 2. We really should encourage users away from plain text passwords
> stored in files. nslcd works fine with sasl binds. The devs have worked
> hard to give us Kerberos out of the box. I think we should use it:
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html

I wanted to first create a very simple and basic HowTo, because during
the last time we often had questions about nslcd, etc. on the list.

But you are right. Kerberos should be the preferred way. I'll have a
look on that the next days and switch the HowTo to Kerberos or add this
as an additional way. But give me some time, because I validate
everything I publish.




> 3. nslcd is already AD aware and this is not winbind so let's keep it
> simple. The following lines are not required/produce errors/ slow down
> lookups.
> filter passwd
> (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
> filter group (&(objectClass=group)(gidNumber=*))
> map group uniqueMember member

Can you please give me more details here? I don't get any errors on
RHEL6 here.


As for the removal of these lines, I'm not sure why. I added them
deliberately for the following reasons:

If I remove the "filter passwd" line, then "getent passwd" returns no
domain accounts any more.

If I remove the "map passwd gidNumber primaryGroupID", then "id
username" doesn't return the primary group configured in the AD unix tab.

If I remove the "filter group" line, then "getent group" doesn't return
domain groups any more.

If I remove the "map group uniqueMember member" line, then "id username"
won't tell me, in which groups the user is.

Do you have different results on your system? Or why would you remove
these lines?





> Again, it is important to use the latest version.

I think most users first try the version shipped with their
distribution, like me. Because every self compiled program is something
you have to update manually (and on every server), while everything else
can be done at once via yum/apt/whatever.

I think it's not important to use the latest version, unless it contains
something I can't live without. But everybody has different opinions
on that, I guess. ;-)





Thanks for your comments.


Regards,
Marc

Marc Muehlfeld
Aug 26, 2013, 7:50:01 PM

On 27.08.2013 01:13, Luca Olivetti wrote:
>> In ADUC on Win7 the tab should be there (on XP you need to install
>> something additionally if I remember right).
>
> Ah, OK, I'm on XP and I installed the tools here:
>
> https://wiki.samba.org/index.php/Samba_AD_management_from_windows#Windows_XP_Pro
>
> No unix tab

http://support.microsoft.com/kb/921913/en




>> But you can only choose the
>> NIS domain in that tab, if your domain was provisioned/upgraded with the
>> --use-rfc2307 parameter. Otherwise the required parts in AD were not
>> created.
>
> I used the instructions here:
>
> https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
>
> It doesn't mention the "--use-rfc2307" parameter ...

Hm. I thought I had added it there, too. I'm not sure about the
upgrading process yet (my last upgrade was a long time ago). I'll have a look
at this. But reworking the upgrade HowTo is still on my list (work and
my real life don't leave too much time for writing currently :-)).



Regards,
Marc

Marc Muehlfeld
Aug 26, 2013, 8:00:02 PM

On 27.08.2013 01:19, Luca Olivetti wrote:
>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>
> Yep, I only had to comment the "map group uniqueMember member" line,
> though (migrated) groups show the members fine.

What didn't work when you have this line in?

I have this in production (migrated) and in my test environment (new
provisioned).


Here without this line, "id username" won't show the groups the user is
a member of:

Without this line:
# id demo1
uid=10002(demo1) gid=513 Gruppen=513

With this line:
# id demo1
uid=10002(demo1) gid=513 Gruppen=513,10001(demo-group)


But for simply "getent group" and "chgrp" this line is not required.


Regards,
Marc

Luca Olivetti
Aug 27, 2013, 3:40:01 AM

On 27/08/13 01:52, Marc Muehlfeld wrote:
> On 27.08.2013 01:19, Luca Olivetti wrote:
>>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>>>
>>
>> Yep, I only had to comment the "map group uniqueMember member" line,
>> though (migrated) groups show the members fine.
>
> What didn't work when you have this line in?

"nslcd: /etc/nslcd.con:18: unknown attribute to map: 'uniqueMember'"

>
> I have this in production (migrated) and in my test environment (new
> provisioned).
>
>
> Here without this line, "id username" won't show the groups the user is
> member:

Works here:

$ id aimaretti
uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
Users),675(intranet),676(portal),507(devel)


$ rpm -qf /usr/sbin/nslcd
nss-pam-ldapd-0.8.12-3.mga3

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

steve
Aug 27, 2013, 4:20:03 AM
Hi
Yes. All this changes as from version 0.8.10

> Or why would you remove
> this lines?
Current versions of nslcd do not require them. With red hat throwing
some of their best coders at sssd through Fedora, it is understandable
that nss-pam-ldapd maintenance will not be high priority;)
>
>
>
>
>
> > Again, it is important to use the latest version.
>
> I think most users first try the version shipped with their
> distribution, like me. Because every self compiled program is something
> you have to update manually (and on every server), while everything else
> can be done at once via yum/apt/whatever.
>
> I think it's not important to use the latest version, except it contains
> something I can't live without it. But everybody has different opinions
> on that, I guess. ;-)

It seems that the majority of users build samba4 from source. In this
case it is a simple step to also build nss-pam-ldapd. As you quite
rightly say, you want to keep it simple. This is all that is needed as
from 0.8.10 (which most distros now have):

uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm YOUR_REALM
krb5_ccname /your/cache

Your distro must be still using the 0.7 series.

One valid point that users make is that the Samba documentation is out
of date/irrelevant/written for devs by devs. With nslcd and sssd howtos
you have a golden opportunity to produce something both current and
which is relevant and doable by anyone

If you decide to stay with the old version please make it clear by
putting something like, 'This howto has been tested with x.y.z'. If you
like, I'll put a 0.8.10 and newer configuration version to link to. As
we recommend the latest stable version for Samba so should we recommend
the latest version of all associated kit.

HTH
Thanks for your patience.
Steve

Luca Olivetti
Aug 27, 2013, 4:40:02 AM

On 27/08/13 01:46, Marc Muehlfeld wrote:
> On 27.08.2013 01:13, Luca Olivetti wrote:
>>> In ADUC on Win7 the tab should be there (on XP you need to install
>>> something additionally if I remember right).
>>
>> Ah, OK, I'm on XP and I installed the tools here:
>>
>> https://wiki.samba.org/index.php/Samba_AD_management_from_windows#Windows_XP_Pro
>>
>>
>> No unix tab
>
> http://support.microsoft.com/kb/921913/en

Thank you, I was missing idmu.exe

Now I can see the unix tab, but, whenever I click accept, it tells me

"Unable to modify the object property values. Check your credentials.
There could be a network problem. Active Directory could be down.
Contact your system administrator".

However, when I open the user again I can see the modified unix
attributes *but* the added user still doesn't show, unsurprisingly since
it's missing the posixAccount class:

# prueba unix, Users, wetron.es
dn: CN=prueba unix,CN=Users,DC=wetron,DC=es
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: prueba unix
sn: unix
givenName: prueba
instanceType: 4
whenCreated: 20130827101804.0Z
uSNCreated: 7219
name: prueba unix
objectGUID:: Fwa13qYImEyNgXPAE0UU7g==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAHRf8UdaAOYEc27Xqqw8AAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pruebaunix
sAMAccountType: 805306368
userPrincipalName: prueb...@wetron.es
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=wetron,DC=es
pwdLastSet: 130220722840000000
userAccountControl: 512
msSFU30Name: pruebaunix
uid: pruebaunix
msSFU30NisDomain: wetron
loginShell: /bin/sh
unixHomeDirectory: /home/pruebaunix
gidNumber: 492
uidNumber: 10069
displayName: pruebaunix
whenChanged: 20130827103118.0Z
uSNChanged: 7234
distinguishedName: CN=prueba unix,CN=Users,DC=wetron,DC=es


Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
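Marc's post above lists what each `filter passwd` and `map passwd` line in the HowTo changes, and Luca's ldapsearch output shows an ADUC-created user that carries the RFC2307 attributes but not the posixAccount object class. The Python below is an added example, not code from this thread or from nss-pam-ldapd: it evaluates nslcd's built-in passwd filter and the AD-aware filter from the HowTo against a trimmed copy of that entry and builds the passwd record with and without the map lines. The filter parser covers only the RFC 4515 subset those filters use, and the sample entry is constructed from the values posted.

```python
"""nslcd passwd filter and "map passwd" evaluation against one AD user entry.
Added example, not code from the thread or from nss-pam-ldapd."""
import re

# Constructed sample, trimmed from the thread's ldapsearch output: RFC2307 attributes, no posixAccount.
ADUC_USER_LDIF = """\
dn: CN=prueba unix,CN=Users,DC=wetron,DC=es
objectClass: user
sAMAccountName: pruebaunix
primaryGroupID: 513
uid: pruebaunix
loginShell: /bin/sh
unixHomeDirectory: /home/pruebaunix
gidNumber: 492
uidNumber: 10069
displayName: pruebaunix
"""
# nslcd's built-in passwd filter versus the AD-aware one from the HowTo.
DEFAULT_PASSWD_FILTER = "(objectClass=posixAccount)"
AD_PASSWD_FILTER = "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))"
# "map passwd <field> <attribute>" lines from the thread (LDAP names are case-insensitive).
PASSWD_MAP = {"uid": "samaccountname", "gecos": "displayname",
              "gidnumber": "primarygroupid", "homedirectory": "unixhomedirectory"}

def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def match_filter(flt, entry):
    """Evaluate the RFC 4515 subset nslcd filters use: &, |, !, (a=v), (a=*)."""
    node, rest = _parse(flt.strip())
    if rest:
        raise ValueError("trailing text after filter: " + rest)
    return node(entry)

def _parse(s):
    # Recursive descent; returns (predicate, unparsed remainder).
    m = re.match(r"\(([\w.;-]+)=([^)]*)\)", s)   # simple item: (attr=value) or (attr=*)
    if m:
        attr, value, rest = m.group(1).lower(), m.group(2), s[m.end():]
        if value == "*":
            return (lambda e: attr in e), rest
        return (lambda e: value.lower() in (v.lower() for v in e.get(attr, []))), rest
    if s[:2] not in ("(&", "(|", "(!"):
        raise ValueError("unsupported filter at: " + s)
    op, s, kids = s[1], s[2:], []
    while s.startswith("("):
        kid, s = _parse(s)
        kids.append(kid)
    if not s.startswith(")") or (op == "!" and len(kids) != 1):
        raise ValueError("malformed compound filter near: " + s)
    combine = {"&": lambda e: all(k(e) for k in kids),
               "|": lambda e: any(k(e) for k in kids),
               "!": lambda e: not kids[0](e)}[op]
    return combine, s[1:]

def to_passwd(entry, attr_map=PASSWD_MAP):
    """Build the passwd(5) record nslcd would return after applying attr_map."""
    def field(name):
        return entry.get(attr_map.get(name, name), [""])[0]
    return ":".join([field("uid"), "x", field("uidnumber"), field("gidnumber"),
                     field("gecos"), field("homedirectory"), field("loginshell")])

if __name__ == "__main__":
    user = parse_ldif(ADUC_USER_LDIF)
    print(match_filter(DEFAULT_PASSWD_FILTER, user), match_filter(AD_PASSWD_FILTER, user),
          to_passwd(user), to_passwd(user, {}), sep="\n")
```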

Marc Muehlfeld
Aug 27, 2013, 4:50:03 AM

On 27.08.2013 10:38, Luca Olivetti wrote:
>> http://support.microsoft.com/kb/921913/en
>
> Thank you, I was missing idmu.exe
>
> Now I can see the unix tab, but, whenever I click accept, it tells me
>
> "Unable to modify the object property values. Check your credentials.
> There could be a network problem. Active Directory could be down.
> Contact your system administrator".
>
> However, when I open the user again I can see the modified unix
> attributes *but* the added user still doesn't show, unsurprisingly since
> it's missing the posixAccount class:


I only used XP together with Samba AD for a very short time. But I remember
that I got a message about something there too. Do you have a chance to
try it on W7?


Regards
Marc

Marc Muehlfeld
Aug 27, 2013, 5:00:03 AM

On 27.08.2013 10:11, steve wrote:
> Your distro must be still using the 0.7 series.

Yes. RHEL ships 0.7.5.


I had a short search for 0.8 and it seems that since then, some
comfortable changes were done for AD.

If I have time tonight, I'll compile the latest version and try to find
out the differences and comment my examples accordingly. Then the users
can decide to stay on their old version (if they use an enterprise
distribution) or to use the new one.


Thanks for that information.



Regards,
Marc

Luca Olivetti
Aug 27, 2013, 5:20:03 AM

On 27/08/13 10:45, Marc Muehlfeld wrote:
> On 27.08.2013 10:38, Luca Olivetti wrote:
>>> http://support.microsoft.com/kb/921913/en
>>
>> Thank you, I was missing idmu.exe
>>
>> Now I can see the unix tab, but, whenever I click accept, it tells me
>>
>> "Unable to modify the object property values. Check your credentials.
>> There could be a network problem. Active Directory could be down.
>> Contact your system administrator".
>>
>> However, when I open the user again I can see the modified unix
>> attributes *but* the added user still doesn't show, unsurprisingly since
>> it's missing the posixAccount class:
>
>
> I only used a very short time XP together with Samba AD. But I remember,
> that I got a message about something there too. Do you have a chance to
> try it on W7?

Not right now, but I'll try when I manage to setup a W7 VM.
Does windows 7 ADUC add the posixAccount class?

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

Bruno Vane
Aug 27, 2013, 11:00:02 AM
Hi Luca,

If you provisioned your domain with "--use-rfc2307", then in Win7 ADUC you
can see the posixAccount (UNIX Attributes) of the users.


2013/8/27 Luca Olivetti <lu...@wetron.es>
--

Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu

www.zamix.com.br | www.superonda.com.br

Luca Olivetti
Aug 27, 2013, 11:10:02 AM

On 27/08/13 16:56, Bruno Vane wrote:
> Hi Luca,
>
> If you provisioned your domain with "--use-rfc2307", then in Win7 ADUC
> you can see the posixAccount (UNIX Attributes) of the users.

I did a classicupgrade, not a provisioning, and I can see the unix
attributes of the migrated users, the problem is the error message when
modifying them and the fact that _new_ users don't have a "class:
posixAccount" in the directory.

Marc Muehlfeld
Aug 28, 2013, 7:50:01 PM

On 27.08.2013 10:52, Marc Muehlfeld wrote:
> I had a short search for 0.8 and it seems that since then, some
> comfortable changes were done for AD.
>
> If I have time tonight, I'll compile the latest version and try to find
> out the differences and comment my examples accordingly. Then the users
> can decide to stay on their old version (if they use an enterprise
> distribution) or to use the new one.


I published a larger rework of the HowTo. It contains Kerberos and
other information I collected from the discussions about nslcd over the
last days.

https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd


@All: Please give some feedback. Thanks.

steve
Aug 29, 2013, 6:40:02 AM
On Thu, 2013-08-29 at 01:41 +0200, Marc Muehlfeld wrote:

>
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>
>
> @All: Please give some feedback. Thanks.

Hi
The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what
we already have? How about this instead?

1. For a client joined to the domain, please skip to (3) below.
2. On the DC:
Extract the machine key:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$
3. Get tickets and create the cache:
k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt

- Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start
nslcd.

It's unfortunate we still have to cater for the old versions too. The
extra mappings slow things down considerably for large domains
especially as enumeration is enabled.
HTH
Steve

Marc Muehlfeld
Aug 29, 2013, 7:10:02 AM

On 29.08.2013 12:31, steve wrote:
> The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what
> we already have? How about this instead?
>
> 1. For a client joined to the domain, please skip to (3) below.
> 2. On the DC:
> Extract the machine key:
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$
> 3. Get tickets and create the cache:
> k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt

I had a look at my production site. I don't have a krb5.keytab on any of
my Samba 3 or 4 servers in my AD. After some reading, I found out that
I must have a "kerberos method" entry in my smb.conf file for that. I'm
not sure how many people have this option.

As the HowTo should be usable for as many people as possible, I would
keep these short steps. They don't cause problems and work even if
there's already a keytab on the machine.




> - Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start
> nslcd.

Makes sense. Changed.




> It's unfortunate we still have to cater for the old versions too. The
> extra mappings slow things down considerably for large domains
> especially as enumeration is enabled.

I think most companies running Samba in production don't use the latest
versions of everything, because they run enterprise distributions like
RHEL, SLES, Debian, etc.

At work we only run self compiled software when there's a requirement
for that, because everything that isn't updated through the package
manager is extra work (steady checks for security updates, manual
patching on all servers, etc.). Also, packages in the enterprise software
are more tested and stable. That's why I think it's worth taking care
of such situations and not only serving users running the latest versions
(of course not ancient versions).

But I already have some comments in the configuration examples about the
mappings. It's up to the admin to review what he/she uses in production
and fine tune. :-)


Thanks for your comments.


Regards,
Marc

steve
Aug 29, 2013, 8:20:02 AM
On Thu, 2013-08-29 at 13:08 +0200, Marc Muehlfeld wrote:
>
> I think most companies running Samba in production don't use the latest
> versions of everything, because they run enterprise distributions like
> RHEL, SLES, Debian, etc.
>
> At work we only run self compiled software, when there's a requirement
> for that, because everything that isn't updated through the package
> manager, is extra work

Not everyone has the luxury of being able to take hardware for granted.
Most of us have to make do with what we have. E.g. running a Samba
domain in a school of 600 students with 80 ten-year-old machines is
simply impossible with old versions of software.

As far as AD is concerned, it is unfortunate that Red Hat have decided
to retain the 0.7 series of nss-pam-ldapd. Everyone else has at least
0.8.10, the one where AD compatibility was addressed.

Thanks for inviting comments. I think that by doing so, you are in a
strong position to produce a howto that will be accurate, useful and
above all, doable.