
[Samba] login via Samba 4 LDAP


steve

Dec 28, 2011, 2:30:01 PM
Hi

I've rfc2307'd the Samba 4 LDAP for a user, e.g. steve4. I can search the
database and view it with phpldapadmin. I can't login from a linux console:

ldapsearch -LLL "(cn=steve4)"

SASL/GSSAPI authentication started
SASL username: ste...@HH3.SITE
SASL SSF: 56
SASL data security layer installed.
dn: CN=steve4,CN=Users,DC=hh3,DC=site
cn: steve4
instanceType: 4
whenCreated: 20111228090516.0Z
uSNCreated: 3796
name: steve4
objectGUID:: SmOVmHoGLEKtIAG387qdKg==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAb3HIjuGOMdR6frbzWQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: steve4
sAMAccountType: 805306368
userPrincipalName: ste...@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 129695367160000000
userAccountControl: 512
gidNumber: 100
unixHomeDirectory: /home/CACTUS/steve4
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: user
uidNumber: 3000019
uid: steve4
whenChanged: 20111228160534.0Z
uSNChanged: 3815
distinguishedName: CN=steve4,CN=Users,DC=hh3,DC=site

# refldap://hh3.site/CN=Configuration,DC=hh3,DC=site

# refldap://hh3.site/DC=DomainDnsZones,DC=hh3,DC=site

# refldap://hh3.site/DC=ForestDnsZones,DC=hh3,DC=site


But when I try to login from an openSUSE box:

su steve4
su: user steve4 does not exist

and the logs give:
Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
Dec 28 20:20:04 hh3 worker_nscd: nss_ldap: could not search LDAP server - Server is unavailable

I have tried with and without tls using the ca.pem and cert.pem
provisioned in /usr/local/samba/private/tls (it seems that the
certificates CN does not match the FQDN of the server).

Samba gives me:
ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

/etc/nsswitch.conf

passwd: compat
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
passwd_compat: ldap

Anyone been this way before?
Thanks Steve.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Gémes Géza

Dec 28, 2011, 3:30:01 PM
You should create a user in AD for nss-ldap and extract a keytab for it
(samba-tool domain exportkeytab --principal=....) and configure nss-ldap
to use that keytab for authenticating. Most probably you aren't allowed
to bind anonymously to your AD server (you can try with ldapsearch -x)

Regards

Geza

Bernd Markgraf

Dec 28, 2011, 4:10:02 PM
> You should create a user in AD for nss-ldap and extract a keytab for it
> (samba-tool domain exportkeytab --principal=....) and configure nss-ldap
> to use that keytab for authenticating. Most probably you aren't allowed
> to bind anonymously to your AD server (you can try with ldapsearch -x)
LDAP works with an anonymous bind. You need the Kerberos keytab for
authentication though.

steve

Dec 29, 2011, 4:10:02 AM
On 28/12/11 21:59, Bernd Markgraf wrote:
>> You should create a user in AD for nss-ldap and extract a keytab for it
>> (samba-tool domain exportkeytab --principal=....) and configure nss-ldap
>> to use that keytab for authenticating. Most probably you aren't allowed
>> to bind anonymously to your AD server (you can try with ldapsearch -x)
> LDAP works with an anonymous bind. You need the Kerberos keytab for
> authentication though.
>

steve@hh3:~> ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <DC=hh3,DC=site> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication

# numResponses: 1



I found this usage:

samba-tool export keytab PATH_TO_KEYTAB

How can I find my PATH_TO_KEYTAB?
Thanks

steve

Dec 29, 2011, 4:20:01 AM
Can't get the syntax right:

samba-tool domain exportkeytab /var/lib/named/master --principal

Usage: samba-tool domain exportkeytab <keytab> [options]

samba-tool domain exportkeytab: error: --principal option requires an argument

Gémes Géza

Dec 29, 2011, 6:00:02 AM
samba-tool domain exportkeytab
/path/to/the/keytab/file/you/want/to/create/or/update
--principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract

Regards

Geza

steve

Dec 29, 2011, 7:00:02 AM
Tried:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4

restarted samba but:

su steve4
su: user steve4 does not exist

Am I getting close or should I give up now?!

Steve

steve

Dec 29, 2011, 7:00:02 AM
On 29/12/11 11:58, Gémes Géza wrote:
OK
Got as far as this:

samba-tool domain exportkeytab /your/key.tab --principal=SERVICE/host@realm

so I used:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=DNS/HH3.SITE

But that's not the SERVICE I need I don't think.

Thanks
Steve

Gémes Géza

Dec 29, 2011, 1:20:02 PM
You still need to configure nss-ldap to do a kerberized bind.
I've found example configurations for nslcd (the daemon part of
nss-ldapd, a fork of nss-ldap) at:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html

Regards

Geza

steve

Dec 30, 2011, 3:40:01 AM
phew. That's a biggie.

I have nslcd installed. I've looked at the links and it seems as though
I need this in /etc/nslcd.conf

uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /dont/know

It's the krb5_ccname I can't get.

I have:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ste...@HH3.SITE

Valid starting Expires Service principal
12/30/11 09:27:15 12/30/11 19:27:15 krbtgt/HH3....@HH3.SITE
renew until 12/31/11 09:27:12

The link you gave suggests:

krb5_ccname /var/run/nslcd/nslcd.tkt

But doesn't say where that came from.

Any ideas?

Saludos
Steve
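The ticket cache named by krb5_ccname does not come from anywhere by itself: something has to kinit into it from a keytab, as the user nslcd runs as, and do so again before the TGT expires (the klist output above shows a 10-hour ticket, and /tmp/krb5cc_0 is root's own interactive cache, so pointing a daemon at it ties lookups to whoever last ran kinit as root). The script below is an added example, not code from the thread, from Samba or from nss-pam-ldapd. Its names are assumptions that do not appear on the page: a dedicated AD account nslcd-svc, a keytab at /etc/nslcd.keytab, and an nslcd system user. Exporting a real person's keys, or the DNS service key, is the wrong principal to put in that keytab: a keytab is password-equivalent, so the account behind it should exist for nothing else and the file must be unreadable to everyone but nslcd.

```python
"""Populate and renew the Kerberos ticket cache that nslcd's krb5_ccname names.

Added example, not from the thread, Samba or nss-pam-ldapd. Assumed (not on the
page): AD account nslcd-svc, keytab /etc/nslcd.keytab, cache
/var/run/nslcd/nslcd.tkt (the path from the linked configurations), and an
'nslcd' system user that runs this from cron well inside the ticket lifetime.
"""
import argparse
import os
import stat
import subprocess
from typing import List


def exportkeytab_cmd(keytab: str, principal: str) -> List[str]:
    """The samba-tool form shown in the thread; run once, on the DC, as root.
    The principal is the account's sAMAccountName (or an SPN)."""
    return ["samba-tool", "domain", "exportkeytab", keytab, f"--principal={principal}"]


def kinit_cmd(principal: str, keytab: str, ccache: str) -> List[str]:
    """MIT kinit: obtain a TGT for PRINCIPAL from KEYTAB and store it in CCACHE,
    with no password prompt (-k = use keytab, -t = which keytab, -c = which cache)."""
    return ["kinit", "-k", "-t", keytab, "-c", ccache, principal]


def mode_is_private(mode: int) -> bool:
    """True for a regular file with no group/other permission bits (0600 or tighter)."""
    return stat.S_ISREG(mode) and not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def check_keytab(path: str, expected_uid: int) -> None:
    """Refuse a keytab that anyone else could read or that the wrong user owns:
    whoever can read it can authenticate as the service account."""
    st = os.stat(path)
    if not mode_is_private(st.st_mode):
        raise PermissionError(f"{path}: must be a regular file with mode 0600")
    if st.st_uid != expected_uid:
        raise PermissionError(f"{path}: must be owned by uid {expected_uid}")


def refresh(principal: str, keytab: str, ccache: str, dry_run: bool = False) -> List[str]:
    """Renew the cache. Returns the kinit argv it ran (or would run) for logging.
    Run as the nslcd user so the cache ends up owned by the daemon, not root."""
    if not dry_run:
        check_keytab(keytab, os.geteuid())
    cmd = kinit_cmd(principal, keytab, ccache)
    if not dry_run:
        subprocess.run(cmd, check=True)
        os.chmod(ccache, 0o600)  # a readable TGT is as good as the keytab for its lifetime
    return cmd


def main() -> None:
    ap = argparse.ArgumentParser(description="kinit into nslcd's credential cache")
    ap.add_argument("--principal", default="nslcd-svc@HH3.SITE")   # assumed account
    ap.add_argument("--keytab", default="/etc/nslcd.keytab")      # assumed path
    ap.add_argument("--ccache", default="/var/run/nslcd/nslcd.tkt")
    ap.add_argument("--dry-run", action="store_true", help="print the command only")
    args = ap.parse_args()
    print(" ".join(refresh(args.principal, args.keytab, args.ccache, args.dry_run)))


if __name__ == "__main__":
    main()
```

With krb5_ccname /var/run/nslcd/nslcd.tkt in /etc/nslcd.conf and this run hourly as the nslcd user, the daemon always has a valid TGT for its GSSAPI bind, and no interactive user's tickets are involved. The one-time `samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-svc` (the form Geza gave) is what creates the keytab; `chown nslcd: /etc/nslcd.keytab; chmod 600 /etc/nslcd.keytab` afterwards is what makes check_keytab pass.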

steve

Dec 30, 2011, 7:20:02 AM
Well, using nslcd, I have finally got through to the Samba 4 LDAP.

getent passwd works and steve4 can finally login

The next bit is this:

getent passwd does not show the home directory:
steve4:x:3000019:100:steve4::/bin/bash

even though I can see it in the ldap ldif

steve4 gets logged into / but changing to /home/CACTUS/steve4 allows him
to create and edit files correctly and with the correct permissions.

Any ideas?
Thanks
Steve.

steve

Dec 30, 2011, 7:30:01 AM
Found it:

map passwd homeDirectory unixHomeDirectory

so /etc/nslcd.conf looks like this:

uri ldap://127.0.0.1/
base dc=hh3,dc=site
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Cheers,
Steve
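Why the map line fixed the empty home directory: the AD entry posted at the top of the thread stores the Unix home in unixHomeDirectory (the Services for UNIX attribute that Samba 4's RFC 2307 extension uses), while nslcd's default passwd map asks for the RFC 2307 attribute homeDirectory, which the entry does not have. The following is an added example, not code from the thread or from nss-pam-ldapd; it reimplements the passwd mapping the way an NSS LDAP module does, so the effect of the map line can be seen offline. SAMPLE_LDIF is a trimmed copy of the steve4 entry from the first post plus two constructed entries (an Administrator with no posixAccount class, and an 'evil' account with uidNumber 0) that exercise the two checks a practitioner wants here: the objectClass filter, and refusing to let the directory define root or system uids (the same idea as nslcd's nss_min_uid option).

```python
"""Map an AD (Samba 4) LDAP entry to a passwd(5) line the way nslcd does.

Added example, not code from the thread or from nss-pam-ldapd. SAMPLE_LDIF is
a trimmed copy of the steve4 entry posted in the thread plus two constructed
entries (Administrator, evil) used to exercise the filter and the uid floor.
"""
import base64
from typing import Dict, List, Optional

SAMPLE_LDIF = """\
dn: CN=steve4,CN=Users,DC=hh3,DC=site
cn: steve4
objectGUID:: SmOVmHoGLEKtIAG387qdKg==
sAMAccountName: steve4
gidNumber: 100
unixHomeDirectory: /home/CACTUS/steve4
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: user
uidNumber: 3000019
uid: steve4

dn: CN=Administrator,CN=Users,DC=hh3,DC=site
cn: Administrator
objectClass: user
sAMAccountName: Administrator

dn: CN=evil,CN=Users,DC=hh3,DC=site
cn: evil
objectClass: posixAccount
uid: evil
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
"""

# nslcd's default passwd attribute names (RFC 2307). A line such as
# "map passwd homeDirectory unixHomeDirectory" in /etc/nslcd.conf replaces one.
DEFAULT_PASSWD_MAP: Dict[str, str] = {
    "uid": "uid", "uidNumber": "uidNumber", "gidNumber": "gidNumber",
    "gecos": "gecos", "homeDirectory": "homeDirectory", "loginShell": "loginShell",
}
# The map from the thread's final nslcd.conf.
SFU_PASSWD_MAP = {**DEFAULT_PASSWD_MAP, "homeDirectory": "unixHomeDirectory"}

Entry = Dict[str, List[object]]  # lower-cased attribute name -> values


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 ('::')
    values to bytes, keeps plain values as str, splits entries on blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in lines + [""]:
        if line == "":
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        val: object = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        cur.setdefault(name.strip().lower(), []).append(val)
    return entries


def to_passwd(entry: Entry, attr_map: Dict[str, str] = DEFAULT_PASSWD_MAP,
              min_uid: int = 1000) -> Optional[str]:
    """Return 'name:x:uid:gid:gecos:home:shell', or None when the entry must not
    become a Unix account (the same outcome as nslcd skipping it)."""
    classes = {str(v).lower() for v in entry.get("objectclass", [])}
    if "posixaccount" not in classes:  # nslcd's default passwd filter
        return None

    def first(field: str) -> str:
        vals = entry.get(attr_map[field].lower(), [])
        return str(vals[0]) if vals else ""

    name, uid_s, gid_s = first("uid"), first("uidNumber"), first("gidNumber")
    if not (name and uid_s.isdigit() and gid_s.isdigit()):
        return None
    uid, gid = int(uid_s), int(gid_s)
    if uid < min_uid:  # never let a directory entry define root or system accounts
        return None
    gecos = first("gecos") or str(entry.get("cn", [""])[0])  # nslcd falls back to cn
    return f"{name}:x:{uid}:{gid}:{gecos}:{first('homeDirectory')}:{first('loginShell')}"


def passwd_lines(ldif_text: str, attr_map: Dict[str, str] = DEFAULT_PASSWD_MAP,
                 min_uid: int = 1000) -> List[str]:
    """What 'getent passwd' would show for every usable entry in the LDIF."""
    return [l for l in (to_passwd(e, attr_map, min_uid) for e in parse_ldif(ldif_text)) if l]


if __name__ == "__main__":
    print("default map:", passwd_lines(SAMPLE_LDIF))      # home field empty, as in the thread
    print("SFU map    :", passwd_lines(SAMPLE_LDIF, SFU_PASSWD_MAP))
```

With the default map the steve4 entry comes out as steve4:x:3000019:100:steve4::/bin/bash, exactly the getent line in the previous message; with the unixHomeDirectory map the home field is filled in. The Administrator entry is dropped because it lacks posixAccount, and the constructed uidNumber 0 entry is dropped by the uid floor unless min_uid is lowered, which is the behaviour to keep when the directory is writable by more people than the Unix box trusts.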

Gémes Géza

Dec 31, 2011, 6:50:02 AM
Hi,

I'm glad it works now
Sorry for the late answer; yesterday my ISPs (I have two, just to be sure)
both decided at the same time to redo the routing of their networks, so I
was off-line for most of the day :-(.

Happy New Year!

Regards

Geza

steve

Dec 31, 2011, 10:20:01 AM
Hi Geza
Nearly works. Getent passwd works and su user works from root but the
user can't login unless he's in a root shell. I think this has something
to do with pam. I had it working fine this morning until I disabled the
ldap client in opensuse having thought that it would be affecting the
process. Now no logins apart from in a root shell. I played around with
some pam libraries a few weeks ago:

Dec 31 16:09:51 hh3 nslcd[7090]: version 0.7.13 starting
Dec 31 16:09:51 hh3 nslcd[7090]: accepting connections
Dec 31 16:09:51 hh3 nslcd[7082]: Starting local LDAP Name Service Daemon..done
Dec 31 16:10:04 hh3 su: (to steve2) steve on /dev/pts/0
Dec 31 16:10:14 hh3 login[6755]: FAILED LOGIN SESSION FROM /dev/tty1 FOR steve2, Authentication failure
Dec 31 16:10:17 hh3 systemd[1]: ge...@tty1.service holdoff time over, scheduling restart.
Dec 31 16:10:27 hh3 polkitd(authority=local): nss_ldap: could not search LDAP server - Server is unavailable
Dec 31 16:10:27 hh3 polkitd(authority=local): nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Dec 31 16:10:31 hh3 polkitd(authority=local): nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Dec 31 16:10:39 hh3 polkitd(authority=local): nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Dec 31 16:10:55 hh3 polkitd(authority=local): nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Dec 31 16:11:20 hh3 su: FAILED SU (to steve5) steve on /dev/pts/0
Dec 31 16:11:27 hh3 polkitd(authority=local): nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...

Am so close on this I feel.
Any ideas where to look?

Que nos traigan suerte las uvas!!
Feliz 2012
Steve

steve

Dec 31, 2011, 11:50:01 AM
It does seem to be to do with pam:

Dec 31 17:34:24 hh3 su: pam_unix(su:auth): authentication failure; logname=steve uid=1000 euid=0 tty=pts/1 ruser=steve rhost= user=lynn2

steve is the logged in local user, lynn2 the samba4/ldap user

Ahggh!!
Where do I change that?

steve

Dec 31, 2011, 1:20:02 PM
Hi Geza, hi everyone

Sorry to be such a pain. It was a pam problem. I logged off and could not
get back in. Fortunately I could overwrite pam.d with a copy from a
working machine that also had ldap.

So, it's not been easy, but that's Win 7 domain logons, Linux logons and
an nfs4 file server all from the same Samba 4 box. Is this good enough to
join Samba Technical and argue my point about Samba4/rfc2307 for Linux
clients? I'll blog my findings anyway. I just don't want to trouble anyone.

Steve

Gémes Géza

Dec 31, 2011, 3:50:02 PM
Congrats!

You weren't a pain. We are here to help, and to get helped as well; that
is called community support (in my experience it works a lot more reliably
than some commercial ones).
IMHO a heads-up about winbind4 on the samba-technical mailing list
wouldn't hurt.

Happy New Year!

Geza

steve

Dec 31, 2011, 4:30:02 PM
Thanks for the encouragement and yes, I agree. The support offered here
is way better than anything you can get commercially. I'll think about
winbind and what I've done here instead, and how I could make my feelings
felt to the Samba guys. Meanwhile, I bundled together something, mainly
so that I myself don't miss anything out:
http://linuxcostablanca.blogspot.com It's not complete and it needs
tidying up/correcting... maybe a few screenshots. Hopefully it may help
us argue our case and help others. My closing thought for the year would
be, 'It serves Windows out of the box. Why not Linux?'

Happy new 2012!

Steve