Franciszek Michal Misa
2005-Jan-08 04:09 UTC
[Samba] Help with Samba (net vampire) not pulling passwords into openLDAP backend - fails pam_ldap authentication - pam_unix used instead ?
Hi All,

Hope someone here can help me?

*See end for background and system information...

I'm looking for advice or links to clear documentation on the use and configuration of "net vampire" and its ability to download PDC accounts with passwords intact.

I have successfully used "net vampire" to synchronize my Samba BDC -- with my company's PDC. I've switched my Linux box authentication -- using "authconfig" -- to authenticate against LDAP.

Seems to be working for all but accounts "net vampired" over.....

My original users (root - stored in /etc/passwd) as well as newly created users (created with smbldap-useradd - stored in LDAP) -- can log into my system fine -- OK.

My problem.... all the newly created users (from PDC using net vampire) can be switched to as root using:
    su - newDomainAccountUser
BUT -- these users cannot log into the system console themselves.... All the /home/userX directories have been created -- and LDAP is populated with everything it seems but the correct password -- I think?

-----------------------------------------
tail -f /var/log/messages reveals:
>>Jan 7 17:05:04 host06 su(pam_unix)[26618]: check pass; user unknown
>>Jan 7 17:05:04 host06 su(pam_unix)[26618]: authentication failure; logname=fXXXX uid=500 euid=0 tty= ruser=fXXXX rhost=
>>Jan 7 17:05:04 host06 su[26618]: pam_ldap: error trying to bind as user "uid=product,ou=Users,dc=XXXXX,dc=ca" (Invalid credentials)
NOTE: XXXX replaced sensitive information...
-----------------------------------------

An LDAP client I'm using reveals {CRYPT}X -- in place of the NT password hashes....

I'm unclear why "net vampire" did not pull down the user passwords correctly. I've searched the internet/forums etc. and cannot find any solution that helps or clearly explains what's going on; though many people seem to be having similar issues with "net vampire".

I've tried the following:
- different pam_ldap versions (156 & 176)
- tweaking /etc/ldap.conf settings including the pam_password key
- tweaking various pam.d config files
- confirmed my local SID matches the PDC/remote SID

Questions:
==========
I'm unclear about the following -- and see many conflicting suggestions on the internet:

*) Should /etc/samba/smb.conf => encrypt passwords = yes

*) My BDC /etc/samba/smb.conf is set up with:
    security = user
    password level = 8
    username level = 8
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    obey pam restrictions = no
    ldap passwd sync = yes
    domain master = no
    preferred master = no
    domain logons = yes
    name resolve order = wins lmhosts bcast
    wins server = X.X.X.X (our company WINS server...)
    dns proxy = no
    passdb backend = ldapsam:ldap://127.0.0.1/
    ...
    ... And all remaining LDAP settings/scripts/admin/suffix etc.
    ...
    dos charset = 850
    unix charset = ISO8859-1

*) Should /etc/ldap.conf => pam_password md5 or crypt

*) Should my /etc/openldap/slapd.conf rootpw ==> be encrypted? For now I'm using plain text with /etc/ldap.conf: bindpw & rootbinddn used in combination with a plain text /etc/ldap.secret

*) Besides removing my host from the PDC's list of detected BDCs prior to:
    net rpc join -S MY_PDC -UAdministrator%myAdminPassWd
   I'm not doing anything on the remote PDC machine? Is there any remote configuration I need to perform for "trust"?
   Note: My BDC -- has the same SID and Workgroup name as my PDC and I'm able to "join" the domain OK... no errors.

*) I'm using IDEALX scripts -- why doesn't Samba provide similar utilities? Are there better 3rd party scripts out there?

**) What might I be missing? What must I do to get "net vampire" to pull and store the PDC/SAM passwords OK?

*) Should I be using SambaTNG instead?

*) Could I use "net rpc samdump" instead -- and manual scripts to convert to LDIF?

Background:
===========
All I want to do is reproduce MS WinNT & 2000 PDC/SAM user/computer/group information in LDAP so I can authenticate web applications and other applications without having to manually maintain all this user information by hand. Later I may also want to synch. with account/address information in Lotus Notes and ADP....

I don't care to have my host as a fulltime BDC -- I don't need my host to replace the PDC -- I don't need the host to authenticate Windows users on the WinDOMAIN; a cron job to synch with the PDC each night -- and then shut down -- would be OK.

SYSTEM INFORMATION:
====================
uname -a
>>Linux host06 2.4.21-20.ELsmp #1 SMP
>>Wed Aug 18 20:46:40 EDT 2004 i686 i686 i386 GNU/Linux

cat /etc/redhat-release
>>Red Hat Enterprise Linux ES release 3 (Taroon Update 3)

rpm -qa | grep -i '???'
>>samba-3.0.6-2.3E
>>nss_ldap-207-11
>>openldap-2.0.27-17
>>pam-0.75-58
>>Note: I've tried pam_ldap v156 & v176 ? no difference

SambaPDC/LDAP Scripts
>> I'm using IDEALX scripts and tried several documents/guides
>> most follow the following link closely: https://mams.melcoe.mq.edu.au/zope/mams/kb/all/samba-ldap/view

Samba Schema
>> I had to download the samba.schema from the Samba group's CVS server
>> Note: My samba.schema was from the source base for: Samba v3.1.0
Craig White
2005-Jan-08 05:30 UTC
[Samba] Help with Samba (net vampire) not pulling passwords into openLDAP backend - fails pam_ldap authentication - pam_unix used instead ?
On Fri, 2005-01-07 at 23:01 -0500, Franciszek Michal Misa wrote:
> Hi All,
>
> Hope someone here can help me ?
----
you REALLY need to read through the documentation on the samba site.

<http://us1.samba.org/samba/docs/man/Samba-Guide/>
<http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/>

John Terpstra has done a phenomenal job documenting just about all you need to know.
----
> I'm looking for advice or links to clear documentation on the use and
> configuration of "net vampire" and its ability to download PDC accounts
> with passwords intact.
>
> I have successfully used "net vampire" to synchronize my Samba BDC --
> with my company's PDC. I've switched my linux box authentication --
> using "authconfig" -- to authenticate against LDAP.
>
> Seems to be working for all but accounts "net vampired" over.....
>
> My original users (root - stored in /etc/passwd) as well as newly
> created users (created with smbldap-useradd - stored in LDAP) -- can log
> into my system fine -- OK.
>
> My problem.... all the newly created users (from PDC using net vampire)
> can be switched to as root using:
>     su - newDomainAccountUser
> BUT -- These users cannot log into the system console themselves....
> All the /home/userX directories have been created -- and LDAP is
> populated with everything it seems but the correct password -- I think ?
>
> -----------------------------------------
> tail -f /var/log/messages reveals:
> >>Jan 7 17:05:04 host06 su(pam_unix)[26618]: check pass; user unknown
> >>Jan 7 17:05:04 host06 su(pam_unix)[26618]: authentication failure;
> logname=fXXXX uid=500 euid=0 tty= ruser=fXXXX rhost=
> >>Jan 7 17:05:04 host06 su[26618]: pam_ldap: error trying to bind as
> user "uid=product,ou=Users,dc=XXXXX,dc=ca" (Invalid credentials)
> NOTE: XXXX replaced sensitive information...
----
invalid credentials is significant.

ldap admin in samba must have write privileges to LDAP

    smbpasswd -w secret    # encrypts password for use with ldap admin
                           # access to ldap
----
> An ldap client I'm using reveals {CRYPT} X -- in place of the NT
> password hashes....
----
passwords didn't migrate - PDC didn't trust your samba machine enough to transmit sam info
----
> Questions:
> ==========
> I'm unclear about the following -- and see many conflicting suggestions
> on the internet:
> *) Should /etc/samba/smb.conf => encrypt passwords = yes
----
that's the default of samba 3.x - doesn't hurt though
----
> *) My BDC /etc/samba/smb.conf is setup with:
>     domain master = no
----
I think you will need domain master = yes in order to get passwords to vampire over - depends upon whether the PDC trusts your computer enough. At the moment you execute the net rpc vampire command, your computer is supposed to be recognized by the PDC as a BDC
----
>     preferred master = no
>     domain logons = yes
>     name resolve order = wins lmhosts bcast
>     wins server = X.X.X.X (our company WINS server...)
>     dns proxy = no
>     passdb backend = ldapsam:ldap://127.0.0.1/
>     ...
>     ... And all remaining LDAP settings/scripts/admin/suffix etc.
----
these might be significant
----
>     ...
>     dos charset = 850
>     unix charset = ISO8859-1
>
> *) Should /etc/ldap.conf => pam_password md5 or crypt
----
mine is set to pam_password md5
----
> *) Should my /etc/openldap/slapd.conf rootpw ==> be encrypted ? for now
> I'm using plain text with /etc/ldap.conf: bindpw & rootbinddn used in
> combination with plain text /etc/ldap.secret
----
should be easy enough...

    slappasswd -c crypt -s secret

or omit the -c crypt and you'll probably get an SSHA passwd
----
> *) Beside removing my host from the PDC's list of detected BDCs prior to:
>     net rpc join -S MY_PDC -UAdministrator%myAdminPassWd
> I'm not doing anything on the remote PDC machine ?
----
not that I can see
----
> Is there any remote configuration I need to perform for "trust" ?
----
I think that you're supposed to join the domain first
----
> Note: My BDC -- has the same SID and Workgroup name as my PDC and
> I'm able to "join" the domain OK... no errors.
> *) I'm using IDEALX scripts -- why doesn't Samba provide similar
> utilities ? Are there better 3rd party scripts out there ?
----
none that I know of
----
> **) What might I be missing ? What must I do to get "net vampire" to
> pull and store the PDC/SAM passwords OK ?
----
you're close
----
> *) Should I be using SambaTNG instead ?
----
I wouldn't
----
> *) Could I use "net rpc samdump" instead -- and manual scripts to
> convert to LDIF ?
----
never done that
----
>
> Background:
> ===========
> All I want to do is reproduce MSWinNT&2000-PDC/SAM user/computer/group
> information in LDAP so I can authenticate web applications and other
> applications without having to manually maintain all this user
> information by hand. Later I may also want to synch. with
> account/address information in LotusNotes and ADP....
> I don't care to have my host as fulltime BDC -- I don't need my host to
> replace the PDC -- I don't need the host to authenticate Windows users
> on the WinDOMAIN; A cron job to synch with PDC each night -- and then
> shutdown would be OK.
----
evidently, you haven't read the documentation on the samba web site enough.

From what you are describing, you should bother with LDAP or BDC. winbind is all you need. vampire is a one time process. A samba based BDC cannot co-exist with a Windows PDC - read the documentation.

The net rpc vampire command is difficult to get working with LDAP. You have to set up base LDAP and slapcat it to an ldif. Try to vampire the PDC and see what doesn't work right, dump the db, slapadd it, slapindex it, fix what was wrong with the setup and vampire again. It's Groundhog Day... you have to keep doing it until you get it right.

You are however, in my opinion from your 'background', going about it the wrong way. Let Windows handle the authentication elements and access it via winbind.

Craig
Andrew Bartlett
2005-Jan-08 20:52 UTC
[Samba] Help with Samba (net vampire) not pulling passwords into openLDAP backend - fails pam_ldap authentication - pam_unix used instead ?
On Fri, 2005-01-07 at 23:01 -0500, Franciszek Michal Misa wrote:
> Hi All,
>
> Hope someone here can help me ?
>
> *See end for background and system information...
>
> I'm looking for advice or links to clear documentation on the use and
> configuration of "net vampire" and its ability to download PDC accounts
> with passwords intact.
>
> I have successfully used "net vampire" to synchronize my Samba BDC --
> with my company's PDC. I've switched my linux box authentication --
> using "authconfig" -- to authenticate against LDAP.
>
> Seems to be working for all but accounts "net vampired" over.....

The one thing that the 'vampire' process will not do is return the plaintext password. This means that Samba cannot set the 'ldap password'.

Your options are to use pam_winbind on your local machine, and authenticate local users against Samba, which then works against the NT and LM passwords we do have, or to use the Heimdal Krb5 snapshot described in https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap and pam_krb5.

Or you can try and have pam_ldap -> OpenLDAP -> SASL PLAIN -> PAM -> pam_winbindd -> winbindd -> OpenLDAP...

Yes, I know this sucks, and I've tried to have discussions with the OpenLDAP folks about how we could have OpenLDAP authenticate against these passwords in a sensible way, and the infrastructure was simply not up to it.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net