Randy Rue
2012-May-31 18:24 UTC
[Samba] Tangential Issue: idmap backend = ad and Active Directory 2008R2
Tried single quotes on Domain Admins in the pam.d file as well as a backslash on the space with no effect. I've found several references that just say "no spaces in group names." Is there really no way to do this?

Also, most references I find to using these lines in pam.d say that "sufficient" should work, but I'm finding that users in the named group can then log in with or without their correct password. Do I understand correctly that "sufficient" means "hey, this user is in this group, good enough even if their password is bogus?" What needs to change?

Is this the right forum for these questions?

Randy

-----Original Message-----
From: Randy Rue [mailto:rrue at fhcrc.org]
Sent: Thursday, May 31, 2012 8:23 AM
To: 'samba at lists.samba.org'
Subject: RE: [Samba] idmap backend = ad and Active Directory 2008R2

I've swapped in my domain name/etc and commented the lines that I believe don't apply to my environment; if I disabled something necessary please let me know. Here's the smb.conf I tried:

[global]
netbios name = HAPPYTOBEHERE
security = ads
workgroup = FOO
realm = FOO.ORG
password server = dcx.foo.org dcy.foo.org dcz.foo.org <----I also tried it with a single DC entry
preferred master = no
encrypt passwords = yes
kerberos method = secrets only

# general options
# vfs objects = shadow_copy2 fileid gpfs
# unix extensions = no
# mangled names = no
# case sensitive = no
# map untrusted to domain = yes
deadtime = 0
log level = 1
log file = /var/log/samba/%I.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_REUSEADDR SO_KEEPALIVE

# store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
# ea support = yes
# store dos attributes = yes
# map readonly = no
# map archive = no
# map system = no

# the ctdb clustering and GPFS stuff
# clustering = yes
# ctdbd socket = /tmp/ctdb.socket
# fileid : algorithm = fsname
# gpfs : sharemodes = yes
# gpfs : winattr = yes
# force unknown acl user = yes
# nfs4 : mode = special
# nfs4 : chown = no
# nfs4 : acedup = merge

# enable shadow copies
# shadow : snapdir = /happytobehere/.snapshots
# shadow : basedir = /happytobehere
# shadow : fixinodes = yes

# silence warnings about CUPS
# printing = bsd
# printcap name = /etc/printcap
# load printers = yes
cups options = raw

# stuff necessary for guest logins to work where required
# guest account = nobody
# map to guest = bad user

# fake the dfree information to match the fileset quota if it exists
# dfree cache time = 15
# dfree command = /var/lib/samba/scripts/mmdfree

# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config FOO : backend = ad
idmap config FOO : schema_mode = rfc2307
idmap config FOO : readonly = yes
idmap config FOO : range = 500 - 1999999
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false

Here's /etc/pam.d/password-auth-ac if that helps:

[root at happytobehere samba]# cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_succeed_if.so user ingroup adm_it_sops_lessadmins_mod
auth sufficient pam_succeed_if.so user ingroup "domain admins"
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

[BTW, when this does work I still see errors in syslog about accounts I know are Domain Admins still not being recognized as members of the group "domain," do I need to do something else to escape that space in the group name? Maybe a backslash?]

And here's what syslog sees for an attempt via SSH:

May 31 08:11:54 happytobehere sshd[12713]: Invalid user should_work from www.xxx.yyy.zzz
May 31 08:11:54 happytobehere sshd[12716]: input_userauth_request: invalid user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): check pass; user unknown
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machineX.foo.org
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:03 happytobehere sshd[12713]: Failed password for invalid user should_work from www.xxx.yyy.zzz port 51602 ssh2
May 31 08:12:06 happytobehere sshd[12716]: Received disconnect from www.xxx.yyy.zzz: 13: Unable to authenticate

Grateful for your help...

Randy Rue

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Jonathan Buzzard
Sent: Thursday, May 31, 2012 5:36 AM
To: samba at lists.samba.org
Subject: Re: [Samba] idmap backend = ad and Active Directory 2008R2

This is a working smb.conf CentOS 6.2 latest aka 3.5.10-116.el6_2.x86_6 configuration against a Windows 2008R2 domain. Note we are using GPFS as our underlying file system and CTDB. All I have changed is the names.

[global]
netbios name = NEMO
security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.MEGACORP.COM
password server = *
preferred master = no
encrypt passwords = yes
kerberos method = secrets only

# general options
vfs objects = shadow_copy2 fileid gpfs
unix extensions = no
mangled names = no
case sensitive = no
map untrusted to domain = yes
deadtime = 0
log level = 1
log file = /var/log/samba/%I.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_REUSEADDR SO_KEEPALIVE

# store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no

# the ctdb clustering and GPFS stuff
clustering = yes
ctdbd socket = /tmp/ctdb.socket
fileid : algorithm = fsname
gpfs : sharemodes = yes
gpfs : winattr = yes
force unknown acl user = yes
nfs4 : mode = special
nfs4 : chown = no
nfs4 : acedup = merge

# enable shadow copies
shadow : snapdir = /nemo/.snapshots
shadow : basedir = /nemo
shadow : fixinodes = yes

# silence warnings about CUPS
printing = bsd
printcap name = /etc/printcap
load printers = yes
cups options = raw

# stuff necessary for guest logins to work where required
guest account = nobody
map to guest = bad user

# fake the dfree information to match the fileset quota if it exists
dfree cache time = 15
dfree command = /var/lib/samba/scripts/mmdfree

# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : readonly = yes
idmap config MYDOMAIN : range = 500 - 1999999
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false

--
Jonathan A. Buzzard
Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
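The "sufficient" behaviour asked about above can be checked with a small model of Linux-PAM control-flag semantics. This is an added example, not code from the thread: it reduces the posted auth stack to a single group, stubs each module's result per scenario instead of calling real PAM, and compares the posted ordering with one where the group test is "requisite" and only the password modules are "sufficient" (the group with a space is written in the square-bracket form that pam.conf(5) documents for arguments containing spaces).

```python
# Reduced model of Linux-PAM control flags (pam.conf(5)); module results are stubbed.
def parse_stack(text):
    # 'type control module [args...]' -> (control, "module args"); '#' comments dropped
    stack = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].split()
        if line:
            stack.append((line[1], " ".join(line[2:])))
    return stack

def run_stack(stack, outcomes):
    """outcomes maps 'module args' -> bool; returns True if PAM would grant."""
    failed = positive = False  # a 'required' failure seen / some module succeeded
    for control, entry in stack:
        ok = outcomes.get(entry, False)
        if control == "required":
            failed, positive = failed or not ok, positive or ok
        elif control == "requisite":
            if not ok:
                return False              # stop at once: deny
            positive = True
        elif control == "sufficient":
            if ok and not failed:
                return True               # stop at once: grant, later lines never run
        elif control == "optional":
            positive = positive or ok
        else:
            raise ValueError("unsupported control flag: " + control)
    return positive and not failed

# Posted auth stack, reduced to one group. pam.conf(5) allows [square brackets]
# around an argument that contains spaces, so the group is written [domain admins].
POSTED = """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_succeed_if.so user ingroup [domain admins]
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required   pam_deny.so
"""
# Hardened: the group test is a gate (requisite); only password modules may grant.
HARDENED = POSTED.replace("sufficient pam_succeed_if.so user", "requisite  pam_succeed_if.so user")

def scenario(in_group, password_ok):
    # Stubbed outcomes for an AD user (uid >= 500, no local password entry).
    return {"pam_env.so": True, "pam_unix.so nullok try_first_pass": False,
            "pam_succeed_if.so uid >= 500 quiet": True,
            "pam_succeed_if.so user ingroup [domain admins]": in_group,
            "pam_krb5.so use_first_pass": password_ok,
            "pam_winbind.so use_first_pass": password_ok, "pam_deny.so": False}

def decide(stack_text, in_group, password_ok):
    return run_stack(parse_stack(stack_text), scenario(in_group, password_ok))
```

With the posted ordering, decide(POSTED, True, False) returns True: a group member is granted before pam_krb5 or pam_winbind ever sees the password, and a non-member with a valid password is granted too, so the group line restricts nothing. With the hardened ordering only a member with a valid password is granted.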