Greetings, All!

I'm still on the topic, but probably I read too much stuff lately and can't have my head set straight.

Situation: NT4 domain, LDAP+Samba 3.6, running under Ubuntu 12.04. The machine is also a network gateway and access (VPN/ssh) server.

Target goals:
1. Upgrade to Samba4 (4.1 seems possible).
2. Convert to ADS.
3. Get rid of PAM-LDAP.
4. Retain ability for domain users to login locally (VPN/ssh) to the system.

I've done some experimentation in the virtualized copy of the environment, first with 12.04 and Samba 4.1 from PPA (backport from the 14.04 dist), then upgraded to 14.04 due to some conflicting dependencies (same 4.1 Samba). classicupgrade seems to be working, as do the bind_dlz and client workstation domain logins.

Now, there's a problem:
getent passwd doesn't list domain users, even though winbind is listed in pam-auth-update as part of the authentication stack.
Domain users can't connect to SSH - "access denied".

Relevant auth.log is this:
Feb 22 23:23:34 userl sshd[2576]: Invalid user natali from 192.168.56.1
Feb 22 23:23:34 userl sshd[2576]: input_userauth_request: invalid user natali [preauth]
Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 22 23:23:46 userl sshd[2576]: Failed password for invalid user natali from 192.168.56.1 port 51422 ssh2

However,
# wbinfo -u | grep natali && echo Found.
natali
Found.

On top of that, I've been stuck in the Microsoft article https://technet.microsoft.com/en-us/library/cc726016.aspx and I'm wondering how it is applicable to Samba ADS?

Could it be worthwhile to, let's say, run Samba in an LXC container?

P.S.
The page https://wiki.samba.org/index.php/Samba_Classic_Upgrade_(NT4-style_domain_to_AD) is outdated/incomplete - there's no "slapd.conf" file for late releases of OpenLDAP. On systems with schema-storage-based configuration, it is necessary to add
olcSizeLimit: unlimited
to /etc/ldap/slapd.d/cn=config.ldif (if I'm not mistaken).

-- 
WBR, Andrey Repin (anrdaemon at yandex.ru) 22.02.2015, <21:29>

Sorry for my terrible English...
On 22/02/15 20:25, Andrey Repin wrote:
> Greetings, All!
>
> I'm still on the topic, but probably I read too much stuff lately and can't
> have my head set straight.
>
> Situation: NT4 domain, LDAP+Samba 3.6, running under Ubuntu 12.04.
> The machine is also a network gateway and access (VPN/ssh) server.
>
> Target goals:
> 1. Upgrade to Samba4 (4.1 seems possible).
> 2. Convert to ADS.
> 3. Get rid of PAM-LDAP.
> 4. Retain ability for domain users to login locally (VPN/ssh) to the system.
>
> I've done some experimentation in the virtualized copy of the environment,
> first with 12.04 and Samba 4.1 from PPA (backport from the 14.04 dist), then
> upgraded to 14.04 due to some conflicting dependencies (same 4.1 Samba).
> classicupgrade seems to be working, as do the bind_dlz and client workstation
> domain logins.
>
> Now, there's a problem:
> getent passwd doesn't list domain users, even though winbind is listed in
> pam-auth-update as part of the authentication stack.
> Domain users can't connect to SSH - "access denied".
>
> Relevant auth.log is this:
> Feb 22 23:23:34 userl sshd[2576]: Invalid user natali from 192.168.56.1
> Feb 22 23:23:34 userl sshd[2576]: input_userauth_request: invalid user natali [preauth]
> Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): check pass; user unknown
> Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
> Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): getting password (0x00000388)
> Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): pam_get_item returned a password
> Feb 22 23:23:46 userl sshd[2576]: Failed password for invalid user natali from 192.168.56.1 port 51422 ssh2
>
> However,
> # wbinfo -u | grep natali && echo Found.
> natali
> Found.
>
>
> On top of that, I've been stuck in the Microsoft article
> https://technet.microsoft.com/en-us/library/cc726016.aspx and I'm wondering
> how it is applicable to Samba ADS?
>
> Could it be worthwhile to, let's say, run Samba in an LXC container?
>
> P.S.
> The page
> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_(NT4-style_domain_to_AD)
> is outdated/incomplete - there's no "slapd.conf" file for late releases of
> OpenLDAP. On systems with schema-storage-based configuration, it is necessary to
> add
> olcSizeLimit: unlimited
> to /etc/ldap/slapd.d/cn=config.ldif (if I'm not mistaken).
>
>

You probably don't have winbind set up correctly; start by having a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
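The "wbinfo -u finds the user but getent passwd does not" symptom in the original post is the classic sign that NSS is not wired to winbind: wbinfo talks to winbindd directly, while getent goes through /etc/nsswitch.conf. As an added example (not code from the thread or from the Samba project), this POSIX shell snippet checks whether the passwd and group lines of an nsswitch.conf list winbind; the two sample files are constructed for a self-contained run, and the library path list in nss_module_installed is an assumption about typical Debian/Ubuntu layouts.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: does this nsswitch.conf route
# passwd and group lookups through winbind? If not, "getent passwd" will
# never show domain users even though "wbinfo -u" lists them.

# nss_has_winbind <db> <file>: exit 0 if the "<db>:" line lists winbind.
nss_has_winbind() {
    db=$1
    file=$2
    # Drop comments first, then inspect the fields of the matching database line.
    sed -e 's/#.*//' "$file" | awk -v db="$db" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_nsswitch [file]: report each database missing winbind; exit status 1
# if any is missing. Defaults to the live /etc/nsswitch.conf.
check_nsswitch() {
    file=${1:-/etc/nsswitch.conf}
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$db" "$file"; then
            echo "$db: winbind present"
        else
            echo "$db: winbind MISSING (getent $db will not show domain users)"
            rc=1
        fi
    done
    return $rc
}

# nss_module_installed: glibc silently ignores the keyword when the
# libnss_winbind library is absent (on Ubuntu it ships in libnss-winbind).
# Paths are assumed typical Debian/Ubuntu locations.
nss_module_installed() {
    ls /lib/*/libnss_winbind.so.2 /lib/libnss_winbind.so.2 \
       /usr/lib/libnss_winbind.so.2 >/dev/null 2>&1
}

# Constructed sample files (not the poster's real configuration).
BAD=$(mktemp)
GOOD=$(mktemp)
trap 'rm -f "$BAD" "$GOOD"' EXIT
printf 'passwd: compat\ngroup:  compat\nhosts:  files dns\n' > "$BAD"
printf 'passwd: compat winbind\ngroup:  compat winbind # added\nhosts:  files dns\n' > "$GOOD"

# Demonstration against the broken sample; "|| :" keeps the non-zero status
# from aborting a shell started with -e.
check_nsswitch "$BAD" || :
```

Run check_nsswitch with no argument on the DC to inspect the real file; if both lines already list winbind, check nss_module_installed next.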
Hi Andrey

> Greetings, All!
>
> I'm still on the topic, but probably I read too much stuff lately and can't
> have my head set straight.
>
> Situation: NT4 domain, LDAP+Samba 3.6, running under Ubuntu 12.04.
> The machine is also a network gateway and access (VPN/ssh) server.
>
> Target goals:
> 1. Upgrade to Samba4 (4.1 seems possible).
> 2. Convert to ADS.
> 3. Get rid of PAM-LDAP.
> 4. Retain ability for domain users to login locally (VPN/ssh) to the system.
>
> I've done some experimentation in the virtualized copy of the environment,
> first with 12.04 and Samba 4.1 from PPA (backport from the 14.04 dist), then
> upgraded to 14.04 due to some conflicting dependencies (same 4.1 Samba).
> classicupgrade seems to be working, as do the bind_dlz and client workstation
> domain logins.
>
> Now, there's a problem:
> getent passwd doesn't list domain users, even though winbind is listed in
> pam-auth-update as part of the authentication stack.
> Domain users can't connect to SSH - "access denied".

Are you trying to set up pam/nss winbind directly on the samba4 DC?

From reading your samba3 setup, it looks like you want to have everything on the same machine. You should better try to set up all the non-DC services on a separate member server and see if you get the expected result. Winbind is kinda special on a DC in 4.0 and 4.1. I guess it will be easier to make your kind of setup on samba 4.2, but anyway, it won't be such a great idea; in the time of virtualisation and containers, it is easier to split things up.

Cheers,

Denis

> Relevant auth.log is this:
> Feb 22 23:23:34 userl sshd[2576]: Invalid user natali from 192.168.56.1
> Feb 22 23:23:34 userl sshd[2576]: input_userauth_request: invalid user natali [preauth]
> Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): check pass; user unknown
> Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
> Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): getting password (0x00000388)
> Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): pam_get_item returned a password
> Feb 22 23:23:46 userl sshd[2576]: Failed password for invalid user natali from 192.168.56.1 port 51422 ssh2
>
> However,
> # wbinfo -u | grep natali && echo Found.
> natali
> Found.
>
>
> On top of that, I've been stuck in the Microsoft article
> https://technet.microsoft.com/en-us/library/cc726016.aspx and I'm wondering
> how it is applicable to Samba ADS?
>
> Could it be worthwhile to, let's say, run Samba in an LXC container?
>
> P.S.
> The page
> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_(NT4-style_domain_to_AD)
> is outdated/incomplete - there's no "slapd.conf" file for late releases of
> OpenLDAP. On systems with schema-storage-based configuration, it is necessary to
> add
> olcSizeLimit: unlimited
> to /etc/ldap/slapd.d/cn=config.ldif (if I'm not mistaken).
>
>
Greetings, Denis Cardon!

> Hi Andrey
>> Greetings, All!
>>
>> I'm still on the topic, but probably I read too much stuff lately and can't
>> have my head set straight.
>>
>> Situation: NT4 domain, LDAP+Samba 3.6, running under Ubuntu 12.04.
>> The machine is also a network gateway and access (VPN/ssh) server.
>>
>> Target goals:
>> 1. Upgrade to Samba4 (4.1 seems possible).
>> 2. Convert to ADS.
>> 3. Get rid of PAM-LDAP.
>> 4. Retain ability for domain users to login locally (VPN/ssh) to the system.
>>
>> I've done some experimentation in the virtualized copy of the environment,
>> first with 12.04 and Samba 4.1 from PPA (backport from the 14.04 dist), then
>> upgraded to 14.04 due to some conflicting dependencies (same 4.1 Samba).
>> classicupgrade seems to be working, as do the bind_dlz and client workstation
>> domain logins.
>>
>> Now, there's a problem:
>> getent passwd doesn't list domain users, even though winbind is listed in
>> pam-auth-update as part of the authentication stack.
>> Domain users can't connect to SSH - "access denied".
> Are you trying to set up pam/nss winbind directly on the samba4 DC?

Of course. I see no reason not to do it. Hardware must work, or it gets written off the balance.

> From reading your samba3 setup, it looks like you want to have everything on
> the same machine. You should better try to set up all the non-DC services on
> a separate member server

Assuming I have a spare server lying around just for the occasion to set up a DC/winbind on it? Sorry, but that simply doesn't happen. Not in this country. Not in this life.

> and see if you get the expected result. Winbind is kinda special on a DC in
> 4.0 and 4.1. I guess it will be easier to make your kind of setup on samba
> 4.2, but anyway, it won't be such a great idea; in the time of
> virtualisation and containers, it is easier to split things up.

I'm currently trying to stuff my pipe with LXC/LXD docs. We'll see how far I can go from here.

If you allow me a question: assuming I set up an LXC container on the current server (32-bit), make all the configuration in it, and then reinstall a 64-bit OS (same version of every software) and pull up the configured container, would that work OOB?

-- 
WBR, Andrey Repin (anrdaemon at yandex.ru) 23.02.2015, <01:43>

Sorry for my terrible English...