Sorry for the repost: my message delivery was set to digest, and that was hard to manage for conversation. I changed that setting. So starting clean with the same subject...

I don't care about SSSD or whether it's even on the machine or not. Right now, it's only used by the machine for login. It isn't used by Samba, and I am very careful to let libwbclient-sssd nowhere near the system to avoid the problems that causes.

I have looked into the idmap_rid backend, and I do not understand how it could be helpful here. I'm not saying I think it isn't; I'm just saying I don't understand. If I'm missing something, please do help if you can.

What I essentially need, which is accomplished by the configuration in the wiki article I provided for old Samba versions when winbindd is not used, is:

1. Windows user attempts to access share with credentials from either already having logged in on a machine with a domain account or by employing "Connect using different credentials" to spontaneously login with a domain account.

2. Samba (with winbindd) performs authentication of username %U against Active Directory domain EXAMPLE.COM, effectively authenticating EXAMPLE.COM\%U

3. If authentication fails, stop. If authentication succeeds, ignore SID, groups and everything else from the AD server, because that server is *only* to be used for authentication of %U. Continue processing.

4. Use username %U to query the LDAP server at ldap.mydomain.com for UID, GID, and UNIX groups.

5. Given information returned from step 4, check user authorization against share definition requirements and permit access for user with UID and GID set as per LDAP lookup.

And it's essentially just: https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP that works with Samba 4.8.0 and winbindd instead of relying on the old Samba fallback mechanism.

How can this be accomplished with winbind?

Kind regards,

Ryan

P.S. This may be a fairly common use case, since each large organization may deploy Kerberos authentication via AD but relatively many smaller sub-organizations may want to rely on the existing authentication architecture while managing their own authorization (e.g. physics, chemistry, mathematics, and computer science departments who each want autonomous authorization without deploying un-synced authentication themselves and leaving users with more credentials to manage). The current use is the third organization I've seen it in or needed it in professionally, but since EL 7 picked up Samba 4.8.0, it is broken as deployed. :-(
Hi Ryan,

> Sorry for the repost: my message delivery was set to digest, and that was hard to manage for conversation. I changed that setting. So starting clean with the same subject...
>
> I don't care about SSSD or whether it's even on the machine or not. Right now, it's only used by the machine for login. It isn't used by Samba, and I am very careful to let libwbclient-sssd nowhere near the system to avoid the problems that causes.
>
> I have looked into the idmap_rid backend, and I do not understand how it could be helpful here. I'm not saying I think it isn't; I'm just saying I don't understand. If I'm missing something, please do help if you can.
>
> What I essentially need, which is accomplished by the configuration in the wiki article I provided for old Samba versions when winbindd is not used, is:
>
> 1. Windows user attempts to access share with credentials from either already having logged in on a machine with a domain account or by employing "Connect using different credentials" to spontaneously login with a domain account.
>
> 2. Samba (with winbindd) performs authentication of username %U against Active Directory domain EXAMPLE.COM, effectively authenticating EXAMPLE.COM\%U
>
> 3. If authentication fails, stop. If authentication succeeds, ignore SID, groups and everything else from the AD server, because that server is *only* to be used for authentication of %U. Continue processing.
>
> 4. Use username %U to query the LDAP server at ldap.mydomain.com for UID, GID, and UNIX groups.

you can achieve the same thing by copying your uidnumber/gidnumber into the AD attributes and using the rfc2307 idmap module on your member server.

> 5. Given information returned from step 4, check user authorization against share definition requirements and permit access for user with UID and GID set as per LDAP lookup.
>
> And it's essentially just:
>
> https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP

I'd say it isn't, in the sense that you want to have share definition authorization, which is enforced by Samba (which then would require Samba to know about group membership et al.). If you don't have any share authorization, then I guess you should be able to use filesystem UGO/ACL restriction (as per the wiki page you mentioned).

But anyway, I encourage you to use a more common configuration type. Samba lets you do many strange setups, but the less standard the setup, the more chance you'll get to fall on strange unexpected behavior... rfc2307 is your friend here.

Cheers,

Denis

> that works with Samba 4.8.0 and winbindd instead of relying on the old Samba fallback mechanism.
>
> How can this be accomplished with winbind?
>
> Kind regards,
>
> Ryan
>
> P.S. This may be a fairly common use case, since each large organization may deploy Kerberos authentication via AD but relatively many smaller sub-organizations may want to rely on the existing authentication architecture while managing their own authorization (e.g. physics, chemistry, mathematics, and computer science departments who each want autonomous authorization without deploying un-synced authentication themselves and leaving users with more credentials to manage). The current use is the third organization I've seen it in or needed it in professionally, but since EL 7 picked up Samba 4.8.0, it is broken as deployed. :-(

-- 
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
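For readers following the thread, the smb.conf fragment below illustrates the rfc2307 idmap setup Denis recommends. It is an added example, not taken from his message, from the Samba wiki page Ryan cites, or from the Samba project; it assumes a Samba 4.8 member server, uses Ryan's AD domain EXAMPLE.COM with a constructed NetBIOS workgroup name EXAMPLE, and the id ranges, share name, path and group name are constructed placeholders.

```ini
[global]
   ; Assumed names: EXAMPLE.COM is the AD domain from the thread,
   ; EXAMPLE is a constructed NetBIOS workgroup name.
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   ; security = ADS: winbindd handles the Kerberos/NTLM authentication
   ; of %U against the domain and the SID <-> UID/GID mapping.
   security = ADS
   winbind use default domain = yes

   ; Default backend for SIDs that are not from EXAMPLE (BUILTIN etc.).
   ; Constructed range; it must not overlap the domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; rfc2307 mode: winbindd reads uidNumber/gidNumber (and, with
   ; unix_nss_info = yes, loginShell/unixHomeDirectory) from the AD
   ; user and group objects instead of allocating ids itself.
   ; The ad backend is read-only: a user whose uidNumber is missing,
   ; or outside the range, gets no mapping and cannot open a share.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : unix_nss_info = yes

; Constructed share. "valid users" is enforced by Samba itself, so
; winbindd must be able to resolve the AD group and its membership;
; this is the point Denis makes about share definition authorization.
[physics]
   path = /srv/samba/physics
   valid users = @"EXAMPLE\physics-staff"
   read only = no
```

The approach presupposes that the uidNumber/gidNumber values currently held in OpenLDAP are written into the corresponding attributes of the AD user and group objects, which needs write access to those objects. With `winbind` added to the passwd and group lines of /etc/nsswitch.conf, `net ads join` performed, and winbindd running, `getent passwd <user>` and `wbinfo -i <user>` show whether the ids come back from AD; a user who is authenticated but has no rfc2307 attributes in range simply does not resolve, which is the failure mode to check for first.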
On 14/06/2019 15:31, Denis Cardon via samba wrote:
> Hi Ryan,
>
>> Sorry for the repost: my message delivery was set to digest, and that was hard to manage for conversation. I changed that setting. So starting clean with the same subject...
>>
>> I don't care about SSSD or whether it's even on the machine or not. Right now, it's only used by the machine for login. It isn't used by Samba, and I am very careful to let libwbclient-sssd nowhere near the system to avoid the problems that causes.
>>
>> I have looked into the idmap_rid backend, and I do not understand how it could be helpful here. I'm not saying I think it isn't; I'm just saying I don't understand. If I'm missing something, please do help if you can.
>>
>> What I essentially need, which is accomplished by the configuration in the wiki article I provided for old Samba versions when winbindd is not used, is:
>>
>> 1. Windows user attempts to access share with credentials from either already having logged in on a machine with a domain account or by employing "Connect using different credentials" to spontaneously login with a domain account.
>>
>> 2. Samba (with winbindd) performs authentication of username %U against Active Directory domain EXAMPLE.COM, effectively authenticating EXAMPLE.COM\%U
>>
>> 3. If authentication fails, stop. If authentication succeeds, ignore SID, groups and everything else from the AD server, because that server is *only* to be used for authentication of %U. Continue processing.
>>
>> 4. Use username %U to query the LDAP server at ldap.mydomain.com for UID, GID, and UNIX groups.
>
> you can achieve the same thing by copying your uidnumber/gidnumber into the AD attributes and using the rfc2307 idmap module on your member server.
>
>> 5. Given information returned from step 4, check user authorization against share definition requirements and permit access for user with UID and GID set as per LDAP lookup.
>>
>> And it's essentially just:
>>
>> https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP
>
> I'd say it isn't, in the sense that you want to have share definition authorization, which is enforced by Samba (which then would require Samba to know about group membership et al.). If you don't have any share authorization, then I guess you should be able to use filesystem UGO/ACL restriction (as per the wiki page you mentioned).

Totally agree, and I don't think the method on that page is relevant any more. I don't think it will work either; it was written for use with Samba 3.3.x at most.

Rowland
On Fri, Jun 14, 2019 at 10:31 AM Denis Cardon <dcardon at tranquil.it> wrote:
> Hi Ryan,
>
>> Sorry for the repost: my message delivery was set to digest, and that was hard to manage for conversation. I changed that setting. So starting clean with the same subject...
>>
>> I don't care about SSSD or whether it's even on the machine or not. Right now, it's only used by the machine for login. It isn't used by Samba, and I am very careful to let libwbclient-sssd nowhere near the system to avoid the problems that causes.
>>
>> I have looked into the idmap_rid backend, and I do not understand how it could be helpful here. I'm not saying I think it isn't; I'm just saying I don't understand. If I'm missing something, please do help if you can.
>>
>> What I essentially need, which is accomplished by the configuration in the wiki article I provided for old Samba versions when winbindd is not used, is:
>>
>> 1. Windows user attempts to access share with credentials from either already having logged in on a machine with a domain account or by employing "Connect using different credentials" to spontaneously login with a domain account.
>>
>> 2. Samba (with winbindd) performs authentication of username %U against Active Directory domain EXAMPLE.COM, effectively authenticating EXAMPLE.COM\%U
>>
>> 3. If authentication fails, stop. If authentication succeeds, ignore SID, groups and everything else from the AD server, because that server is *only* to be used for authentication of %U. Continue processing.
>>
>> 4. Use username %U to query the LDAP server at ldap.mydomain.com for UID, GID, and UNIX groups.
>
> you can achieve the same thing by copying your uidnumber/gidnumber into the AD attributes and using the rfc2307 idmap module on your member server.

I do not have any access to add or change information on the AD server (aside from joining the machine and thus creating a machine account), and any existing information on the AD server is not relevant to my deployment. My access is purely read-only. I am not sure how rfc2307 will help here, because my understanding is that it deals with what information to retrieve from AD itself.

>> 5. Given information returned from step 4, check user authorization against share definition requirements and permit access for user with UID and GID set as per LDAP lookup.
>>
>> And it's essentially just:
>>
>> https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP
>
> I'd say it isn't, in the sense that you want to have share definition authorization, which is enforced by Samba (which then would require Samba to know about group membership et al.). If you don't have any share authorization, then I guess you should be able to use filesystem UGO/ACL restriction (as per the wiki page you mentioned).

I am coming off a CentOS 6 deployment with Samba 3. Here, winbind is not installed, but the machine is joined to the AD domain, and Kerberos and OpenLDAP are configured on the machine (but not within Samba itself). When Samba receives a Kerberos ticket (from existing Windows login session or spontaneous login as other user), it authenticates %U against AD, but it queries the local machine, which accesses my OpenLDAP server for UID, GID, and group membership. This correctly authorizes users for a wide variety of shares based on the UNIX groups of which they are a member in my OpenLDAP server and *not* the central AD server (which has no knowledge of these groups at all).

I don't honestly know how Samba 3 is getting this information, but it is, because if I change either the @share in the [share] definition or remove the user from group share on my OpenLDAP server, the user can no longer access the share provided by [share].

> But anyway, I encourage you to use a more common configuration type. Samba lets you do many strange setups, but the less standard the setup, the more chance you'll get to fall on strange unexpected behavior... rfc2307 is your friend here.

In fact, from following other postings on this list, it sounds like I really just need Samba to use the authentication and authorization facilities of the Linux host, Kerberos 5 and the OpenLDAP client. The machine wouldn't even need to be joined to the domain. As a result, I guess I could set up 'security = user'. The only problem with this, I think, and it is fatal, is that users could not authenticate with existing Kerberos tickets from the Windows host, but would need to supply username/password credentials. Is this correct? If it's possible for Windows login tickets to work with a 'security = user' configuration, then I'm very happy to go that route.

> Cheers,
>
> Denis
>
>> that works with Samba 4.8.0 and winbindd instead of relying on the old Samba fallback mechanism.
>>
>> How can this be accomplished with winbind?
>>
>> Kind regards,
>>
>> Ryan
>>
>> P.S. This may be a fairly common use case, since each large organization may deploy Kerberos authentication via AD but relatively many smaller sub-organizations may want to rely on the existing authentication architecture while managing their own authorization (e.g. physics, chemistry, mathematics, and computer science departments who each want autonomous authorization without deploying un-synced authentication themselves and leaving users with more credentials to manage). The current use is the third organization I've seen it in or needed it in professionally, but since EL 7 picked up Samba 4.8.0, it is broken as deployed. :-(
>
> --
> Denis Cardon
> Tranquil IT
> 12 avenue Jules Verne (Bat. A)
> 44230 Saint Sébastien sur Loire (FRANCE)
> tel : +33 (0) 240 975 755
> http://www.tranquil.it
>
> Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
> Samba install wiki for Frenchies : https://dev.tranquil.it
> WAPT, software deployment made easy : https://wapt.fr