On 11/30/22 3:56 AM, Alexander Harm || ApfelQ via samba wrote:
> Not from my side. I tried it a couple of times but for us containers were always a mess when it came to Samba. Starting from permission issues and problems forwarding all the ports necessary (which conflicted with the host). That is why we only use virtual machines now.

We have no problem running Samba AD as OCI containers; the trick is to use host networking and set up an extra IP address for the DC and bind only to it. This way there are no conflicts with the host. It was required because Samba insists on adding the container-internal IP to DNS when host networking isn't used, and that IP isn't reachable by clients.

>
>> On Wednesday, Nov 30, 2022 at 8:14 AM, Zombie Ryushu via samba <samba at lists.samba.org> wrote:
>> On 11/30/22 02:01, Joachim Lindenberg via samba wrote:
>>> Hello Andrew,
>>> good point. Actually I would love to run freeradius + samba in one or two docker containers. However, while there are descriptions on how to run freeradius in a container, there aren't a lot for a samba member server. Any pointer for that?
>>> Thanks,
>>> Joachim
>>>
>>> -----Original Message-----
>>> From: Andrew Bartlett <abartlet at samba.org>
>>> Sent: Wednesday, 30 November 2022 00:51
>>> To: Joachim Lindenberg <samba at lindenberg.one>; samba at lists.samba.org
>>> Subject: Re: [Samba] freeradius on dc?
>>>
>>> On Tue, 2022-11-29 at 22:31 +0100, Joachim Lindenberg via samba wrote:
>>>> Hello,
>>>>
>>>> I am wondering whether it is possible / recommended or not, to install and use freeradius on a domain controller. The documentation at https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory is about installation/configuration on member servers only.
>>>>
>>>> Any thoughts? What changes on a dc?
>>>
>>> It should still just work, as the same winbindd is under the hood and this mode of operation is connected, but running a member server allows more separation of concerns and avoids any DC being 'special'.
>>>
>>> VMs or containers are good for this.
>>>
>>> Andrew Bartlett
>>
>> I might be able to chime in on here: if your DC is RFC2307 compliant, you might be able to treat Samba like OpenLDAP and Heimdal.
>>
>> I used to do this with my old OpenLDAP/Heimdal/Samba 3 setup. I know for a fact the OpenLDAP schema for FreeRadius can be converted and imported into Samba 4 AD, but this "breaks" Samba 4's compatibility with other AD forests wherein actual Windows Servers need the same schema.
Hello:

I have implemented an AD with Samba4 and, for process reasons, I need user password changes to be done from an external system. Currently the password changes are made from that system by connecting to the ldaps port, but our idea is that the operations are centralized in a REST API, and we are trying to make a method that receives the hash from the external system and applies it in Samba4 (for audit reasons we do not want to receive the flat password by any reversible method that involves administration, at any point on our side, of the flat password).

I have been testing generating the hash and inserting it through "ldbmodify" with bash:

user=123456789
user_pass="password"
UNICODEPWD=$(echo -n "\"$user_pass\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

ldbmodify -H /.../sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=$user,OU=user,DC=company,DC=com
changetype: modify
delete: unicodePwd
-
add: unicodePwd
unicodePwd:: $UNICODEPWD
EOF

My question is whether the script is correct, because even though I apply the new password, when I test with kinit it doesn't give OK. I was reading a thread on the list but it was not clear to me whether the method is correct or just suggestions to try. I was also trying to identify in the samba-tool source code how it performs the password change (setpassword), but I did not find the code it uses.

Regards
Marcos Negrini
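As an added illustration of the two formats involved in the question above (example code written for this page, not from the thread, samba-tool or Samba itself): the value a unicodePwd modify carries over LDAP is the clear-text password wrapped in double quotes and encoded as UTF-16LE, which is exactly what the iconv/base64 pipeline in the script produces. What the DC stores in sam.ldb after its password handling runs is a different thing: the NT hash, an unsalted MD4 over the UTF-16LE password (no quotes). The LDAP write never carries the hash. The Python below builds the LDIF for a reset and computes both forms so the difference is visible; the DN reuses the thread's constructed placeholder, and MD4 is implemented inline because hashlib's md4 is frequently disabled under OpenSSL 3. Because the NT hash is unsalted and password-equivalent, an API that receives it from another system has to protect it in transit and at rest exactly as it would protect the clear-text password, so it changes where the secret lives rather than removing it.

```python
import base64
import struct

# Added example, not code from the thread or from Samba. It shows the two
# forms a password takes around a Samba AD DC: the LDAP wire value for a
# unicodePwd modify (quoted password, UTF-16LE, base64 in LDIF) and the
# stored value (NT hash = MD4 over the unquoted UTF-16LE password).


def unicode_pwd_value(password: str) -> str:
    """Base64 value an LDIF 'unicodePwd::' line carries for a password
    change: the clear-text password in double quotes, UTF-16LE encoded."""
    quoted = '"%s"' % password
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def password_change_ldif(dn: str, password: str) -> str:
    """LDIF for an administrative reset of one account's password.
    A single 'replace' is the reset form; the delete(old)/add(new) pair
    is the self-service change form, where the old value must match."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        "unicodePwd:: %s\n"
        "-\n" % (dn, unicode_pwd_value(password))
    )


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), enough to show what the DC stores."""
    mask = 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    # Padding: 0x80, zeros to 56 mod 64, then the bit length little-endian.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):
            a = rotl((a + f(b, c, d) + x[i]) & mask, s)
            a, b, c, d = d, a, b, c
        for i, s in zip(r2, [3, 5, 9, 13] * 4):
            a = rotl((a + g(b, c, d) + x[i] + 0x5A827999) & mask, s)
            a, b, c, d = d, a, b, c
        for i, s in zip(r3, [3, 9, 11, 15] * 4):
            a = rotl((a + h(b, c, d) + x[i] + 0x6ED9EBA1) & mask, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & mask, (b + bb) & mask,
                      (c + cc) & mask, (d + dd) & mask)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """What sam.ldb keeps as unicodePwd: MD4 over the UTF-16LE password,
    without quotes and without salt, here rendered as hex."""
    return _md4(password.encode("utf-16-le")).hex()


if __name__ == "__main__":
    # Constructed DN, reusing the placeholder from the question above.
    dn = "CN=123456789,OU=user,DC=company,DC=com"
    print(password_change_ldif(dn, "password"))
    print("stored form (NT hash):", nt_hash("password"))
```

Running it prints the LDIF with `unicodePwd:: IgBwAGEAcwBzAHcAbwByAGQAIgA=` (the same value the thread's iconv/base64 pipeline yields for "password") and the well-known NT hash of "password" as the stored form; putting the two side by side makes clear that a write of the wire value is a write of the clear-text password, whatever the transport.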
30.11.2022 16:18, Robert Marcano via samba wrote:
> On 11/30/22 3:56 AM, Alexander Harm || ApfelQ via samba wrote:
>> Not from my side. I tried it a couple of times but for us containers were always a mess when it came to Samba. Starting from permission issues and problems forwarding all the ports necessary (which conflicted with the host). That is why we only use virtual machines now.
>
> We have no problem running Samba AD as OCI containers; the trick is to use host networking and set up an extra IP address for the DC and bind only to it. This way there are no conflicts with the host.

A much easier trick is to use *container* networking with its own IP address given to/used exclusively by this container. This might require setting up a bridge on the host though. Once this is done, any number of containers can be run, including running a service (samba in this case) in the regular root filesystem but with unique configuration (e.g. I bind /etc/samba.$container to /etc/samba, /var/lib/samba.$container to /var/lib/samba, etc).

/mjt
On Wed, 2022-11-30 at 09:18 -0400, Robert Marcano via samba wrote:
> On 11/30/22 3:56 AM, Alexander Harm || ApfelQ via samba wrote:
> > Not from my side. I tried it a couple of times but for us containers were always a mess when it came to Samba. Starting from permission issues and problems forwarding all the ports necessary (which conflicted with the host). That is why we only use virtual machines now.
>
> We have no problem running Samba AD as OCI containers; the trick is to use host networking and set up an extra IP address for the DC and bind only to it. This way there are no conflicts with the host.
> It was required because Samba insists on adding the container-internal IP to DNS when host networking isn't used, and that IP isn't reachable by clients.

The samba_dnsupdate script can be controlled for that, but I think host networking just makes much more sense for this, given how many ports we open etc.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions