Oscar A. Valdez
2006-Jan-15 00:58 UTC
[Fedora-directory-users] Samba & Fedora Directory Server Integration
I've followed the Samba & Fedora Directory Server Integration How-To located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm about to upload my user accounts into the DS. I have two questions before I proceed, though:

1) At the end of the How-To, a "testuser" is added to the Samba server with the "smbpasswd -a" command. Wouldn't the DS make the user accounts visible to the Samba server, making it unnecessary to add them via smbpasswd? If it's really necessary to add the accounts via smbpasswd, then the DS isn't really a backend to the Samba Server: they would be acting in parallel.

2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference Guide" (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672) mentions quite a few attributes for the sambaSamAccount ObjectClass, such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID, sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID, sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not present in the ldif files generated by the openldap migrate_passwd.pl script recommended by the How-To. How should these attributes be added, if one follows the How-To?

-- 
Oscar A. Valdez
Craig White
2006-Jan-15 06:08 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
On Sat, 2006-01-14 at 18:58 -0600, Oscar A. Valdez wrote:
> I've followed the Samba & Fedora Directory Server Integration How-To
> located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm
> about to upload my user accounts into the DS. I have two questions
> before I proceed, though:
>
> 1) At the end of the How-To, a "testuser" is added to the Samba server
> with the "smbpasswd -a" command. Wouldn't the DS make the user accounts
> visible to the Samba server, making it unnecessary to add them via
> smbpasswd? If it's really necessary to add the accounts via smbpasswd,
> then the DS isn't really a backend to the Samba Server: they would be
> acting in parallel.
>
> 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference
> Guide"
> (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672)
> mentions quite a few attributes for the sambaSamAccount ObjectClass,
> such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID,
> sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID,
> sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not
> present in the ldif files generated by the openldap migrate_passwd.pl
> script recommended by the How-To. How should these attributes be added,
> if one follows the How-To?
----
In general, the administrator is responsible for the client tools used to create attributes for LDAP DNs.

If you are going to use a tool like the PADL migration tool (migrate_passwd.pl), obviously you aren't going to get attributes beyond the posixAccount stuff. Samba has some tools - smbldap-tools which can create attributes for the samba-schema, and then there are some other tools such as GQ, phpldapadmin, LAM and Webmin which can do a wide variety of LDAP entries.

Just guessing at what you are trying to accomplish (taking an existing /etc/passwd list and importing it into LDAP while inserting the necessary samba attributes simultaneously)... I would suggest that you use Webmin's LDAP Users and Groups which does have mass importing and is capable of adding 'pre-configured' samba-schema attributes.

Craig
Del
2006-Jan-15 06:11 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
Oscar A. Valdez wrote:
> I've followed the Samba & Fedora Directory Server Integration How-To
> located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm
> about to upload my user accounts into the DS. I have two questions
> before I proceed, though:

You may want to read this for some further background information:

http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html

> 1) At the end of the How-To, a "testuser" is added to the Samba server
> with the "smbpasswd -a" command. Wouldn't the DS make the user accounts
> visible to the Samba server, making it unnecessary to add them via
> smbpasswd? If it's really necessary to add the accounts via smbpasswd,
> then the DS isn't really a backend to the Samba Server: they would be
> acting in parallel.

What's happening here (in relatively simple and not entirely correct language, because it's not really explained in depth above) is:

Samba knows your root DN and bind password for your LDAP server. Samba therefore knows how to add users to LDAP. Samba has a couple of object classes and attributes that it needs, and will therefore use these object classes and attributes on every user object that it creates. So you may as well let Samba create the users in your LDAP server. Sure, you could do it yourself using any old LDAP tool. But you may as well let Samba do it, either from the command line using smbpasswd -a or using the user manager for domains tool.

At the very least let Samba create a few accounts for you and have a look at the structure of those accounts in detail before you use another LDAP tool. LAM (http://lam.sourceforge.net/) will be able to add the attributes required by Samba as well, but I'd make a few accounts using Samba and then some using LAM to compare the two before relying on LAM.

Same goes for any other LDAP account management tool you choose to use, whether it's pre-done or roll-your-own.

> 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference
> Guide"
> (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672)
> mentions quite a few attributes for the sambaSamAccount ObjectClass,
> such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID,
> sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID,
> sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not
> present in the ldif files generated by the openldap migrate_passwd.pl
> script recommended by the How-To. How should these attributes be added,
> if one follows the How-To?

/usr/share/doc/samba-*/LDAP/samba.schema (or wherever your Samba documentation is installed on your distro).

Either create the attributes manually, or use the ol-schema-migrate.pl script in the FDS wiki to convert it to a FDS compatible schema file, and then install it into your /opt/fedora-ds/slapd-`hostname -s`/config/schema/ directory as 61samba.ldif

-- 
Del
Mark McLoughlin
2006-Jan-16 08:43 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
On Sat, 2006-01-14 at 18:58 -0600, Oscar A. Valdez wrote:
> I've followed the Samba & Fedora Directory Server Integration How-To
> located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm
> about to upload my user accounts into the DS. I have two questions
> before I proceed, though:
>
> 1) At the end of the How-To, a "testuser" is added to the Samba server
> with the "smbpasswd -a" command. Wouldn't the DS make the user accounts
> visible to the Samba server, making it unnecessary to add them via
> smbpasswd? If it's really necessary to add the accounts via smbpasswd,
> then the DS isn't really a backend to the Samba Server: they would be
> acting in parallel.

Yeah, it sucks. One of the main issues is that for SMB authentication each user's password needs to be stored in LM and NT formats in the sambaNTPassword and sambaLMPassword attributes. So, when the user sets its password, some code needs to have access to the plaintext password and translate it into LM and NT format. The easiest way is to use smbpasswd, but you could use your own code to set the password in all formats at once.... or, I'm sure you could write a fedora-ds plugin which would save the password in those formats whenever it is set.

But it doesn't end there. Even just for SMB authentication, there are other attributes which smbpasswd manages and there's a lot of voodoo involved. To give you an idea of the kind of stuff you need to do in order to not use smbpasswd, see the code below. I wish I could explain the code in detail, but I've forgotten a lot of the details.

Cheers,
Mark.

...

#
# Copyright (C) 2006 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#

# Python 2 / pycrypto era code: the 'commands' module and str.encode ("hex")
# do not exist in Python 3.
import array
import commands
import ldap
from Crypto.Cipher import DES
from Crypto.Hash import MD4

SAMBA_RID_MULTIPLIER = 2          # Samba's algorithmic RID mapping:
SAMBA_RID_BASE = 1000             #   rid = id * 2 + 1000, low bit 0 = user, 1 = group
SAMBA_USER_RID_TYPE = 0x0
SAMBA_USER_GID_TYPE = 0x1
SAMBA_LM_HASH_MAGIC = "KGS!@#$%"  # the constant each LM half DES-encrypts

...

    def _get_machine_sid (self):
        # Cached output of "net getlocalsid": the SID every user/group SID hangs off
        if not self.machine_sid is None:
            return self.machine_sid
        output = commands.getoutput ("net getlocalsid")
        for line in output.split ("\n"):
            if line.startswith ("SID for domain"):
                parts = line.split (":")
                if len (parts) >= 2:
                    self.machine_sid = parts[1].strip ()
                    break
        return self.machine_sid

    def _get_user_sid (self, uid):
        machine_sid = self._get_machine_sid ()
        user_rid = ((uid * SAMBA_RID_MULTIPLIER) + SAMBA_RID_BASE) | SAMBA_USER_RID_TYPE
        return machine_sid + "-" + str (user_rid)

    def _get_group_sid (self, gid):
        machine_sid = self._get_machine_sid ()
        group_rid = ((gid * SAMBA_RID_MULTIPLIER) + SAMBA_RID_BASE) | SAMBA_USER_GID_TYPE
        return machine_sid + "-" + str (group_rid)

    def add_user_attributes (self, username, uid, gid, password):
        def get_nt_password (plaintext):
            # NT hash: MD4 over the UTF-16LE encoded password
            md4 = MD4.new ()
            md4.update (plaintext.encode ("utf-16-le"))
            return md4.hexdigest ().upper ()

        def get_lm_password (plaintext):
            def lm_hash (pw7):
                # Upper-case, OEM (cp850) encode and zero-pad to 7 bytes...
                a7 = array.array ("B", pw7.upper ().encode ("850"))
                while len (a7) < 7:
                    a7.append (0)
                # ...then spread the 56 bits over 8 DES key bytes
                a8 = array.array ("B")
                a8.append ( a7[0] >> 1 )
                a8.append (((a7[0] & 0x01) << 6) | (a7[1] >> 2))
                a8.append (((a7[1] & 0x03) << 5) | (a7[2] >> 3))
                a8.append (((a7[2] & 0x07) << 4) | (a7[3] >> 4))
                a8.append (((a7[3] & 0x0F) << 3) | (a7[4] >> 5))
                a8.append (((a7[4] & 0x1F) << 2) | (a7[5] >> 6))
                a8.append (((a7[5] & 0x3F) << 1) | (a7[6] >> 7))
                a8.append ( a7[6] & 0x7F )
                for i in range (8):
                    a8[i] <<= 1
                ciph = DES.new (a8.tostring ()).encrypt (SAMBA_LM_HASH_MAGIC)
                return ciph.encode ("hex").upper ()
            # LM hash: two independently hashed 7-character halves
            return lm_hash (plaintext[0:7]) + lm_hash (plaintext[7:14])

        samba_user_sid = self._get_user_sid (uid)
        samba_group_sid = self._get_group_sid (gid)
        nt_password = get_nt_password (password)
        lm_password = get_lm_password (password)
        directory.add_samba_user_attributes (username, samba_user_sid,
                                             samba_group_sid, nt_password,
                                             lm_password)

...

    def add_samba_user_attributes (self, username, samba_user_sid,
                                   samba_group_sid, nt_password, lm_password):
        ldap_connection = self.get_ldap_connection ()
        user_suffix = self.get_user_suffix ()
        ldap_connection.modify_s ("uid=%s,%s" % (username, user_suffix),
                                  [ ( ldap.MOD_ADD, "objectClass", [ "sambaSamAccount" ] ),
                                    ( ldap.MOD_ADD, "sambaSID", [ samba_user_sid ] ),
                                    ( ldap.MOD_ADD, "sambaPrimaryGroupSID", [ samba_group_sid ] ),
                                    ( ldap.MOD_ADD, "sambaNTPassword", [ nt_password ] ),
                                    ( ldap.MOD_ADD, "sambaLMPassword", [ lm_password ] ) ])

...
Oscar A. Valdez
2006-Jan-17 00:01 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> On Sat, 2006-01-14 at 18:58 -0600, Oscar A. Valdez wrote:
> > I've followed the Samba & Fedora Directory Server Integration How-To
> > located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm
> > about to upload my user accounts into the DS. I have two questions
> > before I proceed, though:
> >
> > 1) At the end of the How-To, a "testuser" is added to the Samba server
> > with the "smbpasswd -a" command. Wouldn't the DS make the user accounts
> > visible to the Samba server, making it unnecessary to add them via
> > smbpasswd? If it's really necessary to add the accounts via smbpasswd,
> > then the DS isn't really a backend to the Samba Server: they would be
> > acting in parallel.
> >
> > 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference
> > Guide"
> > (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672)
> > mentions quite a few attributes for the sambaSamAccount ObjectClass,
> > such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID,
> > sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID,
> > sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not
> > present in the ldif files generated by the openldap migrate_passwd.pl
> > script recommended by the How-To. How should these attributes be added,
> > if one follows the How-To?
> ----
> In general, the administrator is responsible for the client tools used
> to create attributes for LDAP DNs.
>
> If you are going to use a tool like the PADL migration tool
> (migrate_passwd.pl), obviously you aren't going to get attributes beyond
> the posixAccount stuff. Samba has some tools - smbldap-tools which can
> create attributes for the samba-schema and then there are some other tools such
> as GQ, phpldapadmin, LAM and Webmin which can do a wide variety of LDAP
> entries.
>
> Just guessing at what you are trying to accomplish (taking an
> existing /etc/passwd list and importing it into LDAP while inserting
> necessary samba attributes simultaneously)... I would suggest that you use
> Webmin's LDAP Users and Groups which does have mass importing and is
> capable of adding 'pre-configured' samba-schema attributes.

Thanks for your response. I'm going to read the "SMB LDAP PDC Howto" found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks who put together the smbldap-tools.

In the future, I would like to be able to create user accounts in the DS, and have it automatically create the samba-schema attributes. Does this sound feasible?

-- 
Oscar A. Valdez
Oscar A. Valdez
2006-Jan-17 15:00 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
On Mon, 16-01-2006 at 18:01 -0600, Oscar A. Valdez wrote:
> On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> > In general, the administrator is responsible for the client tools used
> > to create attributes for LDAP DNs.
> >
> > If you are going to use a tool like the PADL migration tool
> > (migrate_passwd.pl), obviously you aren't going to get attributes beyond
> > the posixAccount stuff. Samba has some tools - smbldap-tools which can
> > create attributes for the samba-schema and then there are some other tools such
> > as GQ, phpldapadmin, LAM and Webmin which can do a wide variety of LDAP
> > entries.
> >
> > Just guessing at what you are trying to accomplish (taking an
> > existing /etc/passwd list and importing it into LDAP while inserting
> > necessary samba attributes simultaneously)... I would suggest that you use
> > Webmin's LDAP Users and Groups which does have mass importing and is
> > capable of adding 'pre-configured' samba-schema attributes.
>
> Thanks for your response. I'm going to read the "SMB LDAP PDC Howto"
> found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks
> who put together the smbldap-tools.

Just a word of caution: the above URI points to a Samba 2.2.4 LDAP PDC Howto. An updated Samba 3.0 LDAP Howto is at http://samba.idealx.org/dist/samba3-ldap-howto.pdf

-- 
Oscar A. Valdez
Oscar A. Valdez
2006-Jan-17 15:08 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
On Sun, 15-01-2006 at 17:11 +1100, Del wrote:
> Oscar A. Valdez wrote:
> > 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference
> > Guide"
> > (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672)
> > mentions quite a few attributes for the sambaSamAccount ObjectClass,
> > such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID,
> > sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID,
> > sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not
> > present in the ldif files generated by the openldap migrate_passwd.pl
> > script recommended by the How-To. How should these attributes be added,
> > if one follows the How-To?
>
> /usr/share/doc/samba-*/LDAP/samba.schema (or wherever your Samba
> documentation is installed on your distro).
>
> Either create the attributes manually, or use the ol-schema-migrate.pl
> script in the FDS wiki to convert it to a FDS compatible schema file,
> and then install it into your /opt/fedora-ds/slapd-`hostname -s`/config/schema/
> directory as 61samba.ldif

Thanks for your response. I've already converted the schema file and placed it at /opt/fedora-ds/slapd-<server>/config/schema/61samba.ldif.

More precisely, how should these attributes be populated with data, following the Howto? I'm looking into the smbldap-tools from Idealx, because I prefer a single step to the two steps proposed by the Howto: smbpasswd and ldif import.

-- 
Oscar A. Valdez
Craig White
2006-Jan-17 15:18 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
On Tue, 2006-01-17 at 09:08 -0600, Oscar A. Valdez wrote:
> On Sun, 15-01-2006 at 17:11 +1100, Del wrote:
> > Oscar A. Valdez wrote:
> > > 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference
> > > Guide"
> > > (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672)
> > > mentions quite a few attributes for the sambaSamAccount ObjectClass,
> > > such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID,
> > > sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID,
> > > sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not
> > > present in the ldif files generated by the openldap migrate_passwd.pl
> > > script recommended by the How-To. How should these attributes be added,
> > > if one follows the How-To?
> >
> > /usr/share/doc/samba-*/LDAP/samba.schema (or wherever your Samba
> > documentation is installed on your distro).
> >
> > Either create the attributes manually, or use the ol-schema-migrate.pl
> > script in the FDS wiki to convert it to a FDS compatible schema file,
> > and then install it into your /opt/fedora-ds/slapd-`hostname -s`/config/schema/
> > directory as 61samba.ldif
>
> Thanks for your response. I've already converted the schema file and
> placed it at /opt/fedora-ds/slapd-<server>/config/schema/61samba.ldif.
>
> More precisely, how should these attributes be populated with data,
> following the Howto? I'm looking into the smbldap-tools from Idealx,
> because I prefer a single step to the two steps proposed by the Howto:
> smbpasswd and ldif import.
----
smbldap-tools by Idealx should be installed and configured. The tool suggested in the official Samba documentation <http://samba.org/samba/docs/> is the Microsoft tool, User Manager for Domains, which is downloadable from Microsoft - see the samba documentation. This tool requires smbldap-tools from Idealx to be installed and properly configured.

I previously suggested... and would still highly recommend you use a tool such as Webmin or LAM for adding users, as you can create users from a template and automatically assign virtually all posixAccount and sambaSamAccount attributes.

Craig
Oscar A. Valdez
2006-Jan-18 21:24 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
On Mon, 16-01-2006 at 18:01 -0600, Oscar A. Valdez wrote:
> On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> > If you are going to use a tool like the PADL migration tool
> > (migrate_passwd.pl), obviously you aren't going to get attributes beyond
> > the posixAccount stuff. Samba has some tools - smbldap-tools which can
> > create attributes for the samba-schema...
>
> Thanks for your response. I'm going to read the "SMB LDAP PDC Howto"
> found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks
> who put together the smbldap-tools.

Do the smbldap-tools work "out of the box" with the Fedora Directory Server? They're not tailored too tightly to OpenLDAP?

-- 
Oscar A. Valdez
Oscar A. Valdez
2006-Jan-19 00:57 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
On Wed, 18-01-2006 at 15:24 -0600, Oscar A. Valdez wrote:
> On Mon, 16-01-2006 at 18:01 -0600, Oscar A. Valdez wrote:
> > On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> > > If you are going to use a tool like the PADL migration tool
> > > (migrate_passwd.pl), obviously you aren't going to get attributes beyond
> > > the posixAccount stuff. Samba has some tools - smbldap-tools which can
> > > create attributes for the samba-schema...
> >
> > Thanks for your response. I'm going to read the "SMB LDAP PDC Howto"
> > found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks
> > who put together the smbldap-tools.
>
> Do the smbldap-tools work "out of the box" with the Fedora Directory
> Server? They're not tailored too tightly to OpenLDAP?

To answer my own question: they seem to work with FDS. I just installed them, and tried the smbldap-passwd command on a test account. The error I get seems to be a permissions error:

Unable to change password: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=ovaldez,ou=people,dc=duraflex,dc=com,dc=sv'

Any ideas on how to fix this?

-- 
Oscar A. Valdez
Craig White
2006-Jan-19 01:24 UTC
Re: [Fedora-directory-users] Samba & Fedora Directory Server Integration
On Wed, 2006-01-18 at 18:57 -0600, Oscar A. Valdez wrote:
> On Wed, 18-01-2006 at 15:24 -0600, Oscar A. Valdez wrote:
> > On Mon, 16-01-2006 at 18:01 -0600, Oscar A. Valdez wrote:
> > > On Sat, 14-01-2006 at 23:08 -0700, Craig White wrote:
> > > > If you are going to use a tool like the PADL migration tool
> > > > (migrate_passwd.pl), obviously you aren't going to get attributes beyond
> > > > the posixAccount stuff. Samba has some tools - smbldap-tools which can
> > > > create attributes for the samba-schema...
> > >
> > > Thanks for your response. I'm going to read the "SMB LDAP PDC Howto"
> > > found at http://samba.idealx.org/samba-ldap-howto.pdf. It's by the folks
> > > who put together the smbldap-tools.
> >
> > Do the smbldap-tools work "out of the box" with the Fedora Directory
> > Server? They're not tailored too tightly to OpenLDAP?
>
> To answer my own question: they seem to work with FDS. I just installed
> them, and tried the smbldap-passwd command on a test account. The error
> I get seems to be a permissions error:
>
> Unable to change password: Insufficient 'write' privilege to the
> 'userPassword' attribute of entry
> 'uid=ovaldez,ou=people,dc=duraflex,dc=com,dc=sv'
>
> Any ideas on how to fix this?
----
sure - you need to use a DN with sufficient access... i.e. cn=Directory Manager or, by default, uid=ovaldez,ou=people,dc=duraflex,dc=com,dc=sv should have sufficient access to the userPassword attribute.

you probably want to create a 'super user' account which can change all entries in the 'dc=duraflex,dc=com,dc=sv' tree (see ACI) and set that to be the user that is 'ldap admin' in smb.conf and in smbldap-tools.

Craig
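The 'super user' Craig describes, spelled out as an added example that is not part of the thread. The entry name cn=smbldap-admin and its password are assumptions, the suffix is the one in the error message above, and the ACI syntax is the Fedora DS / 389 Directory Server form:

```ldif
# Added example, not from the thread.  A dedicated bind identity for smbd and
# smbldap-tools (name assumed).  Its password ends up in clear text in
# secrets.tdb and smbldap_bind.conf, so make it long and random and keep
# those files readable by root only.
dn: cn=smbldap-admin,dc=duraflex,dc=com,dc=sv
changetype: add
objectClass: top
objectClass: person
cn: smbldap-admin
sn: smbldap-admin
description: bind DN used by smbd and smbldap-tools to manage accounts
userPassword: REPLACE-WITH-A-LONG-RANDOM-SECRET

# ACI on the suffix granting that DN full rights over every entry beneath it,
# so neither smb.conf nor smbldap-tools needs cn=Directory Manager.  If your
# users and groups live under ou=people / ou=groups only, put the ACI on
# those subtrees instead of the suffix to keep the grant as narrow as possible.
dn: dc=duraflex,dc=com,dc=sv
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "smbldap-admin manages accounts"; allow (read, search, compare, write, add, delete) userdn = "ldap:///cn=smbldap-admin,dc=duraflex,dc=com,dc=sv";)
```

Load it as Directory Manager (`ldapmodify -x -D "cn=Directory Manager" -W -f smbldap-admin.ldif` with the OpenLDAP client), then point both consumers at the new DN: in smb.conf set `ldap admin dn = cn=smbldap-admin,dc=duraflex,dc=com,dc=sv` and store its password in secrets.tdb with `smbpasswd -w`, and in the smbldap-tools `smbldap_bind.conf` set `masterDN` and `masterPw` to the same DN and password. After that the "Insufficient 'write' privilege to the 'userPassword' attribute" error goes away because the bind DN, not the user being changed, is the one the ACI authorises.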