Andreas Hasenack
2006-Mar-17 15:12 UTC
[Samba] samba3 and heimdal: both using ldap as backends
samba-3.0.21c, heimdal-0.7.2

The heimdal documentation[1] talks about a samba integration when both samba and heimdal are using ldap as their backends. I quote:

"Now you can proceed as in See Using LDAP to store the database. Heimdal will pick up the Samba LDAP entries if they are in the same search space as the Kerberos entries."

There is absolutely no further documentation.
I tried with this tree:

dc=mycnc,dc=com
ou=People,dc=mycnc,dc=com

heimdal is configured to use ou=people (I also tried with ou=KerberosPrincipals), where I already have some entries.

My goal is to use only one password to avoid the sambaNTPassword/userPassword/kerberos mess (three passwords). I was under the impression that this setup should get me that.

If I add a principal with a name that is already in ou=people as a posix and samba account, I get this:
(...)
joao@MYCNC.COM's Password:
Verifying - joao@MYCNC.COM's Password:
kadmin: kadm5_create_principal: ldap_search_s: No such object
kadmin: adding joao: Principal or policy already exists

The ldap logs show these queries (first column is the number of entries returned):
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default@MYCNC.COM))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default@MYCNC.COM))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
0 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=joao@MYCNC.COM))"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))"

A few questions:
a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com? That's the binddn after authz-regexp;

b) It found my user's entry (last search), why doesn't it add the kerberos attributes to it? Or, better yet, what is supposed to be happening?

If I run kadmin to add a user that doesn't exist with posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created, which samba doesn't see.
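The slapd stats log (loglevel 256) is the most useful evidence in this kind of problem, because it shows exactly which base DN and filter the KDC used and how many entries came back. The following is an added example, not code from the original post or from Heimdal or OpenLDAP: it parses SRCH lines of the format quoted above (the sample log is a constructed copy of the six lines in the post) and reports three things a practitioner would check first: searches whose base is outside the subtree the KDC is configured for, principal lookups that returned nothing, and uid lookups that did find an entry. The `kdc_base` argument is an assumption standing in for the subtree named in the KDC's `ldap:` dbname.

```python
import re

# Constructed sample, modelled on the six slapd "SRCH" lines quoted in the post:
# entries returned, then base, scope, deref and filter.
SAMPLE_LOG = """\
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default@MYCNC.COM))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default@MYCNC.COM))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
0 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=joao@MYCNC.COM))"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))"
"""

SRCH_RE = re.compile(
    r'^(?P<nentries>\d+)\s+SRCH\s+base="(?P<base>[^"]*)"\s+scope=(?P<scope>\d+)'
    r'\s+deref=(?P<deref>\d+)\s+filter="(?P<filter>.*)"\s*$'
)
PRINC_RE = re.compile(r'\(krb5PrincipalName=([^)]+)\)')
UID_RE = re.compile(r'\(uid=([^)]+)\)')


def norm_dn(dn):
    """Case-fold a DN and strip whitespace around commas so suffix comparison works."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(base, subtree):
    """True if `base` is `subtree` itself or lies somewhere below it."""
    b, s = norm_dn(base), norm_dn(subtree)
    return b == s or b.endswith("," + s)


def parse_searches(log_text):
    """Return one dict per SRCH line; lines in any other format are ignored."""
    found = []
    for line in log_text.splitlines():
        m = SRCH_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["nentries"] = int(rec["nentries"])
            found.append(rec)
    return found


def diagnose(searches, kdc_base):
    """Summarise what the KDC asked the directory for.

    kdc_base is assumed to be the subtree named in the KDC's ldap: dbname
    (ou=People,dc=mycnc,dc=com in the post).
    """
    report = {"outside_base": [], "principals_not_found": [], "accounts_found": []}
    for s in searches:
        # A search rooted somewhere else usually means the bind identity,
        # not the database base, was used as the search base.
        if not in_subtree(s["base"], kdc_base) and s["base"] not in report["outside_base"]:
            report["outside_base"].append(s["base"])
        # Principal lookups that came back empty: no entry carries that
        # exact, realm-qualified krb5PrincipalName (the match is case-exact).
        for princ in PRINC_RE.findall(s["filter"]):
            if s["nentries"] == 0 and princ not in report["principals_not_found"]:
                report["principals_not_found"].append(princ)
        # uid lookups that did hit: the account exists under another object class.
        for uid in UID_RE.findall(s["filter"]):
            if s["nentries"] > 0 and uid not in report["accounts_found"]:
                report["accounts_found"].append(uid)
    return report


if __name__ == "__main__":
    for key, val in diagnose(parse_searches(SAMPLE_LOG), "ou=People,dc=mycnc,dc=com").items():
        print(f"{key}: {val}")
```

Run against the six lines from the post, the report lists `uid=heimdal,dc=services,dc=mycnc,dc=com` as a base outside the configured subtree, `joao@MYCNC.COM` as a principal lookup with no hit, and `joao` as a uid that was found, which is exactly the mismatch questions a) and b) describe.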
Andreas Hasenack wrote:
> samba-3.0.21c, heimdal-0.7.2
>
> The heimdal documentation[1] talks about a samba integration when both
> samba and heimdal are using ldap as their backends. I quote:
>
> "Now you can proceed as in See Using LDAP to store the database. Heimdal
> will pick up the Samba LDAP entries if they are in the same search space
> as the Kerberos entries."
>
> There is absolutely no further documentation.
> I tried with this tree:
>
> dc=mycnc,dc=com
> ou=People,dc=mycnc,dc=com
>
> heimdal is configured to use ou=people (I also tried with
> ou=KerberosPrincipals), where I already have some entries.
>
> My goal is to use only one password to avoid the
> sambaNTPassword/userPassword/kerberos mess (three passwords). I was
> under the impression that this setup should get me that.
>
> If I add a principal with a name that is already in ou=people as a posix
> and samba account, I get this:
> (...)
> joao@MYCNC.COM's Password:
> Verifying - joao@MYCNC.COM's Password:
> kadmin: kadm5_create_principal: ldap_search_s: No such object
> kadmin: adding joao: Principal or policy already exists
>
> The ldap logs show these queries (first column is the number of entries returned):
> 1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default@MYCNC.COM))"
> 0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
> 1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default@MYCNC.COM))"
> 0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
> 0 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=joao@MYCNC.COM))"
> 1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))"
>
> A few questions:
> a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com? That's
> the binddn after authz-regexp;
>
> b) It found my user's entry (last search), why doesn't it add the kerberos attributes
> to it? Or, better yet, what is supposed to be happening?
>
> If I run kadmin to add a user that doesn't exist with
> posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created,
> which samba doesn't see.

My config:

Debian Sarge with:
heimdal 0.7.1-3.1 from testing rebuilt on sarge
libsasl2 2.1.19-1.9 from testing rebuilt on sarge
slapd 2.2.23-8 from sarge

slapd.conf:

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/hdb.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        256

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# SASL related options
sasl-realm example.net
sasl-host devel.example.net
sasl-authz-policy both
sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth" "cn=admin,dc=example,dc=net"
sasl-regexp uid=(.*),cn=example.net,cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?uid=$1
sasl-regexp uid=(.*),cn=example.net,cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?uid=$1
sasl-secprops minssf=0

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=example,dc=net"

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index           objectClass,uid,krb5PrincipalName,cn eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=net" write
        by dn="uid=root,ou=users,dc=example,dc=net" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base=""
        by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=example,dc=net" write
        by dn="cn=admin,dc=example,dc=net" write
        by dn="uid=root,ou=users,dc=example,dc=net" write
        by * read

my hdb.schema:

# $Id: hdb.schema,v 1.3 2000/02/22 21:51:53 lukeh Exp $
# Definitions for a Kerberos V KDC schema
# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
#
# Syntaxes are under 1.3.6.1.4.1.5322.10.0
# Attributes types are under 1.3.6.1.4.1.5322.10.1
# Object classes are under 1.3.6.1.4.1.5322.10.2

# Syntax definitions

#krb5KDCFlagsSyntax SYNTAX ::= {
#   WITH SYNTAX            INTEGER
#--        initial(0),             -- require as-req
#--        forwardable(1),         -- may issue forwardable
#--        proxiable(2),           -- may issue proxiable
#--        renewable(3),           -- may issue renewable
#--        postdate(4),            -- may issue postdatable
#--        server(5),              -- may be server
#--        client(6),              -- may be client
#--        invalid(7),             -- entry is invalid
#--        require-preauth(8),     -- must use preauth
#--        change-pw(9),           -- change password service
#--        require-hwauth(10),     -- must use hwauth
#--        ok-as-delegate(11),     -- as in TicketFlags
#--        user-to-user(12),       -- may use user-to-user auth
#--        immutable(13)           -- may not be deleted
#   ID                      { 1.3.6.1.4.1.5322.10.0.1 }
#}

#krb5PrincipalNameSyntax SYNTAX ::= {
#   WITH SYNTAX            OCTET STRING
#-- String representations of distinguished names as per RFC1510
#   ID                      { 1.3.6.1.4.1.5322.10.0.2 }
#}

# Attribute type definitions

attributetype ( 1.3.6.1.4.1.5322.10.1.1
    NAME 'krb5PrincipalName'
    DESC 'The unparsed Kerberos principal name'
    EQUALITY caseExactIA5Match
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.5322.10.1.2
    NAME 'krb5KeyVersionNumber'
    EQUALITY integerMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.3
    NAME 'krb5MaxLife'
    EQUALITY integerMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.4
    NAME 'krb5MaxRenew'
    EQUALITY integerMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.5
    NAME 'krb5KDCFlags'
    EQUALITY integerMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.6
    NAME 'krb5EncryptionType'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.7
    NAME 'krb5ValidStart'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )
#   ORDERING generalizedTimeOrderingMatch

attributetype ( 1.3.6.1.4.1.5322.10.1.8
    NAME 'krb5ValidEnd'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )
#   ORDERING generalizedTimeOrderingMatch

attributetype ( 1.3.6.1.4.1.5322.10.1.9
    NAME 'krb5PasswordEnd'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )
#   ORDERING generalizedTimeOrderingMatch

# this is temporary; keys will eventually
# be child entries or compound attributes.
attributetype ( 1.3.6.1.4.1.5322.10.1.10
    NAME 'krb5Key'
    DESC 'Encoded ASN1 Key as an octet string'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 1.3.6.1.4.1.5322.10.1.11
    NAME 'krb5PrincipalRealm'
    DESC 'Distinguished name of krb5Realm entry'
    SUP distinguishedName )

attributetype ( 1.3.6.1.4.1.5322.10.1.12
    NAME 'krb5RealmName'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

# Object class definitions

objectclass ( 1.3.6.1.4.1.5322.10.2.1
    NAME 'krb5Principal'
    SUP top
    AUXILIARY
    MUST ( krb5PrincipalName )
    MAY ( cn $ krb5PrincipalRealm ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.2
    NAME 'krb5KDCEntry'
    SUP krb5Principal
    AUXILIARY
    MUST ( krb5KeyVersionNumber )
    MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd
          $ krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags
          $ krb5EncryptionType $ krb5Key ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.3
    NAME 'krb5Realm'
    SUP top
    AUXILIARY
    MUST ( krb5RealmName ) )

my slapd also listens at /var/run/ldapi

my krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.NET
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = false

[realms]
    EXAMPLE.NET = {
        kdc = kdc.example.net
        admin_server = kdc.example.net
    }

[domain_realm]
    .example.net = EXAMPLE.NET

[login]
    krb4_convert = true
    krb4_get_tickets = true

[kdc]
    database = {
        # The first dbname is used for the realm init, then change to the second.
        # dbname = ldap:ou=KerberosPrincipals,dc=example,dc=net
        dbname = ldap:dc=example,dc=net
    }

An example ldif:

dn: uid=test,ou=users,dc=example,dc=net
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
sn: Account
userPassword: {SASL}test@EXAMPLE.NET
displayName: Account
gidNumber: 4
loginShell: /bin/bash
gecos: Account
shadowLastChange: 13555
shadowMax: 60
shadowWarning: 7
shadowInactive: 30
sambaSID: S-1-5-21-...
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXREMOVEDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXREMOVEDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdMustChange: 1173725355
sambaPwdLastSet: 1080799858
sambaLogonTime: 2147483647
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1080799858
sambaAcctFlags: [U          ]
sambaPrimaryGroupSID: S-1-5-21-...
uidNumber: 1000
cn: Account
cn: test
mail: test@example.net
uid: test
homeDirectory: /home/test
krb5PrincipalName: test

Hope that it helps. I've also temporarily switched dbname to ou=services,... for creating a few host/... like accounts, then switched it back and then copied the existing ones and changed the password under kadmin.

Regards,
Geza
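Question a) in Andreas's post (why the KDC searches under its own bind DN) comes down to how the SASL authorization identity is mapped to a directory DN by the `sasl-regexp` rules. The following is an added example, not code from Geza's setup or from OpenLDAP: it models the two rules in the slapd.conf above as Python regexes and resolves the `ldap:///...??sub?uid=$1` form against a constructed in-memory directory. The `uid=heimdal,ou=services,...` and `uid=dup,...` entries are assumptions made up for the demonstration; the whole-string, case-insensitive match and the "exactly one search hit or the mapping fails" rule are a simplified model of what slapd.conf(5) documents, not slapd's own code.

```python
import re

# Geza's two sasl-regexp rules as the regex engine sees them after slapd.conf
# unquoting: the "\\\+" in the peercred pattern reduces to a literal "+".
# (The commonly documented gssapi pattern uses "[^,]*" rather than ".*".)
SASL_REGEXP = [
    (r"uidNumber=0\+gidNumber=.*,cn=peercred,cn=external,cn=auth",
     "cn=admin,dc=example,dc=net"),
    (r"uid=(.*),cn=example.net,cn=gssapi,cn=auth",
     "ldap:///dc=example,dc=net??sub?uid=$1"),
]

# Constructed in-memory directory standing in for the dc=example,dc=net tree.
# The KDC service entry and the duplicated uid are assumptions for the example.
DIRECTORY = {
    "uid=test,ou=users,dc=example,dc=net": {"uid": ["test"]},
    "uid=heimdal,ou=services,dc=example,dc=net": {"uid": ["heimdal"]},
    "uid=dup,ou=users,dc=example,dc=net": {"uid": ["dup"]},
    "uid=dup,ou=services,dc=example,dc=net": {"uid": ["dup"]},
}


def dn_in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def resolve_ldap_url(url, directory):
    """Evaluate ldap:///base?attrs?scope?filter against the toy directory.

    Only scope "sub" and a single equality filter are modelled, which is all
    the rule above needs. Returns the list of matching DNs.
    """
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url)
    if not m:
        raise ValueError("unsupported URL: " + url)
    base, _attrs, scope, filt = m.groups()
    if scope.lower() != "sub":
        raise ValueError("only sub scope is modelled")
    fm = re.fullmatch(r"\(?(\w+)=([^)]*)\)?", filt)   # parentheses are optional
    if not fm:
        raise ValueError("only a single equality filter is modelled")
    attr, value = fm.group(1).lower(), fm.group(2).lower()
    return [dn for dn, attrs in directory.items()
            if dn_in_subtree(dn, base)
            and value in (v.lower() for v in attrs.get(attr, []))]


def map_authz_identity(identity, rules, directory):
    """Apply the rules in order and return the DN the client ends up bound as.

    Returns None when no rule matches or when the search URL does not yield
    exactly one entry (slapd rejects ambiguous mappings).
    """
    for pattern, template in rules:
        m = re.fullmatch(pattern, identity, re.IGNORECASE)  # simplified whole-string match
        if not m:
            continue
        target = template
        for i, group in enumerate(m.groups(), start=1):
            target = target.replace("$%d" % i, group)
        if not target.lower().startswith("ldap:///"):
            return target                      # a literal DN: done
        hits = resolve_ldap_url(target, directory)
        return hits[0] if len(hits) == 1 else None
    return None


if __name__ == "__main__":
    for ident in ("uid=heimdal,cn=example.net,cn=gssapi,cn=auth",
                  "uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth",
                  "uid=dup,cn=example.net,cn=gssapi,cn=auth"):
        print(ident, "->", map_authz_identity(ident, SASL_REGEXP, DIRECTORY))
```

The point for the thread: a KDC that authenticates to slapd over GSSAPI as `heimdal@EXAMPLE.NET` is bound as whatever entry the `uid=$1` search finds, so the `ldapi`/peercred rule and the gssapi rule decide which ACL line later applies to `krb5Key` and friends, and a uid that appears twice in the tree makes the mapping fail rather than pick one.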
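Two checks are worth running on a merged posix/samba/krb5 entry like the LDIF above before pointing a KDC at it: does the entry carry every MUST attribute of the krb5 classes it claims (including those inherited through SUP), and would the lookup the KDC issues, `(&(objectClass=krb5Principal)(krb5PrincipalName=<name>@<REALM>))` in Andreas's log, actually match it. The following is an added example, not code from the original posts or from Heimdal: it parses the three object classes from the hdb.schema above (constructed copy), parses a constructed single-entry LDIF in the same shape as the example entry, and answers both questions. The comparison of `krb5PrincipalName` is exact, as its `caseExactIA5Match` equality rule requires.

```python
import re

# Constructed copy of the three object classes from the hdb.schema posted above.
HDB_SCHEMA = """
objectclass ( 1.3.6.1.4.1.5322.10.2.1 NAME 'krb5Principal' SUP top AUXILIARY
    MUST ( krb5PrincipalName ) MAY ( cn $ krb5PrincipalRealm ) )
objectclass ( 1.3.6.1.4.1.5322.10.2.2 NAME 'krb5KDCEntry' SUP krb5Principal AUXILIARY
    MUST ( krb5KeyVersionNumber )
    MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $ krb5MaxLife
          $ krb5MaxRenew $ krb5KDCFlags $ krb5EncryptionType $ krb5Key ) )
objectclass ( 1.3.6.1.4.1.5322.10.2.3 NAME 'krb5Realm' SUP top AUXILIARY MUST ( krb5RealmName ) )
"""

# Constructed entry in the shape of the example LDIF (samba/shadow attributes omitted).
SAMPLE_LDIF = """\
dn: uid=test,ou=users,dc=example,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
uid: test
cn: test
krb5PrincipalName: test
"""

# The same entry once a KDC class is added but no key material yet.
KDC_LDIF = SAMPLE_LDIF + "objectClass: krb5KDCEntry\n"


def parse_objectclasses(schema_text):
    """Map object class name -> {'sup': name or None, 'must': [...], 'may': [...]}."""
    def names(m):
        return [a.strip() for a in m.group(1).split("$") if a.strip()] if m else []
    classes = {}
    for seg in re.split(r"(?im)^\s*objectclass\s*\(", schema_text)[1:]:
        name = re.search(r"NAME\s+'([^']+)'", seg).group(1)
        sup = re.search(r"\bSUP\s+(\w+)", seg)
        classes[name] = {
            "sup": sup.group(1) if sup else None,
            "must": names(re.search(r"\bMUST\s+\(([^)]*)\)", seg)),
            "may": names(re.search(r"\bMAY\s+\(([^)]*)\)", seg)),
        }
    return classes


def parse_ldif_entry(ldif_text):
    """Minimal single-entry LDIF parser: lower-cased attribute name -> list of values."""
    entry = {}
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def required_attributes(entry, classes):
    """MUST attributes of every known class the entry carries, following SUP chains."""
    needed = set()
    for oc in entry.get("objectclass", []):
        while oc in classes:
            needed.update(a.lower() for a in classes[oc]["must"])
            oc = classes[oc]["sup"]
    return needed


def missing_attributes(entry, classes):
    """Sorted list of required attributes the entry does not carry."""
    return sorted(a for a in required_attributes(entry, classes) if a not in entry)


def matches_kdc_lookup(entry, principal):
    """Would (&(objectClass=krb5Principal)(krb5PrincipalName=<principal>)) match this entry?"""
    ocs = {o.lower() for o in entry.get("objectclass", [])}
    # caseExactIA5Match: the stored value must equal the searched one exactly.
    return "krb5principal" in ocs and principal in entry.get("krb5principalname", [])


if __name__ == "__main__":
    classes = parse_objectclasses(HDB_SCHEMA)
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("missing:", missing_attributes(entry, classes))
    print("missing with krb5KDCEntry:", missing_attributes(parse_ldif_entry(KDC_LDIF), classes))
    for princ in ("test", "test@EXAMPLE.NET"):
        print(princ, "->", matches_kdc_lookup(entry, princ))
```

Run on the sample entry, the schema check passes for `krb5Principal` alone and reports `krb5keyversionnumber` as missing once `krb5KDCEntry` is added, and the lookup check shows that a stored value of `test` is matched by a search for `test` but not by one for the realm-qualified `test@EXAMPLE.NET`, which is the form the KDC used in the log quoted earlier in the thread.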