Fajar Priyanto
2012-Feb-16 13:10 UTC
[Samba] Samba LDAP passthrough authentication to another openLDAP
Hi all,
I have a setup like this. Please let me know if it's possible or not.

SAMBA + Local LDAP ---> SASLAUTHD --> Global LDAP

Desc:
I'd like to do Samba authentication to LDAP, passthrough to another LDAP using SASL.

The current situation is:
SSH authentication from LDAP user to that Samba box works.
However, smb authentication doesn't work (yet).

This is what's shown in syslog when doing Samba authentication:

Feb 16 20:47:05 sglabldap slapd[1393]: => access_allowed: read access to "uid=fajar,ou=people,dc=example,dc=com" "userPassword" requested
Feb 16 20:47:05 sglabldap slapd[1393]: => acl_get: [1] attr userPassword
Feb 16 20:47:05 sglabldap slapd[1393]: => acl_mask: access to entry "uid=fajar,ou=people,dc=example,dc=com", attr "userPassword" requested
Feb 16 20:47:05 sglabldap slapd[1393]: => acl_mask: to value by "", (=0)
Feb 16 20:47:05 sglabldap slapd[1393]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 16 20:47:05 sglabldap slapd[1393]: <= check a_dn_pat: anonymous
Feb 16 20:47:05 sglabldap slapd[1393]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 16 20:47:05 sglabldap slapd[1393]: <= acl_mask: [2] mask: read(=rscxd)
Feb 16 20:47:05 sglabldap slapd[1393]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 16 20:47:05 sglabldap slapd[1393]: => access_allowed: read access granted by read(=rscxd)
Feb 16 20:47:05 sglabldap slapd[1393]: conn=1062 op=1 ENTRY dn="uid=fajar,ou=people,dc=example,dc=com"
Feb 16 20:47:05 sglabldap slapd[1393]: <= send_search_entry: conn 1062 exit.
Feb 16 20:47:05 sglabldap slapd[1393]: send_ldap_result: conn=1062 op=1 p=3
Feb 16 20:47:05 sglabldap slapd[1393]: send_ldap_result: err=0 matched="" text=""
Feb 16 20:47:05 sglabldap slapd[1393]: send_ldap_response: msgid=2 tag=101 err=0
Feb 16 20:47:05 sglabldap slapd[1393]: conn=1062 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Feb 16 20:47:05 sglabldap slapd[1393]: daemon: activity on 1 descriptor
Feb 16 20:47:05 sglabldap slapd[1393]: daemon: activity on:
Feb 16 20:47:05 sglabldap slapd[1393]:  15r
--------

In /var/log/samba/log.smbd:

[2012/02/16 21:05:46, 3] smbd/negprot.c:672(reply_negprot)
  Selected protocol NT LANMAN 1.0
[2012/02/16 21:05:57, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYGROUP]\[fajar]@[SG-ROUTER0] with the new password interface
[2012/02/16 21:05:57, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [LDAPCLIENT]\[fajar]@[SG-ROUTER0]
[2012/02/16 21:05:57, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/02/16 21:05:57, 2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2012/02/16 21:05:57, 3] lib/smbldap.c:1101(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2012/02/16 21:05:57, 2] passdb/pdb_ldap.c:571(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: fajar
[2012/02/16 21:05:57, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2012/02/16 21:05:57, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2012/02/16 21:05:57, 2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 11000
[2012/02/16 21:05:57, 3] libsmb/ntlm_check.c:350(ntlm_password_check)
  ntlm_password_check: NT MD4 password check failed for user fajar
[2012/02/16 21:05:57, 2] passdb/pdb_ldap.c:1199(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: fajar
[2012/02/16 21:05:57, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/16 21:05:57, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [fajar] -> [fajar] FAILED with error NT_STATUS_WRONG_PASSWORD
[2012/02/16 21:05:57, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/02/16 21:05:57, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/16 21:05:57, 3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2012/02/16 21:05:57, 3] smbd/server.c:849(exit_server_common)
  Server exit (failed to receive smb request)
----------------------

This is what's shown in syslog when doing SSH authentication:

Feb 16 20:59:17 sglabldap slapd[1393]: conn=1064 op=2 do_bind
Feb 16 20:59:17 sglabldap slapd[1393]: >>> dnPrettyNormal: <uid=fajar,ou=people,dc=example,dc=com>
Feb 16 20:59:17 sglabldap slapd[1393]: <<< dnPrettyNormal: <uid=fajar,ou=people,dc=example,dc=com>, <uid=fajar,ou=people,dc=example,dc=com>
Feb 16 20:59:17 sglabldap slapd[1393]: conn=1064 op=2 BIND dn="uid=fajar,ou=people,dc=example,dc=com" method=128
Feb 16 20:59:17 sglabldap slapd[1393]: do_bind: version=3 dn="uid=fajar,ou=people,dc=example,dc=com" method=128
Feb 16 20:59:17 sglabldap slapd[1393]: ==> hdb_bind: dn: uid=fajar,ou=people,dc=example,dc=com
Feb 16 20:59:17 sglabldap slapd[1393]: bdb_dn2entry("uid=fajar,ou=people,dc=example,dc=com")
Feb 16 20:59:17 sglabldap slapd[1393]: => access_allowed: result not in cache (userPassword)
Feb 16 20:59:17 sglabldap slapd[1393]: => access_allowed: auth access to "uid=fajar,ou=people,dc=example,dc=com" "userPassword" requested
Feb 16 20:59:17 sglabldap slapd[1393]: => acl_get: [1] attr userPassword
Feb 16 20:59:17 sglabldap slapd[1393]: => acl_mask: access to entry "uid=fajar,ou=people,dc=example,dc=com", attr "userPassword" requested
Feb 16 20:59:17 sglabldap slapd[1393]: => acl_mask: to value by "", (=0)
Feb 16 20:59:17 sglabldap slapd[1393]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 16 20:59:17 sglabldap slapd[1393]: <= check a_dn_pat: anonymous
Feb 16 20:59:17 sglabldap slapd[1393]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 16 20:59:17 sglabldap slapd[1393]: <= acl_mask: [2] mask: read(=rscxd)
Feb 16 20:59:17 sglabldap slapd[1393]: => slap_access_allowed: auth access granted by read(=rscxd)
Feb 16 20:59:17 sglabldap slapd[1393]: => access_allowed: auth access granted by read(=rscxd)
Feb 16 20:59:17 sglabldap slapd[1393]: SASL Canonicalize [conn=1064]: authcid="fajar at sg.ibm.com"
Feb 16 20:59:17 sglabldap slapd[1393]: daemon: activity on 1 descriptor
Feb 16 20:59:17 sglabldap slapd[1393]: daemon: activity on:
Feb 16 20:59:17 sglabldap slapd[1393]:
Feb 16 20:59:17 sglabldap slapd[1393]: daemon: epoll: listen=8 active_threads=0 tvp=zero
------------------------

Let me know if you need anything else, or something to look for in syslog.

P.S. I'm following the guide from:
https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html
https://help.ubuntu.com/11.04/serverguide/C/samba-ldap.html

Some internal config for the saslauthd.
Adam Tauno Williams
2012-Feb-16 13:22 UTC
[Samba] Samba LDAP passthrough authentication to another openLDAP
On Thu, 2012-02-16 at 21:10 +0800, Fajar Priyanto wrote:
> Hi all,
> I have a setup like this. Please let me know if it's possible or not.
> SAMBA + Local LDAP ---> SASLAUTHD --> Global LDAP

No. Samba uses the sambaNTPassword attribute in its LDAP schema which is a crypt of the password. You may be able to get plain-text authentication to work but only by adjusting Samba *and* hacking the registry on every client.

> Desc:
> I'd like to do Samba authentication to LDAP, passthrough to another
> LDAP using SASL.
> The current situation is:
> SSH authentication from LDAP user to that Samba box works.

That doesn't involve Samba unless you are using Kerberos or something like pam_winbind / pam_smbpasswd [I don't even know which if any of those are currently 'active'].

> However, smb authentication doesn't work (yet).
> This is what's shown in syslog when doing Samba authentication:
> Feb 16 20:47:05 sglabldap slapd[1393]: => access_allowed: read access
> to "uid=fajar,ou=people,dc=example,dc=com" "userPassword" requested

Looks like pam_ldap authentication to me. There may be a way to proxy authentication via LDAP [there are jillions of things you can do with LDAP] but I doubt involving saslauthd [plain text authentication] is going to work very well.

-- 
System & Network Administrator [ LPI & NCLA ]
<http://www.whitemiceconsulting.com>
OpenGroupware Developer <http://www.opengroupware.us>
Adam Tauno Williams