samba - Nov 2012 - Samba file server using ldap backend without AD or PDC?

Hi all,

 

I've been using samba for a few years now on a couple of file servers with a
tdbsam backend for our user accounts. We use openldap for the vast majority
of our identity management, so I would love to be able to tie into this. We
recently started using sambaNTPassword in openldap for radius
authentication, so this is populated for most of our users now.

 
>From reading through some of the documentation though, I'm a bit
confused as
to how this would be implemented. We don't currently have Active Directory
and don't have any samba PDC/BDCs set up. Would it be necessary for us to
have a PDC/BDC in order to use openldap as our backend?

 

Thanks,

Brian

Can you clarify one thing -  why are you using the sambaNTPassword in 
openldap if openldap is not currently used samba authentication?   I 
would have thought that you would use the standard password field.

I use Samba 3.x DC's with an ldap back end.   I also use the ldap 
backend for unix authentication as well as authentication to various 
other systems that support LDAP authentication.       If you are using 
one or more BDC's you really do have to use an LDAP back end.  But there 
is no reason why member server's can use an LDAP backend.      If the 
underlying unix account for each samba account is in /etc/passwd and not 
LDAP, you should consolidate it all into LDAP.

Do the sambaNTPassword (and other samba attributes)  in LDAP match those 
in the tdb backend?    You may find you want to blast away the existing 
sambaNTPassword entries in LDAP before  you migrate the TDB data to LDAP.





On 11/30/12 08:28, Brian Gold wrote:
> Hi all,
>
>   
>
> I've been using samba for a few years now on a couple of file servers
with a
> tdbsam backend for our user accounts. We use openldap for the vast majority
> of our identity management, so I would love to be able to tie into this. We
> recently started using sambaNTPassword in openldap for radius
> authentication, so this is populated for most of our users now.
>
>   
>
>  From reading through some of the documentation though, I'm a bit
confused as
> to how this would be implemented. We don't currently have Active
Directory
> and don't have any samba PDC/BDCs set up. Would it be necessary for us
to
> have a PDC/BDC in order to use openldap as our backend?
>
>   
>
> Thanks,
>
> Brian
>

On 2012-11-30 9:22 am, Gaiseric Vandal wrote:
> Can you clarify one thing -  why are you using the sambaNTPassword in
> openldap if openldap is not currently used samba authentication?   I
> would have thought that you would use the standard password field.
We are using the standard userPassword field for most things, but for 
radius authentication via PEAP/MSCHAPv2, we needed to use 
sambaNTPassword instead.

> I use Samba 3.x DC's with an ldap back end.   I also use the ldap
> backend for unix authentication as well as authentication to various
> other systems that support LDAP authentication.       If you are 
> using
> one or more BDC's you really do have to use an LDAP back end.  But
> there is no reason why member server's can use an LDAP backend.
> If the underlying unix account for each samba account is in
> /etc/passwd and not LDAP, you should consolidate it all into LDAP.
We currently don't want to deploy a PDC or BDC if we don't need to. All 
we want to do is have a file server that can authenticate using the 
username/password stored in openldap.
> Do the sambaNTPassword (and other samba attributes)  in LDAP match
> those in the tdb backend?    You may find you want to blast away the
> existing sambaNTPassword entries in LDAP before  you migrate the TDB
> data to LDAP.
No, our current Samba file server has a totally separate set of 
passwords. When we transition over to this new Samba file server, we 
will be having all our users use their openldap password instead. We do 
not want to sync their existing tdb passwords over to LDAP.

On 2012-11-30 11:15 am, Gaiseric Vandal wrote:
> No, you wouldn't sync passwords to TDB.      Does your LDAP entry for
> each user currently have a SambaSID value?  Also, when you type
> "pdbedit -Lv someuser" you should see the unix account for the
user.
> The unix account is either explicitly created (e.g. in /etc/passwd or
> ldap or nis) or dynamically created by winbind.
>
No, currently our users do not have SambaSID values in ldap.
>
> # pdbedit -Lv someuser
>
> Unix username:        someuser
> NT username:          someuser
> Account Flags:        [U          ]
> User SID:             S-1-5-21-xxxxx
> Primary Group SID:    S-1-5-21-xxx
> Full Name:            Some User
> Home Directory:       \\someserver\users\someuser
> HomeDir Drive:        X:
> Logon Script:         logon.bat
> Profile Path:
> Domain:               SOMEDOMAIN
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          0
> Kickoff time:         0
> Password last set:    Fri, 30 Sep 2011 09:40:43 EDT
> Password can change:  Fri, 30 Sep 2011 09:40:43 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> #
>
> Assuming you are not using winbind to allocate uid's and gid's for
> samba users, your LDAP  user entry will eventually look something 
> like
>
> dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> cn: Some User
> gidNumber: xx
> homeDirectory: /home/someuser
> sambaSID: S-1-5-21-xxxx
> sn: UserLastName
> uid: someuser
> uidNumber: 123
> displayName: Some User
> gecos: Some User
> givenName: Some User
> loginShell: /bin/tcsh
> sambaAcctFlags: [UX         ]
> sambaHomeDrive: X:
> sambaHomePath: \\someserver\users\someuser
> sambaLogonScript: logon.bat
> sambaNTPassword: xxxxxxxxxxxxxxxxxxxx
> sambaPasswordHistory: 
> 000000000000000000000000000000000000000000000000000000
>  0000000000
> sambaPwdLastSet: 1291843237
> st: xxxxxx
> street: xxxxxxxxx
> telephoneNumber: xxxxxxxxx
> userPassword:: xxxxxxxxxxxx
>
>
> Although the login script and network home directory probably not
> relevant in a non-DC setup.
We are not using winbind at all currently.

Here is a sample user's ldap data:

dn: uid=tstaff,ou=people,dc=simons-rock,dc=edu
uid: tstaff
sn: Staff
uinSR: tstaff-false
givenName: Test
genderSR: m
loginShell: /bin/false
cn: Test Staff
gecos: Test Staff
mailSR: testaff at simons-rock.edu
homeDirectory: /home/testaff
objectClass: person
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: personSR
objectClass: extensibleObject
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 11551
shadowWarning: 7
gidNumber: 100
shadowMax: 99999
uidNumber: 7391
mail: testaff at simons-rock.edu
groupSR: staff
groupSR: hidden
employeeNumber: 991991991
sambaNTPassword: REDACTED
sambaPwdLastSet: 1354296936
userPassword:: REDACTED

On 2012-11-30 4:01 pm, Gaiseric Vandal wrote:
> So when you run pdbedit -Lv for a user, is the "Unix user" name
is an
> account in ldap?   If that is the case, then you probably just want 
> to
> have a script that runs that runs thru a list of user names and they
> runs ldapmodify to add the appropriate samba attributes.    In theory
> you can use pdbedit to export the data, then change the backend, then
> import it back. I found that didn't quite work.
>
>
> I had originally used nis backend for unix accounts and TBD backend
> for samba.   I moved from NIS to LDAP for unix accounts. Then when I
> added a BDC I moved the samba data into ldap.    I had used smbpasswd
> to dump the data to a text file, then wrote a perl script to parse 
> the
> file into user name,  samba SID, and samba password and then rewrite
> it into an ldapmodify ldif file.  I used this file to update the
> existing LDAP accounts.
>
> You MAYBE can use smbpasswd or pdbedit to create the samba accounts
> in LDAP but I suspect that either it won't preserve the existing
> password OR it may refuse to create the account.
>
Here is the output for that same user when I do a pdbedit. The "unix 
username" is being pulled from ldap.
pdbedit -Lv testaff
Unix username:        testaff
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2531268310-2106678637-3833209162-15782
Primary Group SID:    S-1-5-21-2531268310-2106678637-3833209162-513
Full Name:            Test Staff
Home Directory:       \\elephant\testaff
HomeDir Drive:
Logon Script:
Profile Path:         \\elephant\testaff\profile
Domain:               ELEPHANT
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Fri, 27 Jun 2008 16:50:45 EDT
Password can change:  Fri, 27 Jun 2008 16:50:45 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF



Worth a try I guess.

As it is, I'm planning on totally scrapping this existing samba file 
server when we move to using ldap passwords. The only things that need 
to carry over are the files on the file server itself. I'm totally fine 
with not using any of the data that is in tbd currently.
Is there a way to autogenerate the samba SID (since I don't necessarily 
need the one that is being used in my current samba file server) and 
whatever other samba fields might be needed for all of my existing ldap 
accounts?

On Fri, 2012-11-30 at 08:28 -0500, Brian Gold wrote:
> Hi all,
> 
>  
> 
> I've been using samba for a few years now on a couple of file servers
with a
> tdbsam backend for our user accounts. We use openldap for the vast majority
> of our identity management, so I would love to be able to tie into this. We
> recently started using sambaNTPassword in openldap for radius
> authentication, so this is populated for most of our users now.
> 
>  
> 
> >From reading through some of the documentation though, I'm a bit
confused as
> to how this would be implemented. We don't currently have Active
Directory
> and don't have any samba PDC/BDCs set up. Would it be necessary for us
to
> have a PDC/BDC in order to use openldap as our backend?
Yes, if you have multiple servers that you wish to use this for.
Essentially you make your file servers DCs, even if you don't ever join
clients to the domain.  That way, they have the same SID, which is
stored in LDAP (normally the domain SID is per-machine).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org