Mario Pio Russo
2015-Mar-03 14:50 UTC
[Samba] Delegate Samba4 user authentication to an external LDAP server
Good Day All,

first of all thank you for this mailing list, it's really great, as great is Samba :D

I have a question regarding Samba4 and the possibility to delegate authentication to an external LDAP server using Cyrus SASL.

Basically I have already successfully implemented an authentication delegation from an OpenLDAP server (on CentOS) to another LDAP server (on AIX) via Cyrus SASL. I've done steps similar to what is described here:

http://gauvain.pocentek.net/node/42

and all worked fine.

Now I want to replicate the same operation on a Samba4 AD domain (on Ubuntu 10.4). The final goal is that users on the Samba4 domain do not need a new password for it, but they can use the one of the centralized, external OpenLDAP (AIX). I know that Samba4 uses its own internal LDAP server, which is not OpenLDAP anymore, so now I have the following questions:

- has any of you ever tried something similar?
- in order to delegate authentication from OpenLDAP to LDAP, I had to install and use a specific cyrus-sasl plugin on my CentOS server: "cyrus-sasl-ldap.x86_64 : LDAP auxprop support for Cyrus SASL"; this does not seem to be present for Samba4, but only from OpenLDAP; do you know if I still need this? Is Cyrus-SASL support already included in Samba4? According to the Cyrus-SASL official web page there is no mention of Samba4: http://asg.web.cmu.edu/sasl/sasl-projects.html
- I need to change the "password" attribute of each user and make it look similar to this: {SASL}username at externalldap.com ; how can I modify that attribute?

thanks in advance, any help is welcome!!

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
Rowland Penny
2015-Mar-03 15:24 UTC
[Samba] Delegate Samba4 user authentication to an external LDAP server
On 03/03/15 14:50, Mario Pio Russo wrote:
> [...]

Let's see if I have got this right: from the link you have posted, you want to replace the OpenLDAP side with Samba 4 in AD mode. If this is the case, I do not think it will work, for one thing an AD user does not have a 'password' attribute. If the opposite way round then probably, but just replace 'AD side' with 'Samba4 AD side'.

You should also be aware that you can use Samba4 just like Samba3, i.e. you can use OpenLDAP instead of the internal AD LDAP.

Rowland
Mario Pio Russo
2015-Mar-03 18:29 UTC
[Samba] Delegate Samba4 user authentication to an external LDAP server
Hi Rowland,

yes you got it right, I have a Samba 4 installation and I'd like to delegate the authentication to an external LDAP server.

I have noticed that in Samba 4 we do not have the attribute "password", so my question is: if I use Samba4+OpenLDAP (as backend) and in OpenLDAP I manually add the attribute "password" to each user entry, with the password as a link to SASL ({SASL}username at externalldap.com), do you think that this would work?

sorry but I have not much knowledge of how Samba stores its passwords.

thanks

Mario Pio Russo

On 03/03/2015 15:24, Rowland Penny wrote:
> [...]
Andrew Bartlett
2015-Mar-09 07:52 UTC
[Samba] Delegate Samba4 user authentication to an external LDAP server
On Tue, 2015-03-03 at 14:50 +0000, Mario Pio Russo wrote:
> [...]
> - I need to change the "password" attribute of each user and make it look
> similar to this {SASL}username at externalldap.com , how can I modify that
> attribute?

No, it isn't possible. Samba can only delegate authentication to AD or Samba domains, not other LDAP servers or SASL, as our authentication protocols do not disclose the plaintext password. AD and Samba domains support pass-through mechanisms for NTLM, and we can accept Kerberos tickets issued by Kerberos servers.

To be an AD DC, you need to be the source of truth for passwords. I can only suggest you arrange the reverse, that your OpenLDAP servers talk to the Samba AD DC.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
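An added illustration of the point Andrew makes, not code from the thread or from Samba: in NTLMv2 the DC checks an HMAC keyed (indirectly) by the stored NT hash, so the plaintext never reaches it and there is nothing it could forward to an LDAP simple bind on another server. The user name, domain, challenges and password below are constructed lab values; the MD4 implementation is included because hashlib often lacks md4 on OpenSSL 3 builds.

```python
import hmac
import struct
from hashlib import md5

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [(F, 0, (3, 7, 11, 19), lambda i: i),                                 # round 1: X[0..15]
              (G, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),       # round 2: 0,4,8,12,1,...
              (H, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: int(f"{i:04b}"[::-1], 2))]  # round 3: 0,8,4,12,2,...
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i in range(16):
                a = rotl((a + fn(b, c, d) + X[order(i)] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # what the DC stores in unicodePwd

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), md5).digest()  # MS-NLMP NTOWFv2

def ntlmv2_response(password, user, domain, server_chal, client_chal, timestamp=0, target_info=b""):
    """Client side (MS-NLMP 3.3.2): only NTProofStr, an HMAC, plus the public blob leaves the client."""
    temp = b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_chal + bytes(4) + target_info + bytes(4)
    proof = hmac.new(ntowf_v2(nt_hash(password), user, domain), server_chal + temp, md5).digest()
    return proof + temp

def dc_verify(nt: bytes, user, domain, server_chal, response) -> bool:
    """DC side: re-derives NTProofStr from the stored NT hash; the plaintext is never available to it."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt, user, domain), server_chal + temp, md5).digest()
    return hmac.compare_digest(proof, expected)

def demo() -> tuple:
    # Constructed lab values (hypothetical user and fixed challenges), not real credentials.
    pw, user, dom, schal, cchal = "password", "mario", "EXAMPLE", bytes(range(8)), bytes(range(8, 16))
    resp = ntlmv2_response(pw, user, dom, schal, cchal)
    plaintext_on_wire = pw.encode("utf-16-le") in (schal + resp)
    return dc_verify(nt_hash(pw), user, dom, schal, resp), plaintext_on_wire
```

`demo()` returns `(True, False)`: the DC validates the exchange from the NT hash alone, and no UTF-16 copy of the password appears in anything exchanged, which is why a DC without its own copy of the password material cannot act as an NTLM verifier.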
Mario Pio Russo
2015-Mar-10 10:46 UTC
[Samba] Delegate Samba4 user authentication to an external LDAP server
thanks for your answer, I cannot do the reverse authentication unfortunately. Everything has to work as I have described. Furthermore I cannot change my external trust authority for authentication.

From this thread it looks like the only option is to use local passwords for the Samba4 domain users, which adds some complexity when managing IDs (and above all passwords), as a single user might have different ids/passwords in the Samba4 domain and the LDAP one.

I've read a few other threads about using OpenLDAP as backend of Samba4 AD DC; seemingly there was a project to integrate OpenLDAP within Samba4 AD DC, do you know if there is any progress in that direction?

thanks

On 09/03/2015 07:53, Andrew Bartlett wrote:
> [...]