samba - Sep 2015 - Authentication against Apple Open Directory (was: Re: LDAP authentication without Samba schema)

Hi,

I am in a position where I would like to have LDAP authentication for
CIFS shares, but cannot modify the LDAP server. The LDAP server is Open
Directory and does not have the Samba schema included or configured. I
only have read only access, a keytab, and possibly a read only bind
user. Is this possible?

I have attempted to get this working in various ways. I tried enabling
plaintext auth and relying on PAM for authentication (this works for 3.x,
but not 4.x, why is that?). I have also tried to use kerberos, but am
hitting several brick walls just because I'm not familiar with how to
handle host principals correctly on OS X. The last thing I tried was to
use pam_smbpass and have everyone ssh into the Samba server and have
their passwords stored locally in a TDB database.

Clearly there must be another way. I am not happy with any of these
methods. AD works out of the box with minimal fuss. Why can't LDAP? I've
reviewed the authentication code, and perhaps I am missing something,
but it seems straight forward to write an LDAP auth module that does not
require the Samba LDAP schema. 

Does anyone have any input here? I would really appreciate it.

Thanks!

- John

On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:
> Hi,
> 
> I am in a position where I would like to have LDAP authentication for
> CIFS shares, but cannot modify the LDAP server. The LDAP server is 
> Open
> Directory and does not have the Samba schema included or configured. 
> I
> only have read only access, a keytab, and possibly a read only bind
> user. Is this possible?
Oddly, I've had a client ask me much the same thing, and the approach I
am recommending to them is to use that keytab, and have Samba accept
kerberos logins as you suggest below.
> I have attempted to get this working in various ways. I tried 
> enabling
> plaintext auth and relying on PAM for authentication (this works for 
> 3.x,
> but not 4.x, why is that?). 
We busted plaintext auth in 4.x.  The patch is trivial (it is in a bug
somewhere), but I got stubborn and refused to apply it.  My argument
was that we needed a test for it, as otherwise we would just break it
again, and that needs some work in our auth stack to force use of not
-pam, and then to put a password in nss_wrapper. 

Plaintext auth is a bad idea anyway, it should be avoided where
possible.
> I have also tried to use kerberos, but am
> hitting several brick walls just because I'm not familiar with how to
> handle host principals correctly on OS X. 
Do you have any update on that?  Kerberos should be the right way, but
I'm stuck in a similar spot with my client.  We kept on having the
ticket come back as 'service expired'. 

It seems it should be as simple as: 
kadmin -l
kadmin> add --random-key cifs/mynas.apples-od.local at APPLES-OD.LOCAL
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
 
kadmin> ext_keytab cifs/mynas.apples-od.local at APPLES-OD.LOCAL
kadmin> exit

Sadly, that doesn't work for us yet.
> The last thing I tried was to
> use pam_smbpass and have everyone ssh into the Samba server and have
> their passwords stored locally in a TDB database.
> 
> Clearly there must be another way. I am not happy with any of these
> methods. AD works out of the box with minimal fuss. Why can't LDAP? 
> I've
> reviewed the authentication code, and perhaps I am missing something,
> but it seems straight forward to write an LDAP auth module that does 
> not require the Samba LDAP schema.
> 
The issue is that we need the NT or LM passwords, or someone to
delegate checking them to. 

Ralph,

With all your work on vfs_fruit, I'm wondering if you have an
experience or working set of steps for setting up Samba with Kerberos
in an Apple OD domain?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

On Fri, Sep 04, 2015 at 12:05:56PM +1200, Andrew Bartlett
wrote:
> On Wed, 2015-08-12 at 06:18 -0700, John Hixson wrote:
> > Hi,
> > 
> > I am in a position where I would like to have LDAP authentication for
> > CIFS shares, but cannot modify the LDAP server. The LDAP server is 
> > Open
> > Directory and does not have the Samba schema included or configured. 
> > I
> > only have read only access, a keytab, and possibly a read only bind
> > user. Is this possible?
> 
> Oddly, I've had a client ask me much the same thing, and the approach I
> am recommending to them is to use that keytab, and have Samba accept
> kerberos logins as you suggest below.
> 
> > I have attempted to get this working in various ways. I tried 
> > enabling
> > plaintext auth and relying on PAM for authentication (this works for 
> > 3.x,
> > but not 4.x, why is that?). 
> 
> We busted plaintext auth in 4.x.  The patch is trivial (it is in a bug
> somewhere), but I got stubborn and refused to apply it.  My argument
> was that we needed a test for it, as otherwise we would just break it
> again, and that needs some work in our auth stack to force use of not
> -pam, and then to put a password in nss_wrapper. 
> 
> Plaintext auth is a bad idea anyway, it should be avoided where
> possible.
> 
> > I have also tried to use kerberos, but am
> > hitting several brick walls just because I'm not familiar with how
to
> > handle host principals correctly on OS X. 
> 
> Do you have any update on that?  Kerberos should be the right way, but
> I'm stuck in a similar spot with my client.  We kept on having the
> ticket come back as 'service expired'. 
> 
> It seems it should be as simple as: 
> kadmin -l
> kadmin> add --random-key cifs/mynas.apples-od.local at APPLES-OD.LOCAL
> Max ticket life [unlimited]:
> Max renewable life [unlimited]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> Policy [default]:
>  
> kadmin> ext_keytab cifs/mynas.apples-od.local at APPLES-OD.LOCAL
> kadmin> exit
This is exactly the problem I am having on OS X. 

- John
> 
> Sadly, that doesn't work for us yet.
> 
> > The last thing I tried was to
> > use pam_smbpass and have everyone ssh into the Samba server and have
> > their passwords stored locally in a TDB database.
> > 
> > Clearly there must be another way. I am not happy with any of these
> > methods. AD works out of the box with minimal fuss. Why can't
LDAP?
> > I've
> > reviewed the authentication code, and perhaps I am missing something,
> > but it seems straight forward to write an LDAP auth module that does 
> > not require the Samba LDAP schema.
> > 
> 
> The issue is that we need the NT or LM passwords, or someone to
> delegate checking them to. 
> 
> Ralph,
> 
> With all your work on vfs_fruit, I'm wondering if you have an
> experience or working set of steps for setting up Samba with Kerberos
> in an Apple OD domain?
> 
> Thanks,
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT   
> https://catalyst.net.nz/services/samba
> 
> 
> 
> 
>