samba - Aug 2016 - Configuration of smb.conf for Active Directory authentication

I've been working through a guide documenting how to do this at
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member and am
presently deciphering what needs I have in my winbind configuration.
In doing so, I've come across the 'passdb backend = ldapsam' option
and am curious if I can use this, and if it is wise, identifying that key
exchange is complex and a vulnerability at times, but it does provide no local
storage of pw either, which may be a greater vulnerability.

Any insight into this, or if this passdb option even works as I believe it to
would be valuable to me,
Kyle

On Wed, 24 Aug 2016 20:04:24 +0000
Kyle Manel via samba <samba at lists.samba.org> wrote:
> I've been working through a guide documenting how to do this at
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> and am presently deciphering what needs I have in my winbind
> configuration. In doing so, I've come across the 'passdb backend
> ldapsam' option and am curious if I can use this, and if it is wise,
> identifying that key exchange is complex and a vulnerability at
> times, but it does provide no local storage of pw either, which may
> be a greater vulnerability.
> 
> Any insight into this, or if this passdb option even works as I
> believe it to would be valuable to me, Kyle
No it wouldn't, 'ldapsam' is meant to be used with an ldap based
system, like a standalone server or an NT4-style PDC.

Just follow the instructions on the wiki page you have referred to
and if you do not understand anything, just ask.

Basically it boils down to, do you have access to the AD DC and is
the DC 2008R2 or earlier.
if you have access and it isn't a 2012 server, you can add IDMU and
then add RFC2307 attributes with the Unix Attributes tab in ADUC. You
can then use the winbind 'ad' backend.

If you don't have access, or don't want to do the above, use the
winbind 'rid' backend.

Rowland

Kyle—

Keep it simple and follow the guide you linked, and Rowland’s rid
recommendation, and you’ll be set.

Mike

> On Aug 24, 2016, at 3:04 PM, Kyle Manel via samba <samba at
lists.samba.org> wrote:
> 
> I've been working through a guide documenting how to do this at
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member and am
presently deciphering what needs I have in my winbind configuration.
> In doing so, I've come across the 'passdb backend = ldapsam'
option and am curious if I can use this, and if it is wise, identifying that key
exchange is complex and a vulnerability at times, but it does provide no local
storage of pw either, which may be a greater vulnerability.
> 
> Any insight into this, or if this passdb option even works as I believe it
to would be valuable to me,
> Kyle
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

I've completed the configuration specified, and the command 'wbinfo
-g' provides a list of the groups available and 'wbinfo -u' provides
a list of all the users on the system, but I cannot access the shares;  When I
navigate a file explorer to \\ip.ad.dre.ss I am presented with a login screen,
which I cannot log into with my ID; 'The user name or password is
incorrect'

I suspect an issue with my idmap configuration:

[global]
        netbios name = FILESERVER-001
        security = ADS
        workgroup = SUBDOMAIN
        realm = SUBDOMAIN.DOMAIN.COM

        log file = /var/log/samba/%m.log
        log level = 1

        idmap config    CORP:   backend =       ad
        idmap config    CORP:   schema_mode =   rfc2307
        idmap config    CORP:   range =         1000-9999999999
        idmap uid =                             50-9999999999
        idmap gid =                             50-9999999999
        winbind nss info =                      rfc2307

       allow dns updates = nonsecure

[public]
        path = /srv/samba/share
        available =                             yes
        read only =                             no
        browsable =                             yes
        public =                                yes
        guest ok =                              yes
        writable =                              yes

Regards,
Kyle


-----Original Message-----
From: Michael A Weber [mailto:mweber.subscriptions01 at gmail.com] 
Sent: Wednesday, August 24, 2016 5:21 PM
To: Kyle Manel <Kyle.Manel at inbaytech.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Configuration of smb.conf for Active Directory
authentication

Kyle—

Keep it simple and follow the guide you linked, and Rowland’s rid
recommendation, and you’ll be set.

Mike

> On Aug 24, 2016, at 3:04 PM, Kyle Manel via samba <samba at
lists.samba.org> wrote:
> 
> I've been working through a guide documenting how to do this at
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member and am
presently deciphering what needs I have in my winbind configuration.
> In doing so, I've come across the 'passdb backend = ldapsam'
option and am curious if I can use this, and if it is wise, identifying that key
exchange is complex and a vulnerability at times, but it does provide no local
storage of pw either, which may be a greater vulnerability.
> 
> Any insight into this, or if this passdb option even works as I 
> believe it to would be valuable to me, Kyle
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba