samba - Aug 2018 - LDAP SSL

Hi ,

I would really appreciate some suggestions re the following issue.

We have a LDAP based PDC and a member server.  We're use libnss_ldap to auth
the users. The LDAP PDC is setup with self signed SSL , we're trying make
sure the member server connects to the PDC using SSL.

Here is the PDC , smb.conf

[global]
workgroup = SUNTECH
netbios name = SERVER01
security = USER

local master = yes
  domain master = yes
  preferred master = yes
  domain logons = yes
  os level = 66
  passdb backend = ldapsam:ldap://server01.suntech
  ldap admin dn = cn=admin,dc=suntech
  ldap suffix = dc=suntech
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  idmap backend = ldap
  ldap idmap suffix = ou=idmap
  idmap config *: backend = ldap
  idmap config *: range = 10000-19999
  idmap config *: ldap_url = ldap://server01.suntech
  idmap config *: ldap_base_dn = ou=idmap,dc=suntech
  idmap config *: ldap_user_dn = cn=admin,dc=suntech
  ldap delete dn = yes
  ldap password sync = yes
  ldap ssl = start tls


Here is the PDC, ldap.conf

BASE   dc=suntech
URI    ldap://server01.suntech
TLS_CACERT /etc/ldap/ca_certs.pem
#TLS_REQCERT demand

When running the ldapsearch from within the PDC we get the following
ldapwhoami -H ldap://server01.suntech -x -ZZ
anonymous

When running the full ldapsearch from within the PDC we get the following

ldapsearch -x -ZZ -h server01.suntech -b dc=suntech -s sub -D
cn=admin,dc=suntech -w password 'sambadomainname=*'
# extended LDIF
#
# LDAPv3
# base <dc=suntech> with scope subtree
# filter: sambadomainname=*
# requesting: ALL
#

dn: sambaDomainName=suntech,dc=suntech
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: suntech
sambaSID: S-1-5-21-3936576374-1604348213-1812465911
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
gidNumber: 10034
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
uidNumber: 10002
sambaNextRid: 10038

# server02, suntech
dn: sambaDomainName=server02,dc=suntech
sambaDomainName: server02
sambaSID: S-1-5-21-2631908330-1812305667-41686038
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2


Now the member server's smb.conf
  [global]
  workgroup = SUNTECH
  netbios name = SERVER02
  security = user
  local master = no
  domain master = no
  preferred master = no
  domain logons = no
  passdb backend = ldapsam:ldap://server01.suntech
  ldap admin dn = cn=admin,dc=suntech
  ldap suffix = dc=suntech
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  idmap backend = ldap
  ldap idmap suffix = ou=idmap
  idmap config * : ldap_url = ldap://server01.suntech
  idmap config * : ldap_base_dn = ou=idmap,dc=suntech
  idmap config * : ldap_user_dn = cn=admin,dc=suntech
  ldap delete dn = no
  ldap ssl = start tls


When running the ldapsearch we get
ldapsearch -x -ZZ -h server01.suntech -b dc=suntech -s sub -D
cn=admin,dc=suntech -w password 'sambadomainname=*'
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)

But when we run the ldapsearch without the ZZ, we get the details

ldapsearch -xLLL -H ldap://server01.suntech -b dc=suntech -s sub -D
cn=admin,dc=suntech -w password 'sambadomainname=*'

dn: sambaDomainName=suntech,dc=suntech
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: suntech
sambaSID: S-1-5-21-3936576374-1604348213-1812465911
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
gidNumber: 10034
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
uidNumber: 10002
sambaNextRid: 10038

# server02, suntech
dn: sambaDomainName=server02,dc=suntech
sambaDomainName: server02
sambaSID: S-1-5-21-2631908330-1812305667-41686038
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30


Any suggestions?


The one other thing we see is that Server02 (member server) shows up as 
sambadomain. I went through the old samba list post and came up with the one
which addresses the issues
https://lists.samba.org/archive/samba/2012-January/165972.html

According to the above, do we remove the passdb backend =
ldapsam:ldap://server01.suntech from the member servers smb.conf, if so how do
we auth the users?


Regards,

Praveen Ghimire

On Thu, 9 Aug 2018 02:07:40 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:
> Hi ,
> 
> I would really appreciate some suggestions re the following issue.
> 
> We have a LDAP based PDC and a member server.  
Ah, no you haven't ;-)
You have a PDC and something that looks like a cross between a BDC and
a standalone server.

A BDC because it is connecting to the ldap on the PDC.
A standalone server because of 'security = user' and 'domain logons
no'

>We're use libnss_ldap
> to auth the users. The LDAP PDC is setup with self signed SSL , we're
> trying make sure the member server connects to the PDC using SSL.
As you shouldn't be trying to do this, it isn't really a problem ;-)

Is this a new domain ?
If so, have you missed all the warnings about setting up new NT4-style
domains ?
You would be much better off setting up an AD domain.

Rowland

Hi Rowland,

Fair comment. This is not a new domain and we are migrating to AD.

The box in question runs Samba 3.6 (PDC and a physical box) and as such we are
not able to directly migrate it.  We are adding a Samba 4 box (a VM) , to which
will become the new PDC . This box will then be used to migrate to AD. The Samba
3 box will converted as a file server.

The confusion in smb.conf is possibly because of the above. We can remove the
connection to LDAP via smb.conf if that helps?

We couldn't use winbind because of the bug whereby winbind doesn't
enumerate users in a Unix domain member. Hence we had to use libnss_ldap



Regards,

Praveen Ghimire



-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
via samba
Sent: Thursday, 9 August 2018 5:56 PM
To: samba at lists.samba.org
Subject: Re: [Samba] LDAP SSL

On Thu, 9 Aug 2018 02:07:40 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:
> Hi ,
> 
> I would really appreciate some suggestions re the following issue.
> 
> We have a LDAP based PDC and a member server.  
Ah, no you haven't ;-)
You have a PDC and something that looks like a cross between a BDC and
a standalone server.

A BDC because it is connecting to the ldap on the PDC.
A standalone server because of 'security = user' and 'domain logons
no'

>We're use libnss_ldap
> to auth the users. The LDAP PDC is setup with self signed SSL , we're
> trying make sure the member server connects to the PDC using SSL.
As you shouldn't be trying to do this, it isn't really a problem ;-)

Is this a new domain ?
If so, have you missed all the warnings about setting up new NT4-style
domains ?
You would be much better off setting up an AD domain.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________