Konstantin Boyandin
2018-Sep-06 05:47 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
Rowland Penny via samba wrote 2018-09-05 16:10:
> On Wed, 05 Sep 2018 15:46:04 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> One of the Samba 3 -> Samba 4 migration tasks I am solving is changing
>> authentication against the new Samba 4 AD domain.
>>
>> Existing services use the LDAP directory of Samba 3 to authenticate. The
>> simplest way to go would be just to replace the LDAP credentials;
>> however, I don't quite understand which LDAP credentials to use/how
>> to create them for Samba 4 AD.
>>
>> Sample command against the Samba 4 LDAP service:
>>
>> # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
>> ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>>
>> returns
>>
>> ldap_bind: Strong(er) authentication required (8)
>> additional info: BindSimple: Transport encryption required.
>>
>> I would appreciate a link to a possible source of wisdom, or
>> explanations in here.
>>
>> Note: I can do searches using Kerberos authentication on the Samba 4
>> installation, like this:
>>
>> # kinit administrator
>> # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
>>
>> but Kerberos is not an option for some existing services.
>>
>> Sincerely,
>> Konstantin
>>
>
> Try this:
> ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4
> -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>
> NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
> short hostname.

That works, thank you, with the actual domain name in the LDAP URL.

> However, are you sure you cannot use kerberos ?
> What are your existing services ?

To name the most important ones:

- Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
- Shell (SSH) server (same, using nslcd)
- Apache 2.* LDAP authentication module
- Atlassian Confluence
- GitLab

Sincerely,
Konstantin
Rowland Penny
2018-Sep-06 07:50 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
On Thu, 06 Sep 2018 12:47:02 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Rowland Penny via samba wrote 2018-09-05 16:10:
> > However, are you sure you cannot use kerberos ?
> > What are your existing services ?
>
> To name the most important ones:
>
> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
> - Shell (SSH) server (same, using nslcd)
> - Apache 2.* LDAP authentication module
> - Atlassian Confluence
> - GitLab
>

I am positive that most of the above will work with kerberos
authentication, the only exception is 'Mail server'. This is only
because saying 'Mail server' is a bit like saying 'I have a computer',
it could be anything, but whatever it is, you probably can use kerberos
and if Dovecot is in the mix, you definitely can use kerberos.

Rowland
Konstantin Boyandin
2018-Sep-06 09:12 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
Rowland Penny via samba wrote 2018-09-06 14:50:
> On Thu, 06 Sep 2018 12:47:02 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Rowland Penny via samba wrote 2018-09-05 16:10:
>> > However, are you sure you cannot use kerberos ?
>> > What are your existing services ?
>>
>> To name the most important ones:
>>
>> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
>> - Shell (SSH) server (same, using nslcd)
>> - Apache 2.* LDAP authentication module
>> - Atlassian Confluence
>> - GitLab
>>
>
> I am positive that most of the above will work with kerberos
> authentication, the only exception is 'Mail server'. This is only
> because saying 'Mail server' is a bit like saying 'I have a computer',
> it could be anything, but whatever it is, you probably can use kerberos
> and if Dovecot is in the mix, you definitely can use kerberos.

Thanks for the reassurance.

The mail server/SSH server are using pam_ldap and nss_ldap to
authenticate and get attributes from LDAP (via the nss_pam_ldapd CentOS
package). Basically, I have configured nslcd to get info from Samba4,
according to

https://wiki.samba.org/index.php/Nslcd

The further questions are:

1. I have to add uidNumber/gidNumber manually per user/group, as said in

https://wiki.samba.org/index.php/Adding_users_with_samba_tool

Is it possible to do that in batch mode as well (i.e. create a kind of
.ldif and update the sam.ldb with it)?

2. I have no luck setting up pam_ldap.conf to allow authentication
against Samba4. There are no visible hints in the Samba Wiki. I could
only guess I have to try Kerberos, perhaps, instead of pam_ldap.

Thanks.

Sincerely,
Konstantin
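As an added illustration of the batch approach asked about in question 1 (this is example code, not from the thread or from the Samba project): a small Python script that emits an LDIF of `changetype: modify` records adding uidNumber and gidNumber to existing AD users, for applying against sam.ldb with ldbmodify. The `CN=Users` container, the sam.ldb path in the docstring and the user names are assumptions; because the directory does not enforce uidNumber uniqueness, and a duplicate would map two AD accounts onto one Unix identity on every nslcd client, the allocator skips numbers that are already in use.

```python
"""Emit an LDIF batch that adds uidNumber/gidNumber to existing Samba AD users.
Constructed example; apply with e.g. (the sam.ldb path is an assumption):
    ldbmodify -H /var/lib/samba/private/sam.ldb users.ldif
"""
import base64
import re

# RFC 2849 SAFE-STRING (simplified to printable ASCII, not starting with
# space, ':' or '<'); anything else must be base64-encoded as 'attr:: ...'.
_SAFE_STRING = re.compile(r"[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*")


def ldif_line(attr, value):
    """Render one 'attr: value' line, base64-encoding when LDIF requires it."""
    if value == "" or _SAFE_STRING.fullmatch(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def escape_rdn(value):
    """Escape characters RFC 4514 does not allow unescaped in an RDN value."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    return "\\" + out if out[:1] in (" ", "#") else out


def allocate_uids(cns, first_uid, in_use):
    """Give each CN the next free uidNumber >= first_uid. AD does not enforce
    uidNumber uniqueness, and a duplicate would map two AD accounts onto one
    Unix identity on every nslcd client, so numbers in `in_use` are skipped."""
    taken, next_uid, assignment = set(in_use), first_uid, {}
    for cn in cns:
        while next_uid in taken:
            next_uid += 1
        assignment[cn] = next_uid
        taken.add(next_uid)
        next_uid += 1
    return assignment


def build_ldif(assignment, base_dn, gid_number, container="CN=Users"):
    """One 'changetype: modify' record per user, adding both attributes."""
    records = []
    for cn, uid in assignment.items():
        dn = f"CN={escape_rdn(cn)},{container},{base_dn}"
        records.append("\n".join([ldif_line("dn", dn), "changetype: modify",
                                  "add: uidNumber", f"uidNumber: {uid}", "-",
                                  "add: gidNumber", f"gidNumber: {gid_number}", ""]))
    return "\n".join(records)
```

Feed `allocate_uids()` the CNs to convert and the uidNumbers already present in the directory, then write the string returned by `build_ldif()` to a file for ldbmodify.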