Konstantin Boyandin
2018-Sep-06 09:12 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
Rowland Penny via samba wrote 2018-09-06 14:50:
> On Thu, 06 Sep 2018 12:47:02 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Rowland Penny via samba wrote 2018-09-05 16:10:
>> > However, are you sure you cannot use kerberos ?
>> > What are your existing services ?
>>
>> to name most important ones:
>>
>> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
>> - Shell (SSH) server (same, using nslcd)
>> - Apache 2.* LDAP authentication module
>> - Atlassian Confluence
>> - GitLab
>>
>
> I am positive that most of the above will work with kerberos
> authentication, the only exception is 'Mail server'. This is only
> because saying 'Mail server' is a bit like saying 'I have a computer',
> it could be anything, but whatever it is, you probably can use kerberos
> and if Dovecot is in the mix, you definitely can use kerberos.

Thanks for the reassurance. The mail server/SSH server are using pam_ldap and nss_ldap to authenticate and get attributes from LDAP (via the nss_pam_ldapd CentOS package).

Basically, I have configured nslcd to get info from Samba4, according to

https://wiki.samba.org/index.php/Nslcd

The further questions are:

1. I have to add uidNumber/gidNumber manually per user/group, as said in

https://wiki.samba.org/index.php/Adding_users_with_samba_tool

Is it possible to do that in batch mode, as well (i.e. create a kind of .ldif and update the sam.ldb with it)?

2. I have no luck setting up pam_ldap.conf to allow authentication against Samba4. There are no visible hints in the Samba Wiki. I could only guess I have to try Kerberos, perhaps, instead of pam_ldap.

Thanks.

Sincerely,
Konstantin
Rowland Penny
2018-Sep-06 09:59 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
On Thu, 06 Sep 2018 16:12:43 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Rowland Penny via samba wrote 2018-09-06 14:50:
> > On Thu, 06 Sep 2018 12:47:02 +0700
> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> >
> >> Rowland Penny via samba wrote 2018-09-05 16:10:
> >> > However, are you sure you cannot use kerberos ?
> >> > What are your existing services ?
> >>
> >> to name most important ones:
> >>
> >> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
> >> - Shell (SSH) server (same, using nslcd)
> >> - Apache 2.* LDAP authentication module
> >> - Atlassian Confluence
> >> - GitLab
> >>
> >
> > I am positive that most of the above will work with kerberos
> > authentication, the only exception is 'Mail server'. This is only
> > because saying 'Mail server' is a bit like saying 'I have a
> > computer', it could be anything, but whatever it is, you probably
> > can use kerberos and if Dovecot is in the mix, you definitely can
> > use kerberos.
>
> Thanks for the reassurance. The mail server/SSH server are using
> pam_ldap and nss_ldap to authenticate and get attributes from LDAP
> (via the nss_pam_ldapd CentOS package).

You keep saying 'mail server', but what mail server ? What are its components ? Are you using postfix, exim4 or something else ? Does it use saslauthd, dovecot or something else ?

> Basically, I have configured nslcd to get info from Samba4, according
> to
>
> https://wiki.samba.org/index.php/Nslcd
>
> The further questions are:
>
> 1. I have to add uidNumber/gidNumber manually per user/group, as said
> in
>
> https://wiki.samba.org/index.php/Adding_users_with_samba_tool
>
> Is it possible to do that in batch mode, as well (i.e. create a kind of
> .ldif and update the sam.ldb with it)?

Write a script around 'samba-tool user create'. You could extract the required data from a file (csv ?) and use this to create the users one by one.

> 2. I have no luck setting up pam_ldap.conf to allow authentication
> against Samba4. There are no visible hints in the Samba Wiki. I could
> only guess I have to try Kerberos, perhaps, instead of pam_ldap.
>

Are you using a DC as a fileserver ? This should work, but you will need to use nslcd or winbind or sssd. You can, as you have found, use nslcd to extract rfc2307 attributes from AD; sssd works in a similar way; winbind only extracts the username & uidNumber. A Unix domain member only needs winbind, here it can do virtually what the others do and for what it cannot do, there are workarounds.

Rowland
Konstantin Boyandin
2018-Sep-07 03:57 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
Rowland Penny via samba wrote 2018-09-06 16:59:
> On Thu, 06 Sep 2018 16:12:43 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Rowland Penny via samba wrote 2018-09-06 14:50:
>> > On Thu, 06 Sep 2018 12:47:02 +0700
>> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>> >
>> >> Rowland Penny via samba wrote 2018-09-05 16:10:
>> >> > However, are you sure you cannot use kerberos ?
>> >> > What are your existing services ?
>> >>
>> >> to name most important ones:
>> >>
>> >> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
>> >> - Shell (SSH) server (same, using nslcd)
>> >> - Apache 2.* LDAP authentication module
>> >> - Atlassian Confluence
>> >> - GitLab
>> >>
>> >
>> > I am positive that most of the above will work with kerberos
>> > authentication, the only exception is 'Mail server'. This is only
>> > because saying 'Mail server' is a bit like saying 'I have a
>> > computer', it could be anything, but whatever it is, you probably
>> > can use kerberos and if Dovecot is in the mix, you definitely can
>> > use kerberos.
>>
>> Thanks for the reassurance. The mail server/SSH server are using
>> pam_ldap and nss_ldap to authenticate and get attributes from LDAP
>> (via the nss_pam_ldapd CentOS package).
>
> You keep saying 'mail server', but what mail server ? What are its
> components ? Are you using postfix, exim4 or something else ? Does
> it use saslauthd, dovecot or something else ?

I thought I answered by mentioning PAM authentication. Exim 4, using saslauthd (which still uses PAM to auth against username/password). Dovecot, using PAM.

>> Basically, I have configured nslcd to get info from Samba4, according
>> to
>>
>> https://wiki.samba.org/index.php/Nslcd
>>
>> The further questions are:
>>
>> 1. I have to add uidNumber/gidNumber manually per user/group, as said
>> in
>>
>> https://wiki.samba.org/index.php/Adding_users_with_samba_tool
>>
>> Is it possible to do that in batch mode, as well (i.e. create a kind of
>> .ldif and update the sam.ldb with it)?
>
> Write a script around 'samba-tool user create'. You could extract the
> required data from a file (csv ?) and use this to create the users one
> by one.

Users and groups *have been* created (imported) by 'classic upgrade'. What is missing is group memberships and the uidNumber/gidNumber fields (required by nslcd). So the question is, is it possible to add attributes on a per-item (user, group) basis in batch mode (without doing that manually with ldbedit)? Namely, mass add uidNumber/gidNumber attributes. There can be cases when all the attributes must be changed/added/deleted en masse, so I assume I am not the only one in need of batch altering users'/groups' attributes.

>> 2. I have no luck setting up pam_ldap.conf to allow authentication
>> against Samba4. There are no visible hints in the Samba Wiki. I could
>> only guess I have to try Kerberos, perhaps, instead of pam_ldap.
>
> Are you using a DC as a fileserver ?

Yes. It's a relatively small domain, so no performance penalty is expected.

> This should work, but you will need to use nslcd or winbind or sssd.
> You can, as you have found, use nslcd to extract rfc2307 attributes
> from AD; sssd works in a similar way; winbind only extracts the
> username & uidNumber.

The question is how to authenticate. Currently, the PAM part authenticates against the Samba 3 domain, while NSS gets the required attributes. That satisfies all the Linux services. On Samba 4, I wasted much time trying to make PAM authentication work. I will try using Kerberos for now (if it works along with nslcd, I won't touch sssd, which, in my experience, is more a problem than a solution).

Thanks.

Sincerely,
Konstantin
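The two halves of the exchange above, Rowland's suggestion of a CSV-driven script and Konstantin's actual need (objects already imported by classicupgrade, missing only uidNumber/gidNumber, and no wish to touch each one with ldbedit), can be joined by generating one LDIF "modify" batch from the CSV and applying it to sam.ldb. The script below is an added example written for this thread; it is not code from either poster or from the Samba project. It assumes a hypothetical base DN of DC=example,DC=com, that users and groups live under CN=Users, and that each object's CN equals the account or group name in the CSV (true for accounts created by samba-tool with the default naming, but worth verifying with ldbsearch before running it against a real domain).

```sh
#!/bin/sh
# Added example, not from the thread or the Samba project: build an LDIF
# batch that adds RFC2307 uidNumber/gidNumber to existing AD users and
# groups, so the attributes are applied in one reviewed pass.
#
# Assumptions (hypothetical, adjust for your domain):
#   - base DN is DC=example,DC=com and the objects live under CN=Users
#   - the object's CN equals the name column of the CSV
#   - CSV rows are: kind,name,uidNumber,gidNumber
#     kind is "user" (needs both numbers) or "group" (leave uidNumber
#     empty, only gidNumber is used)

BASE_DN="DC=example,DC=com"

# is_number: succeed only for a non-empty string of decimal digits
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# csv_to_ldif: read CSV rows on stdin, write LDIF change records to stdout.
# Malformed rows are reported on stderr and skipped, never half-applied.
csv_to_ldif() {
    while IFS=, read -r kind name uid gid || [ -n "$kind" ]; do
        # skip blank lines and '#' comments
        case "$kind" in ''|'#'*) continue ;; esac
        # accept only characters that cannot break DN syntax or the LDIF
        # record (no commas, spaces, colons, newlines, quotes ...)
        case "$name" in
            ''|*[!A-Za-z0-9._-]*) echo "skip: bad name '$name'" >&2; continue ;;
        esac
        case "$kind" in
            user)
                if ! is_number "$uid" || ! is_number "$gid"; then
                    echo "skip: user $name needs numeric uid and gid" >&2
                    continue
                fi
                printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\n' "$name" "$BASE_DN"
                printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uid"
                printf 'add: gidNumber\ngidNumber: %s\n-\n\n' "$gid"
                ;;
            group)
                if ! is_number "$gid"; then
                    echo "skip: group $name needs a numeric gid" >&2
                    continue
                fi
                printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\n' "$name" "$BASE_DN"
                printf 'add: gidNumber\ngidNumber: %s\n-\n\n' "$gid"
                ;;
            *)
                echo "skip: unknown kind '$kind' for '$name'" >&2
                ;;
        esac
    done
}

# Usage on the DC, as root:
#   csv_to_ldif < rfc2307.csv > rfc2307.ldif      # inspect the file first
#   ldbmodify -H /var/lib/samba/private/sam.ldb rfc2307.ldif
```

Two caveats for real use. `add:` fails for an object that already carries the attribute, which is the safe default here (it stops the batch from silently overwriting an ID that is already in use on the file server); if the intent really is to overwrite, change `add:` to `replace:`. And for accounts that do not exist yet, the attributes are better set at creation time, since `samba-tool user create` accepts `--uid-number` and `--gid-number`, which is the form of script Rowland describes.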