On Sat, Jul 6, 2019 at 3:04 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 05/07/2019 20:00, Ryan via samba wrote:
> > On Fri, Jul 5, 2019 at 2:32 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> >> On 05/07/2019 18:50, Ryan via samba wrote:
> >>> On Thu, Jul 4, 2019 at 4:49 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> On 04/07/2019 21:25, Ryan via samba wrote:
> >>>>> I am still trying to configure Samba to authenticate users against ActiveDirectory, but look up uid and gids against a stand-alone OpenLDAP server. Related to a previous recommendation, I found the idmap_rfc2307 capability, which seems like exactly what I want.
> >>>>>
> >>>>> Unfortunately, it does not seem to work. Users are not permitted to access shares for which they are in the group.
> >>>>>
> >>>>> Tests I found online of the idmapping using wbinfo fail as follows.
> >>>>>
> >>>>> $>wbinfo -n user1
> >>>>> THE_SID SID_USER (1)
> >>>>>
> >>>>> $>net cache flush
> >>>>>
> >>>>> $>wbinfo -S THE_SID
> >>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> >>>>> Could not convert sid THE_SID to uid
> >>>>>
> >>>>> I do not see any indication in the log files that the LDAP server is being contacted, though winbind startup shows that it is processing the idmap directives.
> >>>>>
> >>>>> And I have done the following:
> >>>>>
> >>>>> net idmap set secret 'MYDOMAIN' 'password'
> >>>>>
> >>>>> Here is the smb.conf file:
> >>>>>
> >>>>> [global]
> >>>>> strict locking = no
> >>>>> workgroup = MYDOMAIN
> >>>>> server string = Samba Server Version %v
> >>>>> disable netbios = yes
> >>>>> interfaces = lo eth0
> >>>>> log file = /var/log/samba/log.%m
> >>>>> log level = 5
> >>>>> max log size = 64
> >>>>> security = ads
> >>>>> realm = MYDOMAIN.FULL
> >>>>> kerberos method = secrets and keytab
> >>>>> load printers = no
> >>>>> printcap name = /dev/null
> >>>>> printing = bsd
> >>>>> disable spoolss = yes
> >>>>> ldap ssl = off
> >>>>>
> >>>>> idmap config * : backend = tdb
> >>>>> idmap config * : range = 65536-4294967296
> >>>>>
> >>>>> idmap config MYDOMAIN : backend = rfc2307
> >>>>> idmap config MYDOMAIN : range = 1000-65535
> >>>>> idmap config MYDOMAIN : ldap_server = stand-alone
> >>>>> idmap config MYDOMAIN : bind_path_user =
ou=users,dc=myldap,dc=org
> >>>>> idmap config MYDOMAIN : bind_path_group =
ou=groups,dc=myldap,dc=org
> >>>>> idmap config MYDOMAIN : user_cn = no
> >>>>> idmap config MYDOMAIN : ldap_url =
ldaps://ldap.myldap.org:636
> >>>>> idmap config MYDOMAIN : ldap_user_dn = cn=samba,ou=agents,dc=myldap,dc=org
> >>>>> [home]
> >>>>> comment = Home Directories
> >>>>> path = /home/%U
> >>>>> browseable = no
> >>>>> writable = yes
> >>>>> create mask = 0600
> >>>>> directory mask = 0700
> >>>>> valid users = MYDOMAIN\%U
> >>>>> preexec = ls /home/%U
> >>>>>
> >>>>> [share]
> >>>>> path = /home/share
> >>>>> writable = yes
> >>>>> valid users = @share
> >>>>> force group = share
> >>>>> create mask = 0660
> >>>>> directory mask = 0770
> >>>>> preexec = ls /home/share
> >>>> Try changing 'security = ADS' to 'security = domain'
> >>>>
> >>> When I do this, I receive the following error both for 'net ads testjoin' (maybe this only works with ads, though) and on the Windows clients that try to connect to shares (the real problem).
> >>>
> >>> ads_connect: No logon servers are currently available to service the logon request.
> >>> Join to domain is not valid: No logon servers are currently available to service the logon request.
> >>>
> >>> When I restore 'security = ads' then 'net ads testjoin' works and clients can again connect to shares (only without the right group information for access, as is the subject of this thread).
> >>>
> >>>
> >>>> Read 'man idmap_ldap', your 'idmap config' lines don't seem to be correct.
> >>> I read 'idmap_ldap' and 'idmap_rfc2307'. The RFC2307 backend can just use a stand-alone LDAP for read-only lookups of UID and GIDs, correct? It looks like the 'idmap_ldap' backend is mainly for also allowing Samba to store mappings, though I do see in the man page a provision for read-only lookups with storage in tdb. Why prefer idmap_ldap to idmap_rfc2307? Also, perhaps importantly, my OpenLDAP server does use the RFC2307 schema rather than RFC2307bis, so I need that functionality.
> >>>
> >>> Some other information, in case it's helpful:
> >>>
> >>> Samba version 4.8.3
> >>> net ads testjoin returns "Join is OK"
> >>> testparm shows no errors or warnings
> >>>
> >>> What part of the configuration file might not be correct, here? I double-checked all the info (e.g. URI, base DN, user DN) for the LDAP server and gave it the appropriate credentials with the 'net idmap set secret' command.
> >>>
> >>> In 'log.winbindd-idmap', I do see the following:
> >>>
> >>> [2019/07/05 10:51:26.448651, 1] ../source3/winbindd/idmap.c:435(idmap_init_domain)
> >>> Error: invalid idmap range detected: 65536 - 0
> >>>
> >>> I realized the idmap range line for my TDB included 2^32, and this apparently gets wrapped around to 0. Changing this to 2^32-1 fixed that problem and left me with:
> >>>
> >>> [2019/07/05 10:56:41.047022, 3] ../source3/winbindd/idmap.c:397(idmap_init_domain)
> >>> idmap backend rfc2307 not found
> >>> [2019/07/05 10:56:41.049427, 3] ../lib/util/modules.c:167(load_module_absolute_path)
> >>> load_module_absolute_path: Module '/usr/lib64/samba/idmap/rfc2307.so' loaded
> >>> [2019/07/05 10:56:41.049512, 1] ../source3/winbindd/idmap.c:447(idmap_init_domain)
> >>> idmap initialization returned NT_STATUS_ACCESS_DENIED
> >>> [2019/07/05 10:56:41.049541, 3] ../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
> >>> idmap_found_domain_backend: Could not init idmap domain campus
> >>>
> >>> But idmap_rfc2307 should be a valid module, and it gets loaded.
> >>>
> >>> https://www.samba.org/samba/docs/current/man-html/idmap_rfc2307.8.html
> >>>
> >>> What does this NT_STATUS_ACCESS_DENIED indicate in the above log? I double-checked all the LDAP parameters in the smb.conf.
> >>>
> >>> Finally, at debug level 10, I get:
> >>>
> >>> [2019/07/05 13:47:00.092653, 5, pid=26399, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:173(msg_try_to_go_online)
> >>> msg_try_to_go_online: domain MYDOMAIN already online.
> >>>
> >>> in the log.winbindd-idmap, as if it has come up correctly?
> >>>
> >> Sorry, I should have been a bit more precise, change the 'security' parameter after the join.
> >>
> > I'm sorry. I may still be misunderstanding. Even after I successfully execute the join, setting 'security = domain' breaks file sharing functionality. Clients cannot connect and 'net ads testjoin' reports the error. As soon as I again set it back to 'security = ads', clients can connect again without any further actions or commands.
> >
> >
> >> Yes, you are correct 'idmap_rfc2307' does exist, but it isn't used very much, if at all. It was introduced back in 2012.
> >>
> > Hmm. The reason I hesitated to use idmap_ldap is that it sounds like idmap_ldap looks for existing SID-to-UID/GIDs mappings in the LDAP database, whereas idmap_rfc2307 consults an LDAP database (with RFC 2307 schema) based only on the username, which is *exactly* what I want. In fact, I was even using idmap_ldap previously, and it didn't seem to work, but likely I made some error.
> >
> > From the man page for idmap_ldap:
> >
> >>>> Defines the directory base suffix to use for ***SID/uid/gid mapping entries.***
> >
> > And from the man page for idmap_rfc2307:
> >
> >>>> An AD server is always required to provide the mapping between name and SID, and ***the LDAP server is queried for the mapping between name and uid/gid.***
> >
> > Is there a way to make idmap_ldap work the same way, ignoring the SID that comes back from the AD server and querying the independent LDAP database for uid and gids based on username? Can idmap_ldap query groups from OpenLDAP in RFC 2307?
> >
> >
> >> I have tried it and I cannot make it work, either with 'security = ADS' or 'security = domain'
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
> >>
>
> 'idmap_rfc2307' got me thinking about the other rarely used backends and I wonder if you could use 'idmap_script', see 'man idmap_script' for (limited) info
>
> Rowland
>
Hi Rowland,

Indeed, I switched to using the idmap_script back end. For posterity (in case it could ever help you or others), I have included the simple script below. It correctly returns the UID and primary GID, which in our LDAP system are the same, so it gets returned as XID per the man page. Then, and this part I don't understand but I verified it in the idmap logs, somehow Samba/winbind becomes aware of the many other GIDs. It subsequently tries to map them back to SIDs (which fails, because there is no mapping, but it's cheap, so whatever).

So a few follow-ups, and then I'll be out of your hair:

1. By what mechanism does Samba/winbind go from seeing the UID/GID of the user from the lookup to becoming aware of the other GIDs of the user? I am uncomfortable not knowing this, because it seems like it could break.

2. This mechanism *works*. Users can mount shares based on their UNIX group membership in the OpenLDAP server. *Thank you!* Now... is there any better way to do this? I love that such a hacky back-end exists, but is this what RFC 2307 is supposed to do, but it's truly broken code right now? It seems like looking people up by username in a separate LDAP directory after authenticating them with their Kerberos credentials against an AD server is quite a common use case (I know many people who do it with older versions of Samba that use the fallback mechanism; I wonder if you are going to get lots of questions about this as people transition to EL 7 or 8 with 6 going EOL).

Regards,
Ryan

#!/bin/bash
# idmap_script helper: winbindd runs this as "SIDTOID <sid>" (and as
# "IDTOSID UID|GID <n>", which this script does not handle).
log=/var/log/samba/idmap_script.bash.log
printf '%s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$log"

if [ "$1" == "SIDTOID" ] ; then
    # winbindd sets _NO_WINBINDD=1 in its children's environment and wbinfo
    # honours it, so unset it for just these two calls and restore it after.
    unset _NO_WINBINDD
    sep="$(wbinfo --separator)"
    if ! name="$(wbinfo -s "$2")" ; then
        printf 'ERR: wbinfo cannot resolve SID\n'
        exit 1
    fi
    export _NO_WINBINDD=1
    # wbinfo -s prints "DOMAIN<sep>name <type>"; drop the trailing " <type>"
    # first so names containing spaces survive, then everything up to <sep>.
    name="${name% *}"
    username="${name#*"$sep"}"
    printf "\t'%s' => '%s'\n" "$2" "$username" >> "$log"

    # -x selects simple bind, which is what -D/-w supply. The bind password
    # belongs in a root-only file (ldapsearch -y FILE) rather than in a script.
    ldap_info="$(ldapsearch -LLL -x -H ldaps://ldap.ldapdomain.org:636/ \
        -b "ou=users,dc=ldapdomain,dc=org" \
        -D "cn=samba,ou=agents,dc=ldapdomain,dc=org" -w 'BIND_PASSWORD' \
        "(uid=$username)" uidNumber)"
    xid="$(printf '%s\n' "$ldap_info" | grep '^uidNumber: ' | cut -d ' ' -f 2)"
    printf "\t'%s' => '%s'\n" "$username" "$xid" >> "$log"

    if [ -n "$xid" ] ; then
        printf 'XID:%s\n' "$xid"
        exit 0
    else
        printf 'ERR: Unmapped SID\n'
        exit 1
    fi
else
    printf 'ERR: No idea what to do\n'
    exit 1
fi
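The script above, reworked as an added example that is not part of this thread or of Samba's own code. It follows the same idmap_script contract (the request on the command line, one XID:/ERR: line on stdout) but splits the parsing of wbinfo and ldapsearch output into functions that can be run offline, escapes the AD-supplied name before it is placed in an LDAP filter, and reads the bind password from a file instead of the script body. The LDAP host and DNs, the password file path, and the sample SIDs and LDIF are assumptions constructed for the example.

```bash
#!/bin/bash
# Added example, not Ryan's script or Samba project code. Implements the
# idmap_script contract ("SIDTOID <sid>" / "IDTOSID UID|GID <n>" as arguments,
# one "XID:"/"UID:"/"GID:"/"SID:"/"ERR:" line on stdout) with the parsing split
# into functions that can be exercised offline on constructed input.
# Hostname, DNs and the password file path below are assumptions.

# wbinfo -s prints "DOMAIN<sep>name <type>". Strip the trailing " <type>" first
# so names containing spaces (e.g. "Domain Users") survive, then everything up
# to and including the separator. The default separator '\' is assumed; adjust
# the second expression if "winbind separator" is changed in smb.conf.
parse_wbinfo_name() {
    printf '%s\n' "$1" | sed -e 's/ [0-9][0-9]*$//' -e 's/^[^\\]*\\//'
}

# Escape LDAP filter metacharacters (RFC 4515) in a value that came from AD,
# so a hostile account name cannot rewrite the search filter.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Pull one numeric attribute (uidNumber or gidNumber) out of LDIF text.
# Fails (exit 1) when the attribute is absent or not numeric, so the caller
# answers ERR: instead of emitting "XID:" with an empty value.
parse_ldif_number() {
    local attr="$1" ldif="$2" value
    value="$(printf '%s\n' "$ldif" | sed -n "s/^${attr}: \([0-9][0-9]*\)\$/\1/p" | head -n 1)"
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

reply() { printf '%s:%s\n' "$1" "$2"; }

# Dispatch one request. The two lookups are passed as function names so the
# same logic runs against the constructed stand-ins below and against the real
# wbinfo/ldapsearch wrappers.
handle_request() {
    local sid_lookup="$1" ldap_lookup="$2" out name xid
    shift 2
    case "$1" in
        SIDTOID)
            out="$("$sid_lookup" "$2")" || { reply ERR "cannot resolve SID $2"; return 1; }
            name="$(parse_wbinfo_name "$out")"
            xid="$(parse_ldif_number uidNumber "$("$ldap_lookup" "$name")")" \
                || { reply ERR "no uidNumber for $name"; return 1; }
            reply XID "$xid" ;;
        IDTOSID)
            # Same behaviour Ryan describes: no reverse mapping, which winbind tolerates.
            reply ERR "reverse mapping not provided"; return 1 ;;
        *)
            reply ERR "unknown request ${1:-<none>}"; return 1 ;;
    esac
}

# Real lookups. winbindd sets _NO_WINBINDD=1 for its children and wbinfo
# honours it, so drop it in a subshell for the one call that needs winbindd.
real_sid_lookup() { ( unset _NO_WINBINDD; wbinfo -s "$1" ); }
real_ldap_lookup() {
    ldapsearch -LLL -x -H ldaps://ldap.ldapdomain.org:636/ \
        -D "cn=samba,ou=agents,dc=ldapdomain,dc=org" -y /etc/samba/idmap_ldap.pw \
        -b "ou=users,dc=ldapdomain,dc=org" "(uid=$(ldap_filter_escape "$1"))" uidNumber
}

# Constructed sample data standing in for wbinfo and ldapsearch output.
SAMPLE_LDIF='dn: uid=user1,ou=users,dc=ldapdomain,dc=org
uid: user1
uidNumber: 12345
gidNumber: 12345'
fake_sid_lookup() {
    case "$1" in
        S-1-5-21-1-2-3-1105) printf '%s\n' 'MYDOMAIN\user1 1' ;;
        S-1-5-21-1-2-3-513)  printf '%s\n' 'MYDOMAIN\Domain Users 2' ;;
        *) return 1 ;;
    esac
}
fake_ldap_lookup() {
    case "$1" in
        user1) printf '%s\n' "$SAMPLE_LDIF" ;;
        *) : ;;   # ldapsearch -LLL prints nothing when there is no match
    esac
}

# When invoked by winbindd, serve the request with the real lookups.
case "${1-}" in
    SIDTOID|IDTOSID) handle_request real_sid_lookup real_ldap_lookup "$@" ;;
esac
```

Wiring it in uses the two idmap_script parameters, `idmap config MYDOMAIN : backend = script` and `idmap config MYDOMAIN : script = /path/to/this/script`, alongside the usual `range`; the password file given to `-y` should be owned by root with mode 0600, since winbindd runs the script as root.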