Rowland penny
2020-Aug-21 21:08 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On 21/08/2020 21:40, vincent at cojot.name wrote:
> On Fri, 21 Aug 2020, Rowland penny via samba wrote:
>
>> This works for me:
>>
>> rowland at devstation:~$ sudo ldapsearch -H ldaps://dc01.samdom.example.com -D 'SAMDOM\Administrator' -w 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com' 'memberof:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
>> [sudo] password for rowland:
>> dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>>
>> Rowland
>
> You're right, this works here too:
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D "raistlin at ad.lasthome.solace.krynn" -b "dc=ad,dc=lasthome,dc=solace,dc=krynn" 'memberof:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn' | grep 'dn:'
> Enter LDAP Password:
> dn: CN=raistlin,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
> dn: CN=Administrator,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
>
> So that must not be the problem, then.. Do you see anything else that stands out in the lines below?
>
> augmentedActiveDirectory:
>     groupsQuery:
>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>         scope: sub
>         derefAliases: never
>         pageSize: 0
>         filter: (objectclass=group)
>     groupUIDAttribute: primaryGroupID
>     groupNameAttributes: [ cn ]
>     groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>     usersQuery:
>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>         scope: sub
>         derefAliases: never
>         filter: (objectclass=person)
>         pageSize: 0
>     userNameAttributes: [ "sAMAccountName" ]

As far as I can see (and I could be missing something obvious), whilst it defines the search base, etc, it doesn't define what DN to search for. Should [ "memberof:1.2.840.113556.1.4.1941:" ] be something like:

[ "memberof:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,dc=samdom,dc=example,dc=com" ]

Rowland
Rowland penny
2020-Aug-21 21:29 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On 21/08/2020 22:08, Rowland penny via samba wrote:
> On 21/08/2020 21:40, vincent at cojot.name wrote:
>> On Fri, 21 Aug 2020, Rowland penny via samba wrote:
>>
>>> This works for me:
>>>
>>> rowland at devstation:~$ sudo ldapsearch -H ldaps://dc01.samdom.example.com -D 'SAMDOM\Administrator' -w 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com' 'memberof:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
>>> [sudo] password for rowland:
>>> dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>>> dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
>>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>> dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
>>> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>>>
>>> Rowland
>>
>> You're right, this works here too:
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D "raistlin at ad.lasthome.solace.krynn" -b "dc=ad,dc=lasthome,dc=solace,dc=krynn" 'memberof:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn' | grep 'dn:'
>> Enter LDAP Password:
>> dn: CN=raistlin,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> dn: CN=Administrator,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
>>
>> So that must not be the problem, then.. Do you see anything else that stands out in the lines below?
>>
>> augmentedActiveDirectory:
>>     groupsQuery:
>>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>>         scope: sub
>>         derefAliases: never
>>         pageSize: 0
>>         filter: (objectclass=group)
>>     groupUIDAttribute: primaryGroupID
>>     groupNameAttributes: [ cn ]
>>     groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>>     usersQuery:
>>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>>         scope: sub
>>         derefAliases: never
>>         filter: (objectclass=person)
>>         pageSize: 0
>>     userNameAttributes: [ "sAMAccountName" ]
>
> As far as I can see (and I could be missing something obvious), whilst it defines the search base, etc, it doesn't define what DN to search for. Should [ "memberof:1.2.840.113556.1.4.1941:" ] be something like:
>
> [ "memberof:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,dc=samdom,dc=example,dc=com" ]
>
> Rowland

Looking at 'krynn-ad-sync-config.yaml', you have 'groupUIDAttribute' set to 'primaryGroupID' and that is set to '513' for every AD user (unless you have changed it), so could the UID actually refer to something that identifies the group? 'dn' for instance?

Rowland
vincent at cojot.name
2020-Aug-21 21:51 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
Hi Rowland,

First of all, thank you for taking the time to help me.
I tried your suggestion and all results came up empty.

Then I did a few ldapsearch(es) and found this:

1) This query returns two users:
ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D "raistlin at ad.lasthome.solace.krynn" -b "dc=ad,dc=lasthome,dc=solace,dc=krynn" 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'

2) This query returns no users ("Domain Users" instead of "Domain Admins"):
ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D "raistlin at ad.lasthome.solace.krynn" -b "dc=ad,dc=lasthome,dc=solace,dc=krynn" 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'

-but- the list of users is correctly reported if I run this on a DC:
[root at dc01 ~]# samba-tool group listmembers 'Domain Users'
[....]
raistlin
[...]
krbtgt
dns-dc00
dns-dc01

Am I doing something wrong?

Regards,

Vincent
vincent at cojot.name
2020-Aug-21 22:07 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
Hi Rowland,

Here's an updated config of the yaml file. With that config (it is only using 'memberOf'), I only get a few groups and not all of them:

$ oc adm groups sync --sync-config=krynn-ad-sync-config.yaml --confirm
group/Administrators
group/Denied RODC Password Replication Group
group/Domain Admins
group/Enterprise Admins
group/Group Policy Creator Owners
group/Guests
group/Schema Admins
$

I have about 27 groups (all default groups) on this setup. The missing groups appear to be 'nested groups', which OCP doesn't handle, and this is why I started experimenting with memberOf:1.2.840.113556.1.4.1941 (it was described in the documentation as a way to un-flatten nested groups for AD).

Vincent

>>>         pageSize: 0
>>>     userNameAttributes: [ "sAMAccountName" ]
>>
>> As far as I can see (and I could be missing something obvious), whilst it defines the search base, etc, it doesn't define what DN to search for. Should [ "memberof:1.2.840.113556.1.4.1941:" ] be something like:
>>
>> [ "memberof:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,dc=samdom,dc=example,dc=com" ]
>>
>> Rowland
>
> Looking at 'krynn-ad-sync-config.yaml', you have 'groupUIDAttribute' set to 'primaryGroupID' and that is set to '513' for every AD user (unless you have changed it), so could the UID actually refer to something that identifies the group? 'dn' for instance?
>
> Rowland

-------------- next part --------------
# oc adm groups sync --sync-config=krynn-ad-sync-config.yaml --confirm --whitelist=krynn_group_list.txt
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://dc00.ad.lasthome.solace.krynn:389
insecure: false
ca: "KrynnAD.pem"
bindDN: "CN=openshift,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
bindPassword: "OBFUSCATED"
augmentedActiveDirectory:
    groupsQuery:
        baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
        scope: sub
        derefAliases: never
        pageSize: 0
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ "memberOf" ]
    #groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn" ]
    usersQuery:
        baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
        scope: sub
        derefAliases: always
        filter: (objectclass=person)
        pageSize: 0
    userNameAttributes: [ "sAMAccountName" ]
Andrew Bartlett
2020-Aug-21 22:59 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On Fri, 2020-08-21 at 17:51 -0400, Vincent S. Cojot via samba wrote:
> Hi Rowland,
>
> First of all, thank you for taking the time to help me.
> I tried your suggestion and all results came up empty.
>
> Then I did a few ldapsearch(es) and found this:
>
> 1) This query returns two users:
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D "raistlin at ad.lasthome.solace.krynn" -b "dc=ad,dc=lasthome,dc=solace,dc=krynn" 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>
> 2) This query returns no users ("Domain Users" instead of "Domain Admins"):
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D "raistlin at ad.lasthome.solace.krynn" -b "dc=ad,dc=lasthome,dc=solace,dc=krynn" 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>
> -but- the list of users is correctly reported if I run this on a DC:
> [root at dc01 ~]# samba-tool group listmembers 'Domain Users'
> [....]
> raistlin
> [...]
> krbtgt
> dns-dc00
> dns-dc01
>
> Am I doing something wrong?

The system that you are trying to use for OpenShift does not know about primary group memberships, as these are not recorded as DN links.

Inside that samba-tool group listmembers command we work around that by using this filter:

search_filter = ("(|(primaryGroupID=%s)(memberOf=%s))" % (rid, group_sid_dn))

You may need to contribute logic upstream to OpenShift to learn about how groups work in AD, or (if secure) forgo primary group memberships.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
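As an added illustration of Andrew's point (this is not code from the thread, from Samba or from OpenShift), the Python below decodes a binary group objectSid to its RID, builds the same (|(primaryGroupID=RID)(memberOf=DN)) filter shape that samba-tool uses, and evaluates it offline against constructed user entries to show why a memberOf-only sync returns nobody for Domain Users while the disjunction returns every user whose primary group it is. The domain SID, the user entries and their memberOf values are made up; the group DNs follow the thread's domain.

```python
import struct

BASE = "DC=ad,DC=lasthome,DC=solace,DC=krynn"           # domain from the thread
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users," + BASE
DOMAIN_ADMINS_DN = "CN=Domain Admins,CN=Users," + BASE
DOMAIN_SUBAUTHS = (21, 1111, 2222, 3333)                 # constructed domain SID S-1-5-21-1111-2222-3333

def make_sid(rid, subauths=DOMAIN_SUBAUTHS):
    """Build a binary objectSid (revision 1, NT authority 5) ending in the given RID."""
    subs = list(subauths) + [rid]
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_to_string(sid):
    """Decode a binary objectSid, as LDAP returns it, into S-1-5-... notation."""
    count = sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-" % (sid[0], authority) + "-".join(str(s) for s in subs)

def rid_from_sid(sid):
    """The RID is the last 32-bit little-endian sub-authority of the SID."""
    return struct.unpack_from("<I", sid, 8 + 4 * (sid[1] - 1))[0]

def listmembers_filter(group_sid, group_dn):
    """The filter shape Andrew quotes from samba-tool group listmembers."""
    return "(|(primaryGroupID=%d)(memberOf=%s))" % (rid_from_sid(group_sid), group_dn)

# Constructed user entries in the shape the LDAP sync sees: memberOf lists direct
# memberships only, and nobody's memberOf names Domain Users (it is their primary group).
USERS = [
    {"sAMAccountName": "raistlin", "primaryGroupID": 513, "memberOf": [DOMAIN_ADMINS_DN]},
    {"sAMAccountName": "Administrator", "primaryGroupID": 513, "memberOf": [DOMAIN_ADMINS_DN]},
    {"sAMAccountName": "krbtgt", "primaryGroupID": 513, "memberOf": []},
    {"sAMAccountName": "dns-dc00", "primaryGroupID": 513, "memberOf": []},
]

def _has_memberof(entry, group_dn):
    return group_dn.lower() in (m.lower() for m in entry.get("memberOf", []))

def members_via_memberof(entries, group_dn):
    """What a memberOf-only sync (augmentedActiveDirectory) resolves for a group."""
    return sorted(e["sAMAccountName"] for e in entries if _has_memberof(e, group_dn))

def members_via_samba_filter(entries, group_sid, group_dn):
    """Offline evaluation of the samba-tool disjunction: primaryGroupID RID or memberOf DN."""
    rid = rid_from_sid(group_sid)
    return sorted(e["sAMAccountName"] for e in entries
                  if e.get("primaryGroupID") == rid or _has_memberof(e, group_dn))

if __name__ == "__main__":
    du = make_sid(513)
    print(sid_to_string(du))                                                  # S-1-5-21-1111-2222-3333-513
    print(listmembers_filter(du, DOMAIN_USERS_DN))
    print("memberOf only:", members_via_memberof(USERS, DOMAIN_USERS_DN))     # []
    print("samba filter :", members_via_samba_filter(USERS, du, DOMAIN_USERS_DN))  # all four users
```

Against a live DC the same two filters would be sent with ldapsearch; the point is that the 1941 chain rule only follows memberOf links, so it cannot see a primary group membership either.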