Andrew Bartlett
2020-Aug-21 22:59 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On Fri, 2020-08-21 at 17:51 -0400, Vincent S. Cojot via samba wrote:
> Hi Rowland,
>
> First of all, thank you for taking the time to help me.
> I tried your suggestion and all results came up empty.
>
> Then I did a few ldapsearch(es) and found this:
>
> 1) This query returns two users:
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
> "raistlin@ad.lasthome.solace.krynn" -b
> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>
> 2) This query returns no users ("Domain Users" instead of "Domain
> Admins"):
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
> "raistlin@ad.lasthome.solace.krynn" -b
> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
> Users,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>
> -but- the list of users is correctly reported if I run this on a DC:
> [root@dc01 ~]# samba-tool group listmembers 'Domain Users'
> [....]
> raistlin
> [...]
> krbtgt
> dns-dc00
> dns-dc01
>
> Am I doing something wrong?

The system that you are trying to use for OpenShift does not know about
primary group memberships, as these are not recorded as DN links.

Inside that samba-tool group listmembers command we work around that by
using this filter:

    search_filter = ("(|(primaryGroupID=%s)(memberOf=%s))" %
                     (rid, group_sid_dn))

You may need to contribute logic upstream to OpenShift to learn about
how groups work in AD, or (if secure) forgo primary group memberships.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
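Added example (not part of the message above and not samba-tool's own code): a small Python sketch of why a memberOf-only lookup returns nothing for 'Domain Users' while the OR filter quoted above finds the members. The directory entries, the domain SID, all function names and the use of a plain group DN in the memberOf term are assumptions made for illustration.

```python
# Constructed in-memory directory; none of these values come from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "CN=Users,DC=example,DC=test"

ENTRIES = [
    {"dn": f"CN=Domain Users,{BASE}", "objectSid": f"{DOMAIN_SID}-513", "memberOf": []},
    {"dn": f"CN=Domain Admins,{BASE}", "objectSid": f"{DOMAIN_SID}-512", "memberOf": []},
    # alice has a DN link to Domain Admins; her Domain Users membership is
    # recorded only as primaryGroupID, with no DN link at all.
    {"dn": f"CN=alice,{BASE}", "primaryGroupID": 513,
     "memberOf": [f"CN=Domain Admins,{BASE}"]},
    {"dn": f"CN=bob,{BASE}", "primaryGroupID": 513, "memberOf": []},
]


def rid_of(sid: str) -> int:
    """primaryGroupID stores the RID: the last sub-authority of the group SID."""
    return int(sid.rsplit("-", 1)[1])


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a DN containing ( ) * or a backslash cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(group: dict) -> str:
    """Filter of the same shape as the one quoted above, built from a group entry."""
    return "(|(primaryGroupID=%d)(memberOf=%s))" % (
        rid_of(group["objectSid"]), escape_filter_value(group["dn"]))


def members_by_link(entries, group_dn):
    """What a consumer that follows DN links only will see."""
    return sorted(e["dn"] for e in entries if group_dn in e["memberOf"])


def members_with_primary(entries, group):
    """Local equivalent of the OR filter: DN link or matching primaryGroupID."""
    rid = rid_of(group["objectSid"])
    return sorted(e["dn"] for e in entries
                  if group["dn"] in e["memberOf"] or e.get("primaryGroupID") == rid)


if __name__ == "__main__":
    domain_users = ENTRIES[0]
    print(build_filter(domain_users))
    print("links only  :", members_by_link(ENTRIES, domain_users["dn"]))
    print("with primary:", members_with_primary(ENTRIES, domain_users))
```

Any access decision keyed on a default group such as 'Domain Users' needs the second form; the links-only result is empty even though every user belongs to the group.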
vincent at cojot.name
2020-Aug-22 20:31 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
Hi Andrew, Hi Rowland,

I just spent close to one hour debugging this with one OpenShift
specialist from RedHat. What we figured was:

1) both of my configs work (auth and group-sync) and are in fact correct.

2) OCP group sync does not sync the groups that have no explicit 'member'
Attribute or groups that are 'default' groups (E.g: 'Domain Users') where membership
is through the primaryGroupID.

So things are in fact working and they'll be reaching out to me because
I'm one of the few guys with a working 'Active Directory' in his home/lab
and they'd like to support ActiveDirectory in the Group Sync Operator
they're writing upstream. :)

Thank you for your help debugging this yesterday. I keep trying to
evangelize Samba AD/DC internally to my peers and the level of help I
received on that issue really makes the case for this type of setup.
I will most likely write a post about this.

Much appreciated,

Regards,

Vincent

,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote _.,-*~'`^`'~*-,._ coyote at NOSPAM4cojot.name

They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places.
- Robert Frost

On Sat, 22 Aug 2020, Andrew Bartlett via samba wrote:
> On Fri, 2020-08-21 at 17:51 -0400, Vincent S. Cojot via samba wrote:
>> Hi Rowland,
>>
>> First of all, thank you for taking the time to help me.
>> I tried your suggestion and all results came up empty.
>>
>> Then I did a few ldapsearch(es) and found this:
>>
>> 1) This query returns two users:
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
>> "raistlin@ad.lasthome.solace.krynn" -b
>> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
>> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
>> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>>
>> 2) This query returns no users ("Domain Users" instead of "Domain
>> Admins"):
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
>> "raistlin@ad.lasthome.solace.krynn" -b
>> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
>> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
>> Users,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>>
>> -but- the list of users is correctly reported if I run this on a DC:
>> [root@dc01 ~]# samba-tool group listmembers 'Domain Users'
>> [....]
>> raistlin
>> [...]
>> krbtgt
>> dns-dc00
>> dns-dc01
>>
>> Am I doing something wrong?
>
> The system that you are trying to use for OpenShift does not know about
> primary group memberships, as these are not recorded as DN links.
>
> Inside that samba-tool group listmembers command we work around that by
> using this filter:
> search_filter = ("(|(primaryGroupID=%s)(memberOf=%s))" %
> (rid, group_sid_dn))
>
> You may need to contribute logic upstream to OpenShift to learn about
> how groups work in AD, or (if secure) forgo primary group memberships.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2020-Aug-23 03:09 UTC
[Samba] Documenting 'works great with Samba AD' (was: Re: Using Samba AD/DC as an Active Directory OAuth provider for OpenShift)
On Sat, 2020-08-22 at 16:31 -0400, Vincent S. Cojot via samba wrote:
> Hi Andrew, Hi Rowland,
>
> I just spent close to one hour debugging this with one OpenShift
> specialist from RedHat. What we figured was:
>
> 1) both of my configs work (auth and group-sync) and are in fact correct.
>
> 2) OCP group sync does not sync the groups that have no explicit 'member'
> Attribute or groups that are 'default' groups (E.g: 'Domain Users') where membership
> is through the primaryGroupID.
>
> So things are in fact working and they'll be reaching out to me because
> I'm one of the few guys with a working 'Active Directory' in his home/lab
> and they'd like to support ActiveDirectory in the Group Sync Operator
> they're writing upstream. :)
>
> Thank you for your help debugging this yesterday. I keep trying to
> evangelize Samba AD/DC internally to my peers and the level of help I
> received on that issue really makes the case for this type of setup.
> I will most likely write a post about this.

Thanks for the feedback. I thank you for your work, the more software
that is clearly documented as 'works great with Samba' the better for
Samba.

I also think it is awesome for the software we work with: one thing
that makes Samba really handy as an AD DC is that it can fit into
manual and CI testing of Linux-centric products like OpenShift,
standing in for Microsoft's AD reliably yet automating on par with the
rest of the system.

I look forward to your post, hopefully you can find a place to those
instructions.

More broadly, I would love to have a curated 'works great with Samba AD'
page. With (links to) instructions about how to configure sssd (yes,
really), mod_auth_ntlm_winbind, mod_auth_kerb, Packetfence, Django,
Azure AD (stating known limitations) etc.

While for many tools it is 'just use like Windows AD', having a page
that confidently explains that it really works with Samba should help
our adoption, if only to show to higher-up management who are yet to be
convinced.

I don't have the time to write all this, but hit me up if you need
pages created in the wiki or the permission to do so!

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba