samba - Aug 2020 - Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

On Fri, 2020-08-21 at 17:51 -0400, Vincent S. Cojot via samba
wrote:
> Hi Rowland,
> 
> First of all, thank you for taking the time to help me.
> I tried your suggestion and all results came up empty.
> 
> Then I did a few lapdsearch(es) and found this:
> 
> 1) This query returns two users:
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D 
> "raistlin at ad.lasthome.solace.krynn" -b 
> "dc=ad,dc=lasthome,dc=solace,dc=krynn" 
> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain 
> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
> 
> 2) This query returns no users ("Domain Users" instead of
"Domain
> Admins"):
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D 
> "raistlin at ad.lasthome.solace.krynn" -b 
> "dc=ad,dc=lasthome,dc=solace,dc=krynn" 
> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain 
> Users,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
> 
> -but- the list of users is correctly reported if I run this on a DC:
> root at dc01 ~]# samba-tool group listmembers 'Domain Users'
> [....]
> raistlin
> [...]
> krbtgt
> dns-dc00
> dns-dc01
> 
> Am I doing something wrong?
The system that you ary trying to use for OpenShift does not know about
primary group memberships, as these are not recorded as DN links.

Inside that samba-tool group listmembers command we work around that by
using this filter:
            search_filter = ("(|(primaryGroupID=%s)(memberOf=%s))" %
                             (rid, group_sid_dn))

You may need to contribute logic upstream to OpenShift to learn about
how groups work in AD, or (if secure) forgo primary group memberships.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hi Andrew, Hi Rowland,

I just spent close to one hour debugging this with one OpenShift 
specialist from RedHat. What we figured was:

1) both of my configs work (auth and group-sync) and are in fact correct.

2) OCP group sync does not sync the groups that have no explicit
'member'
Attribute or groups that are 'default' groups (E.g: 'Domain
Users') where membership
is through the primaryGroupID.

So things are in fact working and they'll be reaching out to me because 
I'm one of the few guys with a working 'Active Directory' in his
home/lab
and they'd like to support ActiveDirectory in the Group Sync Operator 
they're writing upstream. :)

Thank you for your help debugging this yesterday. I keep trying to 
evangelize Samba AD/DC internally to my peers and the level of help I 
received on that issue really makes the case for this type of setup.
I will most likely write a post about this.

Much appreciated,

Regards,

Vincent

,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
Vincent S. Cojot, Computer Engineering. STEP project.
_.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique.
_.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page
_.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote at
NOSPAM4cojot.name

They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places.       - Robert Frost



On Sat, 22 Aug 2020, Andrew Bartlett via samba wrote:
> On Fri, 2020-08-21 at 17:51 -0400, Vincent S. Cojot via samba wrote:
>> Hi Rowland,
>>
>> First of all, thank you for taking the time to help me.
>> I tried your suggestion and all results came up empty.
>>
>> Then I did a few lapdsearch(es) and found this:
>>
>> 1) This query returns two users:
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
>> "raistlin at ad.lasthome.solace.krynn" -b
>> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
>> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
>> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>>
>> 2) This query returns no users ("Domain Users" instead of
"Domain
>> Admins"):
>> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
>> "raistlin at ad.lasthome.solace.krynn" -b
>> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
>> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
>> Users,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>>
>> -but- the list of users is correctly reported if I run this on a DC:
>> root at dc01 ~]# samba-tool group listmembers 'Domain Users'
>> [....]
>> raistlin
>> [...]
>> krbtgt
>> dns-dc00
>> dns-dc01
>>
>> Am I doing something wrong?
>
> The system that you ary trying to use for OpenShift does not know about
> primary group memberships, as these are not recorded as DN links.
>
> Inside that samba-tool group listmembers command we work around that by
> using this filter:
>            search_filter = ("(|(primaryGroupID=%s)(memberOf=%s))"
%
>                             (rid, group_sid_dn))
>
> You may need to contribute logic upstream to OpenShift to learn about
> how groups work in AD, or (if secure) forgo primary group memberships.
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Sat, 2020-08-22 at 16:31 -0400, Vincent S. Cojot via samba
wrote:
> Hi Andrew, Hi Rowland,
> 
> I just spent close to one hour debugging this with one OpenShift 
> specialist from RedHat. What we figured was:
> 
> 1) both of my configs work (auth and group-sync) and are in fact correct.
> 
> 2) OCP group sync does not sync the groups that have no explicit
'member'
> Attribute or groups that are 'default' groups (E.g: 'Domain
Users') where membership
> is through the primaryGroupID.
> 
> So things are in fact working and they'll be reaching out to me because
> I'm one of the few guys with a working 'Active Directory' in
his home/lab
> and they'd like to support ActiveDirectory in the Group Sync Operator 
> they're writing upstream. :)
> 
> Thank you for your help debugging this yesterday. I keep trying to 
> evangelize Samba AD/DC internally to my peers and the level of help I 
> received on that issue really makes the case for this type of setup.
> I will most likely write a post about this.
Thanks for the feedback.  I thank you for your work, the more software
that is clearly documented as 'works great with Samba' the better for
Samba.

I also think it is awesome for the software we work with: one thing
that makes Samba really handy as an AD DC is that it can fit into
manual and CI testing of Linux-centric products like OpenShift,
standing in for Microsoft's AD reliably yet automating on par with the
rest of the system.

I look forward to your post, hopefully you can find a place to those
instructions.

More broadly, I would love to have curated 'works great with Samba AD'
page.  With (links to) instructions about how to configure sssd (yes,
really), mod_auth_ntlm_winbind, mod_auth_kerb, Packetfence, Django,
Azure AD (stating known limitations) etc.  

While for many tools it is 'just use like Windows AD', having a page
that confidently explains that it really works with Samba should help
our adoption, if only to show to higher-up management who are yet to be
convinced.

I don't have the time to write all this, but hit me up if you need
pages created in the wiki or the permission to do so!

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba