Samba 4 OpenLDAP authentication issue
I do not see any security directive in your config file. I assume that you want security=ad. I've spent the last month trying to do exactly the same thing: use OpenLDAP as the main database of user login information.
I've tested a few approaches:
Samba 4 AD can't trust at the moment (the Samba Team will publish Samba 4.2 soon, at the time of writing), so you can't use trust mechanisms.
Samba 4 in AD mode, as far as I know, can't be based on OpenLDAP because of the lack of schemas needed by Active Directory.
I've tried to use software called LSC, which basically allows you to sync users and groups between AD and OpenLDAP. No luck here either. The LSC documentation and examples are outdated and not compatible with the current release. I finally managed to get user sync working, but there are a few bugs (at least in LSC v2.0, which I tried): when you update a password in OpenLDAP, LSC won't catch it. You have to store passwords in plain text to make it work.
For now, no Samba AD controller with OpenLDAP as backend. I am planning to stick with a classic NT domain controller; as soon as Samba supports trusts, I want to delegate one-direction trusts (from Samba4 NT DC to Samba4 AD) and use it on the AD domain controller with user information located in OpenLDAP.
If someone can find any mistake here, I'll be more than glad to hear it. ;-)
UPDATE: According to Francesco Malvezzi's information, in Samba 4.3 trusts are now supported:
https://www.samba.org/samba/history/samba-4.3.0.html
Improved support for trusted domains (as AD DC)
The support for trusted domains/forests has improved a lot.
samba-tool got "domain trust" subcommands to manage trusts:
- create: Create a domain or forest trust.
- delete: Delete a domain trust.
- list: List domain trusts.
- namespaces: Manage forest trust namespaces.
- show: Show trusted domain details.
- validate: Validate a domain trust.
External trusts between individual domains work in both ways (inbound and outbound). The same applies to root domains of a forest trust. The transitive routing into the other forest is fully functional for kerberos, but not yet supported for NTLMSSP.
While a lot of things are working fine, there are currently a few limitations:
- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
- This means DCs of domain A can grant domain admin rights in domain B.
- It's not possible to add users/groups of a trusted domain into domain groups.
Configuration example: https://www.samba.org/samba/history/samba-4.3.0.html
The trust relationship is created and can be checked using winbind:
wbinfo -u
-> get local users list
wbinfo -u --domain=trusted.domain.tld
-> get trusted domain users list (the short domain name can be used too)
It can also be validated using the --local-dc-username and --local-dc-password switches:
samba-tool domain trust validate trusted.domain.tld \
    --local-dc-password=trustedAdminPass \
    --local-dc-username=administrator \
    -U administrator@trusted.domain.tld
Using Samba's internal DNS makes DNS query forwarding transparent (with the few tools I can think of to check).
To be able to connect to machine.A.domain.tld using a user from B.domain.tld, you'll have to add the "Authenticated Users" special group to the RDP-authorized people.
I am still waiting until it becomes available in the official channel of my distro (Debian 8-9), though.
peipst9lker
Updated on September 18, 2022
Comments
-
peipst9lker over 1 year
What I've done so far
- Installed a DHCP server and bind9 for the local network of clients (the server should act as a gateway)
- built Samba4 from source with bind9_dlz as DNS backend
- installed OpenLDAP using apt-get install slapd ldap-utils
- changed the slapd ports to 390,637 because Samba is blocking 389,636
- imported the Samba LDAP schema, initially set up the LDAP directory and provisioned the domain
- installed libnss-ldapd for LDAP authentication (getent passwd outputs LDAP users correctly)
- gave Samba the admin password of my LDAP directory (smbpasswd -w xxx)
The Problem
I joined a Windows 7 client to the domain and tried to log in as a user created with smbldap-useradd. I receive a wrong password message from Windows but absolutely no errors/warnings from Samba. My test user really exists in LDAP (checked with phpldapadmin), so I assume Samba is not correctly talking to LDAP. I'm stuck at this point and need some help!
What I've noticed
I've set
passdb backend = ldapsam:ldap://testsrv.alfr.local:390/
which is not appearing in the output of testparm (see underneath).
Software I'm using
- Ubuntu Server 12.04 up-to-date
- Samba 4.1.6 compiled from source (official git repository)
- Bind 9.8.1
- slapd 2.4.28
- isc-dhcp-server 4.1
Configs and Outputs
- Server host name: testsrv
- Domain name: alfr.local
- 2 network interfaces, eth0 = DHCP, externally WAN, eth1 = 192.168.25.1 (the server acts as DHCP for this network, ranging from 25.50 to 25.254)
Output of testparm
root@testsrv:~# testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[profiles]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
	workgroup = ALFR
	realm = alfr.local
	server role = active directory domain controller
	passdb backend = samba_dsdb
	add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
	rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
	delete user script = /usr/sbin/smbldap-userdel '%u'
	add group script = /usr/sbin/smbldap-groupadd -p '%g'
	delete group script = /usr/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
	delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
	add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
	domain logons = Yes
	os level = 10
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins support = Yes
	ldap admin dn = cn=admin,dc=alfr,dc=local
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Computers
	ldap suffix = dc=alfr,dc=local
	ldap ssl = no
	ldap user suffix = ou=Users
	server services = rpc, nbt, wrepl, cldap, ldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
	rpc_server:tcpip = no
	rpc_daemon:spoolssd = embedded
	rpc_server:spoolss = embedded
	rpc_server:winreg = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:eventlog = embedded
	rpc_server:srvsvc = embedded
	rpc_server:svcctl = embedded
	rpc_server:default = external
	idmap config * : backend = tdb
	map archive = No
	map readonly = no
	store dos attributes = Yes
	vfs objects = dfs_samba4, acl_xattr

[profiles]
	path = /srv/samba/profiles
	read only = No
	create mask = 0611
	directory mask = 0700
	profile acls = Yes
	map hidden = Yes
	map system = Yes
	browseable = No
	csc policy = disable

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/alfr.local/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[homes]
	comment = Eigener Ordner
	path = /srv/samba/homes/%S
	read only = No
	create mask = 0611
	directory mask = 0711
	browseable = No
	vfs objects = acl_xattr, full_audit
	full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
	full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
Output of ps aux (unimportant stuff cut out)
root@testsrv:~# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 699 0.0 0.0 7272 608 ? Ss 08:08 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth
bind 827 0.0 2.8 502280 58392 ? Ssl 08:08 0:01 /usr/sbin/named -u bind
dhcpd 833 0.0 0.2 14552 4476 ? Ss 08:08 0:00 /usr/sbin/dhcpd -f -q -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/ltsp/dhcpd.conf
openldap 1024 0.0 0.3 722000 6524 ? Ssl 08:08 0:00 /usr/sbin/slapd -h ldap://127.0.0.1:390/ ldaps://127.0.0.1:637/ ldapi://%2fvar%2frun%2fslapd%2fldapi/??
root 1051 0.0 0.0 693092 1172 ? Ssl 08:08 0:00 /usr/sbin/nscd
nslcd 1075 0.0 0.0 443600 1376 ? Ssl 08:08 0:00 /usr/sbin/nslcd
ntp 1279 0.0 0.0 25960 1836 ? Ss 08:08 0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:114
root 1595 0.0 2.2 534364 46152 ? Ss 09:52 0:00 samba start
root 1597 0.0 1.8 538976 38532 ? S 09:52 0:00 samba start
root 1598 0.0 1.7 539772 35624 ? S 09:52 0:00 samba start
root 1599 0.0 1.6 536876 33716 ? S 09:52 0:00 samba start
root 1600 0.0 1.6 534364 34568 ? S 09:52 0:00 samba start
root 1601 0.0 1.8 534804 37568 ? S 09:52 0:00 samba start
root 1602 0.0 1.8 538516 37212 ? S 09:52 0:00 samba start
root 1603 0.0 1.6 534364 34328 ? S 09:52 0:00 samba start
root 1604 0.0 1.6 537192 33928 ? S 09:52 0:00 samba start
root 1605 0.0 1.5 534364 32716 ? S 09:52 0:00 samba start
root 1606 0.0 2.0 534364 41264 ? S 09:52 0:00 samba start
root 1607 0.0 1.6 534364 33884 ? S 09:52 0:00 samba start
root 1608 0.0 1.6 534364 33360 ? S 09:52 0:00 samba start
/etc/nsswitch.conf
root@testsrv:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd: compat
passwd: files ldap
# pre_auth-client-config # group: compat
group: files ldap
# pre_auth-client-config # shadow: compat
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# pre_auth-client-config # netgroup: nis
netgroup: nis
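An added example, not from the thread: a small Python audit of a testparm dump that makes the problem in this question visible. With server role = active directory domain controller, Samba keeps its accounts in the internal samba_dsdb backend, so a configured passdb backend = ldapsam and the ldap * parameters are inert (which is why the ldapsam line is gone from the testparm output above); for a classic-role config the same check flags ldapsam bound over plain ldap:// with ldap ssl = no. The sample dump is constructed from values on this page, and the AD DC role spellings are an assumed synonym list.

```python
import re

# Constructed excerpt in the shape of the testparm dump above (values taken from this page).
SAMPLE_TESTPARM = """\
[global]
\tserver role = active directory domain controller
\tpassdb backend = samba_dsdb
\tldap admin dn = cn=admin,dc=alfr,dc=local
\tldap suffix = dc=alfr,dc=local
\tldap ssl = no
[homes]
\tpath = /srv/samba/homes/%S
"""

# Spellings accepted for the AD DC role (assumed synonym list; testparm prints the long form).
AD_DC_ROLES = {"active directory domain controller", "ad dc"}


def parse_global(text: str) -> dict:
    """[global] parameters of an smb.conf or testparm dump, lower-cased key -> value."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def audit(params: dict) -> list:
    """Flag settings that are inert or weak for the role and passdb backend in effect."""
    findings = []
    role = params.get("server role", "auto").lower()
    backend = params.get("passdb backend", "")
    if role in AD_DC_ROLES:
        # The AD DC keeps accounts in its own sam.ldb: ldapsam and the ldap * knobs are ignored.
        if backend and backend != "samba_dsdb":
            findings.append("AD DC role: passdb backend %r is ignored, samba_dsdb is used" % backend)
        inert = sorted(k for k in params if k.startswith("ldap "))
        if inert:
            findings.append("inert under AD DC role: " + ", ".join(inert))
    elif backend.startswith("ldapsam:") and not re.match(r"ldapsam:(ldaps|ldapi)://", backend):
        # Plain ldap:// with ldap ssl = no sends the admin dn bind and hashes unencrypted.
        if params.get("ldap ssl", "start tls").lower() == "no":
            findings.append("ldapsam over plain ldap:// with ldap ssl = no: unencrypted admin bind")
    return findings
```

Feed it the text of testparm -s (or the raw smb.conf, which is where the ignored ldapsam line still shows up) to audit a live configuration.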
-
Francesco Malvezzi over 8 years
update: domain trust has been introduced in samba-4.3.0