Hi again,

Thanks again, Denis, Steve and Rowland for your previous answers about RFC2307 and winbind.

Maybe I'm a dreamer, but here is what I wanted to achieve:
Ubuntu server 12.04.3, Samba4 as PDC, several NICs: 1 LAN and 2/3 WANs
Use a Windows VM (on this server) to control AD through WRAT
AD offers me the 'wisdom' of software deployment and GPO; users can't install anything
All standard Linux services (apache, postfix, dovecot, pptp, mysql, webmail, ...) can query AD

What is done :
I have set up 'folder redirection' in WRAT, so users' 'documents' and 'desktop' are available offline and mapped to home/%U on the server
AD Administrator has a roaming profile
Searched a lot and succeeded in deploying Office, Acrobat Reader, Skype, 7-zip, Firefox to users (Windows is another world...)
Shares are mounted (depending on AD 'ou' rights) on users' PCs
Administrator can log in via UltraVNC to all workstations

What needs to be done:
Linux services to authenticate to AD

From what I've read, sssd is the most secure solution to achieve this, but...
Using sssd 1.11.1: configuration files:
1)
sudo cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = radiodjiido.nc
[nss]
[pam]
[domain/radiodjiido.nc]
dyndns_update = false
ad_hostname = serveur.radiodjiido.nc
ad_server = serveur.radiodjiido.nc
ad_domain = radiodjiido.nc
ldap_schema = ad
id_provider = ad
access_provider = simple
enumerate = true
cache_credentials = true
auth_provider = krb5
chpass_provider = krb5
krb5_realm = RADIODJIIDO.NC
krb5_server = serveur.radiodjiido.nc
krb5_kpasswd = serveur.radiodjiido.nc
#next line only lists users with uidNumber/gidNumber entered via ldbedit
ldap_id_mapping = false
ldap_referrals = false
ldap_uri = ldap://serveur.radiodjiido.nc
ldap_search_base = dc=radiodjiido,dc=nc
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=radiodjiido,dc=nc
ldap_group_name = cn
ldap_group_member = member
ldap_sasl_mech = gssapi
#ldap_sasl_authid = serveur$
ldap_sasl_authid = serveur$@RADIODJIIDO.NC
krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
    workgroup = RADIODJIIDO
    realm = RADIODJIIDO.NC
    netbios name = SERVEUR
    server role = active directory domain controller
    dns forwarder = 192.168.1.1
    # for sssd
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/radiodjiido.nc/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[Profiles]
     path = /media/data/Profiles/
     read only = No

[partage]
    comment = partage general
    path = /media/data/global
    read only = No

[home]
    comment = dossiers utilisateurs
    path = /media/data/homes
    read only = No

[journal]
        comment = journal
        path = /media/data/journal
        read only = No

[musique]
        comment = musique
        path = /media/data/musique
        read only = No

cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
Result with:
getent passwd
mysql:x:113:124:MySQL Server,,,:/nonexistent:/bin/false
nut:x:114:125::/var/lib/nut:/bin/false
nico:*:3000025:100:nico:/:
-> the user for whom I entered uidNumber/gidNumber is listed; home dir seems to be / and there is no shell

Result with:
getent group
rtkit:x:123:
mysql:x:124:
nut:x:125:
-> no AD group is listed at all


2) If sssd.conf is modified:
#ldap_id_mapping = false
ldap_schema = rfc2307bis
getent passwd and getent group list (nearly all) users and groups in AD, with the infamous random IDs like:
nico-virtual-7$:*:166801125:166800515:NICO-VIRTUAL-7:/:
administrator:*:166800500:166800513:Administrator:/:


So I'm a bit desperate with the sssd use...
Is an OpenLDAP proxy the best way to make all this work together?
Thanks in advance for your time.
Nicolas

In case it could help someone, here are the steps I followed to install sssd 1.11.1:

cd ~
wget https://fedorahosted.org/released/sssd/sssd-1.11.1.tar.gz
sudo apt-get install debhelper quilt dh-autoreconf autopoint lsb-release dpkg-dev dnsutils libpopt-dev libdbus-1-dev libkeyutils-dev libkeyutils-dev libldap2-dev libpam-dev libnl-dev libnss3-dev libnspr4-dev libpcre3-dev libselinux1-dev libsasl2-dev libtevent-dev libldb-dev libtalloc-dev libtdb-dev xml-core docbook-xsl docbook-xml libxml2-utils xsltproc krb5-config libkrb5-dev libc-ares-dev python-dev libdhash-dev libcollection-dev libini-config-dev check dh-apparmor libglib2.0-dev libndr-dev libndr-standard-dev libsamba-util-dev samba4-dev libdcerpc-dev build-essential libsemanage1-dev samba4-dev libpam-sss cyrus-sasl2-heimdal-dbg
-> this installed sssd 1.8.6 with this /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = radiodjiido.nc

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/radiodjiido.nc]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://serveur.radiodjiido.nc
ldap_search_base = DC=radiodjiido,DC=nc
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

krb5_kdcip = serveur.radiodjiido.nc
krb5_realm = RADIODJIIDO.NC
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
sudo service sssd stop
tar -xzvf sssd-1.11.1.tar.gz
cd sssd-1.11.1
./configure && make
sudo make install
sudo cp /usr/local/lib/* /lib/x86_64-linux-gnu
sudo rm /lib/x86_64-linux-gnu/*.la
sudo cp /usr/local/lib/security/pam_sss.so /lib/x86_64-linux-gnu/security
sudo rm /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba
sudo rm /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/memberof.la
sudo pam-auth-update
sudo /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=serveur$
sudo chown root:root /etc/krb5.sssd.keytab
sudo chmod 600 /etc/krb5.sssd.keytab
sudo nano /usr/local/etc/sssd/sssd.conf
-> see beginning of message for configuration
sudo chmod 600 /usr/local/etc/sssd/sssd.conf
sudo rm /usr/local/var/lib/sss/db/*
sudo cp /usr/local/lib/security/pam_sss.so /lib/x86_64-linux-gnu/security
sudo nano /root/.bashrc
    add at end:
    PATH="/usr/local/sbin:/usr/local/lib:/usr/local/etc:$PATH"
sudo mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf_dist
sudo ln -s /usr/local/etc/sssd/sssd.conf /etc/sssd/
sudo sssd -i -d3



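A check worth running before blaming sssd, as an added example that is not part of Nicolas's post nor code from the SSSD or Samba projects: with ldap_id_mapping = false, SSSD only returns users that carry a uidNumber and groups that carry a gidNumber, so an LDIF dump of the AD users and groups tells you in advance what getent passwd and getent group will show. The ldbsearch commands in the docstring and the sam.ldb path are assumptions for a /usr/local/samba install; the sample LDIF is constructed for illustration, the 'alice' user and 'linuxusers' group are invented, and only the 'nico' entry mirrors the getent line in the post.

```python
"""Report which AD users and groups SSSD can resolve with ldap_id_mapping = false.

Added example (not from Nicolas's post, SSSD or Samba).  Input is an LDIF dump,
for instance produced on the DC with (path assumed for a /usr/local/samba install):

  ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=user)' \\
      sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell
  ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=group)' cn gidNumber

The LDIF below is constructed: 'nico' mirrors the post's getent output,
'alice' and 'linuxusers' are invented.
"""
import base64
import re
from typing import Dict, List

SAMPLE_LDIF = """\
dn: CN=nico,CN=Users,DC=radiodjiido,DC=nc
objectClass: top
objectClass: user
sAMAccountName: nico
uidNumber: 3000025
gidNumber: 100

dn: CN=Administrator,CN=Users,DC=radiodjiido,DC=nc
objectClass: user
sAMAccountName: Administrator

dn: CN=alice,CN=Users,DC=radiodjiido,DC=nc
objectClass: user
sAMAccountName: alice
uidNumber: 3000026
gidNumber: 3000100
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=Domain Users,CN=Users,DC=radiodjiido,DC=nc
objectClass: group
cn: Domain Users

dn: CN=linuxusers,CN=Users,DC=radiodjiido,DC=nc
objectClass: group
cn: linuxusers
gidNumber: 3000100
"""

# Without ID mapping a user needs uidNumber to be a POSIX user at all; the other
# attributes decide what getent shows (primary group, home, shell).  A group
# without gidNumber is not returned by getent group.
REQUIRED_USER_ATTRS = ("uidnumber",)
OPTIONAL_USER_ATTRS = ("gidnumber", "unixhomedirectory", "loginshell")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into entries; attribute names lower-cased, values kept as lists."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        block = re.sub(r"\n ", "", block)          # unfold continuation lines
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            m = re.match(r"^([\w.;-]+)(::?) ?(.*)$", line)
            if not m:
                continue
            name, sep, value = m.groups()
            if sep == "::":                        # base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def check_entries(entries):
    """Sort entries into what SSSD will and will not return with rfc2307 attributes."""
    report = {"users_ok": [], "users_skipped": {}, "users_incomplete": {},
              "groups_ok": [], "groups_skipped": []}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "user" in classes:                       # computer objects are users too (nico-virtual-7$)
            name = e.get("samaccountname", ["?"])[0]
            missing = [a for a in REQUIRED_USER_ATTRS if a not in e]
            if missing:
                report["users_skipped"][name] = missing
                continue
            incomplete = [a for a in OPTIONAL_USER_ATTRS if a not in e]
            if incomplete:
                report["users_incomplete"][name] = incomplete
            report["users_ok"].append(name)
        elif "group" in classes:
            name = e.get("cn", ["?"])[0]
            key = "groups_ok" if "gidnumber" in e else "groups_skipped"
            report[key].append(name)
    return report


def format_report(report) -> str:
    """Human-readable summary of check_entries()."""
    lines = ["users resolvable: " + ", ".join(report["users_ok"])]
    for name, attrs in report["users_incomplete"].items():
        lines.append(f"  {name}: missing {', '.join(attrs)} (getent shows it like the post's nico line)")
    for name, attrs in report["users_skipped"].items():
        lines.append(f"user not returned: {name} (missing {', '.join(attrs)})")
    lines.append("groups resolvable: " + ", ".join(report["groups_ok"]))
    lines.append("groups not returned: " + ", ".join(report["groups_skipped"]))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pass the LDIF file as the first argument, or run without one to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    print(format_report(check_entries(parse_ldif(text))))
```

Entries reported as incomplete are the ones that come back like the nico line in the post; SSSD's [nss] options fallback_homedir and default_shell fill the home and shell fields when unixHomeDirectory and loginShell are absent, and groups reported as not returned need a gidNumber before getent group will list them.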