Samba as a PDC with LDAP and Kerberos
13 answers

I've been searching and researching this and I can't seem to find the
answers I'm looking for. I'd like to set up a Samba PDC that Windows
clients will join. The PDC will use an LDAP backend to get authorization
information (username, home directory, etc). The authentication portion
is handled by an MIT Kerberos KDC. I think I'm real close to having it
all together but I'm not sure. I have the Windows client set up to point
at my KDC so authentication *should* be coming from there once the
authorization portion is going.
So first question is, are sambaLMPassword and sambaNTPassword still
needed in LDAP for each user?
Here's the output from ksetup /dumpstate:
Machine is not configured to log on to an external KDC. Probably a
workgroup member
EXAMPLE.COM:
kdc = <kdc1 server>
kdc = <kdc2 server>
kpasswd = <kpasswd server>
Realm Flags = 0x0 none
No user mappings defined.
Second, here's what I have in LDAP so far:
dn: ou=Samba,dc=example,dc=com
objectClass: organizationalUnit
ou: Samba
dn: sambaDomainName=EXAMPLE.COM,ou=Samba,dc=example,dc=com
objectClass: top
objectClass: sambaDomain
sambaSID:
sambaDomainName: EXAMPLE.COM
dn: uid=samba_server,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass:
sn: samba_server
cn: samba_server
userPassword: <hidden>
uid: samba_server
dn: cn=Domain Admins,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 1011
memberUid: leggett
sambaGroupType: 2
description: Windows Domain Administrators
sambaSIDList:
sambaSID:
dn: cn=Domain Users,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 1012
sambaGroupType: 2
description: Windows Domain Users
sambaSID:
dn: cn=Domain Guests,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 1013
sambaGroupType: 2
description: Windows Domain Guests
sambaSID:
dn: uid=leggett,ou=People,dc=example,dc=com
objectClass: Person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: Ti Leggett
givenName: Ti
sn: Leggett
mail: leggett (AT) example (DOT) com
uid: leggett
uidNumber: 1001
homeDirectory: /home/leggett
loginShell: /bin/bash
gidNumber: 1000
sambaSID:
sambaLMPassword: <hidden>
sambaNTPassword: <hidden>
sambaAcctFlags: [U ]
sambaPrimaryGroupSID:
I've done a smbpasswd -w <hidden samba_server password>
I can do a net getlocalsid and it will get the correct SID out of LDAP.
However, when I try to join my Windows client to the EXAMPLE.COM domain,
I can see the ldap queries happening, but the Windows client reports an
invalid username.
Not sure if these are related questions or not, but what are the
sambaAcctFlags values and meanings? And, is it necessary to have an ldap
entry of uid=WINDOWSCLIENT$,ou=people,dc=example,dc=com?
And lastly, here's relevant sections from my smb.conf:
[global]
workgroup = EXAMPLE.COM
realm = EXAMPLE.COM
password server = <kpasswd server>
netbios name = CI-PDC
server string = Example Primary Domain Controller
passdb backend = ldapsam:ldap://<ldap server>
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
ldap admin dn = uid=samba_server,ou=people,dc=example,dc=com
ldap group suffix = ou=group
ldap machine suffix = ou=hosts
ldap suffix = dc=example,dc=com
ldap ssl = start tls
ldap user suffix = ou=people
admin users = leggett
I can send logs from the LDAP server if they might be helpful. Thanks ahead
of time!
No.1
Ti Leggett wrote:
> I've been searching and researching this and I can't seem to find the
> answers I'm looking for. I'd like to setup a Samba PDC that Windows
> clients will join. The PDC will use an LDAP backend to get authorization
> information (username, home directory, etc). The authentication portion
> is handled by an MIT Kerberos KDC. I think I'm real close to having it
> all together but I'm not sure. I have the Windows client setup to point
> at my KDC so authentication *should* be coming from there once the
> authorization portion is going.
Hehehe, it's been a year trying to do that but no way! I'm sorry to
tell you, but what you want is a replacement for AD; in no way will
Windows know about LDAP and MIT without an AD domain.
> So first question is, are sambaLMPassword and sambaNTPassword still
> needed in LDAP for each user?
> Here's the output from ksetup /dumpstate:
> Machine is not configured to log on to an external KDC. Probably a
> workgroup member
> EXAMPLE.COM:
> kdc = <kdc1 server>
> kdc = <kdc2 server>
> kpasswd = <kpasswd server>
> Realm Flags = 0x0 none
> No user mappings defined.
Users must be somewhere to get HKEY_LOCAL* to work and they should be
local users (the MIT-KDC authentication works this way).
> Second, here's what I have in LDAP so far:
> []
> I've done a smbpasswd -w <hidden samba_server password>
> I can do a net getlocalsid and it will get the correct SID out of LDAP.
Correct.
> However, when I try to join my Windows client to the EXAMPLE.COM domain,
> I can see the ldap queries happening, but the Windows client reports an
> invalid username.
Yes. Active Directory is not there and it wants AD. In no way can you
fake AD, even though it's Kerberos, LDAP and SMB + natural flavours.
No.2
Ok, so I'm just trying to figure out my options here. I can:
- Use local accounts and local passwords
- Use Kerberos for authentication, but only with local user accounts
- Use a Samba PDC with an LDAP backend for accounts and passwords if and
only if the windows clients are not bound to a Kerberos realm
Is this correct? In the third case, let's say I have a way to sync
Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
What am I missing? I know I can't create an AD domain, but I'm not
trying to. AD is a combination of a lot more than just Kerberos and LDAP.
I'm curious how Apple does what seems to be just this with their Open
Directory, which is only MIT Kerberos, LDAP, Cyrus SASL, and
Samba 3.0 (at least they claim it's only this).
Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
<snip>
No.3
Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
backend and use pam_smbpass to keep the passwords sync'd between the
Kerberos side and the Samba side? That way the Windows clients join the
domain using only the LDAP information not knowing about the Kerberos
side of things?
I just removed the Kerberos information from my Windows client and tried
only using, as far as I can tell, the LDAP information and the client
still comes back saying the user name is unknown.
Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
<snip>
No.4
Hello,
My setup:
Windows stations
SAMBA3 + OPENLDAP 2.2.x + KERBEROS (MIT)
All users (posix and ldap) are in OpenLDAP
All my ldap passwords are: {SASL}USER@REALM
I use saslauthd so I can connect to ldap using simple bind with the password
in KERBEROS
this password CANNOT be changed (denied by the slapd.access.conf file)
Samba cannot use MIT Kerberos for the password, so my little trick:
I create a perl script using Authen::Krb5::Admin that uses a keytab for
authentication: krb5_update_pwd.pl
in the smb.conf:
ldap passwd sync = No
unix password sync = Yes
passwd program = / -u %u
%n\n *passwd:*all*authentication*tokens*updated*success fully*
passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
So when Windows users change their password (from the change password
option in Windows), SAMBA calls /krb5_update_pwd.pl, which also updates
the KERBEROS password.
Linux users just have to use:
smbpasswd -r PDC_SERVER
That command updates the SAMBA password and again it calls
/krb5_update_pwd.pl to sync the kerberos password
I know there are some shortcomings (password policies for example). But
it's the closest I get :-)
Hope this can help :-)
Ti Leggett wrote:
<snip>
No.5
So I think I have the steps needed to get this all working, but I think I
have a chicken/egg problem now.
In order to join a machine to the Samba PDC Domain, you need to either use
a uid 0 user or one that has the SeMachineAccountPrivilege (3.0.11+)
privilege. This user must also be able to read and write to many pieces
of the LDAP directory. Now, I really would rather not have uid 0 users in
LDAP, so that leaves me with the privileges. However, in order to assign
privileges to a user or group, you must log in as a Domain Admins user.
Now, by default the Domain Admins group doesn't have these privileges, so
you must use a uid 0 user to get these privileges assigned.
However, since I don't have a uid 0 user in LDAP, Samba doesn't recognize
root as a valid user (passdb backend = ldapsam). And from what I can tell,
the updated schema with 3.0.11 got rid of sambaPrivilegesList, so that
privileges can only be assigned using net rpc rights.
So, is there a way to get it to a point where a normal user in the Domain
Admins group can join machines and add Samba Accounts, etc. without
requiring a uid 0 user to be in LDAP?
Also, what pieces are really needed to join a machine to the Samba Domain?
And what and who needs to be able to read/write LDAP for this to happen?
Pieces I've identified so far. Things starting with '?' I'm not sure about.
- Domain Users, Domain Admins, and Domain Guests groups exist with valid
sambaSIDs (posixGroup and sambaGroupMapping)
- Domain Admins group has the SeMachineAccountPrivilege privilege
- a sambaDomainName object with a valid sambaSID
- a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID,
whose SID is in the Domain Admins sambaSIDList
? A machine user (posixAccount sambaSamAccount) with a valid uid and
sambaSID and whose parent LDAP tree is listed as a passwd search path for
NSS
My last question is this. Does the user listed above have to have
write access to the LDAP directory or does only the samba user whose
password is stored in private/secrets.tdb need write access to the
directory?
Because I'm using Kerberos as my authentication scheme, in order to write
to the directory you must have an admin principal (userfoo/admin).
However, these principals should not be in LDAP with UIDs because they're
never used in that aspect.
Does any of this make sense, or am I just thoroughly confused?
<snip>
No.6
leggett (AT) ci (DOT) uchicago.edu wrote:
>So I think I have the steps needed to get this all working, but I think I
>have a chicken/egg problem now.
<snip>
>So, is there a way to get it to a point where a normal user in the Domain
>Admins group can join machine and add Samba Accounts, etc without
>requiring a uid 0 user to be in LDAP.
The sambaSamAccount entry for root needs to be in the LDAP directory,
but the rest of the account doesn't. We have an entry for the root
account in our LDAP directory that only has the following non-Samba
attributes defined:
dn: uid=root,dc=jbc,dc=edu
objectClass: account
objectClass: sambaSamAccount
uid: root
displayName: root
cn: root
Although this technically means that there is a uid 0 user in LDAP, it's
only a uid 0 user as far as Samba is concerned; Linux/Unix won't
recognize the LDAP portion of the root account as being a valid user.
From what I've read, this setup won't work if you set ldapsam:trusted =
yes in smb.conf, but it will work long enough to assign privileges then
set ldapsam:trusted.
>Also, what pieces are really needed to join a machine to the Samba Domain.
>And what and who needs to be able to read/write LDAP for this to happen?
>
>Pieces I've identified so far. Things starting with '?' I'm not sure about.
>
>- Domain Users, Domain Admins, and Domain Guests groups exist with valid
>sambaSIDs (posixGroup and sambaGroupMapping)
>- Domain Admins group has the SeMachineAccountPrivilege privilege
Correct.
>- a sambaDomainName object with a valid sambaSID
It's a sambaDomain object, not a sambaDomainName object. I'm pretty
sure that Samba will create this for you if it doesn't exist.
>- a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID,
>whose SID is in the the Domain Admins sambaSIDList
Correct.
>? A machine user (posixAccount sambaSamAccount) with a valid uid and
>sambaSID and whose parent LDAP tree is listed as a passwd search path for
>NSS
Generally unnecessary. Although you can create it yourself, it's easier
to set up an add machine script (such as that provided by the Idealx
smbldap-tools, if you're using those) and let it take care of this for
you. Chapter 6 of the Samba HOWTO has more information on how machine
trust accounts are created.
>My last question is this. Does the above user listed above have to have
>write access to the LDAP directory or does only the samba user whose
>password is stored in private/secrets.tdb need write access to the
>directory?
Only the Samba user (whoever you specify as the ldap admin dn) needs
write access.
>Because I'm using Kerberos as my authentication scheme, in order to write
>to the directory you must have an admin principal (userfoo/admin).
>However, these principals should not be in LDAP with UIDs because they're
>never used in that aspect.
Sorry, I'm not familiar with Kerberos.
Josh Kelley
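Added example (not code from the thread or from Samba): a Python checker for the pieces listed in this reply, run against the kind of ldapsam LDIF dump the original post showed. It assumes a constructed sample with a made-up domain SID (S-1-5-21-1000-2000-3000) standing in for the hidden values, and decodes sambaAcctFlags with the letters pdbedit reports.

```python
from collections import defaultdict

WELL_KNOWN_GROUP_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}
ACCT_FLAG_MEANINGS = {  # letters allowed inside sambaAcctFlags "[...]", as pdbedit shows them
    "U": "normal user", "W": "workstation trust", "S": "server trust", "I": "inter-domain trust",
    "D": "disabled", "N": "no password required", "X": "password never expires",
    "L": "auto-locked", "H": "home directory required", "T": "temporary duplicate", "M": "MNS logon"}


def parse_ldif(text):
    """Parse a plain LDIF dump (no base64 or continuation lines) into {attr: [values]}
    dicts; every 'dn:' line starts a new entry, so the thread's blank-line-free dump parses."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            if current is not None:
                entries.append(current)
            current = defaultdict(list)
        if current is not None:
            current[attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectClass", []))


def first(entry, attr):  # first non-empty value; the thread's blank "sambaSID:" counts as absent
    return next((v for v in entry.get(attr, []) if v), None)


def decode_acct_flags(flags):  # "[UX ]" -> [("U", "normal user"), ("X", "password never expires")]
    return [(c, ACCT_FLAG_MEANINGS.get(c, "unknown flag")) for c in (flags or "").strip("[] ")]


def check_pdc_pieces(ldif_text):
    """Return the problems found; an empty list means every piece is in place."""
    entries = parse_ldif(ldif_text)
    domains = [e for e in entries if has_class(e, "sambaDomain")]
    if len(domains) != 1:
        return [f"expected exactly one sambaDomain object, found {len(domains)}"]
    domain_sid = first(domains[0], "sambaSID")
    if not (domain_sid and domain_sid.startswith("S-1-5-21-") and domain_sid.count("-") == 6):
        return ["the sambaDomain object has no valid sambaSID"]

    def rid_of(sid):  # RID if sid lies directly under domain_sid, else None
        tail = sid[len(domain_sid) + 1:] if sid and sid.startswith(domain_sid + "-") else ""
        return int(tail) if tail.isdigit() else None

    problems = []
    groups = {first(g, "cn"): g for g in entries if has_class(g, "sambaGroupMapping")}
    for name, rid in WELL_KNOWN_GROUP_RIDS.items():  # the three mandatory domain groups
        g = groups.get(name)
        if g is None:
            problems.append(f"group '{name}' is missing")
        elif rid_of(first(g, "sambaSID")) != rid:
            problems.append(f"group '{name}' needs sambaSID {domain_sid}-{rid}, has {first(g, 'sambaSID')}")
    admins, have_admin_user = groups.get("Domain Admins", {}), False
    for acct in (e for e in entries if has_class(e, "sambaSamAccount")):
        uid, sid = first(acct, "uid") or "?", first(acct, "sambaSID")
        if rid_of(sid) is None:
            problems.append(f"account '{uid}' has no sambaSID under {domain_sid}")
        letters = dict(decode_acct_flags(first(acct, "sambaAcctFlags")))
        if "unknown flag" in letters.values():
            problems.append(f"account '{uid}' has unrecognised sambaAcctFlags letters")
        if uid.endswith("$") != bool({"W", "S"} & set(letters)):  # trust accounts end in $
            problems.append(f"account '{uid}' has sambaAcctFlags inconsistent with its name")
        in_admins = (uid in admins.get("memberUid", []) or sid in admins.get("sambaSIDList", [])
                     or first(acct, "sambaPrimaryGroupSID") == f"{domain_sid}-512")
        if in_admins and not uid.endswith("$") and "D" not in letters:
            have_admin_user = True
    if not have_admin_user:
        problems.append("no enabled user account is a member of Domain Admins")
    return problems


# Constructed sample: the thread's entries with a made-up domain SID filled in where the
# poster hid values; Domain Admins keeps its blank sambaSID, Users and Guests are left out.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE.COM,ou=Samba,dc=example,dc=com
objectClass: sambaDomain
sambaSID: S-1-5-21-1000-2000-3000
dn: cn=Domain Admins,ou=group,dc=example,dc=com
objectClass: sambaGroupMapping
cn: Domain Admins
memberUid: leggett
sambaGroupType: 2
sambaSID:
dn: uid=leggett,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: leggett
sambaSID: S-1-5-21-1000-2000-3000-3002
sambaAcctFlags: [U ]
dn: uid=pdc$,ou=hosts,dc=example,dc=com
objectClass: sambaSamAccount
uid: pdc$
sambaSID: S-1-5-21-1000-2000-3000-3004
sambaAcctFlags: [W ]
"""
```

Running check_pdc_pieces(SAMPLE_LDIF) reports the blank Domain Admins SID and the two missing groups; once those are supplied the list comes back empty.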
No.7
So I'm still doing something wrong. I now have a root sambaSamAccount in
my directory with the PrimaryGroupSID of the Domain Admins SID. The ldap
admin dn can write to the directory. From my PDC I can do the following
successfully:
net -S localhost rpc join (Success)
smbpasswd -a -w pdc (Success and pdc$ added to the LDAP machine group
with password)
However the following fails:
net -S localhost rpc rights grant "CI\Domain Admins"
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Reading through the logs, everything appears to be fine until it goes to
assign privileges. Here's a snip from the logs (log level = 10):
[2005/05/02 12:09:43, 7] (82)
000152 smb_io_unistr2 string
[2005/05/02 12:09:43, 5] (642)
0154 uni_max_len: 00000019
[2005/05/02 12:09:43, 5] (642)
0158 offset : 00000000
[2005/05/02 12:09:43, 5] (642)
015c uni_str_len: 00000019
[2005/05/02 12:09:43, 5] (814)
0160 buffer :
[2005/05/02 12:09:43, 4]
(162)
Found policy hnd[0] [000] 00 00 00 00 03 00 00 00 00 00 00 00 D7 5E
76 42 ^vB
[010] 3E 31 00 00 >1
[2005/05/02 12:09:43, 5] (82)
000000 lsa_io_r_add_acct_rights
[2005/05/02 12:09:43, 5] (672)
0000 status: NT_STATUS_ACCESS_DENIED
The LDAP logs show everything successful and there are no MODs trying to
occur.
Below is my smb.conf
[global]
security = user
log level = 10
log file = /var/log/samba/samba.log
workgroup = CI
netbios name = PDC
server string = Primary Domain Controller
private dir = /var/lib/samba/private
passdb backend =
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
enable privileges = Yes
hosts allow = none
ldap admin dn = uid=samba_server,ou=people,o=ci,dc=example,dc=com
ldap group suffix = ou=group
ldap machine suffix = ou=hosts,ou=samba
ldap suffix = o=ci,dc=uchicago,dc=edu
ldap ssl = start tls
ldap user suffix = ou=people
[netlogon]
path = /var/lib/samba/netlogon
browseable = No
[profiles]
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
Wed, 2005-04-27 at 15:07 -0400, Josh Kelley wrote:
<snip>
No.8
Ti Leggett wrote:
>However the following fails:
>
>net -S localhost rpc rights grant "CI\Domain Admins"
>SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
>SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>
>Reading through the logs, everything appears to be fine until it goes to
>assign privileges. Here's a snip from the logs (log level = 10):
<snip>
>[2005/05/02 12:09:43, 5] (672)
>0000 status: NT_STATUS_ACCESS_DENIED
>
>The LDAP logs show everything successful and there's no MDs trying to
>occur.
Try doing the "net rpc rights grant" as a domain admin ("-U username")
instead of as root. The Samba HOWTO states, "You must be connected as a
member of the Domain Admins group to be able to grant or revoke
privileges assigned to an account. This capability is inherent to the
Domain Admins group and is not configurable."
Granting rights as root doesn't seem to work. (At least, it doesn't for
me.) I don't know if that's intentional or not; the HOWTO also states,
"Access as the root user (UID=0) bypasses all privilege checks," which
seems to contradict the previous statement and seems to imply that not
working for root is a bug.
Josh Kelley
No.9
Unfortunately this still doesn't work. As a note, I thought about this
and had added the root account to the Domain Admins group.
Fri, 2005-05-06 at 17:30 -0400, Josh Kelley wrote:
<snip>
No.10
Ti Leggett wrote:
| Unfortunately this still doesn't work. As a note,
| I thought about this and had added the root account
| to the Domain Admins group.
|
|>>However the following fails:
|>>
|>>net -S localhost rpc rights grant "CI\Domain Admins"
|>>SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
|>>SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
|>>
|>>Reading through the logs, everything appears to be fine until it goes to
|>>assign privileges. Here's a snip from the logs (log level = 10):
|>>
|>>
|>
|><snip>
|>
|>>[2005/05/02 12:09:43, 5] (672)
|>0000 status: NT_STATUS_ACCESS_DENIED
|>>
|>>The LDAP logs show everything successful and there's
|>>no MDs trying to occur.
Can you send me a level 10 debug log? I'll take a look.
Also include the version of Samba you are using (since I'm
picking up on this thread late in the game).
cheers, jerry
Alleviating the pain of Windows(tm) http://www.samba.org
GnuPG Key
"I never saved anything for the swim back." Ethan Hawk in Gattaca
No.11
dokee. I've gotten somewhere.
So samba 3.0.11 didn't seem to quite handle privileges all the way. I
upgraded to 3.0.14 and everything is now peachy happy with one small
exception. Before I get to the problem here's what did work:
net -S localhost -Uleggett rpc rights grant "CI\Domain Admins" \
SeMachineAccountPrivilege SePPrivilege SeAddUsersPrivilege \
SeAddUsersPrivilege SeDPrivilege SeRemoteShutdownPrivilege
I gave the user's password stored in LDAP and it succeeded. Next I went
to join the machine to the domain. Here's where the problem happened. I
was under the impression that all LDAP activity was done as the user
listed in the "ldap admin dn". However, when I went to join the machine,
let's call it WRKSTATIN, it prompted for a domain admin user and
password so I put in leggett's. It tried, but failed (with a new error).
So I looked in the LDAP server's log and, lo and behold, it was trying
to run the add machine script as user leggett (who doesn't have
permission to write to the directory). So I hand added the machine to
the directory and then tried the join again and it worked beautifully.
So, here's my new question (I'm full of em): Are LDAP actions done as
the Samba ldap admin dn or the user doing the action? It appears the
latter is the case.
No.12
Ti Leggett wrote:
So, here's my new question (I'm full of em): Are LDAP actions
done as the Samba ldap admin dn or the user doing the
action? It appears the latter is the case.
All LDAP actions from smbd are done as the ldap admin dn, but
the add machine script should be called under root if the user
has the SeMachineAccountPrivilege.
cheers, jerry
No.13
Why would the add machine script fail? Here's a quick overview of my
setup:
All Kerberos authenticated admin users (user/admin) have write to the
entire directory
The Samba admin user has write to the relevant samba branches
All Kerberos authenticated non-admin users have read access to
non-sensitive portions of the directory.
There are three users that could be involved in this process:
leggett : A normal user (Person, posixUser, sambaSamAccount) who
is a Domain Admin. Does not have write access to the directory. Password
stored in Kerberos, sambaNTPassword stored in LDAP.
samba_server : An LDAP user (person, ) who has write access to
the directory. Password stored in LDAP. sambaNTPassword not in LDAP as
user isn't a sambaSamAccount
root: A local unix user who has an entry in LDAP (person,
sambaSamAccount). Does not have write access to the directory. Password
is kept locally, sambaNTPassword kept in LDAP. Password and
sambaNTPassword are not the same.
So let me make sure I have all this straight on how it all works.
leggett, a Domain Admin, uses the SeMachineAccountPrivilege to add the
machine to the Samba domain. In this process smbd queries LDAP as
samba_server to see if the machine account is already created. If it's
not, smbd changes to root and calls the script in the "add machine
script" directive. That script should be responsible for changing to a
user or gaining Kerberos credentials to write to the directory.
Is that about right?
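The flow discussed in the last two messages (smbd looks the machine up through the ldap admin dn, then runs "add machine script" as root, and that script has to supply its own directory write credentials rather than inherit the joining user's) is easiest to see in an actual script. The following is an added illustration, not a script from this thread or from the Samba project. It assumes: smbd passes the machine account name with its trailing "$" as %u; the Samba admin entry uid=samba_server,ou=people,dc=example,dc=com from the thread is the bind DN used for writes (the thread says it has write access but does not show the smb.conf value); the bind password sits in a constructed path /etc/samba/ldap-admin.secret; machine entries live under a constructed ou=Computers,dc=example,dc=com; "Domain Computers" has a constructed gidNumber 1014 (only 1011-1013 appear in the thread); and uidNumbers come from a constructed counter file. The script creates only the posixAccount entry; smbd adds the sambaSamAccount attributes itself after the script returns.

```shell
#!/bin/sh
# Example "add machine script" for a Samba 3 PDC with an LDAP backend.
# Added illustration for this thread, not Samba's own code. Paths, the
# ou=Computers container, gid 1014 and the uid counter scheme are
# constructed assumptions; only the samba_server DN comes from the thread.
set -eu

LDAP_URI="${LDAP_URI:-ldap://localhost}"
BIND_DN="uid=samba_server,ou=people,dc=example,dc=com"   # from the thread
BIND_PW_FILE="${BIND_PW_FILE:-/etc/samba/ldap-admin.secret}"  # assumed path
COMPUTERS_BASE="ou=Computers,dc=example,dc=com"            # assumed container
DOMAIN_COMPUTERS_GID=1014                                   # assumed gid

# Validate the name smbd hands over as %u: a NetBIOS host name (1-15
# characters, letters/digits/hyphen, no leading hyphen) plus a trailing '$'.
# Anything else (spaces, shell metacharacters, embedded newlines that would
# smuggle extra LDIF lines) is refused before it reaches ldapadd.
valid_machine_name() {
    host="${1%\$}"
    [ "$host" != "$1" ] || return 1            # must end in '$'
    case "$host" in
        ''|*[!A-Za-z0-9-]*|-*) return 1 ;;      # only host-name characters
    esac
    [ "${#host}" -le 15 ]
}

# Print the LDIF for the POSIX side of a machine account.  smbd fills in
# the sambaSamAccount attributes once this entry exists.
machine_ldif() {
    name="$1"; uidnum="$2"
    host="${name%\$}"
    cat <<EOF
dn: uid=$name,$COMPUTERS_BASE
objectClass: top
objectClass: account
objectClass: posixAccount
uid: $name
cn: $host
uidNumber: $uidnum
gidNumber: $DOMAIN_COMPUTERS_GID
homeDirectory: /dev/null
loginShell: /bin/false
description: Samba machine account for $host
EOF
}

# Allocate the next uidNumber from a counter file (constructed scheme; a
# real deployment would use an LDAP-side counter so it cannot race).
next_uid() {
    counter="$1"
    [ -f "$counter" ] || echo 20000 > "$counter"
    n=$(cat "$counter")
    echo $((n + 1)) > "$counter"
    echo "$n"
}

# Bind with the script's own credentials: the script runs as root, and
# root has no rights in the directory, so the joining user's identity is
# never what writes the entry.
add_machine() {
    name="$1"
    valid_machine_name "$name" || { echo "refusing machine name: $name" >&2; return 1; }
    uidnum=$(next_uid "${UID_COUNTER:-/var/lib/samba/next-machine-uid}")
    machine_ldif "$name" "$uidnum" |
        ldapadd -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE"
}

# smbd invokes this as: add machine script = /usr/local/sbin/add-machine.sh %u
# Only act when a name was given so the file can also be sourced for testing.
if [ "${1:-}" != "" ]; then
    add_machine "$1"
fi
```

With a Kerberos-only directory ACL (the thread's "user/admin" principals) the same script would instead `kinit -k` a service keytab and call `ldapadd -Y GSSAPI`; the structure is unchanged, only the bind step differs. Either way the password or keytab must be readable by root alone, since smbd runs the script as root.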