Discussion:
[Freeipa-users] authenticate samba 3 or 4 with freeipa
Sandor Juhasz
2014-03-27 13:36:22 UTC
Hello,

What is the best practice to authenticate Samba file sharing with FreeIPA as the auth service?
Either version 3 or 4 of Samba is fine, as we are looking for this only for file sharing and not
domain service.
Our IPA service is hosted on CentOS 6.5.
The Samba service is preferred to be hosted on Ubuntu Precise (12.04), later the new LTS.

Found 3 methods, but all seem to have their issues.


1. LDAP, ldapsam passdb backend -> needs LDAP schema modification to include fields (sambaSAMAccount, sambaGroupMapping, sambaSID) and have IPA populate those with the DNA plugin
2. IPA, ipasam passdb backend -> did not find a working version of ipasam.so for Ubuntu; mostly I did not find any
3. KRB, keytab -> seemed a bit messy, also needs LDAP schema modification


Sándor Juhász
System Administrator
ChemAxon Ltd .
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Petr Spacek
2014-03-27 16:51:23 UTC
Post by Sandor Juhasz
Hello,
What is the best practice to authenticate Samba file sharing with FreeIPA as the auth service?
Either version 3 or 4 of Samba is fine, as we are looking for this only for file sharing and not
domain service.
Our IPA service is hosted on CentOS 6.5.
The Samba service is preferred to be hosted on Ubuntu Precise (12.04), later the new LTS.
Found 3 methods, but all seem to have their issues.
1. LDAP, ldapsam passdb backend -> needs LDAP schema modification to include fields (sambaSAMAccount, sambaGroupMapping, sambaSID) and have IPA populate those with the DNA plugin
2. IPA, ipasam passdb backend -> did not find a working version of ipasam.so for Ubuntu; mostly I did not find any
The only how-to I'm aware of is:
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

If you insist on Ubuntu you need to get ipasam somewhere, most likely by
compiling it yourself.

Let us know if you are going to compile it, we can provide you some guidance.

See the thread 'IPA - Samba / Redmine / Disable Kerberos?'.
--
Petr^2 Spacek
Sandor Juhasz
2014-03-28 08:56:53 UTC
Hello,

I am OK to compile it myself; I am looking for the source code. I hope that way I will be able to avoid messing
around with the LDAP tree. Any help/documentation is appreciated.


Thanks.

s

----- Original Message -----

From: "Petr Spacek" <***@redhat.com>
To: freeipa-***@redhat.com
Sent: Thursday, March 27, 2014 5:51:23 PM
Subject: Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa
Post by Sandor Juhasz
Hello,
What is the best practice to authenticate Samba file sharing with FreeIPA as the auth service?
Either version 3 or 4 of Samba is fine, as we are looking for this only for file sharing and not
domain service.
Our IPA service is hosted on CentOS 6.5.
The Samba service is preferred to be hosted on Ubuntu Precise (12.04), later the new LTS.
Found 3 methods, but all seem to have their issues.
1. LDAP, ldapsam passdb backend -> needs LDAP schema modification to include fields (sambaSAMAccount, sambaGroupMapping, sambaSID) and have IPA populate those with the DNA plugin
2. IPA, ipasam passdb backend -> did not find a working version of ipasam.so for Ubuntu; mostly I did not find any
The only how-to I'm aware of is:
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

If you insist on Ubuntu you need to get ipasam somewhere, most likely by
compiling it yourself.

Let us know if you are going to compile it, we can provide you some guidance.

See the thread 'IPA - Samba / Redmine / Disable Kerberos?'.
--
Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-***@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Petr Spacek
2014-03-28 11:32:25 UTC
Post by Sandor Juhasz
Hello,
I am OK to compile it myself; I am looking for the source code. I hope that way I will be able to avoid messing
around with the LDAP tree. Any help/documentation is appreciated.
Basically, documentation on
http://www.freeipa.org/page/Contribute/Code and linked pages apply to your
situation.

You will face dependency problems because you are going to build it on Ubuntu.
Don't give up and persist :-)

I would recommend a non-standard procedure:
- clone the git repo: $ git clone git://git.fedorahosted.org/git/freeipa.git
- enter the cloned tree: $ cd freeipa.git
- $ make version-update
-- This command will fail (for sure) because of dependency problems. However,
it could be enough to proceed with ipasam build. You just need to generate
version.h and similar "useless" files.

- Enter "daemons" sub-directory in the cloned tree: $ cd daemons
- $ autoreconf -fiv
- $ ./configure
- $ make

This should build the freeipa.git/daemons/ipa-sam/.libs/ipasam.so library without
building the rest of FreeIPA, so dependency problems should be limited to this
sub-tree.

Note that this procedure is completely untested.

Please let us know if it worked for you or not. I'm curious! :-)

Petr^2 Spacek
Post by Sandor Juhasz
Thanks.
s
----- Original Message -----
Sent: Thursday, March 27, 2014 5:51:23 PM
Subject: Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa
Post by Sandor Juhasz
Hello,
What is the best practice to authenticate Samba file sharing with FreeIPA as the auth service?
Either version 3 or 4 of Samba is fine, as we are looking for this only for file sharing and not
domain service.
Our IPA service is hosted on CentOS 6.5.
The Samba service is preferred to be hosted on Ubuntu Precise (12.04), later the new LTS.
Found 3 methods, but all seem to have their issues.
1. LDAP, ldapsam passdb backend -> needs LDAP schema modification to include fields (sambaSAMAccount, sambaGroupMapping, sambaSID) and have IPA populate those with the DNA plugin
2. IPA, ipasam passdb backend -> did not find a working version of ipasam.so for Ubuntu; mostly I did not find any
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
If you insist on Ubuntu you need to get ipasam somewhere, most likely by
compiling it yourself.
Let us know if you are going to compile it, we can provide you some guidance.
See the thread 'IPA - Samba / Redmine / Disable Kerberos?'.
Petr Spacek
2014-03-28 12:52:37 UTC
Post by Petr Spacek
Post by Sandor Juhasz
Hello,
I am OK to compile it myself; I am looking for the source code. I hope that way I
will be able to avoid messing
around with the LDAP tree. Any help/documentation is appreciated.
Basically, documentation on
http://www.freeipa.org/page/Contribute/Code and linked pages apply to your
situation.
You will face dependency problems because you are going to build it on Ubuntu.
Don't give up and persist :-)
- clone the git repo: $ git clone git://git.fedorahosted.org/git/freeipa.git
- enter the cloned tree: $ cd freeipa.git
- $ make version-update
-- This command will fail (for sure) because of dependency problems. However,
it could be enough to proceed with ipasam build. You just need to generate
version.h and similar "useless" files.
- Enter "daemons" sub-directory in the cloned tree: $ cd daemons
- $ autoreconf -fiv
- $ ./configure
- $ make
This should build the freeipa.git/daemons/ipa-sam/.libs/ipasam.so library without
building the rest of FreeIPA, so dependency problems should be limited to this
sub-tree.
Note that this procedure is completely untested.
Please let us know if it worked for you or not. I'm curious! :-)
I'm adding the output from make running on my Fedora 20 so you can easily find
the include paths you need to cover with packages in your distro etc.

Enjoy :-)
--
Petr^2 Spacek
Jason Woods
2014-03-28 13:50:08 UTC
Hi
(Apologies - resending to the list - I'm so used to the Reply-To already being set, but it appears not to be here. My bad.)
Post by Petr Spacek
Please let us know if it worked for you or not. I'm curious! :-)
I'm pretty curious too.

I have RHEL 6.5 with Samba authenticating with IPA using ipasam.so. I needed to add two patches to 3.0, though, to fix 'valid users' group resolution and also performance. They're merged into master and 3.3 and will be in RHEL 7.

Apart from the patching it was easy to do - just needed ipa-server and ipa-server-adtrust installed and set up, and it did all the config for me (the adtrust part sets up Samba with ipasam.so for you).

The problem with running ipasam.so without ipa-server locally is how to get it so the host can see ipaNTHash in the schema to check the password. If ipa-server is local the host has access; otherwise it doesn't.

So it would be good to find out what ACI or service principal stuff makes that available in an elegant and secure way.

Jason
Alexander Bokovoy
2014-03-28 14:15:29 UTC
Post by Jason Woods
Hi
(Apologies - resending to the list - I'm so used to the Reply-To already being set, but it appears not to be here. My bad.)
Post by Petr Spacek
Please let us know if it worked for you or not. I'm curious! :-)
I'm pretty curious too.
I have RHEL 6.5 with Samba authenticating with IPA using ipasam.so. I
needed to add two patches to 3.0, though, to fix 'valid users' group
resolution and also performance. They're merged into master and 3.3
and will be in RHEL 7.
Apart from the patching it was easy to do - just needed ipa-server and
ipa-server-adtrust installed and set up, and it did all the config for me
(the adtrust part sets up Samba with ipasam.so for you).
The problem with running ipasam.so without ipa-server locally is how to
get it so the host can see ipaNTHash in the schema to check the password.
If ipa-server is local the host has access; otherwise it doesn't.
So it would be good to find out what ACI or service principal stuff makes that
available in an elegant and secure way.
We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it
all and maybe creating a simple configuration tool.

Timing is not yet defined.
--
/ Alexander Bokovoy
Raoul Becke
2015-01-14 22:34:37 UTC
Post by Alexander Bokovoy
Post by Jason Woods
Hi
(Apologies - resending to the list - I'm so used to the Reply-To already
being set, but it appears not to be here. My bad.)
Post by Alexander Bokovoy
Post by Jason Woods
Post by Petr Spacek
Please let us know if it worked for you or not. I'm curious!
I'm pretty curious too.
I have RHEL 6.5 with Samba authenticating with IPA using ipasam.so. I
needed to add two patches to 3.0, though, to fix 'valid users' group
resolution and also performance. They're merged into master and 3.3
and will be in RHEL 7.
Apart from the patching it was easy to do - just needed ipa-server and
ipa-server-adtrust installed and set up, and it did all the config for me
(the adtrust part sets up Samba with ipasam.so for you).
The problem with running ipasam.so without ipa-server locally is how to
get it so the host can see ipaNTHash in the schema to check the password.
If ipa-server is local the host has access; otherwise it doesn't.
So it would be good to find out what ACI or service principal stuff makes that
available in an elegant and secure way.
We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it
all and maybe creating a simple configuration tool.
Timing is not yet defined.
Is there any news on this issue?
I tried the following work-around, which unfortunately did not work.
1. On the IPA Server:
]# yum install ipa-server-trust-ad
2. On the IPA Server: Run "ipa-adtrust-install"
]# ipa-adtrust-install
3. On ipa-server: Copy "ipasam.so" to samba server:
]# scp /usr/lib64/samba/pdb/ipasam.so file--s0-v1.becke.ch:/usr/lib64/samba/pdb/
4. On ipa-server: Create the following CIFS service:
]# ipa service-add cifs/file--s0-***@BECKE.CH
5. On ipa-server: Create keytab for samba server and copy over to samba server
]# ipa-getkeytab -s directory--s0-v1.becke.ch -p cifs/file--s0-***@BECKE.CH -k /tmp/samba.keytab
]# scp /tmp/samba.keytab ***@file--s0-v1.becke.ch:/etc/samba/samba.keytab

6. On samba server:
vi /etc/samba/smb.conf
...
[global]
workgroup = BECKECH
server string = Samba Server Version %v
netbios name = FILES0V1

log file = /var/log/samba/%m.log
max log size = 50

realm = BECKE.CH
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no

security = user

# passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-BECKE-CH.socket
passdb backend = ipasam:ldaps://directory--s0-v1.becke.ch

ldapsam:trusted=yes
ldap ssl = off
ldap suffix = dc=becke,dc=ch
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
...

But all this did not help and I always get:
]# smbclient -L file--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10
...
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
...

Doing the same against the IPA server, everything works fine:
# smbclient -L directory--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10

... Maybe there is something wrong in: "cli_init_creds" ... but now after
hours of research, debugging and testing I will give up and switch to
"tdbsam" which is not optimal but should at least work ...
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Alexander Bokovoy
2015-01-20 08:01:43 UTC
Post by Jason Woods
Post by Alexander Bokovoy
Post by Jason Woods
Hi
(Apologies - resending to the list - I'm so used to the Reply-To already
being set, but it appears not to be here. My bad.)
Post by Alexander Bokovoy
Post by Jason Woods
Post by Petr Spacek
Please let us know if it worked for you or not. I'm curious!
I'm pretty curious too.
I have RHEL 6.5 with Samba authenticating with IPA using ipasam.so. I
needed to add two patches to 3.0, though, to fix 'valid users' group
resolution and also performance. They're merged into master and 3.3
and will be in RHEL 7.
Apart from the patching it was easy to do - just needed ipa-server and
ipa-server-adtrust installed and set up, and it did all the config for me
(the adtrust part sets up Samba with ipasam.so for you).
The problem with running ipasam.so without ipa-server locally is how to
get it so the host can see ipaNTHash in the schema to check the password.
If ipa-server is local the host has access; otherwise it doesn't.
So it would be good to find out what ACI or service principal stuff makes that
available in an elegant and secure way.
We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it
all and maybe creating a simple configuration tool.
Timing is not yet defined.
Is there any news on this issue?
Yes, the solution based on SSSD providing a winbindd-compatible
interface is available in Fedora 21 and RHEL7.1beta.
Post by Jason Woods
I tried the following work-around, which unfortunately did not work.
]# yum install ipa-server-trust-ad
2. On the IPA Server: Run "ipa-adtrust-install"
]# ipa-adtrust-install
]# scp /usr/lib64/samba/pdb/ipasam.so file--s0-v1.becke.ch:/usr/lib64/samba/pdb/
You also need to add cifs/file--s0-***@BECKE.CH to an ACI that
would allow it to read the ipaNTHash attribute.
Post by Jason Woods
5. On ipa-server: Create keytab for samba server and copy over to samba server
]# ipa-getkeytab -s directory--s0-v1.becke.ch -p
vi /etc/samba/smb.conf
...
[global]
workgroup = BECKECH
server string = Samba Server Version %v
netbios name = FILES0V1
log file = /var/log/samba/%m.log
max log size = 50
realm = BECKE.CH
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no
security = user
# passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-BECKE-CH.socket
passdb backend = ipasam:ldaps://directory--s0-v1.becke.ch
ldapsam:trusted=yes
ldap ssl = off
ldap suffix = dc=becke,dc=ch
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
...
]# smbclient -L file--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10
...
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
...
# smbclient -L directory--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10
... Maybe there is something wrong in: "cli_init_creds" ... but now after
hours of research, debugging and testing I will give up and switch to
"tdbsam" which is not optimal but should at least work ...
As I said above, your cifs/file-* service is unable to read out password
values from the ipaNTHash attribute of a user entry. It has to be added
to a pre-defined group first. That group is then added to a
specialized ACI granting access to the attributes required by Samba.

It can be done through the role/privilege/permission process in IPA 4.0+:

0. Add service on host foo.bar:
# ipa service-add cifs/foo.bar

1. Add permission:
# ipa permission-add "CIFS server can read user passwords" \
--attrs={ipaNTHash,ipaNTSecurityIdentifier} \
--type=user --right={read,search,compare} --bindtype=permission

2. Add privilege:
# ipa privilege-add-permission 'CIFS server privilege' --permission='CIFS server can read user passwords'

3. Add role to bind privilege to specific services:
# ipa role-add 'CIFS server'
# ipa role-add-privilege 'CIFS server' --privilege='CIFS server privilege'
# ipa role-add-member 'CIFS server' --services=cifs/foo.bar

If you have a keytab for the service cifs/foo.bar, you can verify that it
can indeed read ipaNTHash:
[***@master ~]# kdestroy -A
[***@master ~]# kinit -kt foobar.keytab cifs/foo.bar
[***@master ~]# ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: cifs/***@F21.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=f21,dc=test> (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#

# admin, users, compat, f21.test
dn: uid=admin,cn=users,cn=compat,dc=f21,dc=test

# admin, users, accounts, f21.test
dn: uid=admin,cn=users,cn=accounts,dc=f21,dc=test
ipaNTHash:: <some base64 value>

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

This would work more or less the same in 3.0, but you would need to add
permissions differently because 3.x doesn't have as easy permission-
constructing means as 4.0 has.

The approach we chose with SSSD in Fedora 21/RHEL 7.1 beta is totally
different -- SSSD provides the needed information to perform identity
management and authentication via a libwinbind replacement library. The
only issue with this approach is that NTLM authentication is not
supported; one has to use Kerberos auth all the time.
--
/ Alexander Bokovoy
Raoul Becke
2015-01-27 17:25:14 UTC
Thank you very much for these detailed instructions. It seems not to be too
complicated and I think I will give it a 2nd try - the only thing that worries me is this:
Post by Alexander Bokovoy
This would work more or less same in 3.0 but you would need to add
permissions differently because 3.x doesn't have as easy permission
constructing means as 4.0 has.
Is there a document that describes how to do this in:
Name : ipa-server
Arch : x86_64
Version : 3.3.3

Or a document that describes the differences then I can take it from there.
Alexander Bokovoy
2015-01-29 14:47:48 UTC
Post by Raoul Becke
Thank you very much for these detailed instructions. It seems not to be too
complicated and I think I will give it a 2nd try - the only thing that worries me is this:
Post by Alexander Bokovoy
This would work more or less same in 3.0 but you would need to add
permissions differently because 3.x doesn't have as easy permission
constructing means as 4.0 has.
Name : ipa-server
Arch : x86_64
Version : 3.3.3
Or a document that describes the differences then I can take it from there.
I think the difference would be the unavailability of the
'ipa privilege-add-permission' command. You still need to create the
privilege and the role, but then create the ACI manually, referencing the
privilege.

# ipa privilege-add 'CIFS server privilege'
---------------------------------------
Added privilege "CIFS server privilege"
---------------------------------------
Privilege name: CIFS server privilege
# ipa role-add 'CIFS server'
------------------------
Added role "CIFS server"
------------------------
Role name: CIFS server
# ipa role-add-privilege 'CIFS server' --privilege='CIFS server privilege'
Role name: CIFS server
Privileges: CIFS server privilege
----------------------------
Number of privileges added 1
----------------------------

And add ACI based on the privilege group DN:
# cat 89-cifs-privilege-aci.update
dn: $SUFFIX
add:aci: '(targetattr = "ipaNTHash || ipaNTSecurityIdentifier")(version 3.0; acl "CIFS server privilege permission"; allow (read,search,compare) groupdn="ldap:///cn=CIFS server privilege,cn=privileges,cn=pbac,$SUFFIX";)'

# ipa-ldap-updater -l ./89-cifs-privilege-aci.update
Parsing update file './89-cifs-privilege-aci.update'
Updating existing entry: dc=f21,dc=test
Done
The ipa-ldap-updater command was successful

The add:aci line in the .update file should be that long. Note that
changing ACIs directly, as opposed to using the permission CLI in FreeIPA 4.x, is not
really recommended. You need to understand what you are doing, and
wrong operations may cause slowness or even total malfunctioning of the
LDAP server.
--
/ Alexander Bokovoy
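Both the 4.0+ permission/privilege/role recipe and the hand-written 89-cifs-privilege-aci.update for 3.x above end in one 389-DS ACI that lets a service principal read ipaNTHash, which is password-equivalent material, so the ACI deserves the same review as a keytab. The script below is an added example for this thread, not FreeIPA or Samba code: it rebuilds the ACI string from that update file for a concrete suffix and privilege name, parses ACIs of that single-target shape back into target attributes, rights and bind rule, and flags any ACI touching ipaNTHash that grants more than a CIFS server needs (the two attributes, read/search/compare, one group under cn=privileges,cn=pbac). The suffix dc=f21,dc=test comes from the ldapsearch output earlier in the thread; the other sample ACIs are constructed for the example.

```python
"""Build and audit the 389-DS ACI that lets a CIFS service read ipaNTHash.

Added example for this thread, not FreeIPA or Samba code.  Constructed
inputs: the suffix dc=f21,dc=test (from the ldapsearch output in the
thread) and the extra sample ACIs at the bottom.
"""
import re
from dataclasses import dataclass

# Attributes an ipasam-backed Samba needs for NTLM auth (per the thread),
# and the only rights that reading them requires.
SAMBA_ATTRS = frozenset({"ipaNTHash", "ipaNTSecurityIdentifier"})
READ_RIGHTS = frozenset({"read", "search", "compare"})

# Shape of the single-target ACI used in 89-cifs-privilege-aci.update:
# (targetattr = "a || b")(version 3.0; acl "name"; allow (rights) bind="url";)
_ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>[a-z]+)\s*=\s*"(?P<subject>[^"]*)";\s*\)'
)


@dataclass(frozen=True)
class Aci:
    name: str
    attrs: frozenset
    rights: frozenset
    bind: str      # groupdn, userdn, ...
    subject: str   # ldap:/// URL named by the bind rule


def build_cifs_aci(suffix: str, privilege: str) -> str:
    """The 3.x-path ACI from the thread, with $SUFFIX filled in."""
    group = f"ldap:///cn={privilege},cn=privileges,cn=pbac,{suffix}"
    return ('(targetattr = "ipaNTHash || ipaNTSecurityIdentifier")'
            f'(version 3.0; acl "{privilege} permission"; '
            f'allow (read,search,compare) groupdn="{group}";)')


def parse_aci(text: str) -> Aci:
    """Split one ACI of the shape above into its parts."""
    m = _ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ACI syntax: {text!r}")
    attrs = frozenset(a.strip() for a in m["attrs"].split("||"))
    rights = frozenset(r.strip() for r in m["rights"].split(","))
    return Aci(m["name"], attrs, rights, m["bind"], m["subject"])


def audit(aci: Aci) -> list:
    """Findings for an ACI that exposes NT hashes; [] means least privilege."""
    findings = []
    if "ipaNTHash" not in aci.attrs and "*" not in aci.attrs:
        return findings  # does not touch the password hash at all
    if "*" in aci.attrs:
        findings.append("targetattr '*' exposes ipaNTHash along with every other attribute")
    elif not aci.attrs <= SAMBA_ATTRS:
        findings.append(f"grants attributes Samba does not need: {sorted(aci.attrs - SAMBA_ATTRS)}")
    if not aci.rights <= READ_RIGHTS:
        findings.append(f"grants more than read access to NT hashes: {sorted(aci.rights - READ_RIGHTS)}")
    if aci.bind != "groupdn":
        findings.append(f"bind rule is {aci.bind}, not a privilege group")
    elif ",cn=privileges,cn=pbac," not in aci.subject:
        findings.append("group is not a FreeIPA privilege (not under cn=privileges,cn=pbac)")
    return findings


def audit_all(acis) -> dict:
    """Map each ACI name to its findings."""
    return {a.name: audit(a) for a in map(parse_aci, acis)}


SUFFIX = "dc=f21,dc=test"
CIFS_ACI = build_cifs_aci(SUFFIX, "CIFS server privilege")
# Constructed counter-examples of the kind a hand-edited ACI can drift into.
BROAD_ACI = ('(targetattr = "*")(version 3.0; acl "too broad"; '
             'allow (all) userdn="ldap:///anyone";)')
WRITE_ACI = ('(targetattr = "ipaNTHash || userPassword")(version 3.0; acl "editors"; '
             'allow (read,search,compare,write) '
             f'groupdn="ldap:///cn=editors,cn=groups,cn=accounts,{SUFFIX}";)')
MAIL_ACI = ('(targetattr = "mail")(version 3.0; acl "mail"; '
            'allow (read) userdn="ldap:///anyone";)')

if __name__ == "__main__":
    for name, findings in audit_all([CIFS_ACI, BROAD_ACI, WRITE_ACI, MAIL_ACI]).items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```

To use it against a live directory, feed `audit_all` the values of the suffix entry's `aci` attribute; the parser only understands the single-target form shown in the update file and raises on anything else, which is deliberate, since an ACI it cannot parse is one a reviewer should read by hand.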