What I've done so far
- Installed DHCP server and bind9 for the local network of clients (the server should act as a gateway)
- built Samba4 from source with bind9_dlz as dns backend
- installed OpenLDAP using `apt-get install slapd ldap-utils`
- changed slapd ports to 390,637 because samba is blocking 389,636
- imported the samba ldap scheme, initially set up the ldap directory and provisioned the domain
- installed `libnss-ldapd` for ldap authentication (`getent passwd` outputs LDAP users correctly)
- gave samba the admin password to my ldap directory (`smbpasswd -w xxx`)
The Problem
I joined a Windows 7 client to the domain and tried to log in as a user created with `smbldap-useradd`. I receive a wrong password message from Windows but absolutely no errors/warnings from samba. My test user really exists in LDAP (checked with phpldapadmin), so I assume samba is not correctly talking to ldap. I'm stuck at this point and need some help!
What I've noticed
I've set `passdb backend = ldapsam:ldap://testsrv.alfr.local:390/`, which is not appearing in the output of `testparm` (see underneath).
Software I'm using
- Ubuntu Server 12.04 up-to-date
- Samba 4.1.6 compiled from source (official git repository)
- Bind 9.8.1
- slapd 2.4.28
- isc-dhcp-server 4.1
Configs and Outputs
- Server host name: testsrv
- Domain name: alfr.local
- 2 network interfaces, eth0 = DHCP, externally WAN, eth1 = 192.168.25.1 (Server acts as DHCP for this network ranging from 25.50 till 25.254)
Output of testparm
root@testsrv:~# testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[profiles]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
[global]
workgroup = ALFR
realm = alfr.local
server role = active directory domain controller
passdb backend = samba_dsdb
add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
domain logons = Yes
os level = 10
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=alfr,dc=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=alfr,dc=local
ldap ssl = no
ldap user suffix = ou=Users
server services = rpc, nbt, wrepl, cldap, ldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4, acl_xattr
[profiles]
path = /srv/samba/profiles
read only = No
create mask = 0611
directory mask = 0700
profile acls = Yes
map hidden = Yes
map system = Yes
browseable = No
csc policy = disable
[netlogon]
path = /usr/local/samba/var/locks/sysvol/alfr.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[homes]
comment = Eigener Ordner
path = /srv/samba/homes/%S
read only = No
create mask = 0611
directory mask = 0711
browseable = No
vfs objects = acl_xattr, full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
Output of ps aux (cut unimportant stuff out)
root@testsrv:~# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 699 0.0 0.0 7272 608 ? Ss 08:08 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth
bind 827 0.0 2.8 502280 58392 ? Ssl 08:08 0:01 /usr/sbin/named -u bind
dhcpd 833 0.0 0.2 14552 4476 ? Ss 08:08 0:00 /usr/sbin/dhcpd -f -q -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/ltsp/dhcpd.conf
openldap 1024 0.0 0.3 722000 6524 ? Ssl 08:08 0:00 /usr/sbin/slapd -h ldap://127.0.0.1:390/ ldaps://127.0.0.1:637/ ldapi://%2fvar%2frun%2fslapd%2fldapi/??
root 1051 0.0 0.0 693092 1172 ? Ssl 08:08 0:00 /usr/sbin/nscd
nslcd 1075 0.0 0.0 443600 1376 ? Ssl 08:08 0:00 /usr/sbin/nslcd
ntp 1279 0.0 0.0 25960 1836 ? Ss 08:08 0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:114
root 1595 0.0 2.2 534364 46152 ? Ss 09:52 0:00 samba start
root 1597 0.0 1.8 538976 38532 ? S 09:52 0:00 samba start
root 1598 0.0 1.7 539772 35624 ? S 09:52 0:00 samba start
root 1599 0.0 1.6 536876 33716 ? S 09:52 0:00 samba start
root 1600 0.0 1.6 534364 34568 ? S 09:52 0:00 samba start
root 1601 0.0 1.8 534804 37568 ? S 09:52 0:00 samba start
root 1602 0.0 1.8 538516 37212 ? S 09:52 0:00 samba start
root 1603 0.0 1.6 534364 34328 ? S 09:52 0:00 samba start
root 1604 0.0 1.6 537192 33928 ? S 09:52 0:00 samba start
root 1605 0.0 1.5 534364 32716 ? S 09:52 0:00 samba start
root 1606 0.0 2.0 534364 41264 ? S 09:52 0:00 samba start
root 1607 0.0 1.6 534364 33884 ? S 09:52 0:00 samba start
root 1608 0.0 1.6 534364 33360 ? S 09:52 0:00 samba start
/etc/nsswitch.conf
root@testsrv:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# pre_auth-client-config # passwd: compat
passwd: files ldap
# pre_auth-client-config # group: compat
group: files ldap
# pre_auth-client-config # shadow: compat
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# pre_auth-client-config # netgroup: nis
netgroup: nis
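The testparm dump above shows `passdb backend = samba_dsdb` even though `ldapsam:ldap://...:390/` was configured, because the AD DC server role fixes the backend and the classic `ldap *` directives are only read by ldapsam. The following added example (not from the original post or the Samba project) parses a testparm-style dump or a raw smb.conf and flags exactly that mismatch; the sample dump is a constructed excerpt modelled on the question's output.

```python
import re

# Constructed excerpt of a `testparm -s` dump, modelled on the question.
SAMPLE_DUMP = """\
[global]
workgroup = ALFR
realm = alfr.local
server role = active directory domain controller
passdb backend = samba_dsdb
ldap admin dn = cn=admin,dc=alfr,dc=local
ldap suffix = dc=alfr,dc=local
ldap ssl = no
[homes]
path = /srv/samba/homes/%S
"""

AD_DC_ROLE = "active directory domain controller"


def parse_dump(text):
    """Return {section: {key: value}} from smb.conf / testparm text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:                             # new [section]
            current = m.group(1).lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue                      # stray line before any section
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def ad_dc_findings(sections):
    """List settings that are overridden or ignored in the AD DC role."""
    g = sections.get("global", {})
    if g.get("server role", "").lower() != AD_DC_ROLE:
        return []                         # only relevant for an AD DC
    findings = []
    backend = g.get("passdb backend", "samba_dsdb")
    if backend != "samba_dsdb":           # raw smb.conf with ldapsam etc.
        findings.append("passdb backend '%s' is overridden by samba_dsdb "
                        "in the AD DC role" % backend)
    ldap_keys = sorted(k for k in g if k.startswith("ldap "))
    if ldap_keys:                         # consumed by ldapsam only
        findings.append("ldapsam-only settings ignored by samba_dsdb: "
                        + ", ".join(ldap_keys))
    return findings
```

Run it over `testparm -s` output to see which directives are silently unused, or over the raw smb.conf to catch a `passdb backend` that the AD DC role will override.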
Best Answer
I do not see any security directive in your config file. I assume that you want security=ad. I've spent the last month trying to do exactly the same thing - use OpenLDAP as the main database of user login information.
I've tested a few approaches:
Samba 4 AD can't trust at the moment (the Samba Team will soon publish Samba 4.2 at the time of writing), so you can't use trust mechanisms.
Samba 4 in AD, as far as I know, can't be based on OpenLDAP because of the lack of schemas needed by Active Directory.
I've tried to use software called LSC, which basically allows you to sync users and groups between AD and OpenLDAP. No luck here either. LSC documentation and examples are outdated and not compatible with the current release. I've finally managed to get user sync working, but there are a few bugs (at least in LSC v2.0 I've tried): when you update a password in OpenLDAP, LSC won't catch it. You have to store passwords in plain text to make it work.
For now, no Samba AD controller with OpenLDAP as backend. I am planning to stick to the classic NT domain controller; as soon as Samba supports trusts, I want to delegate one-direction trusts (from Samba4 NT DC to Samba4 AD) and use it on the AD domain controller with user information located in OpenLDAP.
If someone can find any mistake here, I'll be more than glad to hear it. ;-)
UPDATE: According to information from Francesco Malvezzi, in Samba 4.3 trusts are now supported:
https://www.samba.org/samba/history/samba-4.3.0.html
Configuration example: https://www.samba.org/samba/history/samba-4.3.0.html
I am still waiting until it becomes available in the official channel of my distro (debian 8-9) though.