  #1  
Old 3rd May 2009, 13:32
awe
Would like to change some stuff from the OpenLDAP+Samba+Ubuntu. Would it be OK?

I have used the http://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10-p2 tutorial to configure some servers with 8.04 and it has all worked well. However, what would happen if the server itself was not configured to use LDAP for authentication?

Well, I'll put the question in other terms. If the server was not configured to use LDAP for its own authentication, would samba users (Ubuntu, Gnome) connect correctly to all shared resources? I do not like the idea that just any user can go to the server and log in with their LDAP account. I would like the server to use local authentication only when it comes to logging into the box, but still keep the ability for samba to authorise access to shared resources based on LDAP info.

Thanks.

Last edited by awe; 3rd May 2009 at 13:34.
  #2  
Old 5th May 2009, 00:07
awe

Well, looks like I can self-reply on this one too.

Just did another server install following that tutorial. I followed all the steps, but I omitted the step "Configuring the server to use LDAP authentication" (or something like that). It seems to work the way I wanted it to. The server authenticates the workstations correctly, against the LDAP tree, but when it comes to logging into the server itself then you need a PAM account for it.

I think the tutorial causes a security weakness. Personally, I think that the step that aims to configure the server to use LDAP for authentication should be omitted. If carried out, it causes any user within the LDAP tree to be able to log into the server, and this is BAD!

However, this bit of the tutorial is valid and very useful for setting up Ubuntu workstations to authenticate logins against the LDAP tree on the server, in addition to local PAM information. I have to say, though, that on Intrepid you have to take an additional step. It is necessary to add the following line to /etc/pam.d/common-account:
Code:
# This is required to create the HomeDir at first login
# automatically and without asking for confirmation
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
as I explained in this post.

This can probably be automated by adding such a line to the open_ldap profile that auth-client-config inserts into PAM, but I am too lazy to check how that must be done exactly, and thus I add the line manually. It's no hard work after all.

Last edited by awe; 5th May 2009 at 00:10.
  #3  
Old 5th May 2009, 16:00
awe

Here I am again in my monologue.

Well, it seems like I have some problems. I have not set up my last server to allow logins from users in the LDAP tree, yet I have told Samba to look in the tree to authenticate users. It does not work well. Samba clients are denied write access. This is one example:

a) The samba share is:
Code:
[documents]
        comment = Documents
        path = /home/public/documents
        read only = no
        guest ok = yes
        admin users = root, direccio
        create mask = 0644
        directory mask = 0755
Username "direccio" is listed in the LDAP tree and it can log in successfully and start a session on any workstation on the LAN.

b) This is what the samba log file is saying:
Code:
[2009/05/05 14:13:00, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
  pdb_get_group_sid: Failed to find Unix account for direccio
[2009/05/05 14:13:09, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
  pdb_get_group_sid: Failed to find Unix account for direccio
[2009/05/05 14:13:09, 1] auth/auth_util.c:make_server_info_sam(566)
  User direccio in passdb, but getpwnam() fails!
[2009/05/05 14:13:09, 0] auth/auth_sam.c:check_sam_security(353)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2009/05/05 14:13:09, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
  pdb_get_group_sid: Failed to find Unix account for direccio
[2009/05/05 14:13:09, 1] smbd/service.c:make_connection_snum(1033)
  recepcio-1 (192.168.10.5) connect to service documents initially as user nobody (uid=65534, gid=65534) (pid 12568)
All users from the LDAP tree end up connecting to the samba share as nobody. Hence the read-only access.

Any clues about how to make Samba authentication work well whilst preventing users from the LDAP tree from going to the server box and being able to log into it?

My question may be confusing, so let me shed some light on it.

1) I want users in the LDAP tree to be able to connect to the shared resources on the server, with the privileges I may grant in "smb.conf" definitions. They should continue to be able to start sessions on all and any workstations, just like they do now.

2) I do not want users in the LDAP tree to be able to log into the server box itself, be it via SSH or by actually going to the box and logging into it using its keyboard.

This is the default behaviour for Windows servers, and it really makes a lot of sense to have it done this way. There is a big security hole otherwise.

Ideas?

Thanks, regards.

REMARK: This is no hobby. This install is a real-life production environment, and I must make it all work in the way I've said. Any help is extremely appreciated. Thank you!

Last edited by awe; 5th May 2009 at 16:12.
  #4  
Old 5th October 2009, 19:40
Hdave

Quote:
Originally Posted by awe
1) I want users in the LDAP tree to be able to connect to the shared resources on the server, with the privileges I may grant in "smb.conf" definitions. They should continue to be able to start sessions on all and any workstations, just like they do now.

2) I do not want users in the LDAP tree to be able to log into the server box itself, be it via SSH or by actually going to the box and logging into it using its keyboard.
Did you ever get this working? I have EXACTLY the same issue with this how-to. I have already configured SAMBA to use LDAP for authentication and now it is complaining that the users have no local Unix account. I don't see why that should be necessary? The file permissions are put into the share definitions...
  #5  
Old 6th October 2009, 10:10
awe

Hello HDave,

Yes, I have solved this problem, although I am not 100% sure how I did it. Here is what I did:

1) I had a fully working server, all set up and configured following the instructions of the "how-to". Obviously, it did have a security hole.

2) I remembered that, during the configuration, the original PAM files were backed up, so I restored the backup:

a) I became superuser and I went to the PAM directory:
Code:
cd /etc/pam.d
b) Backed up the LDAP-enabled PAM files:
Code:
mkdir PAM-LDAP
cp * PAM-LDAP/
c) Then restored those original config files:
Code:
cp bkup/* .
Et voilà! All working the way it should. What I had done previously did not work well. Previously, I would set up the server but omit the part about the PAM config files. This time, on the contrary, I first had a fully working server, and then I restored the original PAM files.

I said in the beginning that I was not 100% sure about how I did it, because I am not 100% sure that this is really the fix for the problem. I do not have access to other environments in order to try this out on more servers. It did work on the latest one that I configured.

Last edited by awe; 7th October 2009 at 06:54.
  #6  
Old 7th October 2009, 02:48
Hdave

Thanks for the info. I ended up in the same place, but through a different route. I completely blew off the installation of smbldap-tools and any kind of synchronization between pam/nss and samba. If you do this, and leave Samba in security=user mode, you will eventually get the same "samba account does not have a unix account" error message in the samba log that you reported.

For a while, I was really bothered by the strict requirement that Samba user mode security require local accounts, but then I realized that without local accounts or a domain controller, how were file system permissions to be dealt with?

In any event, I didn't have very many users so I manually used addgroup and adduser to create them and then deleted their local password and disabled the accounts, making a login in any manner an impossibility. Incredibly, even though the uid and gid didn't match Samba's, and the accounts were disabled with null passwords, Samba didn't care and everything works great!!

I know it's an ugly hack, but like yourself, I don't have time for a research project. I only needed to get this one server running and I didn't feel like creating a Samba domain controller or properly wiring Samba and PAM together only to figure out how to properly configure my server in LDAP so Samba wouldn't allow logins... (felt like another 2-5 days to sort that out).

I just wish it were easier... someday, I'll put together a killer how-to on user mode security for a file server in samba without a domain controller and without allowing local machine logins.

Last edited by Hdave; 7th October 2009 at 02:51.
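The thread's resolution (posts #5 and #6) comes down to one distinction: Samba needs the Unix account to resolve through NSS (otherwise the "in passdb, but getpwnam() fails" line appears and the client is mapped to nobody), while interactive logins are decided by PAM, so LDAP can stay in nsswitch.conf and be absent from the PAM auth stack. The following POSIX shell check is an added example, not code from the thread or the tutorial; it classifies an nsswitch.conf / PAM auth file pair into those states, using small constructed sample files (the file names and contents are hypothetical, and a real run would pass /etc/nsswitch.conf and /etc/pam.d/common-auth instead).

```shell
#!/bin/sh
# Added example, not from the thread: classify an nsswitch.conf / PAM auth file
# pair into the states the posts above walk through. Samba resolves the Unix
# account with getpwnam() (NSS), while an interactive login is gated by PAM, so
# the two can legitimately disagree about LDAP.

# Does the passwd database in nsswitch.conf include the ldap source? ($1 = file)
nss_uses_ldap() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# Does an active (uncommented) "auth" line in the PAM file call pam_ldap? ($1 = file)
pam_auth_uses_ldap() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_ldap\.so' "$1"
}

# Prints "<verdict>: <consequence>"; exit status 0 only for the state the thread wants.
classify_auth_config() {
    if ! nss_uses_ldap "$1"; then
        echo "nss-local: Samba logs 'in passdb, but getpwnam() fails' and maps LDAP users to nobody"
        return 2
    elif pam_auth_uses_ldap "$2"; then
        echo "pam-ldap: shares work, but every LDAP user can also log in to the box"
        return 1
    fi
    echo "ok: NSS resolves LDAP users for Samba, PAM accepts local accounts only"
}

# Constructed sample files (hypothetical minimal configs, not copied from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files\n' > "$demo_dir/nss_ldap"
printf 'passwd: compat\ngroup:  compat\n' > "$demo_dir/nss_local"
printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so nullok_secure use_first_pass\n' > "$demo_dir/pam_ldap"
printf '# auth sufficient pam_ldap.so\nauth required pam_unix.so nullok_secure\n' > "$demo_dir/pam_local"

# Walk the three combinations the thread went through, in the order the posts hit them.
for pair in "nss_local pam_local" "nss_ldap pam_ldap" "nss_ldap pam_local"; do
    set -- $pair
    classify_auth_config "$demo_dir/$1" "$demo_dir/$2" || :
done
```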