Would like to change some stuff from the OpenLDAP+Samba+Ubuntu. Would it be OK?

Discussion in 'HOWTO-Related Questions' started by awe, May 3, 2009.

  1. awe

    awe New Member

    I have used http://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10-p2 tutorial to configure some servers with 8.04 and it all has worked well. However, what would happen if the server itself was not configured to use LDAP for authentication?

    Well, I'll put the question in other terms. If the server was not configured to use LDAP for its own authentication, would samba users (Ubuntu,Gnome) connect correctly to all shared resources? I do not like the idea that just any user can go to the server and log in with their LDAP account, I would like the server to use local authentication only when it comes to logging into the box, but still keep the ability for samba to authorise access to shared resources based on LDAP info.

    Last edited: May 3, 2009
  2. awe

    awe New Member

    Well, looks like I can self-reply on this one too.

    Just did another server install following that tutorial. I followed all the steps, but I omitted the step "Configuring the server to use LDAP authentication" (or something like that). It seems to work the way I wanted it to. The server authenticates the workstations correctly, against the LDAP tree, but when it comes to logging into the server itself then you need a PAM account for it.

    I think the tutorial causes a security weakness. Personally, I think that the step that aims to configure the server to use LDAP for authentication should be ommited. If carried out, it causes any user within the LDAP tree to be able to log into the server, and this is BAD!

    However, this bit of the tutorial is valid and very useful for setting up Ubuntu workstations to authenticate logins against the LDAP tree on the server, in addition to local PAM information. I have to say, though, that on Intrepid you have to take a additional step. It is necessary to add the following line to /etc/pam.d/common-account:
    # This is required to create the HomeDir at first login
    # automatically and without asking for confirmation
    session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
    like I explained on this post.

    This can probably be automated by adding such line into the open_ldap profile that auth-client-config inserts into PAM, but I am too lazy to check how that must be done exactly and thus I add the line manually. It's no hard work after all.
    Last edited: May 5, 2009
  3. awe

    awe New Member

    Here I am again in my monologue.

    Well seems like I have some problems. I have not set my last server to enable log-in from users in the LDAP tree, but yet I have told Samba to look into the tree to authenticate users. It does not work well. Samba clients are denied write access. This is one example:

    a) The samba share is:
            comment = Documents
            path = /home/public/documents
            read only = no
            guest ok = yes
            admin users = root, direccio
            create mask = 0644
            directory mask = 0755
    Username "direccio" is listed in the LDAP tree and it can log in successfully and start a session on any workstation on the LAN.

    b) This is what the samba log file is telling:
    [2009/05/05 14:13:00, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
      pdb_get_group_sid: Failed to find Unix account for direccio
    [2009/05/05 14:13:09, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
      pdb_get_group_sid: Failed to find Unix account for direccio
    [2009/05/05 14:13:09, 1] auth/auth_util.c:make_server_info_sam(566)
      User direccio in passdb, but getpwnam() fails!
    [2009/05/05 14:13:09, 0] auth/auth_sam.c:check_sam_security(353)
      check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
    [2009/05/05 14:13:09, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
      pdb_get_group_sid: Failed to find Unix account for direccio
    [2009/05/05 14:13:09, 1] smbd/service.c:make_connection_snum(1033)
      recepcio-1 ( connect to service documents initially as user nobody (uid=65534, gid=65534) (pid 12568)
    All users from the LDAP tree end up connecting to the samba share as nobody. Hence the read-only access.

    Any clues about how to make Samba authentication work well whilst preventing users from the LDAP tree from going to the server box and being able to log into it?

    My question may be confusing, so I shed some light on it.

    1) I want users in the LDAP tree to be able to connect to the shared resources on the server, with the privileges I may grant in "smb.conf" definitions. They should continue to be able to start sessions on all and any workstations, just like they do now.

    2) I do not want users in the LDAP tree to be able to to log into the server box itself, be it via SSH or by actually going to the box and logging into it using its keyboard.

    This is the default behaviour for Windows servers, and it really makes a lot of sense to have it done this way. There is a big security hole otherwise.


    Thanks, regards.

    REMARK: This is no hobby. This install is a real-life production environment, and I must make it all work in the way I've said. Any help is extremely appreciated. Thank you!
    Last edited: May 5, 2009
  4. Hdave

    Hdave New Member

    Did you ever get this working? I have EXACTLY the same issue with this how-to. I have already configured SAMBA to use LDAP for authentication and now it is complaining that the users have no local Unix account. I don't see why that should be necessary? The file permissions are put into the share definitions...
  5. awe

    awe New Member

    Hello HDave,

    Yes I have solved this problem although I am not 100% how I did it. Here is what I did:

    1) I had a fully working server, all set up and configured following the instructions of the "how-to". Obviously, it did have security hole.

    2) I remembered that, during the configuration, the original PAM files were backed up, so I restored the backup:

    a) I became superuser and I went to the PAM directory:
    cd /etc/pam.d
    b) Backed up the LDAP-enabled PAM files:
    mkdir PAM-LDAP
    cp * PAM-LDAP/
    c) Then restored those original config files:
    cp bkup/* .
    Et voilà! All working the way it should. What I had done previously did not work well. Previously, I would set up the server but ommit the part about the PAM config files. This time, on the contrary, I first had a fully working server, and then I restored the original PAM files.

    I said in the beginning that I was not 100% sure about how I did it, because I am not 100% sure that this is really the fix for the problem. I do not have access to other environments in order to try this out on more servers. It did work on the latest one that I configured.
    Last edited: Oct 7, 2009
  6. Hdave

    Hdave New Member

    Thanks for the info. I ended in the same place, but through a different route. I completely blew-off the installation of smbldap-tools and any kind of synchronization between pam/nss and samba. If you do this, and leave Samba in securty=user mode, you will eventually get the same "samba account does not have a unix account" error message in the samba log that you reported.

    For a while, I was really bothered by the strict requirement that Samba user mode security require local accounts, but then I realized that without local accounts or a domain controller, how were file system permissions to be dealt with?

    In any event, I didn't have very many users so I manually used addgroup and adduser to create them and then deleted their local password and disabled the accounts, making a login in any manner an impossibility. Incredibly, even though the uid and gid didn't match Samba's, and the accounts were disabled with null passwords, Samba didn't care and everything works great!!

    I know its an ugly hack, but like yourself, I don't have time for a research project, I only needed to get this one server running and I didn't feel like creating a Samba domain controller or properly wiring Samba and PAM together only to figured out how to properly configure my server in LDAP so Samba wouldn't allow logins... (felt like another 2-5 days to sort that out).

    I just wish it was easier....someday, I'll put together a killer how-to on user mode security for a file server in samba without a domain controller and without allow local machine logins.
    Last edited: Oct 7, 2009

Share This Page