I have an OpenLDAP server (v2.4) running on CentOS 6.4. It works great! I'm using this OpenLDAP server as the authentication backend for several services like GitLab, Redmine, etc.
Now I want to set up another Samba standalone server and use the OpenLDAP server as the auth backend for the existing users in OpenLDAP. I tried with Samba v3.6.9, but after configuring the auth backend as ldapsam in smb.conf I can't log in using an LDAP account.
When I run
smbclient -L localhost -U%
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.9-151.el6_4.1]
Sharename Type Comment
--------- ---- -------
allusers Disk All Users
IPC$ IPC IPC Service (Samba Server Version 3.6.9-151.el6_4.1)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.9-151.el6_4.1]
Server Comment
--------- -------
VAGRANT-CENTOS64 Samba Server Version 3.6.9-151.el6_4.1
Workgroup Master
--------- -------
WORKGROUP MY_MACHINE
But when I log in with my test account
smbclient -L localhost -U test
Enter test's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Here is my /etc/samba/smb.conf (printed out by testparm)
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
passdb backend = ldapsam:ldap://192.168.1.201/
log file = /var/log/samba/log.%m
max log size = 50
ldap admin dn = cn=Manager,dc=mycompany,dc=com
ldap passwd sync = yes
ldap suffix = dc=mycompany,dc=com
ldap ssl = no
ldap debug level = 1
idmap config * : backend = tdb
cups options = raw
On the Samba server, I use sssd to authenticate against OpenLDAP. From this Samba machine I can query users with the ldapsearch command. I can get user info with id LDAP_USER and ssh to this machine with any LDAP_USER/password. Here is my /etc/sssd/sssd.conf
[domain/mycompany.com]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=mycompany,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://192.168.1.201:636
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = never
[sssd]
services = nss, pam
config_file_version = 2
domains = mycompany.com
On the OpenLDAP server, I use LDAP Account Manager to manage users/groups. I imported the Samba schema and checked that everything is OK in LAM. I also enabled the samba3 extension for some users in LDAP to test. I also opened ports 137, 138, 139, 445 (tcp) on the Samba server.
So what should I do next?
I just want to reuse the users from the OpenLDAP server. I don't want to create any users from Samba. Please give me suggestions about this case.
Thank you!
You need to make sure Samba knows the password of the admin DN to bind to the LDAP server. This is done with
smbpasswd -w <secret>
before starting Samba.
Now, if that is done, do you have NTLM passwords created for your users? Samba checks the sambaNTPassword and sambaLMPassword attributes when performing authentication for the user. To change these attributes at the time the user changes their own password through LDAP, you need to use the smbk5pwd OpenLDAP overlay and set ldap passwd sync = only in smb.conf instead of ldap passwd sync = yes as you did.
I don't know if you solved the problem. In any case, if you install a Samba 4 standalone server using a remote LDAP server, you have to establish the same SID as the domain server (it's not necessary to join it to the domain). Obviously, the command net setlocalsid <sid domain> won't work on a local machine. You have to modify the value in the LDAP tree, searching for the name of the NetBIOS machine... I recommend you use an LDAP browser for this purpose...
Good Luck
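The two answers above boil down to three checks on the LDAP entries themselves: the user entry must carry the sambaSamAccount objectClass (what the LAM samba3 extension adds), it must hold a sambaNTPassword hash for Samba to compare against, and its sambaSID must sit under the same domain SID the Samba server uses. The script below is an added example, not code from the thread, that runs those checks over an LDIF dump of the kind ldapsearch produces; the LDIF sample and every DN, SID and hash in it are constructed placeholders.

```python
"""Audit OpenLDAP user entries for the attributes Samba's ldapsam backend
needs. Added example; the sample data below is constructed, not real."""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")  # shape of an NT hash in LDAP

# Constructed LDIF: one sambaDomain entry, one good user, two broken ones.
SAMPLE_LDIF = """\
dn: sambaDomainName=MYGROUP,dc=mycompany,dc=com
objectClass: sambaDomain
sambaDomainName: MYGROUP
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: uid=test,ou=People,dc=mycompany,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: test
sambaSID: S-1-5-21-111111111-222222222-333333333-1000
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [U          ]

dn: uid=alice,ou=People,dc=mycompany,dc=com
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=People,dc=mycompany,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-999999999-888888888-777777777-1001
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
sambaAcctFlags: [U          ]
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse the plain-text LDIF subset ldapsearch emits: records separated
    by blank lines, 'attr: value' lines, folded lines starting with a space.
    Base64 ('::') values are not handled by this helper."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last record
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                    # record boundary
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")    # split on the first colon only
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def find_domain_sid(entries: List[Entry], domain_name: str) -> Optional[str]:
    """Return the sambaSID of the sambaDomain entry matching the workgroup."""
    for e in entries:
        if "sambaDomain" in e.get("objectClass", []) \
                and e.get("sambaDomainName", [""])[0] == domain_name:
            return e["sambaSID"][0]
    return None


def check_samba_user(entry: Entry, domain_sid: Optional[str]) -> List[str]:
    """Return the list of reasons this user cannot log on through ldapsam."""
    problems = []
    if "sambaSamAccount" not in entry.get("objectClass", []):
        problems.append("objectClass sambaSamAccount missing: enable the samba3 extension")
    if not HEX32.match(entry.get("sambaNTPassword", [""])[0]):
        problems.append("sambaNTPassword missing or malformed: no NT hash to verify against")
    sid = entry.get("sambaSID", [""])[0]
    if not sid:
        problems.append("sambaSID missing")
    elif domain_sid and sid.rsplit("-", 1)[0] != domain_sid:
        problems.append(f"sambaSID {sid} is not under domain SID {domain_sid}")
    if "D" in entry.get("sambaAcctFlags", [""])[0]:
        problems.append("account disabled via sambaAcctFlags")
    return problems


def audit(ldif_text: str, domain_name: str) -> Dict[str, List[str]]:
    """Map each posixAccount uid to its list of ldapsam problems."""
    entries = parse_ldif(ldif_text)
    domain_sid = find_domain_sid(entries, domain_name)
    return {e["uid"][0]: check_samba_user(e, domain_sid)
            for e in entries if "posixAccount" in e.get("objectClass", [])}


if __name__ == "__main__":
    for uid, probs in audit(SAMPLE_LDIF, "MYGROUP").items():
        print(uid, "OK" if not probs else "; ".join(probs))
```

Run it against a real dump by feeding the output of an ldapsearch over the ldap suffix into audit() with the workgroup from smb.conf; a user that comes back clean but still fails with NT_STATUS_LOGON_FAILURE points at the bind (smbpasswd -w) rather than at the entry.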
Related
I am trying to run a community.windows.win_domain_user on Ansible. The current playbook I am running is as follows.
---
- name: connect to windows server
  hosts: win
  connection: ssh
  gather_facts: no
  vars:
    ansible_connection: ssh
    ansible_shell_type: cmd
  tasks:
    - name: Ensure user bob is present with address information
      community.windows.win_domain_user:
        name: Bob.c
        firstname: Bob
        lastname: Carrender
        groups:
          - Users
        domain_username: testing.com\bob.c
        domain_password: SomePas2w0rd
        domain_server: testing.com
The CSV file containing the updated AD server information is located on the Ubuntu machine.
The host files on the Windows servers in the mesh need to be updated with the information from the CSV.
The Ubuntu machine has access to all of the Windows servers in the mesh via SSH.
The SSH connection between the Ubuntu machine and the Windows servers is authenticated using password fingerprints.
The Ubuntu machine is able to run other Windows playbooks successfully.
The Local Network Policy on the Windows servers has been updated to allow various encryption sessions to be enabled.
the output
I am trying to automate the process of updating the Active Directory (AD) servers on the host files of multiple servers within my mesh. I have a CSV file that contains the updated AD server information, and I want to use this information to update the host files on all of the servers in my mesh.
The module being used is only capable of verifying existing username information and does not have the ability to create new accounts.
Invoking kinit with the principal name to get a Kerberos ticket asks for a password, even though I want it to authenticate with client certs which I have configured in /etc/krb5.conf. What is the way to force it to skip the password and only use the client cert in the AS-REQ and do PKI authentication to get the Kerberos ticket? I have the principal in the UPN of kclientcert2.pem, whose private key is kclientkey2.pem and which is issued by kclientca.pem. I have all of them in my /root folder. I then invoke kinit with the principal name as parameter. Then I am prompted for a password.
My /etc/krb5.conf realm config looks like below.
[realms]
    myrealm = {
        kdc = <ldap server IP>:88
        kdc_tcp_ports = 88
        pkinit_eku_checking = kpServerAuth
        pkinit_anchors = FILE:/root/kclientca.pem
        pkinit_identities = FILE:/root/kclientcert2.pem,/root/kclientkey2.pem
    }
Now I installed the krb5-pkinit package on one Ubuntu client. After this it did not prompt for a password there. But it gave the message "kinit: KDC name mismatch while getting initial credentials". The tcpdump shows a 2nd AS-REQ with an AS-REP with code 11.
On an embedded client running Linux, I couldn't install the package like on Ubuntu, so I copied the krb5 shared libs like preauth/pkinit.so and other .so files to the /usr/lib path, which is the standard path of the embedded client, but it still prompts for a password. https://stackoverflow.com/users/696632/michael-o, we got disconnected on the other thread; can you please help me understand why the KDC name mismatch occurs on Ubuntu and which library I am missing on the embedded client.
We have a RHEL7 Mongo server configured for Kerberos authentication for Mongo connections. The Mongo instance starts successfully, which tells us the server principal keytab is defined correctly in AD and the KRB5_KTNAME value is correct. A kinit is successful for the id that we want to authenticate with, telling us the user keytab is valid. However, when attempting to authenticate, "Kerberos server not found" is returned. Looking at the Kerberos trace, it's reporting "localhost" instead of the FQDN.
Mongo Support reviewed the DNS definitions and they are correct so referred us to Redhat support. The relevant message in the trace is:
Getting credentials userid@DOMAIN -> mongodb/localhost@ using ccache FILE:filename (values changed to protect me)
Does anyone have an idea why localhost is in this message instead of the FQDN as it should be? Again, the DNS entries look to be correct. The "server not found" message is issued because localhost isn't defined in AD, of course.
Help is appreciated.
Problem solved. When executing the shell on the same host as the Mongo server, you must include the --hostname parameter and not let it default. Kerberos uses the hostname value when sending requests to the KDC.
I want to change the password of a specific user on a James server.
Thanks
You can connect to the James Remote Administration Tool via Telnet:
telnet <ip> 4555
The default credentials are login: root password: root
Once connected, simply run this command:
setpassword [username] [password]
Better: use the command-line client provided by the project.
It uses JMX under the hood. The CLI is packaged with every distribution of the server. (You can even execute it via Maven from here: https://github.com/apache/james-project/tree/master/server/container/cli)
Then, fnkrm is right, you should go for setpassword.
Alternatively, on 3.0-betax we provide optional admin REST APIs: https://github.com/apache/james-project/tree/master/server/protocols/webadmin . Have a look at the corresponding Docker images if interested.
Cheers,
Benoit.
I have a Perl script which is doing ssh and sftp on a remote server; I am getting an error while running the script. The error says "You are trying to access a restricted zone. Only Authorized users allowed."
How is it possible to ignore these messages while doing ssh or sftp from the Perl program?
use strict;
use warnings;
use Net::SSH::Perl;
use Net::SFTP::Foreign;

# SSH session: options is an array ref of ssh_config-style lines,
# protocol selects SSH-2 (fat-arrow is "=>", not "==>")
my $ssh = Net::SSH::Perl->new($remote_host, options => ["BatchMode yes"], protocol => 2);
$ssh->login($remote_user, $remote_password);

# Separate SFTP session to the same host with password authentication
my $sftp = Net::SFTP::Foreign->new($remote_host, user => $remote_user, password => $remote_password);
./HcSGSN.pl You are trying to access a restricted zone. Only Authorized Users allowed.
Manually ssh and sftp
$ ssh pocsoc@<ip> You are trying to access a restricted zone. Only Authorized Users allowed. pocsoc@<ip> password:
sftp pocsoc@<ip> Connecting to 10.210.9.17... You are trying to access a restricted zone. Only Authorized Users allowed. pocsoc@<ip> password
You cannot just ignore these messages. These messages mean that you need to provide a username and password while doing ssh or sftp, and also that the username and password must be ones authorized to access the server. When you start providing them you will get access; otherwise no access.