Posted to users@directory.apache.org by Brian Burch <br...@PingToo.com> on 2011/05/01 16:04:39 UTC
Re: Apache DS to Authenticate Samba
On 04/02/11 22:16, Stefan Seelmann wrote:
> Hi Jeffrey,
> On Thu, Feb 3, 2011 at 4:31 AM, Jeffre Reynolds wrote:
> <snip>
>> Any information on the subject would be very helpful, or even a good place to go to try to find out more about how to integrate ApacheDS with Samba.
>
> I'm no Samba expert (and I think most readers of this list are
> neither). But I doubt your problem is ApacheDS specific. As far as I
> know Samba can just use any LDAP server as backend. So I think you
> could try to adapt other documentation on how to integrate Samba+LDAP
> to ApacheDS ([1][2] are just two examples). In any case the Samba
> mailing lists [3] should be a good resource.
>
> Kind Regards,
> Stefan
I've been meaning to convert my samba authentication to ldap for quite a
while. The recent activity on this topic encouraged me to get on with it.
It was a long and painful task, made worse by the fact that a lot of
information is out of date, confusing or doesn't apply to apacheds. I do
not propose to go over everything here!
However, after enabling the samba schema, converting my users, defining
a samba domain entry and a server authenticator, I hit problems when
trying to do anything as a samba user. The apacheds/bin/wrapper.log was
quite informative.
To cut a long story short, there are LOTS of schema changes required for
samba 3, which are missing from apacheds. Sample openldap schema changes
were committed to the samba source repository in February 2006. I have
converted them to match the apacheds schema and applied them to my
directory.
Here are my new attribute and objectclass definitions:
# samba 3 attributes Schema
#
# see: http://lists.samba.org/archive/samba-cvs/2006-February/064786.html
#
# svn commit: samba r13290 - branches/SAMBA_3_0/examples/LDAP trunk/examples/LDAP
#
dn: m-oid=1.3.6.1.4.1.7165.2.1.58,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.58
m-collective: FALSE
m-description: Minimal password length (default: 5)
m-equality: integerMatch
m-name: sambaMinPwdLength
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.59,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.59
m-collective: FALSE
m-description: Length of Password History Entries (default: 0 => off)
m-equality: integerMatch
m-name: sambaPwdHistoryLength
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.60,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.60
m-collective: FALSE
m-description: Force Users to logon for password change (default: 0 => off, 2 => on)
m-equality: integerMatch
m-name: sambaLogonToChgPwd
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.61,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.61
m-collective: FALSE
m-description: Maximum password age, in seconds (default: -1 => never expire passwords)
m-equality: integerMatch
m-name: sambaMaxPwdAge
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.62,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.62
m-collective: FALSE
m-description: Minimum password age, in seconds (default: 0 => allow immediate password change)
m-equality: integerMatch
m-name: sambaMinPwdAge
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.63,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.63
m-collective: FALSE
m-description: Lockout duration in minutes (default: 30, -1 => forever)
m-equality: integerMatch
m-name: sambaLockoutDuration
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.64,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.64
m-collective: FALSE
m-description: Reset time after lockout in minutes (default: 30)
m-equality: integerMatch
m-name: sambaLockoutObservationWindow
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.65,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.65
m-collective: FALSE
m-description: Lockout users after bad logon attempts (default: 0 => off)
m-equality: integerMatch
m-name: sambaLockoutThreshold
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.66,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.66
m-collective: FALSE
m-description: Disconnect Users outside logon hours (default: -1 => off, 0 => on)
m-equality: integerMatch
m-name: sambaForceLogoff
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

dn: m-oid=1.3.6.1.4.1.7165.2.1.67,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.67
m-collective: FALSE
m-description: Allow Machine Password changes (default: 0 => off)
m-equality: integerMatch
m-name: sambaRefuseMachinePwdChange
m-noUserModification: FALSE
m-obsolete: FALSE
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
m-usage: USER_APPLICATIONS

# samba domain Object Schema
# allow all samba 3 attributes
#
dn: m-oid=1.3.6.1.4.1.7165.2.2.5,ou=objectClasses,cn=samba,ou=schema
changetype: modify
add: m-may
m-may: sambaMinPwdLength
-
add: m-may
m-may: sambaPwdHistoryLength
-
add: m-may
m-may: sambaLogonToChgPwd
-
add: m-may
m-may: sambaMaxPwdAge
-
add: m-may
m-may: sambaMinPwdAge
-
add: m-may
m-may: sambaLockoutDuration
-
add: m-may
m-may: sambaLockoutObservationWindow
-
add: m-may
m-may: sambaLockoutThreshold
-
add: m-may
m-may: sambaForceLogoff
-
add: m-may
m-may: sambaRefuseMachinePwdChange
My ubuntu samba 3 (version 2:3.4.7) server is now working perfectly with
apacheds 1.5.4. Perhaps someone would like to update the source to
include these schema changes?
Regards,
Brian
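An added example, not part of Brian's message or of the ApacheDS or Samba projects: a small pre-import check for meta-schema LDIF of the kind posted above. Schema changes that reference an attribute the server does not know, reuse an OID, or pair an equality rule with the wrong syntax are rejected by ApacheDS at load time, and the wrapper.log is then the only clue. This script parses the LDIF (unfolding continuation lines), collects the attributeTypes it defines, and checks that every m-may added to an objectClass is defined either in the file or in the attributes you already know the server has (the hypothetical known_attrs list). The embedded SAMPLE_LDIF is constructed for the example; it reuses two of the entries above and deliberately adds one defective attribute (sambaBogusCounter, an integerMatch rule on a Directory String syntax) and one undefined reference (sambaNoSuchAttr).

```python
"""Sanity-check ApacheDS meta-schema LDIF before importing it.

Example code written for this thread; not ApacheDS or Samba code.
"""
import re
from typing import Dict, List, Sequence

SAMBA_ARC = "1.3.6.1.4.1.7165."  # Samba's private enterprise OID arc
# Syntax OID each equality rule expects (RFC 4517 syntaxes).
EQUALITY_SYNTAX = {
    "integerMatch": "1.3.6.1.4.1.1466.115.121.1.27",     # INTEGER
    "booleanMatch": "1.3.6.1.4.1.1466.115.121.1.7",      # Boolean
    "caseIgnoreMatch": "1.3.6.1.4.1.1466.115.121.1.15",  # Directory String
}

# Constructed sample: two real entries from the post plus two deliberate defects.
SAMPLE_LDIF = """\
dn: m-oid=1.3.6.1.4.1.7165.2.1.58,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.58
m-description: Minimal password length (default: 5)
m-equality: integerMatch
m-name: sambaMinPwdLength
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27

dn: m-oid=1.3.6.1.4.1.7165.2.1.63,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.63
m-description: Lockout duration in minutes (default: 30,
  -1 => forever)
m-equality: integerMatch
m-name: sambaLockoutDuration
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27

# constructed defect: integerMatch on a Directory String syntax
dn: m-oid=1.3.6.1.4.1.7165.2.1.999,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-oid: 1.3.6.1.4.1.7165.2.1.999
m-equality: integerMatch
m-name: sambaBogusCounter
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15

dn: m-oid=1.3.6.1.4.1.7165.2.2.5,ou=objectClasses,cn=samba,ou=schema
changetype: modify
add: m-may
m-may: sambaMinPwdLength
-
add: m-may
m-may: sambaLockoutDuration
-
add: m-may
m-may: sambaNoSuchAttr
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into records; unfold ' '-continued lines; drop comments and '-'."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for raw in chunk.splitlines():
            if raw.startswith("#") or raw == "-":
                continue
            if raw.startswith(" ") and lines:   # LDIF line folding
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        rec: Dict[str, List[str]] = {}
        for line in lines:
            key, _, value = line.partition(":")
            rec.setdefault(key.strip(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records


def check_schema(text: str, known_attrs: Sequence[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means the file looks importable."""
    findings: List[str] = []
    defined = set(known_attrs)          # attributes the server already has
    seen_oids: Dict[str, str] = {}
    records = parse_ldif(text)
    for rec in records:                 # pass 1: attribute type definitions
        dn = rec.get("dn", [""])[0]
        if "ou=attributeTypes" not in dn:
            continue
        rdn_oid = dn.split(",")[0].split("=", 1)[1]
        oid = rec.get("m-oid", [""])[0]
        name = rec.get("m-name", [""])[0]
        if "metaAttributeType" not in rec.get("objectClass", []):
            findings.append(f"{dn}: missing objectClass metaAttributeType")
        if oid != rdn_oid:
            findings.append(f"{dn}: m-oid {oid!r} does not match the RDN")
        if oid in seen_oids:
            findings.append(f"{dn}: OID already used by {seen_oids[oid]}")
        seen_oids[oid] = name or dn
        if not oid.startswith(SAMBA_ARC):
            findings.append(f"{name or dn}: OID {oid} is outside the Samba arc")
        if not name:
            findings.append(f"{dn}: no m-name")
        equality = rec.get("m-equality", [""])[0]
        syntax = rec.get("m-syntax", [""])[0]
        expected = EQUALITY_SYNTAX.get(equality)
        if expected and syntax != expected:
            findings.append(f"{name}: {equality} expects syntax {expected}, got {syntax}")
        if name:
            defined.add(name)
    for rec in records:                 # pass 2: objectClass changes
        dn = rec.get("dn", [""])[0]
        if "ou=objectClasses" not in dn:
            continue
        for attr in rec.get("m-may", []) + rec.get("m-must", []):
            if attr not in defined:
                findings.append(f"{dn}: references undefined attribute {attr}")
    return findings


if __name__ == "__main__":
    for f in check_schema(SAMPLE_LDIF):
        print("FINDING:", f)
```

Run it against the real file with the attribute names already present in the server's samba schema passed as known_attrs; a clean run is a reasonable gate before pointing ldapmodify or Directory Studio at a production instance.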
Re: Apache DS to Authenticate Samba
Posted by Kiran Ayyagari <ka...@apache.org>.
Thanks, Brian, for sharing this with us. I will take a look at this and
hopefully include them in the trunk soon.
On Sun, May 1, 2011 at 7:34 PM, Brian Burch <br...@pingtoo.com> wrote:
> <snip>
--
Kiran Ayyagari