[ale] Samba - external LDAP

Hendry, Chris Chris.Hendry at turner.com
Thu Jul 3 09:27:47 EDT 2014


This is what I got from lists.samba.org when asking the same question:

"There seem to be two ways Linux servers can do authentication.
The first one is that the LDAP client config uses a proxy account. The
proxy account has sufficient access to read the password hashes from
LDAP. When a Linux user logs in, the Linux server takes the
password that has been entered, hashes it and compares it to the
hash in LDAP. In this case if you run "getent shadow" as root you
will see hashed entries of LDAP users. This means potentially any
user with local root access can dump the hashes and run a password cracker.
The 2nd approach is where the Linux machine relays the
authentication request to the LDAP server. I think (but not 100% sure)
that specifically what is happening is that the user's credentials are
used to ask the LDAP server if the password provided matches the one in
LDAP. This is a compare request, not an actual data read.
In Fedora, if you are using SSSD for authentication the 2nd approach is
used. Older versions of Fedora may have needed a proxy account
approach instead.
In LDAP you can create access control entries that allow specific users
or groups or members of containers to have very controlled access rights
to specific fields (e.g. the ability for a user to write to his own
password and telephone fields). An LDAP account used by Samba
DCs would need read/write access in a container in LDAP but not in the
entire LDAP tree."

Another comment from the same list was saying to configure LDAP as a domain controller, but that would require knowing an admin password.
I think the conclusion is to ask the admins of the LDAP server for a "proxy" account; can't hurt to ask.

Thanks

Chris



> Message: 2
> Date: Tue, 01 Jul 2014 19:24:01 -0500
> From: John Heim <john at johnheim.com>
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: Re: [ale] Samba - external LDAP
> Message-ID: <53B35121.6010006 at johnheim.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> You can bind to the ldap server as a regular user. That's how you use an ldap
> server for authentication. For example, if your domain is example.com and
> you wish to bind as user "nemo"
> 
> ldapsearch -x -ZZ -H ldap://ldap.example.com -D
> "uid=nemo,ou=people,dc=example,dc=com" -W "uid=nemo"
> 
> It will ask for the password for user nemo. So theoretically, I think what you
> are asking should be possible. I have only a vague recollection of configuring
> samba to authenticate vs ldap. I think if you do not give it the ldap manager
> password with smbpass, it doesn't work. But I don't know why.
> 
> On 6/30/2014 3:40 PM, Hendry, Chris wrote:
> > Thanks for responding.....
> >
> > As I was alluding, it is an external LDAP server and I do not know the
> password.
> > Isn't there a way to set this up with READ-ONLY?
> > Examples on the internet only talk about where you have admin rights.
> >
> > Chris
> >
> >
> >
> >> Message: 3
> >> Date: Sun, 29 Jun 2014 20:36:23 +0000
> >> From: Shawn <taaj.shawn at gmail.com>
> >> To: Atlanta Linux Enthusiasts <ale at ale.org>
> >> Subject: Re: [ale] Samba - external LDAP
> >> Message-ID:
> >> 	<CADSjncRXA+eymaki-29TMkRjbckFuGCOyWfJ5-
> >> SW3jJLkfphow at mail.gmail.com>
> >> Content-Type: text/plain; charset="utf-8"
> >>
> >> ldapsearch -x -H ldap://fqdn -D cn=Manager,dc=xxx,dc=xxx,dc=com  -W
> >>
> >> sorry forgot the password prompt thingy
> >>
> >>
> >> On Sun, Jun 29, 2014 at 8:35 PM, Shawn <taaj.shawn at gmail.com> wrote:
> >>
> >>> Looks like your bind dn creds are wrong
> >>>
> >>> ldapsearch -x -H ldap://fqdn -D cn=Manager,dc=xxx,dc=xxx,dc=com
> >>>
> >>> is that successful?
> >>>
> >>>
> >>> On Sat, Jun 28, 2014 at 8:48 PM, Hendry, Chris
> >>> <Chris.Hendry at turner.com>
> >>> wrote:
> >>>
> >>>>
> >>>>
> >>>> I'm trying to set up a SAMBA share using an external LDAP server
> >>>> for authentication that I have no control over.
> >>>>
> >>>> I do not have any admin abilities on the LDAP server, only need
> >>>> read ability.
> >>>>
> >>>>
> >>>>
> >>>> Cannot set smbpasswd -w <admin password>, thus get in log:
> >>>>
> >>>> failed to bind to server ldap://xxx-xxx.xxx.com/ with
> >>>> dn="cn=Manager,dc=xxx,dc=xxx,dc=com" Error: Invalid credentials
> >>>>
> >>>>          (unknown)
> >>>>
> >>>>
> >>>>
> >>>> Isn't there a way to set this up with READ-ONLY?
> >>>> Examples on the internet only talk about where you have admin rights.
> >>>>
> >>>> Thanks for any advice
> >>>>
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Tue, 1 Jul 2014 20:38:34 -0400
> From: Bob Toxen <transam at VerySecureLinux.com>
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: Re: [ale] [ot] Calling for Laptop Reviews
> Message-ID: <20140702003834.GB6614 at verysecurelinux.com>
> Content-Type: text/plain; charset=iso-8859-1
> 
> I've had TWO terrible experiences with Acer in the past 2 years.
> 
> A year ago I bought a mid-range Acer as a gift.  The keyboard's "k" key failed
> in 2 weeks.
> 
>   1. Because Acer changes models every month or so, I was unable to
>      exchange it.
> 
>   2. Unlike most manufacturers, Acer refuses to let competent retail
>      outlets (like the wonderful MicroCenter I bought it at) fix it.
> 
>   3. Acer refused to sell me a keyboard with instructions even if I
>      accepted liability for breaking it after stating I'd have
>      MicroCenter's shop fix it.
> 
>   4. Acer refused to send another one, less a disk, so that I could
>      put the now heavily used disk in the new one and return their junk.
> 
>   5. Acer (I talked with their U.S. headquarters) refused to do anything
>      except send it back and wait a month UNDER WARRANTY!
> 
>   6. The giftee, a talented 15 year old, found a replacement keyboard
>      and instructions on the Internet for about $20 a year later and
>      fixed it himself.
> 
> The other experience, about 2 years ago, I told the BIOS not to boot from the
> DVD for security reasons -- after installing Linux and adding a BIOS password,
> of course.
> 
> Unfortunately, stupid BIOS design prevents undoing this to again allow
> booting from a DVD, say, to install a new OS!  Acer support confirmed that I'd
> have to send it back to them and wait a month if I ever want to boot from
> DVD again.
> 
> 
> Since these Acer nightmares I've bought two Lenovo Thinkpads and have
> been VERY HAPPY!  YMMV.
> 
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security
> 2/e"] Quality Linux & UNIX security and SysAdmin & software consulting
> since 1990.
> Quality spam and virus filters.
> 
> "One disk to rule them all, One disk to find them. One disk to bring them all
> and in the darkness grind them. In the Land of Redmond where the shadows
> lie...and the Eye is everwatching"
> -- The Silicon Valley Tarot Henrique Holschuh with ... Bob
> 
> On Thu, Jun 26, 2014 at 07:57:59PM -0400, Greg Clifton wrote:
> > My preferences run towards Asus and Acer, both seem to make solid
> machines.
> > I have had USB port compatibility issues (on a 6 year old) and power
> > port issues with Toshibas as well. I have also had power port failure
> > with an old HP laptop behemoth of 7-8 years ago. Definitely agree with
> > Allen on Sony being "in a league of their own" price wise.
> >
> >
> > On Thu, Jun 26, 2014 at 6:28 PM, Preston <preston.lists at gmail.com> wrote:
> >
> > > <snipped>
> > >
> > > I ordered our sales people Dell Precision M3800 laptops. They show
> > > our video clips (16 channel in HD) so I have them with Windows 7
> > > Pro, 16GB ram, i7 processor, and an SSD.
> > >
> > > You will need to get a Mini DisplayPort to VGA adapter so they can
> > > attach to projectors. Also, I grabbed the power adapter cable so if
> > > their power brick tanks they can grab a regular Dell brick and rock on.
> > >
> > > Pricy, but I've had ZERO complaints with them although they do feel
> > > a bit flimsy IMHO.
> > >
> > > Preston
> > >
> > > --
> > > Be who you are and say what you feel, because those who mind don't
> > > matter and those who matter don't mind.
> > > -Dr. Seuss
> > >
> > >
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Wed, 02 Jul 2014 11:20:06 -0400
> From: Jim Lynch <ale_nospam at fayettedigital.com>
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: Re: [ale] OT: Comcast Wi-Fi
> Message-ID: <53B42326.5010202 at fayettedigital.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> On 06/03/2014 07:19 AM, Jim Kinney wrote:
> > Ignorance is innocently not knowing something. Stupid is ignorance by
> > choice.
> Or genetics.
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Wed, 2 Jul 2014 11:40:21 -0400
> From: Jim Kinney <jim.kinney at gmail.com>
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: Re: [ale] OT: Comcast Wi-Fi
> Message-ID:
> 	<CAEo=5PxZ5bLsyw1k+P7cLfD3z3Ht74kqxU=fwK-gMYJ-
> f6kB7Q at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> On Wed, Jul 2, 2014 at 11:20 AM, Jim Lynch
> <ale_nospam at fayettedigital.com>
> wrote:
> 
> > On 06/03/2014 07:19 AM, Jim Kinney wrote:
> >
> >> Ignorance is innocently not knowing something. Stupid is ignorance by
> >> choice.
> >>
> > Or genetics.
> 
> 
> I tend to use the word "stupid" in an insulting form. So for me, a genetic
> inability to learn is a cause for sadness. Refusing to learn because the content
> of the knowledge "is against tradition" is pretty (f***ing) stupid.
> 
> Of course the actual definitions include the concept of "lacking common
> sense" which is a pretty ill-defined thing to be missing. And lacking it seems
> to be more common than having it. Thus we get to an etymological
> dilemma: Why is something so rare as "common sense" referred to as
> common?
> Maybe calling it "common sense" is really a cruel word-play joke on the
> terminally stupid (who wouldn't understand they are being laughed at in this
> matter anyway).
> 
> This could go on for a long time :-)
> --
> --
> James P. Kinney III
> 
> Every time you stop a school, you will have to build a jail. What you gain at
> one end you lose at the other. It's like feeding a dog on his own tail.
> It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> 
> 
> *http://heretothereideas.blogspot.com/
> <http://heretothereideas.blogspot.com/>*
> 
> ------------------------------
> 
> Message: 6
> Date: Wed, 02 Jul 2014 12:13:23 -0400
> From: Paul Cartwright <pbcartwright at gmail.com>
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: Re: [ale] OT: Comcast Wi-Fi
> Message-ID: <53B42FA3.2030506 at gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> On 07/02/2014 11:40 AM, Jim Kinney wrote:
> > I tend to use the word "stupid" in an insulting form. So for me, a
> > genetic inability to learn is a cause for sadness. Refusing to learn
> > because the content of the knowledge "is against tradition" is pretty
> (f***ing) stupid.
> >
> > Of course the actual definitions include the concept of "lacking
> > common sense" which is a pretty ill-defined thing to be missing. And
> > lacking it seems to be more common than having it. Thus we get to an
> > etymological
> > dilemma: Why is something so rare as "common sense" referred to as
> common?
> > Maybe calling it "common sense" is really a cruel word-play joke on
> > the terminally stupid (who wouldn't understand they are being laughed
> > at in this matter anyway).
> and lacking common sense doesn't mean you are stupid..
> http://www.science20.com/rogue_neuron/does_superhigh_iq_superlow_common_sense
> https://answers.yahoo.com/question/index?qid=20130421213804AArNKq5
> 
> --
> Paul Cartwright
> Registered Linux User #367800 and new counter #561587
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Wed, 02 Jul 2014 12:21:40 -0400
> From: Chris Fowler <cfowler at outpostsentinel.com>
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: [ale] SSD speeds
> Message-ID: <53B43194.60806 at outpostsentinel.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> 
> Yesterday I received two systems we ordered and installed CentOS 6.5 on
> them.  I am ignorant of SSD speeds and these systems have 2 128gb/ea I'm
> running as RAID1 via mdtools. I'm amazed at the speed compared to the
> SATA II/III drives I've been using.
> 
> In the past we've used drives because we wanted space.  In this project
> I would be happy with a 20GB SSD so space is not an issue.  I decided to
> give it a try. I like them.
> 
> Are write speeds slower than standard drives?  Is there any reason I
> should not move forward with this model of using SSD in our systems vs
> real drives?
> 
> I do have a rant about CentOS 6.5 text install.  I've googled it and I
> understand why it is like this I just hate that I could do this in 5,
> but not 6.
> 
> I've installed many CentOS 5 systems around the world.  In some cases I
> need to reinstall them.  I may be going to an older Fedora system to
> CentOS.  Or I may have corruption.   I may even install new hardware.
> What I do is create a serial bootable CD.  I then place a device on the
> server's serial port, connect remotely to it, and have the customer boot
> the CD.  I can now install in text mode remotely.  If I'm working on a
> system that has already been loaded I'll copy vmlinuz and initrd.img to
> it, modify grub menu.lst and then boot that entry.
> 
> This works on CentOS 6 up until I get to partitioning disks.  You can
> not do custom partitioning any more via text.  I had to install the
> system in my lab last night via VNC.  This complicates these remote
> installs because I have to figure out a way to gain remote IP access.  I
> think the only solution is to create a kickstart file.  On a new system
> that the customer purchases I will need to know about the drives before
> I can create the file to partition them.  Forcing a graphical install
> just sucks and to me that is anti-server and pro-desktop.
> 
> Just my rant, ignore it. :)
> 
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Wed, 2 Jul 2014 17:28:09 +0000
> From: "Lightner, Jeff" <JLightner at dsservices.com>
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: Re: [ale] SSD speeds
> Message-ID:
> <040B89C8B1E1D945AE2700C511A039E9E72A58 at ATMEXDB04.dsw.net>
> Content-Type: text/plain; charset="us-ascii"
> 
> With appropriate budget and redundancy SSD will definitely outperform
> mechanical drives on both writes and reads.
> 
> The main issue with SSD deals with burn in where items stored in certain
> memory bits can't be written to again so over time the SSD can degrade.
> Most of the better manufacturers put in some sort of wear leveling to
> prevent this from being an issue soon.   So long as you have redundant
> systems under maintenance it isn't a major concern because if the disk can't
> be written to you can get it replaced.
> 
> We have a disk array with some 7 TB of SSDs (200 GB each) that we've been
> using since 2011 and have thoroughly enjoyed the performance we get for
> our main ERP database.  In fact with that array our main performance
> constraint was the cache the array itself has (as opposed to individual disks)
> was impeding writes to SSD because it was shared with the mechanical drives
> in the same array.   Luckily this array allowed for cache partitioning and we
> were quickly able to separate the cache used by the SSDs from that used by
> all the rest of the drives.
> 
> We also have bought a few of the FusionIO SSDs on HBA cards (rather than
> disk form factors) for specific workloads and they perform well also.   My only
> complaint is that we do NOT have redundant cards and when we made the
> mistake of using a single one as main data storage it overheated and fried the
> firmware chip.   Fusion's ID of support doesn't include 24x7 with local depots
> in major cities like Atlanta.   Just getting them to ship us a replacement on a
> Saturday via FedEx when we had that issue was like pulling teeth.   The moral
> is:
> -Either be sure that what you're using the non-redundant storage for is
> ephemeral (e.g. temporary files or temporary database space) you can
> afford to lose
> -OR-
> -Be sure to have redundancy (e.g. RAID1 by getting 2 or more of the SSDs).
> After the FusionIO event most of the reading I did suggested most folks
> using them ARE buying them in pairs.
> 
> We have also gotten a couple of Dell's recently with internal SSD "disks" but
> they're new enough that I can't say how good (or bad) they might be.   We
> did NOT get redundancy for those and I've already complained about these
> being single points of failure.
> 
> 
> 
> 
> 
> 
> 
> ------------------------------
> 
> 
> 
> End of Ale Digest, Vol 78, Issue 2
> **********************************
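The samba-list answer quoted at the top of this message separates two models: a proxy-account model, where the host reads the directory's password hashes and compares locally (so "getent shadow" as root shows real hashes for directory users, and anyone with local root can dump them), and a bind/compare model (SSSD), where the directory performs the check and the host only ever sees a yes/no. The script below is an added example, not code from any message in this thread: it is the check a host administrator would run to tell which model a box is actually using. It diffs the output of `getent shadow` against /etc/shadow, treats any user present only via NSS as a directory user, and reports those whose shadow field carries a real hash rather than a placeholder. The shadow lines at the bottom are constructed sample data; `audit_live_host` assumes a glibc host with `getent` and root access to /etc/shadow.

```python
"""Detect whether a host pulls LDAP password hashes down via NSS.

Proxy-account model : `getent shadow` returns real hashes for directory users.
Bind/compare model  : directory users show only a placeholder such as "*".
"""
import re
import subprocess

# Field values that carry no usable hash (locked/unset account, or an NSS placeholder).
PLACEHOLDERS = {"*", "!", "!!", "!*", "x", "", "*LK*", "*NP*"}
# crypt(3) prefixes: $1$ MD5, $2a/b/y$ bcrypt, $5$ SHA-256, $6$ SHA-512, $y$/$gy$ yescrypt
CRYPT_RE = re.compile(r"^\$(1|2[aby]?|5|6|7|y|gy)\$")
# OpenLDAP userPassword scheme prefixes, passed through verbatim by some NSS modules
LDAP_SCHEME_RE = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT|CLEARTEXT|PBKDF2[\w-]*)\}", re.I)
# Classic 13-character DES crypt
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Label a shadow password field: placeholder, crypt, ldap-scheme, des-crypt or unknown."""
    if field in PLACEHOLDERS:
        return "placeholder"
    if CRYPT_RE.match(field):
        return "crypt"
    if LDAP_SCHEME_RE.match(field):
        return "ldap-scheme"
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"


def parse_shadow(text):
    """Map user -> password field for shadow-format text (getent shadow or /etc/shadow)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def exposed_directory_hashes(getent_text, local_shadow_text):
    """Directory users (seen via NSS, absent from /etc/shadow) whose hash is readable.

    Returns a sorted list of (user, hash_kind). Empty means the host behaves like
    the bind/compare model; non-empty means hashes are being pulled down to the
    host, where anyone with local root can dump them.
    """
    nss = parse_shadow(getent_text)
    local = parse_shadow(local_shadow_text)
    exposed = []
    for user, field in nss.items():
        if user in local:
            continue  # local account; its hash legitimately lives in /etc/shadow
        kind = classify_hash(field)
        if kind != "placeholder":
            exposed.append((user, kind))
    return sorted(exposed)


def audit_live_host():
    """Run the check on this machine (assumes glibc getent; needs root to read shadow data)."""
    getent = subprocess.run(["getent", "shadow"], capture_output=True, text=True, check=False).stdout
    with open("/etc/shadow", encoding="utf-8") as fh:
        local = fh.read()
    return exposed_directory_hashes(getent, local)


# Constructed sample data: not real accounts or hashes.
LOCAL_SHADOW = (
    "root:$6$saltsalt$FAKEHASHFORILLUSTRATION:16600:0:99999:7:::\n"
    "daemon:*:16600:0:99999:7:::\n"
)
# Proxy-account model: the directory users' hashes come through NSS.
GETENT_PROXY_MODEL = LOCAL_SHADOW + (
    "alice:{SSHA}ZmFrZWhhc2hmb3JpbGx1c3RyYXRpb24=:16600:0:99999:7:::\n"
    "bob:$6$othersalt$ANOTHERFAKEHASH:16600:0:99999:7:::\n"
)
# Bind/compare model (SSSD): the same users show only a placeholder.
GETENT_BIND_MODEL = LOCAL_SHADOW + (
    "alice:*:16600:0:99999:7:::\n"
    "bob:*:16600:0:99999:7:::\n"
)

if __name__ == "__main__":
    print("proxy model:", exposed_directory_hashes(GETENT_PROXY_MODEL, LOCAL_SHADOW))
    print("bind model :", exposed_directory_hashes(GETENT_BIND_MODEL, LOCAL_SHADOW))
```

On a host configured the way the quote recommends (SSSD, bind/compare) the live audit returns an empty list; a non-empty list is the signal that the proxy account has read access to userPassword and the hashes are exposed to anyone with root on the client.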


