ROSA Linux Bugzilla – Bug 5187
Make sure Samba 4 provides full AD support
Last modified: 2016-09-28 11:57:50 MSD
> Zombie Ryushu 2015-03-17 00:54:02 MSK
It looks as if this build has AD Support compiled in, due to my existing OpenLDAP/Heimdal Kerberos/Samba Domain for now, I cannot provision a new Domain to see what the results will be. Anyone with the resources to do so should attempt to Provision a new Domain and see if the results are positive. Criteria for success:
A Fully functioning Samba 4 AD Should:
1. Provision an initial AD with samba-tool with rfc 2307 support and xattrs turned on.
2. the resulting AD should create an LDAP tree, a Kerberos KDC, and Samba server.
3. Create the Bind Flat Files for DNS SRV Detection of an AD with non-integrated look up zones.
4. kinit from either krb5-workstation should detect the Samba 4 AD as a valid Kerberos realm based on functioning DNS information and get a valid ticket.
5. LDAP search should return a Positive result when CN=Administrator at a bare minimum.
6. Samba should accept an NTLM Login from an instance of smbclient.
7. oLschema2ldif should be able to convert a Supplementary (not a core) LDAP Schema from OpenLDAP and survive a Restart of the service. (Schema extension can crash a service!)
8. Samba 4 must survive a Reboot.
Can I suggest a few extended tests? This may create uncover a few bugs of some packages.
1. You should be able to use LUMA to browse the tree and add attributes.
2.1. nslcd should be able to enumberate LDAP users and Groups from a Samba AD. pam_krb5 should be able to authenticate users. If this doesn't work, we have a problem, full stop.
2.2. libuser.conf should be able to bind to the ldap tree and use luseradd, lpasswd, and lusermod to modify the attributes of an existing Posix enabled AD account. Preferably using SASL. If this works, libuser enabled GUI Applications such as Userdrake, smf I think KDE, should enumerate LDAP accounts. There is a Pitfall listed below.
3. All Systems should be able to join the Domain with 'net ads join'
4. Samba should be able to extract local keytabs with samba-tool domain exportkeytab PATH_TO_KEYTAB or to workstations with net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights .
5. A Kerberized Application such as OpenSSH Should be able to use Kerberos authentication. (There are tests for FireFox with Apache, Cyrus IMAP, and PostFix) if OpenSSH is functioning, it should not ask for passwords or SSH Keys between Kerberized nodes.
5.1. Cyrus IMAP should be able to authenticate Thunderbird by clicking the GSSAPI Checkbox. Cyrus IMAP should be able to authorize the user using LDAP, and Authenticate the user using Kerberos.
5.2. FireFox should be able to Authenticate to a Kerberized Instance of Apache. This test is interesting because Apache uses a different keytab from the local system keytab /etc/krb5.keytab. Also a change is needed in FireFox's about:config to enable this behaviour. The Network Monitoring application Nagios is a good candidate for this. It uses HTTP Authentication.
5.3 Import of the OpenSSH LPK Schema into Samba 4's AD LDAP storage for nodes that cannot use Kerberos due to NAT. This will let you store OpenSSH Keys in LDAP.
6. Sudoer should be able to be enumerated from Samba 4. on all Domain workstations.
7. An install of OwnCloud should be able to authenticate users.
8. adtool should be able to modify extended Attributes of AD users.
9. FreeRadius should be able to authenticate a user or a Computer using LDAP, or Samba's NTLM Mechanism ntlm_auth. NTLM Auth is an integral part of the MS-CHAPv2 protocol used in PEAP, which is used by 802.1X Enabled Wireless Access Points and certain types of PPTP. This requires the FreeRadius LDAP Schema to be imported into Samba 4. As well as FreeRadius Attributes to be applied to Samba 4 Users using adtool, or luma.
10. eGroupware 14.2 should be able to Authenticate and modify LDAP accounts in Samba 4, no egroupware EPL Package exists in Rosa. So you will have to use OpenSuse RPMs or install from Source Tar. See Warnings about eGroupware 1.8 Below!
11. Bind Flat Files should be able to be modified by Samba 4.
- Samba 4.1 AD and OpenLDAP conflict and have definitions one attribute: homeDirectory. homeDirectory in OpenLDAP is for the Posix Home Directory of /home/user while AD uses it for the Windows UNC path: \\Server\user and uses unixHomeDirectory as the Posix Home Directory of /home/user. nslcd can make a mapping but libuser cannot. (Unless a Patch is applied to the Source Code.). No other attribute like this Clash.
- Do NOT under any circumstance use eGroupware 1.8 with Samba 4.x. It will begin deleting accounts due to its LDAP Management behaviour as soon as the Administrator begins editing them. You must use 14.2.
- Due to the fact that in Rosa has Bind is in a Chroot, you cannot use the Bind DLZ with Samba 4.
- Always create a user with Samba-tool first, then use luseradd, lusermod, lpasswd to modify whatever attributes are required for Posix users. To not do so will cause Samba 4 to create Object Class Violations as such an account wuld not have the inetOrgPerson Attribute or sAMAccount Attribute.
Okay so I found out that dhcpd 4.3 Supports the storage of DHCP Leases in LDAP. It has a more advanced Schema with more attributes. It also supports GSSAPI. This is something else that could be stored in Samba 4.x. in AD ISC DHCP servers are considered "rogue". The issue is that up until now, multiple DHCP servers could not coordinate their lease data and now they can. I'll be filing a bug about this. But this plays into hte Samba DLZ issue with how securely zone updates can be transferred from Samba 4 to Bind.
There should be support for users-shares too. So that user could be able to share directories through Dolphin easily and effectively. Just pointing out to keep it in mind.
*** Bug 4627 has been marked as a duplicate of this bug. ***
Should I mark this bug resolved?