Friday, 2 November 2012

Bind users for PAM, Samba and Kerberos on Ubuntu 12.04

At this moment the ACL of our OpenLDAP server is the following (the first line is the command, the rest is its output):
sudo ldapsearch -Q -LLL -Y EXTERNAL -b cn=config '(olcDatabase={1}hdb)' olcAccess
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=
 admin,dc=itthon,dc=cucc" write by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax by self write by dn="cn=admi
 n,dc=itthon,dc=cucc" write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by *
  read
Those by * read clauses do not look too nice: everything in the tree except the passwords can be read by anyone who can reach the server, without binding at all. We change this, and a few other things, today.
(This article is also available in Hungarian.)
You might remember that when we installed the LDAP client we answered the following question:
Does the LDAP database require login? No
Well, we did not really mean it :)
Edit the file /etc/ldap.conf on the client (the libnss-ldap/libpam-ldap one, not /etc/ldap/ldap.conf) and insert two lines:
binddn cn=pamproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc
bindpw bigsecret
Keep in mind that this file has to be readable by every process that looks up users through NSS, so it is world-readable and the bindpw is visible to every local user of the client. That is why it gets a dedicated proxy user with read-only rights and never the admin password.
On the LDAP server create two files. Content of serviceaccountsou.ldif :
dn: ou=serviceAccounts,dc=itthon,dc=cucc
objectClass: top
objectClass: organizationalUnit
ou: serviceAccounts
description: unreal users
Add it to LDAP (-w puts the admin password into your shell history and the process list; -W prompts for it instead):
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f serviceaccountsou.ldif
Content of pamproxyuser.ldif:
dn: cn=pamproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: pamproxyuser
userPassword: bigsecret
description: proxyuser PAM ldap bind
Add it to LDAP:
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f pamproxyuser.ldif
On a production server do not put the password into the LDIF in clear text: generate a salted hash with
slappasswd -s bigsecret
and use its output (an {SSHA}... string) as the value of userPassword. Running slappasswd without -s makes it prompt for the password instead of leaving it in your shell history. Simple binds keep working with a hashed userPassword, since slapd hashes the presented password and compares the result.

So we now have an account whose password ages, because the password policy on my system says so. A service account must not expire under us, so we create a second policy whose passwords never expire (it sets no pwdMaxAge, and 0 means no aging). Create the file ppolicy_no_password_aging.ldif:
dn: cn=NoPasswordAgingPPolicy,ou=Policies,dc=itthon,dc=cucc
cn: NoPasswordAgingPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: FALSE
pwdLockout: FALSE
Add it to LDAP:
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f ppolicy_no_password_aging.ldif
And modify pamproxyuser too: add the attribute pwdPolicySubentry with the DN of the policy above as its value, otherwise the default policy keeps applying to it.

So far so good. The only thing left is to modify the ACL. Here we have the acl.ldif (different code formatting due to the outage of my favorite tohtml.com and using http://w-i-k-i.appspot.com instead):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=itthon,dc=cucc" write by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax by self write by dn="cn=admin,dc=itthon,dc=cucc" write by users read
olcAccess: {2}to dn.base="" by users read
olcAccess: {3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by users read
Instead of * we now use users, which means only clients that have bound as some user (anonymous binds excluded) can read. The anonymous auth clause on userPassword stays, because a simple bind needs it to compare the presented password. One caveat: this also hides the root DSE (dn.base="") from anonymous clients, and SASL clients read supportedSASLMechanisms from it before they bind; if such a client breaks, put that single entry back to by * read.
Add it to LDAP:
sudo ldapmodify -Y EXTERNAL -f acl.ldif
And it should be okay.
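The difference between the two ACL sets is easier to see mechanically. The following added example (not code from the original post) parses olcAccess directives far enough to report which of them let an anonymous bind read something, and what the directive covering userPassword grants anonymous (it has to be exactly auth). The two ACL sets are the before and after from this post; the parser follows slapd.access(5) syntax but deliberately evaluates each directive on its own and treats break/continue like stop, which is enough for a review but is not a full slapd access simulation.

```python
"""Audit OpenLDAP olcAccess directives for anonymous exposure.

Added example; not from the original post. Parses the 'to <what> by <who>
<access> [<control>] ...' syntax of slapd.access(5) and asks two questions
of an ACL set: which directives give an anonymous bind read or better, and
what the userPassword directive grants anonymous. The two ACL sets are the
"before" and "after" shown in the text.
"""
import re
import shlex

# slapd.access(5) access levels, weakest first.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "continue", "break"}
ROOT_DSE = "dn.base="  # shlex strips the empty quotes from dn.base=""

ACL_BEFORE = [
    '{0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=itthon,dc=cucc" write by * none',
    '{1}to attrs=shadowLastChange,shadowMax by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read',
    '{2}to dn.base="" by * read',
    '{3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read',
]
ACL_AFTER = [
    '{0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=itthon,dc=cucc" write by * none',
    '{1}to attrs=shadowLastChange,shadowMax by self write by dn="cn=admin,dc=itthon,dc=cucc" write by users read',
    '{2}to dn.base="" by users read',
    '{3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by users read',
]


def parse_directive(value):
    """Split one olcAccess value into (what, [(who, level, control), ...]).

    shlex keeps quoted DNs together, so dn="cn=admin,..." stays one token.
    A <by> clause without an access level (the 'by * break' idiom) grants none.
    """
    value = re.sub(r"^\{\d+\}", "", value.strip())  # drop the {n} ordering prefix
    tokens = shlex.split(value)
    if not tokens or tokens[0] != "to":
        raise ValueError("directive must start with 'to': %r" % value)
    parts, cur = [], []
    for tok in tokens[1:]:
        if tok == "by":
            parts.append(cur)
            cur = []
        else:
            cur.append(tok)
    parts.append(cur)
    what = " ".join(parts[0])
    clauses = []
    for seg in parts[1:]:
        who = seg[0]
        level = next((t for t in seg[1:] if t in LEVELS), "none")
        control = next((t for t in seg[1:] if t in CONTROLS), "stop")
        clauses.append((who, level, control))
    return what, clauses


def access_for(clauses, subject):
    """Level the first matching <by> clause grants `subject` ('anonymous' or 'users').

    Only generic selectors count: a plain authenticated user is not 'self',
    not the admin DN and not in any group, so those clauses are skipped.
    """
    matches = {"anonymous": {"*", "anonymous"}, "users": {"*", "users"}}[subject]
    for who, level, _control in clauses:
        if who in matches:
            return level
    return "none"  # slapd's implicit trailing 'by * none'


def anonymous_readable(acl):
    """<what> of every directive under which an anonymous bind gets read or
    better, ignoring the root DSE, which clients may legitimately read."""
    found = []
    for value in acl:
        what, clauses = parse_directive(value)
        if what == ROOT_DSE:
            continue
        if LEVELS.index(access_for(clauses, "anonymous")) >= LEVELS.index("read"):
            found.append(what)
    return found


def userpassword_anonymous_level(acl):
    """What anonymous gets on the first directive whose attrs= list names
    userPassword; 'auth' is the only right answer for simple-bind setups."""
    for value in acl:
        what, clauses = parse_directive(value)
        for token in what.split():
            if token.startswith("attrs=") and "userPassword" in token[6:].split(","):
                return access_for(clauses, "anonymous")
    return "none"


if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(name, "anonymous read:", anonymous_readable(acl),
              "| userPassword for anonymous:", userpassword_anonymous_level(acl))
```

Paste the olcAccess values from the ldapsearch at the top of this post into a list and run it before and after an ACL change: the "before" set reports the shadow attributes and the whole tree as anonymously readable, the "after" set reports nothing, and both still give anonymous exactly auth on userPassword.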

Samba.
So far in smb.conf you had an entry like:
ldap admin dn = cn=admin,dc=itthon,dc=cucc
That is the user whose password we stored with sudo smbpasswd -W. Change it to:
ldap admin dn = cn=sambaproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc
Then add sambaproxyuser (just like the PAM user before), not forgetting the non-aging password policy, and store its password with sudo smbpasswd -W again (the secret in secrets.tdb is keyed by the admin DN, so the old one does not carry over). And then:
sudo service smbd restart

Create the file GONsambaAdmins.ldiff, which defines a group of object class groupOfNames:
dn: cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc
objectClass: groupOfNames
objectClass: top
cn: GONsambaAdmins
description: Samba Admins
member: cn=placeholder
We need a groupOfNames group because its member attribute holds DNs, so the ACL can test membership with group.exact (a posixGroup's memberUid holds only names). I learned this a long time ago. The placeholder is needed because a groupOfNames cannot exist without at least one member (member is a mandatory attribute).
Add it to LDAP:
ldapadd -D cn=admin,dc=itthon,dc=cucc -w secret -f GONsambaAdmins.ldiff
When the group is ready, add sambaproxyuser as a member, then look at this ACL (ziesemer.ldiff, after the blog posts linked at the end):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by group.exact="cn=GONldapAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {1}to dn.one="dc=itthon,dc=cucc" filter=(objectClass=sambaDomain) by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {2}to attrs=@sambaSamAccount,userPassword by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {3}to dn.subtree="ou=People,dc=itthon,dc=cucc" attrs=userPassword by self write by * break
olcAccess: {4}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by self read by anonymous auth by * none
olcAccess: {5}to * by users read
Make it happen:
sudo ldapmodify -Y EXTERNAL -f ziesemer.ldiff
(I know, I know... there is no GONldapAdmins group. Yet. A group.exact clause naming a group that does not exist simply matches nobody.)

When you try to log on from Windows you are kept out (bad password, of course). Syslog comes in handy, if we help it a bit. First modify the LDAP log level so that ACL decisions are logged. Here is the file logging.ldif:
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats acl
The command that does the modifying:
sudo ldapmodify -Y EXTERNAL -f logging.ldif
Second, turn off rate limiting in rsyslog, otherwise most of the acl lines are dropped. In the file /etc/rsyslog.conf insert:
$SystemLogRateLimitInterval 0
followed by the command
sudo service rsyslog restart
And here I found out what went wrong.
The unsuccessful queries are preceded by these lines:
ubuserver slapd[1061]: conn=1167 fd=47 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
ubuserver slapd[1061]: conn=1167 op=0 BIND dn="" method=128
But who on earth binds with an empty name (dn="")? Is that Samba? I thought so at first, but the bind arriving over ldapi gave me the clue: the server machine is itself an LDAP client, and in its own /etc/ldap.conf I had forgotten to set up the PAM proxy user, so its lookups were binding anonymously. After changing that setting everything was fine.
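The correlation done by hand above (ACCEPT tells you where a connection came from, BIND what DN it presented, RESULT for the same op whether slapd accepted it) is worth automating when the log is busy. The following added example (not code from the original post) does that over constructed log lines written in the format of the two real lines quoted above, with the syslog host prefix dropped; the connection numbers, IPs and the extra connections are made up for illustration. method=128 is a simple bind, so dn="" method=128 is a true anonymous bind; a SASL bind (method=163, for example the -Y EXTERNAL binds from the root shell) also starts with dn="" and is therefore not flagged.

```python
"""Find anonymous and failed binds in slapd 'stats' log lines.

Added example; not from the original post. SAMPLE_LOG is constructed in
the format of the two real log lines quoted in the text (syslog host prefix
stripped). Each connection is keyed by conn=N: ACCEPT tells where it came
from, BIND what DN it presented, and the RESULT for the same op number
whether the server accepted it.
"""
import re

SAMPLE_LOG = """\
slapd[1061]: conn=1167 fd=47 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
slapd[1061]: conn=1167 op=0 BIND dn="" method=128
slapd[1061]: conn=1167 op=0 RESULT tag=97 err=0 text=
slapd[1061]: conn=1167 op=1 SRCH base="ou=People,dc=itthon,dc=cucc" scope=2 deref=0 filter="(uid=alice)"
slapd[1061]: conn=1167 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[1061]: conn=1168 fd=48 ACCEPT from IP=192.168.1.20:49152 (IP=0.0.0.0:389)
slapd[1061]: conn=1168 op=0 BIND dn="cn=sambaproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc" method=128
slapd[1061]: conn=1168 op=0 RESULT tag=97 err=0 text=
slapd[1061]: conn=1169 fd=49 ACCEPT from IP=192.168.1.77:50011 (IP=0.0.0.0:389)
slapd[1061]: conn=1169 op=0 BIND dn="cn=pamproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc" method=128
slapd[1061]: conn=1169 op=0 RESULT tag=97 err=49 text=
slapd[1061]: conn=1170 fd=50 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
slapd[1061]: conn=1170 op=0 BIND dn="" method=163
slapd[1061]: conn=1170 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
slapd[1061]: conn=1170 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
slapd[1061]: conn=1170 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from (\S+) ")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = bindResponse

SIMPLE_BIND = "128"  # LDAP simple bind; 163 is SASL


def parse_binds(log_text):
    """One record per BIND: dict(conn, op, source, dn, method, err).

    err stays None when no bindResponse for that op was seen in the input.
    """
    sources = {}
    binds = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            sources[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            binds[(conn, op)] = {"conn": int(conn), "op": int(op),
                                 "source": sources.get(conn, "?"),
                                 "dn": dn, "method": method, "err": None}
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in binds:
            binds[(m.group(1), m.group(2))]["err"] = int(m.group(3))
    return list(binds.values())


def anonymous_binds(log_text):
    """(conn, source) of every anonymous simple bind. In this setup that is a
    client whose /etc/ldap.conf lacks binddn/bindpw; a PATH= source means a
    process on the LDAP server itself."""
    return [(b["conn"], b["source"]) for b in parse_binds(log_text)
            if b["dn"] == "" and b["method"] == SIMPLE_BIND]


def failed_binds(log_text):
    """(conn, dn, err) of binds slapd rejected; err=49 is invalidCredentials."""
    return [(b["conn"], b["dn"], b["err"]) for b in parse_binds(log_text)
            if b["err"] not in (None, 0)]


if __name__ == "__main__":
    print("anonymous simple binds:", anonymous_binds(SAMPLE_LOG))
    print("failed binds:", failed_binds(SAMPLE_LOG))
```

Run it against grep slapd /var/log/syslog instead of SAMPLE_LOG: an anonymous simple bind from PATH=/var/run/slapd/ldapi is exactly the symptom described above, and the search on that connection then comes back with err=0 but nentries=0, because by users read hides the entries rather than refusing the query.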

So now the Kerberos.
Keep a root shell open the whole time (a typo can make slapd segfault or lock you out of cn=config).
Create a GONkerberosAdmins group
Create a kerberosproxyuser serviceAccount
Set a non-aging password
Put the user in the group just created
Store the password for Kerberos in the stash file named by -f:
sudo kdb5_ldap_util -D cn=admin,dc=itthon,dc=cucc stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kerberosproxyuser,ou=serviceAccounts,dc=itthon,dc=cucc
Edit the file /etc/krb5.conf: change the entries ldap_kdc_dn and ldap_kadmind_dn (in the [dbmodules] section) to the DN of kerberosproxyuser.
Define the new ACL (note that directive {1} has no by * break, so the implicit by * none that closes every directive applies: nobody outside the Kerberos admins group can even read cn=krbcontainer, and the later by users read never reaches it):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by group.exact="cn=GONldapAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {1}to dn.subtree="cn=krbcontainer,dc=itthon,dc=cucc" by group.exact="cn=GONkerberosAdmins,ou=Groups,dc=itthon,dc=cucc" write
olcAccess: {2}to dn.one="dc=itthon,dc=cucc" filter=(objectClass=sambaDomain) by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {3}to attrs=@sambaSamAccount,userPassword by group.exact="cn=GONsambaAdmins,ou=Groups,dc=itthon,dc=cucc" write by * break
olcAccess: {4}to dn.subtree="ou=People,dc=itthon,dc=cucc" attrs=userPassword by self write by * break
olcAccess: {5}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by self read by anonymous auth by * none
olcAccess: {6}to * by users read
Restart the servers:
sudo service krb5-kdc restart
sudo service krb5-admin-server restart
And ready.
May I have a drink?:)

Further reading:
http://blogger.ziesemer.com/2010/12/linux-client-authentication-ldap-pam.html
http://blogger.ziesemer.com/2011/01/ldap-authentication-for-samba.html
http://stackoverflow.com/questions/8121980/openldap-memberof-overlay-configuration-in-ubuntu-11-04
http://simon.kisikew.org/documentation/ldap/sampleacls/
http://www.linuxtopia.org/online_books/network_administration_guides/ldap_administration/slapdconf2_Access_Control.html
