

Messages - bufke

1
Installation and Upgrades / Re: Samba and managing ACL
« on: October 04, 2013, 09:49:27 pm »

2
Installation and Upgrades / Samba and managing ACL
« on: October 04, 2013, 05:18:41 pm »
Hello,

I see on Zentyal 3.2 this change:
Ignore system ACLs for samba shares, use libsamba-perl library instead.

Are system level ACLs not supported at all now? Is there some new method to micromanage permissions? The Zentyal gui does not appear capable of micromanaging sub directory permissions.

I see there is still in /etc/zentyal/samba.conf
unmanaged_acls = yes
To me, this implies it's OK to set the ACLs manually and in 3.0 this worked fine.

I might suggest adding this ACL change to the release notes. This could really cause disruption for someone upgrading from 3.0 and unaware.

3
Is it possible to test upgrades from 3.0?

4
Quote
I really don't understand what "emulating Windows on both server and client" could mean. If you can elaborate on this, it would be very interesting.
Tell me too why you feel PAM to be painful. If you compare to Kerberos, PAM is very very easy 

The "Windows" way is Active Directory. Samba4 provides an Active Directory service.

PAM = Pluggable Authentication Module. Whether you use winbind (samba) or local authentication you are using PAM. pam_ldap I found to be painful to set up. You can read about my experiences on my blog if you are interested. http://davidmburke.com/2012/04/26/ubuntu-12-04-deployment-with-active-directory/

Hopefully I'll be getting some government funding (I work for a school in America) to purchase Zentyal Support. My main interest in Zentyal is it's free as in freedom. Unlike Active Directory I could very easily replicate one client's set up without thinking about license fees. For just one client, I've found the cost of Zentyal vastly higher than Active Directory.

Here is my WIP migration script. It's unfinished and you should assume it will break everything and kill your dog. https://gist.github.com/bufke/4490120 The idea is to get the hashes out of Zentyal 2.2 and insert them in 3.0 in Samba LDAP and OpenLDAP. It supports only simple authentication, not Kerberos. It also will ensure IDs match, which is very important.

5
Quote
One question however: as 2.2 fits your needs, why would you need to migrate toward 3.0 ?

Because I hope my client will still exist after Ubuntu 10.04 support ends.

A Windows-like landscape is fine with me if it works. Emulate Windows on both server and client. Why not? pam_ldap is a pain to set up. Kerberos is useful. Playing around with it myself, I'm sure it is a pain for the Zentyal team. I think more could have been done though.

6
I work at a school and will wait till summer break as I think this process is dangerous.

In a proof of concept I was able to get a hacky solution together. I don't have it all documented well and it's a temporary solution. My plan is to migrate what I can including passwords for simple samba and ldap authentication (but not kerberos). Then give people a deadline to reset their password to make kerberos work too. After that deadline I'll remove my hacks which include changes to zentyal ldap settings which are probably not upgrade safe.

If you want to work on it you could email me at david at burkesoftware dot com. I do have python scripts that do migrate passwords and other user data. Might be good to have you test them out yourself in a non production environment of course.

I don't have decent enough notes to publish a guide right now. What exactly are you looking to migrate? Passwords? How do your clients connect? A big issue with me is I use pam_ldap to authenticate and they changed a lot of stuff about ldap in 3.0. Even the port is different. If you are using Windows clients I suspect it would be much easier but I haven't tested this.

7
Yea I'm still trying to plan my migration. Their old desktop debian package would set up pam_ldap for you but in 3.0 it's not compatible because they changed the ldap port, restricted anon searching, and do groups in a very different schema. So even if I redid the entire zentyal server I would have to change each and every client too. I'm no longer recommending Zentyal as a reasonable alternative to AD though. Hope to have a real migration guide for you all soon. I don't use Zarafa though so you are on your own with that. Good to know I should never consider it.

8
Installation and Upgrades / Re: Samba4 idmap
« on: January 11, 2013, 04:34:12 am »
I'm exploring this topic myself. In my case I need to get my Zentyal 2.2 IDs into 3.0. I have yet to come to a full conclusion.

There is another place to look. Use ldapsearch with the settings in Users and Groups, LDAP settings. Use port 390 instead of the standard 389. There are two LDAP schemas, one for Samba4 and another for OpenLDAP. I would suspect the uidNumbers you are after are in OpenLDAP. uidNumber of the user and gidNumber of the groups are most likely the only ones that matter. Try changing them.

9
Ok samba guide. This does not include kerberos just basic samba authentication. Please note this is a proof of concept, I haven't tried this in production and neither should you without sufficient testing.

Get a list of uid and SambaNTPassword from Zentyal 2.2 as described in the above ldap guide.

I used Python since we need to manipulate the hash a bit. Execute this on the 3.0 server. Fill in the username, password, and domain, of course.

Code:
import base64
import binascii
import subprocess

# Domain partition of sam.ldb; the backslash keeps the shell from treating '=' specially
sam_file = r"/var/lib/samba/private/sam.ldb.d/DC\=DOMAIN.ldb"
user_dn = "CN=<username goes here>,CN=Users,DC=domain"
# sambaNTPassword from the 2.2 OpenLDAP: the 16-byte NT hash as 32 hex characters
ldap_samba_nt_password = "<SambaNTPassword goes here>"
# unicodePwd holds the same 16 bytes; LDIF wants them base64-encoded ("::" syntax).
# .decode() so Python 3 does not splice "b'...'" into the LDIF
b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password)).decode("ascii")

# The local_oid control is Samba's bypass-password-hash control: it makes the
# password_hash module store unicodePwd as given instead of hashing it as cleartext
cmd = """ldbmodify -H %s --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<EOF
dn: %s
changetype: modify
replace: unicodePwd
unicodePwd:: %s
EOF""" % (sam_file, user_dn, b64_hash)
subprocess.call(cmd, shell=True)

You can test with smbclient.

I'll probably improve the script to handle a big list of users and passwords. Is there any reason this isn't a good migration strategy? If users weren't using kerberos before, why would they miss it with 3.0? And if they want it they can just change their password at their leisure.

A Linux client with pam_ldap who is mounting samba shares should never notice the change (in theory). I'm less sure about Windows clients, will they attempt to use kerberos and then fail?

10
Ok so LDAP password migration is not so bad. This doesn't include Samba!

1. In your 2.2 ldap server you need to get the userPassword attributes for all users. You can find gui tools or do cli like:
ldapsearch -D 'cn=ebox,dc=domain,dc=org' -w 'password_from_ldap_settings' -b 'dc=domain,dc=org'
That dumps out everything but what you want is the uid and userPassword. Keep in mind userPassword is a base64 of the hash.

2. Import your users as the guide suggests. Now they have bad passwords.

3. Decode passwords like this

echo crazy_base64_thing_you_got_from_ldapsearch | base64 -d

This decodes it but it's still a hash. It should start with something like {SHA} but could be some other type of hash depending on your setup.

4. Use ldapmodify on the 3.0 server to set the userPassword. By default the userPassword is just a base64 of {K5KEY}, which isn't the password at all. I'm guessing it's just saying "use Kerberos"?
To do this make a ldif file like

dn: uid=username_here,ou=Users,dc=domain
changetype: modify
replace: userPassword
userPassword: {SHA}fdslfjdsffljsdfljsdfll

where userPassword is what you did base64 -d to. Run it like

ldapmodify -D 'cn=zentyal,dc=domain' -w 'password_from_ldap_settings' -p 390 -h yourhostname -f your_file.ldif

Verify it worked by running the ldapsearch command like you did in 2.2.

Now users can log into User's Corner, use pam_ldap, any other systems that depend on the ldap auth backend. In User's Corner people could change their own passwords and it updates everything! But this still sucks and forcing all employees to reset passwords is a great way to make people hate you.

I'll play with Samba and report back. Maybe I'll even make a script.
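Putting the two halves of the thread together, the unicodePwd step from the Samba post above and the userPassword steps in this post, here is an added example that is not code from bufke's posts or from Zentyal. It parses a 2.2 ldapsearch dump, produces one LDIF for the 3.0 OpenLDAP (userPassword, for ldapmodify on port 390) and one for sam.ldb (unicodePwd, for ldbmodify with the same local_oid control), and refuses to emit a unicodePwd for any user whose sambaNTPassword is not a 32-character hex NT hash, so a garbage value never lands in sam.ldb. The sample dump is constructed (the one real-looking value is the well-known NT hash of the string "password"); the Samba-side DN layout CN=<login>,CN=Users,DC=domain is assumed from the earlier post, and the base DNs are placeholders.

```python
import base64
import binascii
import re

# Constructed sample of a Zentyal 2.2 `ldapsearch -b 'dc=domain,dc=org'` dump (values made
# up; the NT hash is the well-known hash of "password"). ldapsearch prints userPassword
# base64-encoded ("::") and sambaNTPassword as 32 hex chars. bob's NT hash is deliberately bad.
ALICE_USERPASSWORD = "{SSHA}c29tZXNhbHRlZGhhc2hmb3JhbGljZQ=="  # constructed
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=Users,dc=domain,dc=org
uid: alice
userPassword:: {base64.b64encode(ALICE_USERPASSWORD.encode()).decode()}
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C

dn: uid=bob,ou=Users,dc=domain,dc=org
uid: bob
userPassword: {{CRYPT}}$6$notreal
sambaNTPassword: ZZZZ

dn: cn=staff,ou=Groups,dc=domain,dc=org
cn: staff
gidNumber: 3001
"""
NT_HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; unfolds continuation lines and decodes 'attr::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line:                          # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def nt_hex_to_unicodepwd(hex_hash):
    """sambaNTPassword (32 hex chars) -> unicodePwd value: the same 16 bytes, base64-encoded."""
    if not NT_HASH_RE.match(hex_hash):
        raise ValueError("not a 32-character hex NT hash: %r" % hex_hash)
    return base64.b64encode(binascii.a2b_hex(hex_hash)).decode("ascii")


def unicodepwd_to_nt_hex(b64_value):
    """Reverse direction, for comparing what ended up in sam.ldb with the 2.2 value."""
    return binascii.b2a_hex(base64.b64decode(b64_value)).decode("ascii").upper()


def ldif_attr(name, value):
    """'name: value', or 'name:: base64' when the value is not LDIF-safe (RFC 2849)."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode()).decode("ascii"))


def build_ldifs(entries, ldap_base="dc=domain", samba_base="DC=domain"):
    """Return (openldap_ldif, samba_ldif, skipped): the first for `ldapmodify -p 390`
    (userPassword), the second for `ldbmodify` on sam.ldb with the bypass-password-hash
    control (unicodePwd). Users with a malformed NT hash go to `skipped`, not to sam.ldb."""
    openldap, samba, skipped = [], [], []
    for entry in entries:
        if "uid" not in entry:                # groups and other objects carry no password
            continue
        uid = entry["uid"][0]
        if "userPassword" in entry:
            openldap.append("dn: uid=%s,ou=Users,%s\nchangetype: modify\nreplace: userPassword\n%s\n"
                            % (uid, ldap_base, ldif_attr("userPassword", entry["userPassword"][0])))
        if "sambaNTPassword" in entry:
            try:
                b64 = nt_hex_to_unicodepwd(entry["sambaNTPassword"][0])
            except ValueError as exc:
                skipped.append((uid, str(exc)))
                continue
            # Assumption (as in the earlier post): the 3.0 user object is CN=<login>,CN=Users
            samba.append("dn: CN=%s,CN=Users,%s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n"
                         % (uid, samba_base, b64))
    return "\n".join(openldap), "\n".join(samba), skipped
```

Run `build_ldifs(parse_ldif(dump))` on the 3.0 server with the real dump, write the first string to a file for `ldapmodify -D 'cn=zentyal,dc=domain' -w 'password_from_ldap_settings' -p 390 -h yourhostname -f userpassword.ldif` and the second to a file for `ldbmodify -H /var/lib/samba/private/sam.ldb.d/DC\=DOMAIN.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 unicodepwd.ldif`, and look at `skipped` before declaring the migration done. The real check is still a login with smbclient; unicodepwd_to_nt_hex is only there to compare a unicodePwd value read back out of sam.ldb with the 2.2 sambaNTPassword.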

11
Nice, but can't migrate passwords? Unless your deployment is trivial that's a pretty big deal. I would think one could copy over the hashes manually.

http://lists.samba.org/archive/samba-technical/2012-June/084758.html

Quote
The unicodePwd appears to be same hash as for sambaNTPassword in
samba3 ldap just using base 64 encoding rather than direct hex
printing of the value previously.

So copy the Samba NT password to the samba 4 ldap schema then copy userPassword for plain old ldap. Has anyone tried this? Am I missing something? I'll see if I can do this next week.

Of course if LM passwords are enabled (which is default) you can just use rainbow tables, yay security. Sadly I don't have LM passwords for all my users.

12
Installation and Upgrades / Re: Authentication against Zentyal
« on: November 05, 2012, 02:25:03 am »
To clarify - Zentyal 3.0 uses Samba 4, which should be compatible as an Active Directory server. So any product that authenticates against AD should (in theory) work with Zentyal. It sounds very silly simulating Windows in both the server and client, but you are already doing this with Samba file shares.

You have many options for Linux authentication and they are all (IMO) very hard to set up and incomplete. I think the easiest would be to use Likewise Open. Even though it's suggested for MS Active Directory, it should still work with Zentyal.

Alternatives would include
pam_ldap https://help.ubuntu.com/community/LDAPClientAuthentication
winbind https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
Centrify

The hard part comes with deciding how to do stuff like offline files and cached credentials. Likewise Open will take care of cached credentials for you, which is one reason I suggest it over other options.

Hope that helps you.

13
Installation and Upgrades / Re: Zentyal + Google app sync
« on: November 05, 2012, 02:17:34 am »
I do Zentyal with google apps sync. It does work. hardcoreuk have you checked the "LDAP settings" in Zentyal under user and groups? You need to use that, not just a user you made.

Passwords are very hard. I wasn't able to get them to work out of the box even though Zentyal can store whatever type of hash you want in LDAP. I ended up using the Google Apps provisioning API. Sorry, there is no easy answer for password sync.

14
Installation and Upgrades / Re: Authentication against Zentyal
« on: October 26, 2012, 05:43:59 pm »
I wrote a how-to for Ubuntu with Active Directory. It should apply here, or at least be a starting point. I've done it the pam_ldap way too. It's very time consuming getting all the details down (cached credentials, proper share drives mounting, etc.).

http://davidmburke.com/2012/04/26/ubuntu-12-04-deployment-with-active-directory/

As you can read I've had many issues and found it a time consuming task. But I'm a cynical person. Good luck!
