Security :: Setup A Kerberos + OpenLDAP Server To Manage Users For Our Samba Shares
Feb 13, 2011
Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.
I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.
When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.
View 3 Replies
ADVERTISEMENT
Jul 17, 2010
Is it possible to secure samba server with kerberos? I want to know whether we can use kerberos authentication to secure samba user name and password so that mo one can sniff that information. configuration or any URL link from I can get the exact configuration.
View 1 Replies
View Related
Feb 19, 2010
I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.
1. When i create the users in OpenLDAP i use a template that i created by reading documentation from the Internet. In the template one piece of information that is neede is the UID. Is there any clever way the keep track of the numbers so i do not assign the same UID to two users, besides using a pen and paper?
2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is is possible to replace client with something genric so i do not need to mange these keytab files between the hosts?
3. Users will be logging on the the server on the edge of LAN by using SSH keys. How can i configure the setup so the users will recieve a ticket automatically when the logon without executing kinit and without entering a password, just by having a valid SSH key?
4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?
View 2 Replies
View Related
Dec 4, 2010
Still new to Linux and especially samba. I have setup samba for 2 shares, will list below shares. 1 which requires a login and 1 temp folder which I would like guest access to. Currently I have security = user which works great for the data folder which requires a login. If I try to access temp I get asked for a user name and password as well. I tried to set security = share which then allowed access to temp with out a login but also allowed access to the data folder. From the data folder I emoved public = yes. I then get asked for a user name and password like I should but the system will not accept it. This is a Centos 5.5 server with a mail server on it.
[data]
comment = Data Folder
path = /home/data/
public = yes
writable = yes
browseable = yes
printable = no
avaliable = yes
write list = glenn,
force create mode = 0660
force directory mode = 0770
[temp]
comment = temp folder
path = /home/temp/
public = yes
writeable = yes
browseable = yes
guest ok = yes
guest only = yes
guest account = nobody
available = yes
force user = nobody
force group = nobody
View 1 Replies
View Related
Sep 24, 2010
I'm trying to setup two samba shares on ubuntu server 10.04.1 lts x64
The first is a Read-Only share for windows users that doesn't require a password. This i've managed to do so far.
The second is a Password protected Upload share. So far I am able to have both shares (which access the same directory) but am unable to log in to the pass word protected share.
I know i'm not doing things quite right, and would like a little bit of help
The smb.conf file is the default ubuntu file with these added shares:
Code:
[NAS]
Comment = Network Attached Storage
path = /media/RAID/NAS
browseable = yes
[Code].....
View 5 Replies
View Related
Sep 11, 2010
I have setup a Centos5.5 VMWare guest with Samba and Winbind for Active Directory integration, using GUI tools. Authentication works flawlessly, with automatic home directory creation. What I want to achieve now is using local UNIX groups to controll access to shared folders, to avoid bothering AD administrators with groups management. This is my smb.conf global section:
workgroup = COGITANS
password server = domainserver.hq.cogitans.it
realm = HQ.COGITANS.IT
security = ads
[code]....
'finance' is a local UNIX group where I added user 'COGITANSalberto' (I also tried with 'alberto') as a secondary group (primary group is 'domain users' and it cannot be changed). I am sure the user is added, because it is listed in 'getent group'. If I specify user COGITANSalberto in valid users it works, i.e. only that use can access the share, the others get a NT_STATUS_ACCESS_DENIED error. But if I use +finance, access is denied to everybody, and this is the log:
[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
User COGITANSalberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
user 'COGITANSalberto' (from session setup) not permitted to access this share (finance)
[code]....
It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership). My /etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
Grants and ownership on the '/repositories/shared/finance' folder are
root:domain users with permissions 775
View 2 Replies
View Related
May 12, 2010
I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight reign on nfs exports.Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.
We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.
View 12 Replies
View Related
Mar 15, 2010
I have the follow environment
PDC SAMBA + OPEN LDAP (ubuntu 9.04)
Linux (File Servers) + Windows machines all working well
I'm trying to set up a share drive on my new server using ubuntu 9.10 with samba (v 3.4) and ldapclient and the shares are not working when I defined Valid Users for share folders, that keep me ask me about my user and password, on the logs I have:
[2010/03/15 10:24:10, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
This is my smb.conf
[global]
workgroup = FLOWCONNECT
server string = OSLO SAMBA FILE SERVER [code].....
I have the same set up on my File Server (Ubuntu 9.04) which use samba 3.3 is working fine.Someone know if has some different setting between samba 3.3 (ubuntu 9.04) and samba 3.4 (ubuntu 9.10) that could cause this problem ?
View 1 Replies
View Related
May 24, 2010
Is there a way to use kerberos (or baring that a trusted CA) to allow users to ssh across machines in an environment isntead of having to manage the hash keys per user/server? I'm using kerberos+ldap to log folks in and get their settings but I'd like to take it a step further. I've been reading a lot but still can't quite get it all to come together.
Do I need to create a SPN for each host to do this? Sorry if I am asking a dumb question, I am returning to the *nix fold after a decade+ in the Microsoft world, be gentle with me.
View 3 Replies
View Related
Dec 17, 2010
I have setuped OpenLDAP+Samba PDC. When I create user and group -> Errors.
smbldap-group -a admin
No such object at /usr/sbin/smbldap_tools.pm line 457
smbldap-useradd -am -g admin admin
Could not find base dn, to get next uidNumber at /usr/sbin/smbldap_tools.pm line 1192
View 3 Replies
View Related
May 13, 2010
The company I work for, as usual, is Microsoft-centric. I'm attempting to integrate my Ubuntu server into the domain to allow domain users to authenticate to the server and access file shares using Samba. Here's my current configuration:
[Code].....
View 9 Replies
View Related
Jun 8, 2011
I would like to know how can I share folder with samba that samba does not show it to those users that have no access to it?
View 4 Replies
View Related
Oct 19, 2010
Is there a possibility in openldap to allow a user to only create/manage specific LDAP users?For example user "mailadmin" may only create/manage mail accounts in LDAP that are named like "m1342895"? Or a specific list of user accounts that are in a specific group?
View 1 Replies
View Related
Feb 7, 2010
We have an existing Windows 2000 network that I am trying to add an Ubuntu 8.04 server to. I have put links into the windows domain DFS to the linux machine's samba shares.
The shares work fine for local users that are physically on the same network (192.168.0.X). Remote users from other offices or dialing in with a vpn client can not access the these particular folders off the DFS. However, they can map them directly from the ubuntu server.
View 5 Replies
View Related
Oct 14, 2010
I have a samba server for company file shares but we do not use domain services or active directory service. Each workstation is its own standalone system. (And we want to keep it this way.) I would like to have some centralized authentication though, and it looks like Kerberos will provide that. After a lot of searching though, I can't find any instructions for setting up samba to authenticate users using kerberos without an ADS (active directory service) or domain. Is this possible?
View 1 Replies
View Related
Apr 30, 2011
Friends is there some way to authenticate Microsoft windows users from openldap running on CentOS. I will be very thankful if you provide me step by step procedure.
View 1 Replies
View Related
Oct 20, 2010
I'm setting up kerberos and I can't login with kadmin but I am getting tickets with kinit, my princs are valid, and my dns resolves with dig/ping, am I missing something?:
kadmin:
Code:
home-plug:/home/steven# kadmin
Authenticating as principal root/admin@SOUR-LAN.LOCAL with password.
Password for root/admin@SOUR-LAN.LOCAL:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
auth.log
Code:
Oct 20 22:18:13 home-plug kadmind[8935]: Seeding random number generator
Oct 20 22:18:20 home-plug krb5kdc[8778]: Interrupted system call - while selecting for network input(1)
Oct 20 22:18:20 home-plug krb5kdc[8778]: shutting down
Oct 20 22:18:20 home-plug krb5kdc[8939]: setting up network .....
View 1 Replies
View Related
Apr 25, 2010
it's driving me nuts. Done a few things now, including this last: [URL]that didn't work. All the other comps in the house are windows 7, and I want this box to be my file server, with two 1 TB HDD plugged into it via USB, but I can't get the damn samba to allow access to everyone. Here's the path in the config file:
[data]
comment = Test sharing
path = /media/Shared
[code]....
View 6 Replies
View Related
Feb 13, 2010
i have configured samba as file server in fedora 11,it works fine for both windows and linux machines .but i want to configure ldap and samba as domain controller. Googled a lot on internet every thing is confusing me .
View 2 Replies
View Related
May 6, 2010
I have OpenLDAP 2.4.12 and Samba 3.5.1 installed. When I try to change the password with smbpasswd, it changes the Windows password fine. But userPassword is not updated in LDAP. The error message is: "smbldap_check_root_dse: Expected one rootDSE, got 0" when I run smbpasswd -D 10 <username>.
I added the following to slapd.conf:
access to dn.base=""
by * read
password-hash {md5}
in hopes of allowing samba to read the root DSE, even though Samba is configured with the root DN.
how to make samba find what it needs in the root DSE of my LDAP server?
View 4 Replies
View Related
Jul 25, 2010
I am trying to setup my opensue 11.3 server as a pdc using openldap and samba
I am continuously getting a network path not found error message on my windows xp box. I already verified that the network settings are good.
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2010-07-05
[global]
[Code]....
View 5 Replies
View Related
Jul 24, 2010
I finished setup Samba PDC with Openldap backend. I can joint Winxp client to domain but can not change pass by press Ctrl + Alt + Delete and choose Change password button
This is my conf.
I used
samba3x-3.3.8
openldap 2.3.43
slapd.access.conf
Code:
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
by dn="cn=Manager,dc=microhdesk,dc=net" write
by anonymous auth
by self write
by * none
[Code]....
View 1 Replies
View Related
Nov 18, 2009
I am looking for ideas for getting windows users into an ldap server. I am currently running a Linux server for my department and need to create an LDAP server which mirrors the username/password information for all of us as they are stored in the windows server here. I have the openldap server up and running on Ubuntu 8.04 and it works great; I now need to find some way to import user info into this from windows. I've seen discussions of using ldifde.exe to export the AD users into an ldif file. Is this the simplest way to go about it?
Our Linux server is currently providing us with much needed services using apache, and apache is authenticating using LDAP to our windows server (Using our windows username / password is required functionality). This windows server has some problem which causes it to delay for inordinate amounts of time between authentication requests and responses. The situation is such that this problem will not be addressed by IT staff. However, I have control over the Linux server so I am looking to just mirror the windows server on an LDAP server of my own. I could get away with updating the passwords in the Linux server.
View 1 Replies
View Related
Feb 2, 2011
I configured OpenLdap and now I want to configure it using TLS-SSL
But I cannot get it working with the Linux clients. Environment: Centos 5.5
Openldap Server configuration:
View 12 Replies
View Related
Jan 15, 2010
I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has ben configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.
My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.
The setup is working fine as long as I connect to the primary server using its hostname:
peter@client01:~$ ssh nana
<connection goes through seamlessly without prompting>
peter@nana:~$
If I try to connect via a DNS alias (actually a second CNAME record), I get:
peter@client01:~$ ssh git1
peter@git1's password:
<connection completes>
peter@nana:~$
I need both passwordless auth and the DNS alias working, as it's internal policy that user connections are only ever made to service names, not real hostnames.
I have tried adding a second host principal to Kerberos for the alias (git1.darling.local) in addition to the host principal for the hostname (nana.darling.local).
If I turn off PasswordAuthentication in sshd_config, then "ssh git1" doesn't even fall through to passwords; it just denies logins. So it looks like it's not even using GSSAPI for the DNS alias.
So:
1) Is what I want even possible? I can't find anything that indicates that there's anything odd about DNS aliases such that this should happen.
2) Which config files should I post to help debug this? There's a lot and I didn't want to start blarfing them here if they aren't helpful.
View 1 Replies
View Related
Aug 28, 2010
I have currently have opensuse 11.2 installed. I am trying to setup samba shares which you can only access as certain user. Currently looks like the only way I can access these share is use root username/password!
I want to which GUI I need to use to setup this up properly. And of course what setting to exactly to use.
View 2 Replies
View Related
Jul 4, 2010
I have been trying to setup sshguard in Ubuntu 10.04 and I cannot manage the log daemon to execute the sshguard command. Has anyone managed to setup sshguard under 10.04?
View 9 Replies
View Related
Dec 10, 2009
I wish to setup a network that works like windows but for with lunix of course!. It will need to be able to handle security/DNS/DHCP & Document store from one location. I've been doing some reading and have found that I think I need to be using one of the following:
LDAP
NIS
Kerberos
I have looked at a few Linux based OS's. I did notice that when you install fedora live desktop it gives you the option to connect to one of the above. So I am looking for a complete solution.
1. How to setup fedora to act as server for my needs (or other Linux build)
2. Add fedora/linux mint machines to server to use new security settings. (or other linux build)
View 3 Replies
View Related
Jun 17, 2011
I want to setup a Linux File Server for a small windows network (around 50 users). I do know that I am gona need Smb service/pkg for that. I haven't used Samba for a while now and as per the best of my knowledge, entire communication (including usernames and passwords) between a samba server & windows client machines will be plain text. Is there any way to secure all this communication??
Secondly, if i remember correctly, MS windows wont let me mount more than one samba shares as network disk when all my shares can be accessed by different smb users with different passwords?? is there a solution to this problem? OR may be if there is any other package available for this purpose so that i wont have to use samba?
View 4 Replies
View Related
Jul 28, 2010
I am working as a Linux administrator in a very small data centre with 5 servers with following routine tasks.
1. Managing SAMBA shares and giving user specific access for the shares.
2. Scheduling backup of some mount points with rsycn to store data in remote hard disk
3. User and group administration, with sudo access.
4. Creating and Managing Xen Virtual machines and giving access to other project teams.
5. Automating some tasks with Shell Scripting.
6. Managing FTP server for user uploads.
I have practiced a lot in my home laptop without RHEL training, Cleared RHCE and LPIC1. I want to do some advanced system admin tasks, but do not have option in my current data centre. With Above skills is it possible to get a job ?
View 9 Replies
View Related
