Projekt SSO: Difference between revisions

From JoBaPedia
m (Joachim moved page Projekt Samba 4 to Projekt SSO without leaving a redirect: samba 4 not necessarily used)
 
Latest revision as of 15:57, 15 April 2014

SSO

The goal is to have single sign-on (SSO) with open source software for as many services as possible. Since SSO for Windows services needs a Windows domain controller and Samba provides one, this seems to be the only way to go.

In the end, I want all services to run on the low-power QNAP NAS. This is not possible yet, because the QNAP as PDC will only be available with the next QNAP OS 4.1. In the meantime I'll implement this part on the openSUSE server.

SSO Services

  • login on all Linux and Windows devices, including servers, NAS and notebooks
  • Windows shares
  • Samba shares on Linux servers and the QNAP NAS
  • wiki
  • bugtracker (trac)
  • databases (MySQL, DB2)
  • more web services

Subprojects

Samba needs some backend technology to work. Right now I know of two: user management and domain name service. User management could be handled by Samba internally, but not all SSO services support Samba users as identity provider. A common user ID management that is supported by many services directly or indirectly is LDAP. Samba, openSUSE Linux and e.g. DB2 support it natively, others via PAM or other services.

Open LDAP

OpenLDAP provides user management, but can also be used for many other things, like a certificate store or address management. For secure communication between LDAP server and client, an SSL connection can be used. This means we also need key/certificate management. The same can be used for other services that use SSL, like HTTPS for web servers, remote MySQL connections or OpenVPN.

OpenLDAP can be run on the same host as Samba or on a different host. I want to use the QNAP NAS since I expect it to have more uptime and I want to run the Samba AD there too as soon as it is available. OpenLDAP is available as a QPKG on the NAS. SUSE user management did not work with that. I had to copy the schemas from the openSUSE LDAP to the QNAP and configure LDAP to use them.

Configuration with the YaST LDAP client then was easy once I discovered I had to use the enumerate option in /etc/sssd/sssd.conf to enable getent for LDAP users. The host name in ldap_uri needs to be the CN or a subject alternative name of the OpenLDAP certificate on the QNAP device.
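The certificate rule above is what a verifying client enforces during StartTLS: the host in ldap_uri has to match a DNS name in the certificate's subject alternative names (or the CN when the certificate has no SAN at all), and an IP literal only matches an IP SAN. The following added example is not from the wiki; the certificate dict is a constructed sample in the layout Python's ssl.getpeercert() returns, and the names in it are assumptions modelled on qnap.job.de. It is slightly stricter than the sentence above in that it ignores the CN once a SAN is present, which is how current verifiers behave.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed peer certificate, in the dict layout that Python's
# ssl.SSLSocket.getpeercert() returns. The names are assumptions modelled on
# the wiki's host qnap.job.de; this is not the real certificate of the QNAP.
SAMPLE_CERT = {
    "subject": ((("commonName", "qnap.job.de"),),),
    "subjectAltName": (
        ("DNS", "qnap.job.de"),
        ("DNS", "*.job.de"),
        ("IP Address", "192.168.1.9"),
    ),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, exact match or a single '*'
    standing for the whole leftmost label (no partial or multi-label wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def dns_names(cert):
    """DNS names a client may match: SAN dNSName entries; the subject CN is used
    only when the certificate carries no SAN at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for kind, v in rdn if kind == "commonName"]


def ip_names(cert):
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "IP Address"]


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_ldap_uri(cert, uri):
    """Return (ok, reason): would a verifying client accept `cert` for the host in `uri`?"""
    host = urlsplit(uri).hostname
    if not host:
        return False, f"no host in {uri!r}"
    if _is_ip(host):
        # IP literals are matched against iPAddress SAN entries only, never DNS names
        ok = any(ipaddress.ip_address(host) == ipaddress.ip_address(ip) for ip in ip_names(cert))
        return ok, f"{host} {'is' if ok else 'is not'} among the IP SANs {ip_names(cert)}"
    names = dns_names(cert)
    if any(_dns_match(n, host) for n in names):
        return True, f"{host} matches one of {names}"
    return False, (f"{host} matches none of {names}; with sssd's default ldap_tls_reqcert = hard "
                   "the StartTLS handshake fails on the hostname mismatch")


if __name__ == "__main__":
    for uri in ("ldap://qnap.job.de", "ldap://192.168.1.9", "ldap://ldap.banzhaf.example"):
        print(uri, check_ldap_uri(SAMPLE_CERT, uri))
```

The practical consequence for this setup: if sssd is pointed at the NAS by a name that is not in the certificate (an alias, a short name, or a raw IP without an IP SAN), the lookups fail closed rather than silently skipping verification, which is the behaviour you want to keep.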

To be able to change passwords and honor disabled users, some changes were needed. For background see here:

http://forum.qnap.com/viewtopic.php?f=50&t=70028

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss,pam
domains = default

[nss]
filter_groups = root
filter_users = root 

[pam] 

# Section created by YaST
[domain/default]
ldap_uri = ldap://qnap.job.de
ldap_search_base = dc=job,dc=de
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = True
cache_credentials = True
chpass_provider = ldap
auth_provider = ldap
ldap_tls_cacert = /etc/ssl/certs/jba-pki-v2-ca.crt
ldap_user_search_base = ou=people,dc=job,dc=de
ldap_group_search_base = ou=group,dc=job,dc=de

# following lines added for using user disabled flag
ldap_pwd_policy = none

access_provider = ldap
ldap_account_expire_policy = shadow
ldap_access_order = expire
ldap_chpass_update_last_change = true

ldap_default_bind_dn = cn=admin,dc=job,dc=de
ldap_default_authtok = {pwd of bind dn}


/etc/nsswitch.conf

passwd:  compat sss
group:   compat sss
...

phpLdapAdmin

Config in

/share/MD0_DATA/.qpkg/OpenLDAP/phpldapadmin/config/config.php

It can create a Samba user with the samba3 schema. The user needs to change the password before use:

job4:~ # smbpasswd -r qnap -U ldaptest

It may be required to add the user to the share sections in /etc/smb.conf. @"everyone" only includes local users, not LDAP users:

read list = @"everyone"
write list = "admin","joachim","julian","caro"
valid users = "root",@"everyone","admin","joachim","julian","caro","ldaptest"

Then this works:

smbclient -c ls -W job -U ldaptest //qnap/Download

The home directory is not created this way. Try YaST?

Useful commands

Show publicly accessible LDAP database content without using SSL:

  • configure /etc/openldap/ldap.conf
uri     ldap://qnap.job.de
base    dc=job,dc=de
TLS_CACERT      /etc/ssl/certs/jba-pki-v2-ca.crt
  • execute search
ldapsearch -x

Show LDAP content with SSL (needs the password of the root DN, cn=admin here, and a valid cert configured in slapd.conf on the QNAP):

ldapsearch -ZZ -D "cn=admin,dc=job,dc=de" -W

If this does not work, try the debug switch -d1 (digit one).

Show the base DN of the LDAP database:

ldapsearch -x -b ' ' -s base '(objectclass=*)' namingContexts

Add a key/value pair to an LDAP object (here homeDirectory):

  • create file test.ldap
dn: cn=jo,dc=job,dc=de
changetype: modify
add: homeDirectory
homeDirectory: /home/jo
  • execute modify
ldapmodify -ZZ -D "cn=admin,dc=job,dc=de" -W -f test.ldap
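The commands above produce and consume LDIF: ldapsearch prints entries as LDIF, and ldapmodify takes a modify record like test.ldap. The added example below (not part of the wiki, and not the author's tooling) shows both directions offline: it parses a constructed ldapsearch dump, decides which accounts the sssd.conf setting ldap_account_expire_policy = shadow would treat as disabled, and renders the ldapmodify records that disable or re-enable a user by way of shadowExpire. The expiry rule is the pam_unix reading of shadow(5) (expired once today >= shadowExpire, values <= 0 or absent mean never); that sssd applies the same rule is an assumption to check against sssd-ldap(5), which is why the disabling record uses yesterday's day number so that both ">=" and ">" readings agree.

```python
import base64
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed ldapsearch output (LDIF) with two shadowAccount entries.
# Sample data only, not a dump of the directory described on this page.
SAMPLE_LDIF = """\
# extended LDIF
# base <dc=job,dc=de> with scope subtree

dn: uid=ldaptest,ou=people,dc=job,dc=de
objectClass: posixAccount
objectClass: shadowAccount
uid: ldaptest
shadowExpire: 16100

dn: cn=jo,dc=job,dc=de
objectClass: posixAccount
objectClass: shadowAccount
cn: jo
homeDirectory: /home/jo

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attribute: [values]} dicts.
    Handles comments, the search/result trailer and '::' base64 values;
    folded continuation lines (leading space) are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if attr in ("search", "result"):
            continue
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def days_since_epoch(day):
    """shadowExpire and shadowLastChange are day counts since 1970-01-01 (shadow(5))."""
    return (day - EPOCH).days


def is_expired(entry, today):
    """pam_unix semantics: absent, empty or <= 0 never expires, otherwise expired
    once today >= shadowExpire. Assumed to match sssd's shadow expire policy."""
    values = entry.get("shadowExpire", [])
    if not values or values[0] == "":
        return False
    expire = int(values[0])
    return expire > 0 and days_since_epoch(today) >= expire


def disabled_accounts(entries, today):
    return [e["dn"][0] for e in entries if is_expired(e, today)]


def ldif_modify(dn, changes):
    """Render an ldapmodify record; `changes` is a list of (op, attribute, value-or-None).
    Every modification is closed with a '-' line as RFC 2849 specifies."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, value in changes:
        lines.append(f"{op}: {attr}")
        if value is not None:
            lines.append(f"{attr}: {value}")
        lines.append("-")
    return "\n".join(lines) + "\n"


def disable_user_ldif(dn, today):
    """Disable an account for the shadow expire policy: shadowExpire = yesterday."""
    return ldif_modify(dn, [("replace", "shadowExpire", days_since_epoch(today) - 1)])


def enable_user_ldif(dn):
    """Re-enable the account by deleting shadowExpire entirely."""
    return ldif_modify(dn, [("delete", "shadowExpire", None)])


if __name__ == "__main__":
    today = date(2014, 4, 15)
    print("disabled:", disabled_accounts(parse_ldif(SAMPLE_LDIF), today))
    print(disable_user_ldif("cn=jo,dc=job,dc=de", today))
```

The rendered record is fed to ldapmodify exactly like test.ldap above (ldapmodify -ZZ -D "cn=admin,dc=job,dc=de" -W -f file); running the same disabled_accounts() check over a fresh ldapsearch dump is a cheap way to confirm that an account you believe to be disabled really is, since sssd with cache_credentials = True keeps serving cached logins until the next successful online lookup.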

Certificate Management (PKI)

see Projekt_PKI

DNS

Samba 4 needs a domain name service. I have no idea why, but it has an internal DNS activated by default, so I'll use that. Implication: change the DNS used at least on the Windows PCs from my router to the Samba server. The Samba server then forwards to the router, if necessary.

How will the DHCP/DNS handshake work?

Since I currently do not use Samba 4 AD but a Samba 3 PDC/BDC, I won't need a DNS for now.

Samba

QNAP 4.1 will include Samba 4 with AD. But although it is already overdue, the time to release could be long. Since the domain config on the QNAP never quite worked for me, I'll try to set up a domain PDC manually now. This PDC of course must use the LDAP backend for user management.

Make Domain JOB

Not sure, but I think this makes the server a DC:

/etc/smb.conf

[global]
workgroup = job
security = domain
preferred master = yes
domain master = yes
local master = yes
wins support = yes

And this is for the LDAP integration:

ldap admin dn = cn=admin,dc=job,dc=de
ldap suffix = dc=job,dc=de
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap ssl = off
passdb backend = ldapsam:ldap://127.0.0.1
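Two settings on this page deserve a second look before the setup grows: in sssd.conf (above) the bind password of cn=admin sits in the file, and enumerate = True pulls the whole directory; in smb.conf, ldap ssl = off is only harmless because the ldapsam backend points at 127.0.0.1. The added example below is an audit script written for this page, not the wiki author's tool or part of sssd or Samba; the config texts are constructed samples that mirror the settings shown here (the remote variants are hypothetical), and the "security = domain" remark restates smb.conf(5): that value is the domain-member mode, whereas a Samba 3 PDC is configured with security = user and domain logons = yes.

```python
import configparser
from urllib.parse import urlsplit

# Constructed config texts. The first two mirror the settings on this wiki page;
# the remote variants are hypothetical, with the ldapsam backend on another host.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = default

[domain/default]
ldap_uri = ldap://qnap.job.de
ldap_search_base = dc=job,dc=de
id_provider = ldap
auth_provider = ldap
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/ssl/certs/jba-pki-v2-ca.crt
enumerate = True
ldap_default_bind_dn = cn=admin,dc=job,dc=de
ldap_default_authtok = {pwd of bind dn}
"""

SMB_CONF_LOOPBACK = """\
[global]
workgroup = job
security = domain
domain master = yes
ldap admin dn = cn=admin,dc=job,dc=de
ldap suffix = dc=job,dc=de
ldap ssl = off
passdb backend = ldapsam:ldap://127.0.0.1
"""

SMB_CONF_REMOTE = SMB_CONF_LOOPBACK.replace("ldap://127.0.0.1", "ldap://qnap.job.de")
SMB_CONF_REMOTE_TLS = SMB_CONF_REMOTE.replace("ldap ssl = off", "ldap ssl = start tls")

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _parse(text):
    # '=' only: values such as ldap_default_bind_dn = cn=admin,... contain '=' themselves
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def _is_true(value):
    return value is not None and value.strip().lower() in ("true", "yes", "1")


def audit_sssd(text):
    """Findings for every [domain/...] section of an sssd.conf."""
    findings = []
    cp = _parse(text)
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        d = cp[name]
        scheme = urlsplit(d.get("ldap_uri", "")).scheme
        if scheme == "ldap" and not _is_true(d.get("ldap_id_use_start_tls")):
            findings.append(f"{name}: plain ldap:// without ldap_id_use_start_tls, identity lookups cross the network in clear")
        if d.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
            findings.append(f"{name}: ldap_tls_reqcert = {d['ldap_tls_reqcert']} disables certificate verification")
        if "ldap_tls_cacert" not in d:
            findings.append(f"{name}: no ldap_tls_cacert, verification relies on the system ldap.conf defaults")
        if "ldap_default_authtok" in d:
            findings.append(f"{name}: bind password for {d.get('ldap_default_bind_dn', '?')} is stored in sssd.conf, keep the file readable by root only")
        if _is_true(d.get("enumerate")):
            findings.append(f"{name}: enumerate = True pulls the whole directory into the cache (needed for getent, expensive on large trees)")
    return findings


def audit_smb(text):
    """Findings for the [global] section of an smb.conf using the ldapsam backend."""
    findings = []
    g = _parse(text)["global"]
    backend = g.get("passdb backend", "")
    if backend.startswith("ldapsam:"):
        parts = urlsplit(backend.split(":", 1)[1])
        ssl_mode = g.get("ldap ssl", "off").strip().lower()
        remote = parts.scheme == "ldap" and parts.hostname not in LOOPBACK
        if remote and ssl_mode != "start tls":
            findings.append("ldapsam backend on a remote host with 'ldap ssl = off': the ldap admin dn bind "
                            "and the sambaNTPassword hashes travel unencrypted")
        elif parts.scheme == "ldap" and ssl_mode == "off":
            findings.append("info: ldapsam over loopback without TLS stays on this host; "
                            "set 'ldap ssl = start tls' before moving the backend off 127.0.0.1")
    if g.get("security", "").strip().lower() == "domain" and _is_true(g.get("domain master")):
        findings.append("info: 'security = domain' is the domain-member mode; a Samba 3 PDC needs "
                        "'security = user' with 'domain logons = yes' (smb.conf(5))")
    return findings


if __name__ == "__main__":
    for label, result in (("sssd.conf", audit_sssd(SSSD_CONF)), ("smb.conf", audit_smb(SMB_CONF_LOOPBACK))):
        print(label, *result, sep="\n  ")
```

Run it against the real files with audit_sssd(open("/etc/sssd/sssd.conf").read()) as root; the smb.conf checks only look at [global], so share-level settings such as the valid users lists above are untouched.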

Join a Machine

This has never worked so far, but what I tried is this:

Create a machine account with YaST. It is important that it is created as an LDAP user with $ at the end, i.e. for VM job8 I tried job8$ and JOB8$. The shell can be /bin/false and the home an empty directory.

Once this user existed, I could do this on the DC (it fails if the ldap user is not present).

/mnt/ext/opt/samba/bin/net smbpasswd -a -m job8

or uppercased

/mnt/ext/opt/samba/bin/net smbpasswd -a -m JOB8

After that, I tried to add the VM to the domain, but it tried to connect to an AD. Then I set the WINS server in the VM's network card settings. Now it failed with "could not reach the domain".

This worked, but what is the effect?

job2 $ sudo net -I 192.168.1.9 rpc join bdc -U root%thepassword
Joined domain JOB.