CIFS + OpenLDAP Authentication
Added by Mike Fisher about 1 year ago
Hello -
I'm trying to set up a Nexenta 3.1 instance to authenticate CIFS users via LDAP (OpenLDAP). I realize that there was a bug in 3.0.X, but that it should have been fixed with 3.1.
I have what I believe to be a working OpenLDAP instance already - I say it's working because I'm able to configure other linux servers to authenticate users. I'm having some issues getting this to work on Nexenta - and I'm not sure if it is due to an issue with the CIFS implementation, or a lack of understanding on my part.
I have run through the process of configuring LDAP several times - both from the web UI and from 'ldapclient.' I am able to see users/groups from Nexenta, provision ACLs, etc. However, when I try to login from Windows I can't seem to authenticate successfully.
My question - is there any additional configuration that needs to be done that I may be missing? nsswitch.conf looks fine, and I've tried with and without idmapping (winuser:==unixuser:). Nothing seems to work. I don't know enough about Solaris basics to debug whether this is a CIFS problem or an ldap client configuration problem.
Is there something additional that needs to be configured for LDAP authentication to work with CIFS?
Thanks
Replies
RE: CIFS + OpenLDAP Authentication - Added by Mike Fisher about 1 year ago
Also, here's the latest ldapclient command:
ldapclient -v manual \
  -a adminPassword=<pw> \
  -a adminDN=cn=admin,dc=local \
  -a defaultSearchBase=dc=local \
  -a authenticationMethod=simple \
  -a serviceAuthenticationMethod=pam_ldap:local \
  -a serviceSearchDescriptor=passwd:ou=People,dc=local \
  -a serviceSearchDescriptor=group:ou=Groups,dc=local \
  <ldap-server>
I've tried other variations as well...
RE: CIFS + OpenLDAP Authentication - Added by Mike Fisher about 1 year ago
Quick update - this seems to be an ldapclient/openldap issue, as I am unable to 'su' from a local account to an ldap account:
localuser@vault:/$ su ldapuser
Password:
su: incorrect password
I'm really stuck at this point. Willing to offer up some free CrashPlan remote storage space to whoever can help me get over this hurdle :)
RE: CIFS + OpenLDAP Authentication - Added by Mike Fisher about 1 year ago
Configuration Details below. Also, it seems I'm able to authenticate with FTP now, but not 'su' or CIFS...
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
ipnodes: files dns mdns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
/etc/pam.conf
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_ldap.so.1
login auth required pam_dial_auth.so.1
login auth required pam_unix_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_ldap.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
#
# Kerberized telnet service
#
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth sufficient pam_ldap.so.1
ppp auth required pam_dial_auth.so.1
ppp auth required pam_unix_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_ldap.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_ldap.so.1
passwd auth required pam_unix_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
cups account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
other password required pam_smb_passwd.so.1 nowarn
/var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= <IP>
NS_LDAP_SEARCH_BASEDN= dc=<DOMAIN>
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=<DOMAIN>
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Groups,dc=<DOMAIN>
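The following is an added example, not code from this thread or from Nexenta: a small static audit of the two files posted above. It parses a Solaris-style pam.conf and an ldapclient profile, works out which auth stack PAM will actually run for a service such as su (the service's own entries, else "other"), and reports the things a practitioner would check before blaming CIFS: a pam_unix_auth that is required ahead of pam_ldap without server_policy, a plain "simple" bind that sends every user's password in cleartext, an anonymous credential level with no proxy DN (so pam_unix_auth can never read userPassword and only a successful pam_ldap bind can admit a directory user), and whether pam_smb_passwd.so.1 is in the password stack, since that module is what generates the SMB password hash the kernel CIFS server checks in workgroup mode, and it only runs when a password is set through PAM on this host. The sample input is constructed from the posted configuration (abridged); the IP 192.0.2.10, the base DN dc=example,dc=local and the proxy DN cn=proxyagent,ou=Profile,dc=example,dc=local are placeholders, and the "hardened" profile is this author's suggestion, not something from the thread.

```python
"""Static audit of a Solaris/Nexenta pam.conf + ldapclient profile (added example)."""
import re

# Constructed sample input, abridged from the pam.conf posted in this thread.
SAMPLE_PAM_CONF = """\
# Default definitions for Authentication management
other    auth      requisite   pam_authtok_get.so.1
other    auth      required    pam_dhkeys.so.1
other    auth      required    pam_unix_cred.so.1
other    auth      sufficient  pam_ldap.so.1
other    auth      required    pam_unix_auth.so.1
passwd   auth      sufficient  pam_ldap.so.1
passwd   auth      required    pam_unix_auth.so.1
other    account   sufficient  pam_ldap.so.1
other    account   requisite   pam_roles.so.1
other    account   required    pam_unix_account.so.1
other    password  required    pam_dhkeys.so.1
other    password  requisite   pam_authtok_get.so.1
other    password  requisite   pam_authtok_check.so.1
other    password  required    pam_authtok_store.so.1
other    password  required    pam_smb_passwd.so.1 nowarn
"""

# Constructed from the posted ldap_client_file; IP and base DN are placeholders.
WEAK_LDAP_CLIENT = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.0.2.10
NS_LDAP_SEARCH_BASEDN= dc=example,dc=local
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=example,dc=local
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Groups,dc=example,dc=local
"""

# Suggested hardening (assumption, not from the thread): TLS-protected simple
# bind plus a proxy identity so the client can read userPassword if it must.
HARDENED_LDAP_CLIENT = WEAK_LDAP_CLIENT.replace(
    "NS_LDAP_AUTH= simple", "NS_LDAP_AUTH= tls:simple").replace(
    "NS_LDAP_CREDENTIAL_LEVEL= anonymous",
    "NS_LDAP_CREDENTIAL_LEVEL= proxy\n"
    "NS_LDAP_BINDDN= cn=proxyagent,ou=Profile,dc=example,dc=local")


def parse_pam_conf(text):
    """Parse pam.conf(4) lines: service type control module [options...]."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only, or malformed line
        entries.append({"service": fields[0], "type": fields[1],
                        "control": fields[2], "module": fields[3],
                        "options": fields[4:]})
    return entries


def pam_stack(entries, service, mtype):
    """Stack PAM runs for (service, type): the service's own entries if it has
    any of that type, otherwise the 'other' entries."""
    own = [e for e in entries if e["service"] == service and e["type"] == mtype]
    return own or [e for e in entries if e["service"] == "other" and e["type"] == mtype]


def parse_ldap_client(text):
    """Parse 'NS_LDAP_KEY= value' lines; repeated keys accumulate into a list."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(NS_LDAP_[A-Z_]+)=\s*(.*?)\s*$", line)
        if m:
            cfg.setdefault(m.group(1), []).append(m.group(2))
    return cfg


def audit(pam_entries, ldap_cfg, service="su"):
    """Return findings for an LDAP user authenticating through `service`."""
    findings = []
    stack = pam_stack(pam_entries, service, "auth")
    modules = [e["module"] for e in stack]
    if "pam_ldap.so.1" not in modules:
        findings.append(f"{service} auth: no pam_ldap.so.1, so the password is "
                        "never tried against the directory")
    elif "pam_unix_auth.so.1" in modules:
        unix = stack[modules.index("pam_unix_auth.so.1")]
        # A hard failure before pam_ldap sinks the stack; Solaris' documented
        # ordering uses 'binding ... server_policy' so LDAP users get PAM_IGNORE.
        if (modules.index("pam_unix_auth.so.1") < modules.index("pam_ldap.so.1")
                and unix["control"] in ("required", "requisite")
                and "server_policy" not in unix["options"]):
            findings.append(f"{service} auth: pam_unix_auth.so.1 is {unix['control']} "
                            "ahead of pam_ldap.so.1 without server_policy; its failure "
                            "for LDAP users fails the whole stack")
    auth = ldap_cfg.get("NS_LDAP_AUTH", ["none"])[0]
    if not (auth.startswith("tls:") or auth.startswith("sasl/")):
        findings.append(f"NS_LDAP_AUTH={auth}: pam_ldap's bind sends the user's password "
                        "in cleartext; use tls:simple and install the server CA certificate")
    level = ldap_cfg.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0]
    if level == "anonymous" or "NS_LDAP_BINDDN" not in ldap_cfg:
        findings.append("no proxy identity (credential level anonymous / no NS_LDAP_BINDDN): "
                        "pam_unix_auth cannot read userPassword, so only a successful "
                        "pam_ldap bind can admit an LDAP user")
    pw_modules = [e["module"] for e in pam_stack(pam_entries, "passwd", "password")]
    if "pam_smb_passwd.so.1" in pw_modules:
        findings.append("pam_smb_passwd.so.1 is in the password stack: the CIFS password "
                        "hash is generated when the user runs passwd on this host, not "
                        "on first CIFS login")
    else:
        findings.append("pam_smb_passwd.so.1 missing from the password stack: workgroup-mode "
                        "CIFS logins have no SMB password hash to check")
    return findings


if __name__ == "__main__":
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    for label, text in (("weak", WEAK_LDAP_CLIENT), ("hardened", HARDENED_LDAP_CLIENT)):
        print(f"== {label} profile, service su ==")
        for finding in audit(entries, parse_ldap_client(text)):
            print(" -", finding)
```

Run it as-is to see the three findings for the posted profile against one for the hardened profile; point `parse_pam_conf` and `parse_ldap_client` at the real /etc/pam.conf and /var/ldap/ldap_client_file (or the output of `ldapclient list`) to audit a live box. The pam_smb_passwd line is informational either way: it is the reason an LDAP user who has never run passwd on the Nexenta host can pass FTP or su yet still be rejected by the kernel CIFS server.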
RE: CIFS + OpenLDAP Authentication - Added by Chris Parsons about 1 year ago
Nexenta uses kernel-based CIFS which, as of version 3.0, didn't support auth via LDAP. It was (at the time) a feature being quietly hinted at for 3.1. With the release of 3.1 there was no mention of this feature, so I'm assuming that it didn't make it in.
RE: CIFS + OpenLDAP Authentication - Added by Mike Fisher about 1 year ago
Yep, I had posted in that thread way back - but the 3.1 release notes hint that this was addressed:
http://www.nexenta.com/corp/images/stories/pdfs/releasenotes3%201_v4.pdf
Can somebody on the dev team please comment?
Thanks!
RE: CIFS + OpenLDAP Authentication - Added by Mike Fisher about 1 year ago
Could somebody confirm/deny the LDAP+CIFS feature in 3.1?
RE: CIFS + OpenLDAP Authentication - Added by Chris Parsons about 1 year ago
I'm definitely interested in this - mainly for our paid-for and supported Nexenta box, so I may ask Nexenta Support.