[Pkg-openldap-devel] Trying to build a summary on LDAP/Samba/PAM/... strangeness...

Marco Gaiarin gaio at sv.lnf.it
Tue May 15 09:43:18 UTC 2007


Sorry for this mail, but I've experimented a bit with
samba/smbldap-tools/ldap/pam... with sarge, and now, migrating to
edgy, I'm trying to do some cleanup.

Setting up a stable and efficient system I've found some minor drawbacks
that I don't feel confident logging as bugs.
Or at least I don't know exactly which package is responsible for the
bug. ;)

This message is sent to the slapd, smbldap-tools and libpam-ldap/libnss-ldap
maintainers. I think that the Debian wiki needs some minor tweaks, but
first I need to track down some problems before trying to edit it.

Some words about me: I'm a sysadmin from north-east Italy who works for a
non-profit organization that takes care of disabled children.
We directly manage 4 samba/smbldap/openldap installations and I'm a
consultant for another dozen of them, all Debian based, all migrating
to edgy.


It all starts from this:

	http://wiki.debian.org/PAMLDAPSetup

[WOW! libpam_ldap is not needed, cool!!!]
This setup works flawlessly, and I've tested it in an environment (my home
server machine, which has no samba stuff but only posix).
In a purely Windows environment this is really cool: typically in
these environments you use Windows to change the password, so it is
possible to simply uninstall libpam-ldap and forget about it.

Trying to do the same thing with the work setup (samba and smbldap-tools)
makes it impossible to log in.
Passwords in Windows work with no problem at all, but there's no way to
log in (console, ssh, ...).

After fiddling a bit with all this stuff I've found the culprit: if in
smbldap-tools I set hash_encrypt to something different from "CRYPT"
(and I think CLEARTEXT, but clearly that is not the case ;) login is
impossible.
I've done these tests:
 + tried all combinations of (S)MD5, (S)SHA
 + as above, but using slappasswd instead of the internal perl logic

Only CRYPT works; note that if I set up libpam-ldap to change the password, I
can put in /etc/pam_ldap.conf whatever algorithm I choose and all works.
So my first statement/question:

1) it seems that smbldap-tools (but also slappasswd) generate a
 userPassword field that is incompatible with the default auth
scheme (e.g., pam_unix/nss).

Note that if I load and configure libpam_ldap, passwords start to work
(clearly I opted for this setup), so it seems that it is the default pam_unix
'nss fallback' (really, I don't know how to name this ;) that does not
work with LDAP passwords, not all the stuff that does not work.
Summarizing:

 pass generated by:          used by:   pam_unix/nss   libpam_ldap

 libpam_ldap                            ALL(*)         ALL
 smbldap-tools/ldappasswd               CRYPT          ALL

 (*) really, I've tested only crypt and MD5.


I've also found a minor drawback of the proposed configuration in
/usr/share/doc/libpam-ldap/README.Debian, and the drawback is caused
exactly by this 'bug'. Second question.

2) In this setup every login is tried first with pam_unix and then, if and
only if it fails, passed to pam_ldap.
But the first try is a 'full try', i.e. pam_unix uses nss to check the
password against the 'system database', and fails because the password is
incompatible (as stated in 1).
You can see your auth.log full of:

	May 15 09:44:43 sdinny sshd[5171]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harry.sv.lnf.it user=massimo

and this is really annoying, especially if you have to track down (e.g.,
with logcheck) really failed logins.

I'm thinking about swapping pam_unix and pam_ldap in this setup (i.e.
every login is tried first with LDAP and then, only if it fails, with
pam_unix), but clearly this could lead to some minor trouble (timeouts)
if the LDAP server is down and I need to log in as root to fix it. ;)


The last question is really minor, or at least can be safely logged in the
Debian BTS, but I'm here...

3) /usr/share/doc/smbldap-tools/README.Debian.gz misses saying
that a 'sub' index has (it is required!) to be set up for samba on the
sambaSID field. So:

	index         sambaSID                                eq,sub
and not simply:
	index         sambaSID                                eq

as stated. See the samba changelog (for release 3.0.23) for more info.


I hope I was sufficiently clear. Many thanks to all.

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	  tel +39-0434-842711  fax +39-0434-842797
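As an added example (not from the mail, and not code from smbldap-tools or OpenLDAP), here are the hashed userPassword layouts behind question 1, built and verified offline with Python's standard library: slappasswd and the hash_encrypt setting produce {SSHA}/{SMD5}/{SHA}/{MD5} values of the form base64(digest(password + salt) + salt) (no salt for the unsalted two), and the directory server checks them on a bind. The mechanism assumed here for the failure the mail describes is that pam_unix gets the userPassword value through nss_ldap as its shadow hash and compares it with crypt(3), which can only make sense of a {CRYPT} payload. Function and scheme-table names are the example's own.

```python
import base64
import hashlib
import hmac
import os

# Hashed userPassword layouts as produced by slappasswd and by smbldap-tools'
# hash_encrypt setting: salted schemes store base64(digest(pw + salt) + salt),
# unsalted ones base64(digest(pw)).  Scheme name -> (hashlib name, salted?).
SCHEMES = {
    "SSHA": ("sha1", True),
    "SMD5": ("md5", True),
    "SHA": ("sha1", False),
    "MD5": ("md5", False),
}


def make_userpassword(password, scheme="SSHA", salt=None):
    """Build a {SCHEME}... userPassword value; a random 4-byte salt is used
    unless one is given explicitly (handy for reproducible tests)."""
    algo, salted = SCHEMES[scheme]
    data = password.encode("utf-8")
    if salted:
        salt = os.urandom(4) if salt is None else salt
        raw = hashlib.new(algo, data + salt).digest() + salt
    else:
        raw = hashlib.new(algo, data).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def split_scheme(stored):
    """Separate '{SCHEME}payload' into (SCHEME, payload); no prefix means cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return None, stored


def crypt3_payload(stored):
    """The string a crypt(3)-based checker (assumed here: pam_unix reading the
    shadow entry that nss_ldap builds from userPassword) could work with.
    Only a {CRYPT} value yields one; every other scheme is opaque to it."""
    scheme, payload = split_scheme(stored)
    return payload if scheme == "CRYPT" else None


def verify_userpassword(stored, candidate):
    """Check a candidate password against an LDAP-style hashed value, the way
    the directory server does on a simple bind.  {CRYPT} is refused here
    because only crypt(3) can evaluate it."""
    scheme, payload = split_scheme(stored)
    if scheme is None:
        return hmac.compare_digest(payload.encode("utf-8"), candidate.encode("utf-8"))
    if scheme == "CRYPT":
        raise ValueError("{CRYPT} values must be checked with crypt(3)")
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %r" % scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    digest_len = hashlib.new(algo).digest_size
    digest, salt = raw[:digest_len], (raw[digest_len:] if salted else b"")
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    for name in SCHEMES:
        value = make_userpassword("s3cret", name)
        print(name, value, "bind-verifiable:", verify_userpassword(value, "s3cret"),
              "crypt(3)-usable:", crypt3_payload(value) is not None)
```

Run it to see that every scheme verifies the way a bind would, while only a {CRYPT} value has anything a crypt(3) comparison can consume; that is the split between the two columns of the table above.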


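For the auth.log noise in question 2, here is an added example (not part of the mail) of the correlation a logcheck-style filter needs: each (pam_unix) authentication failure is paired with the sshd outcome line carrying the same PID, so a failure followed by "Accepted password" on that PID is classed as fallback noise and everything else is raised as a real or unresolved failure. The log excerpt is constructed for the example (the first line is copied from the mail, the others are made up in standard sshd format); the address 10.0.0.7, the extra PIDs and the function names are the example's own.

```python
import re

# Constructed sample auth.log excerpt: line 1 is the pam_unix noise quoted in
# the mail; the rest are invented in the usual sshd wording.
SAMPLE_LOG = """\
May 15 09:44:43 sdinny sshd[5171]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harry.sv.lnf.it user=massimo
May 15 09:44:43 sdinny sshd[5171]: Accepted password for massimo from 10.0.0.7 port 41022 ssh2
May 15 09:50:12 sdinny sshd[5203]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harry.sv.lnf.it user=massimo
May 15 09:50:13 sdinny sshd[5203]: Failed password for massimo from 10.0.0.7 port 41101 ssh2
May 15 09:51:02 sdinny sshd[5210]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=evil.example.net user=root
"""

# syslog prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PAM_UNIX_FAIL_RE = re.compile(
    r"\(pam_unix\) authentication failure;.*rhost=(?P<rhost>\S*) user=(?P<user>\S+)"
)
ACCEPTED_RE = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<rhost>\S+)")
FAILED_RE = re.compile(r"^Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+)")


def correlate(log_text):
    """One record per (pam_unix) failure, tagged by what sshd later logged for
    the same PID: 'fallback-noise' (login succeeded anyway, i.e. pam_ldap took
    over), 'failed' (sshd reported a failed password) or 'unresolved'."""
    pending = {}  # pid -> record still waiting for an sshd outcome line
    results = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        fail = PAM_UNIX_FAIL_RE.search(msg)
        if fail:
            rec = {"pid": pid, "ts": m.group("ts"), "user": fail.group("user"),
                   "rhost": fail.group("rhost"), "verdict": "unresolved"}
            pending[pid] = rec
            results.append(rec)
            continue
        rec = pending.get(pid)
        if rec is None:
            continue
        if ACCEPTED_RE.match(msg):
            rec["verdict"] = "fallback-noise"
            del pending[pid]
        elif FAILED_RE.match(msg):
            rec["verdict"] = "failed"
            del pending[pid]
    return results


def real_failures(log_text):
    """What a logcheck rule should actually report: every pam_unix failure
    that was not immediately followed by a successful login on the same PID."""
    return [r for r in correlate(log_text) if r["verdict"] != "fallback-noise"]


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print("%(ts)s pid=%(pid)s user=%(user)s rhost=%(rhost)s -> %(verdict)s" % rec)
```

PIDs are reused over time, so a production version should also bound the pairing by a time window (say, a few seconds between the pam_unix line and the outcome line) rather than matching on PID alone; the sample keeps the logic to the correlation itself.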
