The Swede in the middle of Silicon Valley

Wednesday, September 16, 2009

Creds to Microsoft

Throughout the last few weeks I've somewhat raped my soul and gone against most things I believe in. Why? I've done a Windows AD implementation to solve a somewhat interesting problem.

I've been working with an organization to help them create a centralized way of handling authentication across the board, including Windows, Linux and OS X servers and clients. Looking at the problem initially, I tried running Samba as a PDC; unfortunately its development hasn't come as far as I had hoped, so I gave up on that idea.

The solution I ended up choosing (which I haven't completely finished yet) is to utilize Windows AD and all that comes with it. As many know, AD + Linux has never been a fun thing to deal with, until recently, when Microsoft decided to implement RFC 2307 for Unix attributes. This makes life a lot easier, and I managed to put together a working solution in just a few hours, including group definitions!

For now I'm still working on having Samba authenticate against ADS so that shares can be maintained on a Linux box rather than a Windows server (who wants to run NTFS anyway?). There are still some issues with it, but I hope to have them ironed out pretty soon.

I didn't think I would say this, but thank you, Microsoft, for opening up to us Unix hackers!

Saturday, September 5, 2009

Making smbldap-tools rfc2307bis

I just stumbled upon a setup where I had to make smbldap-tools rfc2307bis compliant, so I figured I should post the patch here.

It adds ou, objectClass groupOfUniqueNames and uniqueMember to the group entries that smbldap-populate creates.
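As an added check (example code written for this post, not part of smbldap-tools or of the patch): once the patched smbldap-populate has run, dump the group entries with ldapsearch -LLL and feed the LDIF through a script like the one below. It flags groups where the rfc2307bis membership (uniqueMember) and the RFC 2307 membership (memberUid) disagree, groups that carry groupOfUniqueNames without any uniqueMember, uniqueMember values that are not uid= DNs under the users container, and groups whose ou does not equal cn. The sample LDIF inside it is constructed, and the suffix dc=example,dc=com with its ou=Users / ou=Groups containers is an assumption.

```python
"""rfc2307bis group consistency check: added example, not part of smbldap-tools.
For each posixGroup entry in LDIF it reports a missing groupOfUniqueNames class
or uniqueMember, uniqueMember values that are not uid= DNs under the users
container, uids in only one of uniqueMember (bis view) and memberUid (RFC 2307
view), and ou != cn. Sample LDIF is constructed; example.com names are assumed."""
import re
import sys
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
ou: Domain Admins
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: Domain Admins
memberUid: root
uniqueMember: uid=root,ou=Users,dc=example,dc=com

dn: cn=Administrators,ou=Groups,dc=example,dc=com
ou: Administrator
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: Administrators
uniqueMember: uid=root,ou=Users,dc=example,dc=com

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
ou: Domain Users
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: Domain Users
memberUid: root
memberUid: alice
uniqueMember: uid=root,ou=Users,dc=example,dc=com
"""
_UID_RDN = re.compile(r"^\s*uid=((?:\\.|[^,\\])+)", re.IGNORECASE)  # leading uid= RDN, "\," kept


def parse_ldif(text):
    """Entries as dicts of lower-cased attribute -> [values]; "dn" is a key."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):            # comment line
                continue
            if raw.startswith(" ") and lines:  # folded line: drop the fold marker
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        entry = defaultdict(list)
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("not an LDIF attribute line: %r" % line)
            entry[name.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries


def uid_from_dn(dn):
    m = _UID_RDN.match(dn)   # unescaped uid of a DN whose first RDN is uid=..., else None
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip() if m else None


def rfc2307bis_group_findings(entries, users_dn=None):
    """Map group cn -> list of problems, for posixGroup entries that have any."""
    findings = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixgroup" not in classes:
            continue
        cn = entry.get("cn", entry["dn"])[0]
        if "groupofuniquenames" not in classes:
            findings[cn] = ["missing objectClass groupOfUniqueNames"]
            continue
        problems, bis_uids = [], set()
        members = entry.get("uniquemember", [])
        if not members:
            problems.append("groupOfUniqueNames requires at least one uniqueMember")
        for dn in members:
            uid = uid_from_dn(dn)
            if uid is None:
                problems.append("uniqueMember is not a uid= DN: " + dn)
                continue
            bis_uids.add(uid)
            if users_dn and not dn.lower().endswith("," + users_dn.lower()):
                problems.append("uniqueMember outside users container: " + dn)
        posix_uids = set(entry.get("memberuid", []))
        for label, diff in (("in uniqueMember but not memberUid: ", bis_uids - posix_uids),
                            ("in memberUid but not uniqueMember: ", posix_uids - bis_uids)):
            if diff:
                problems.append(label + ", ".join(sorted(diff)))
        if entry.get("ou", []) != [cn]:
            problems.append("ou %r does not match cn %r" % (entry.get("ou", []), cn))
        if problems:
            findings[cn] = problems
    return findings


if __name__ == "__main__":   # python check_groups.py [groups.ldif]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for cn, problems in sorted(rfc2307bis_group_findings(parse_ldif(text), "ou=Users,dc=example,dc=com").items()):
        print(cn + ":\n  " + "\n  ".join(problems))
```

Run without an argument it checks the constructed sample and reports Administrators (ou spelled without the trailing s, and a uniqueMember with no matching memberUid) and Domain Users (alice present in memberUid only); Domain Admins is silent. Pass it the file produced by ldapsearch -LLL over the groups container to check a real directory, adjusting the users_dn argument to the real users container.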

*** /usr/sbin/smbldap-populate.orig 2009-09-05 09:58:29.000000000 -0700
--- /usr/sbin/smbldap-populate 2009-09-05 10:04:10.000000000 -0700
***************
*** 285,293 ****
--- 285,295 ----
loginShell: /bin/false

dn: cn=Domain Admins,$config{groupsdn}
+ ou: Domain Admins
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 512
cn: Domain Admins
memberUid: $adminName
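Review bot: adding objectClass groupOfUniqueNames next to posixGroup only works when the directory runs the rfc2307bis schema, where posixGroup is AUXILIARY; with the stock RFC 2307 nis.schema posixGroup is STRUCTURAL, as groupOfUniqueNames is, and the server rejects an entry with two structural classes, so smbldap-populate would fail on the very first group. Nothing in the patch states that prerequisite; add a comment above the Domain Admins entry (or a check in the script) saying the rfc2307bis schema must be loaded first. The added `ou: Domain Admins` merely repeats `cn` and is only schema-legal because groupOfUniqueNames lists ou as an optional attribute, so say which client needs it.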
***************
*** 295,344 ****
--- 297,359 ----
sambaSID: $config{SID}-512
sambaGroupType: 2
displayName: Domain Admins
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Domain Users,$config{groupsdn}
+ ou: Domain Users
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: $config{SID}-513
sambaGroupType: 2
displayName: Domain Users
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Domain Guests,$config{groupsdn}
+ ou: Domain Guests
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: $config{SID}-514
sambaGroupType: 2
displayName: Domain Guests
+ uniqueMember: uid=$guestName,$config{usersdn}

dn: cn=Domain Computers,$config{groupsdn}
+ ou: Domain Computers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: $config{SID}-515
sambaGroupType: 2
displayName: Domain Computers
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Administrators,$config{groupsdn}
+ ou: Administrator
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
+ uniqueMember: uid=$adminName,$config{usersdn}

#dn: cn=Users,$config{groupsdn}
#objectClass: top
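Review bot: `ou: Administrator` on the cn=Administrators entry drops the trailing s, while every other entry in the patch sets ou equal to its cn; make it `ou: Administrators`. In the same hunk the uniqueMember added to Domain Users, Domain Computers and Administrators is the admin account, although the context lines show no memberUid for those groups; that satisfies the MUST of groupOfUniqueNames, but a client that resolves membership through uniqueMember now sees the admin in groups where the posixGroup view does not list it. Either add the matching memberUid lines or state that these uniqueMember values are placeholders to be replaced after population.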
***************
*** 375,389 ****
--- 390,407 ----
#displayName: Power Users

dn: cn=Account Operators,$config{groupsdn}
+ ou: Account Operators
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
+ uniqueMember: uid=$adminName,$config{usersdn}

#dn: cn=System Operators,$config{groupsdn}
#objectClass: top
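Review bot: the commented-out group definitions around this hunk (cn=Users and Power Users before it, cn=System Operators after it) are left without the ou, groupOfUniqueNames and uniqueMember lines, so anyone who uncomments one of them later gets a group that is not in the rfc2307bis form the rest of the file now uses. Patch those blocks the same way, as commented lines, so the file stays consistent.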
***************
*** 397,433 ****
--- 415,460 ----
#displayName: System Operators

dn: cn=Print Operators,$config{groupsdn}
+ ou: Print Operators
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Backup Operators,$config{groupsdn}
+ ou: Backup Operators
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
+ uniqueMember: uid=$adminName,$config{usersdn}

dn: cn=Replicators,$config{groupsdn}
+ ou: Replicators
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
+ objectClass: groupOfUniqueNames
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
+ uniqueMember: uid=$adminName,$config{usersdn}

";
if ("sambaDomainName=$domain,$config{suffix}" eq $config{sambaUnixIdPooldn}) {
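Review bot: the DN values `uid=$adminName,$config{usersdn}` and `uid=$guestName,$config{usersdn}` are built by plain interpolation into the heredoc with no RFC 4514 escaping, so an admin or guest name containing `,`, `+`, `"`, `\`, `<`, `>`, `;` or a leading `#` yields an invalid uniqueMember DN and the add fails, whereas memberUid takes a bare name and is unaffected; escape the names before interpolation or document the restriction. The patch also touches only smbldap-populate: if the other smbldap-tools that change group membership keep updating memberUid alone, the uniqueMember values written here drift from memberUid at the first membership change, so either note that limitation or make the same change in those tools.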