[FUG-BR] Problem with the FreeBSD x LDAP x Windows integration
William David FUG-BR
fugbr at biosystems.ath.cx
Thu May 29 10:35:30 BRT 2008
this may help too
http://www.e-tinet.com/linux/servidor-samba-com-troca-de-senha-obrigatorio/
2008/5/29 William David FUG-BR <fugbr at biosystems.ath.cx>:
> yes
>
> no problem, it logs in normally
>
> in PAM_LDAP
>
> use password_pam SSHA instead of password_pam MD5 or crypt
>
> just remember to re-register all the passwords as SSHA
>
> 2008/5/29 Israel Lehnen Silva <israsilva at gmail.com>:
>> But that way, can you still log into FreeBSD via ssh, authenticating against the LDAP base?
>>
>> 2008/5/29 William David FUG-BR <fugbr at biosystems.ath.cx>:
>>
>>> why don't you convert the whole LDAP base's password encryption to SSHA
>>>
>>> I have used that from the start and have had no problems with my smb LDAP
>>>
>>> don't use md5, select SSHA directly
>>>
>>> take a look
>>> http://biosystems.ath.cx:8080/wiki/
>>>
>>> 2008/5/28 Israel Lehnen Silva <israsilva at gmail.com>:
>>> > The goal is not to use Kerberos but the standard authentication against the LDAP base
>>> >
>>> > Does nobody know how to do this?
>>> > I am going through the same problem...
>>> >
>>> > regards.
>>> >
>>> > 2008/5/27 Klaus Schneider <klausps at gmail.com>:
>>> >
>>> >> Have you tried Kerberos?
>>> >>
>>> >> 2008/5/27 Thiago Dias Torres <thiagodt at gmail.com>:
>>> >>
>>> >> > smbldap.conf parameters:
>>> >> >
>>> >> > hash_encrypt="CRYPT"
>>> >> > crypt_salt_format="$1$%.8s"
>>> >> >
>>> >> > If I run smbldap-passwd <user>, the password comes out right, with the
>>> >> > hash specified in smbldap.conf, and I can log in normally on
>>> >> > Windows and FreeBSD. The problem only occurs when I change the password
>>> >> > through Windows XP.
>>> >> >
>>> >> > The problem seems to me to be in the way FreeBSD interprets that password,
>>> >> > because I ran a test with Linux (Fedora 6) and the problem does not occur there:
>>> >> > I can authenticate on Linux regardless of which hash was used.
>>> >> >
>>> >> > # Output of getent passwd after changing the password with the
>>> >> > smbldap-passwd command:
>>> >> >
>>> >> > newarq# getent passwd | grep thiago
>>> >> > thiago:$1$AC3MRqUK$7EgfcjZwReXydnt/aZhab0:100222:30006:Thiago Dias Torres:/home/thiago:/bin/csh
>>> >> >
>>> >> > # Output of getent passwd after changing the password from Windows XP:
>>> >> >
>>> >> > newarq# getent passwd | grep thiago
>>> >> > thiago:*:100222:30006:Thiago Dias Torres:/home/thiago:/bin/csh
>>> >> >
>>> >> >
>>> >> > 2008/5/27 Jorge Petry <jorge at jspnet.com.br>:
>>> >> > > Hello.
>>> >> > > Look in the smbtools file, smbldap.conf, to see whether this option is
>>> >> > > set like this:
>>> >> > > hash_encrypt="MD5" or hash_encrypt="SSHA"
>>> >> > > Report back afterwards.
>>> >> > > Cheers.
>>> >> > >
>>> >> > > _________________________________________
>>> >> > > Jorge Petry Neto
>>> >> > > Network and Server Administrator
>>> >> > > (48) 8401-4436
>>> >> > > jorge at jspnet.com.br
>>> >> > > www.jspnet.com.br
>>> >> > > Thiago Dias Torres wrote:
>>> >> > >
>>> >> > > Dear all,
>>> >> > >
>>> >> > > I have the following scenario:
>>> >> > >
>>> >> > > A FreeBSD 7.0-STABLE server authenticating against an LDAP base through
>>> >> > > PAM (pam_ldap and nss_ldap).
>>> >> > > On the same server, SAMBA 3.0.28 is running, also authenticating against the
>>> >> > > LDAP base and using the smbldap-tools scripts.
>>> >> > > The LDAPAdmin tool for administering the base.
>>> >> > >
>>> >> > > The problem:
>>> >> > >
>>> >> > > When I change the user's password in the LDAP base through LDAPAdmin,
>>> >> > > I select the MD5 Crypt encryption for the userPassword attribute.
>>> >> > > This way I can log in on Windows and on FreeBSD via terminal, ssh,
>>> >> > > etc... but when I change the user's password through Windows, the
>>> >> > > encryption of the password in the userPassword attribute is changed to SSHA and
>>> >> > > then I can no longer log in on FreeBSD, only on Windows.
>>> >> > >
>>> >> > > Has anyone implemented this method? FreeBSD and SAMBA authenticating against
>>> >> > > LDAP, allowing the user himself to change his password from Windows
>>> >> > > without interfering with terminal or ssh authentication on FreeBSD?
>>> >> > >
>>> >> > > Here is the Samba configuration file:
>>> >> > >
>>> >> > > # Samba config file created using SWAT
>>> >> > > # from 0.0.0.0 (0.0.0.0)
>>> >> > > # Date: 2008/05/05 16:13:37
>>> >> > >
>>> >> > > [global]
>>> >> > > dos charset = CP850
>>> >> > > unix charset = ISO8859-1
>>> >> > > workgroup = NOVOARQ
>>> >> > > netbios name = NARQ
>>> >> > > server string = LDAP Teste
>>> >> > > # update encrypted = Yes
>>> >> > > # unix password sync = Yes
>>> >> > > passwd program = /usr/local/sbin/smbldap-passwd -u "%u"
>>> >> > > encrypt passwords = Yes
>>> >> > > # obey pam restrictions = Yes
>>> >> > > socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>>> >> > > log level = 1
>>> >> > > log file = /var/log/samba/samba.log
>>> >> > > max log size = 0
>>> >> > > time server = Yes
>>> >> > > machine password timeout = 0
>>> >> > > logon script = %G.bat
>>> >> > > logon drive = H:
>>> >> > > logon home = \\NARQ\%U
>>> >> > >
>>> >> > > os level = 255
>>> >> > > preferred master = Yes
>>> >> > > domain master = yes
>>> >> > > domain logons = yes
>>> >> > > local master = yes
>>> >> > >
>>> >> > > passdb backend = ldapsam:ldap://ldap.dominio.com.br
>>> >> > > # With "Yes", Samba also rewrites userPassword in the directory on every
>>> >> > > # password change made from Windows; the hash scheme that lands there is
>>> >> > > # the one the LDAP server applies (OpenLDAP defaults to {SSHA}), while
>>> >> > > # smbldap.conf's hash_encrypt only governs what the smbldap-tools scripts write.
>>> >> > > ldap passwd sync = Yes
>>> >> > > ldap delete dn = Yes
>>> >> > > # Plain LDAP: the ldap admin dn bind below crosses the network unencrypted
>>> >> > > # unless ldap.dominio.com.br is this host.
>>> >> > > ldap ssl = no
>>> >> > > ldap admin dn = cn=admin,dc=unilasalle,dc=edu,dc=br
>>> >> > > ldap suffix = dc=unilasalle,dc=edu,dc=br
>>> >> > > ldap machine suffix = ou=computadores
>>> >> > > ldap user suffix = ou=usuarios
>>> >> > > ldap group suffix = ou=grupos
>>> >> > > ldap idmap suffix = sambaDomainName=NOVOARQ
>>> >> > > idmap backend = ldap:ldap://ldap.dominio.com.br
>>> >> > > idmap uid = 10000-65000
>>> >> > > idmap gid = 10000-65000
>>> >> > > enable privileges = yes
>>> >> > > add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>> >> > > # delete user script = /usr/local/sbin/smbldap-userdel "%u"
>>> >> > > add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>> >> > > # delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>>> >> > > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>> >> > > delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>> >> > > set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>> >> > > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>> >> > >
>>> >> > > utmp = Yes
>>> >> > > smb ports = 445 139
>>> >> > > name resolve order = wins bcast hosts
>>> >> > > time server = Yes
>>> >> > > template shell = /bin/false
>>> >> > > winbind use default domain = no
>>> >> > > map acl inherit = Yes
>>> >> > > strict locking = Yes
>>> >> > > wins support = Yes
>>> >> > > interfaces = bce0
>>> >> > > bind interfaces only = Yes
>>> >> > >
>>> >> > > dns proxy = No
>>> >> > > create mask = 0770
>>> >> > > force create mode = 0770
>>> >> > > directory mask = 0770
>>> >> > > force directory mode = 0770
>>> >> > > -------------------------
>>> >> > > Archive: http://www.fug.com.br/historico/html/freebsd/
>>> >> > > Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
>>> >> > >
>>> >> > >
>>> >> >
>>> >>
>>> >> --
>>> >> /*
>>> >> * Klaus Schneider
>>> >> */
>>> >>
>>> >
>>> > --
>>> >
>>> > Regards, Israel Lehnen Silva
>>> >
>>>
>>> --
>>> -=-=-=-=-=-=-=-=-=-
>>> William David Armstrong <----. Of course it runs
>>> Bio Systems Security Networking <----|==========================
>>> MSN / GT biosystems at gmail.com <----' OpenBSD or FreeBSD
>>> --------------------------------------
>>>
>>
>
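The two password formats the thread is about, as an added example that is not code from the thread or from any of its participants: it builds and verifies the RFC 2307 `{SSHA}` userPassword scheme that Thiago reports appearing after a Windows password change, classifies the password field of `getent passwd` lines modelled on the two he posted (so the "*" case is recognised), and writes the LDIF that resets a userPassword to `{SSHA}`, which is the re-registration step William recommends. The DN, the test password and the salts are assumptions; nothing here talks to an LDAP server.

```python
"""Added example (not from the thread): {SSHA} userPassword handling."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample lines, modelled on the two `getent passwd` outputs
# quoted in the thread; the password used below is an assumption.
GETENT_AFTER_SMBLDAP_PASSWD = (
    "thiago:$1$AC3MRqUK$7EgfcjZwReXydnt/aZhab0:100222:30006:"
    "Thiago Dias Torres:/home/thiago:/bin/csh"
)
GETENT_AFTER_WINDOWS_CHANGE = (
    "thiago:*:100222:30006:Thiago Dias Torres:/home/thiago:/bin/csh"
)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 {SSHA} value: base64(SHA1(password || salt) || salt).

    This is the scheme the thread reports landing in userPassword after a
    password change from Windows.  The salt rides along in the clear at the
    end of the blob, so the verifier can recover it.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a {SSHA} value; anything else is rejected."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def classify_hash(field: str) -> str:
    """Name the kind of value sitting in a password field.

    'crypt-md5' -> $1$salt$hash, which crypt(3) on FreeBSD and Linux can check
    'ssha'      -> {SSHA}..., an LDAP scheme crypt(3) does not understand
    'no-hash'   -> '*', '!' or empty: nothing usable exposed (the second
                   getent line in the thread)
    'other'     -> any other {SCHEME} or crypt format
    """
    if field in ("", "*", "!"):
        return "no-hash"
    if field.startswith("{SSHA}"):
        return "ssha"
    if field.startswith("$1$"):
        return "crypt-md5"
    return "other"


def diagnose_getent(line: str) -> dict:
    """Split a `getent passwd` line and say whether crypt(3) could use it.

    `local_crypt_can_check` is True only for a crypt(3)-style value; for
    {SSHA} the directory itself has to do the comparison (LDAP bind).
    """
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line: %r" % line)
    user, pw, uid, _gid, _gecos, _home, shell = fields
    kind = classify_hash(pw)
    return {
        "user": user,
        "uid": int(uid),
        "scheme": kind,
        "local_crypt_can_check": kind == "crypt-md5",
        "shell": shell,
    }


def ldif_reset_userpassword(dn: str, password: str,
                            salt: Optional[bytes] = None) -> str:
    """LDIF that replaces userPassword with a fresh {SSHA} hash.

    This is the 're-register every password as SSHA' step from the thread in
    a form ldapmodify(1) accepts; the DN layout is the caller's assumption.
    """
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        "userPassword: %s\n"
        "-\n" % (dn, ssha_hash(password, salt))
    )


if __name__ == "__main__":
    for line in (GETENT_AFTER_SMBLDAP_PASSWD, GETENT_AFTER_WINDOWS_CHANGE):
        print(diagnose_getent(line))
    # Assumed DN, following the ou=usuarios / dc=unilasalle suffix in smb.conf.
    print(ldif_reset_userpassword(
        "uid=thiago,ou=usuarios,dc=unilasalle,dc=edu,dc=br", "senha-de-teste"))
```

Feed the LDIF to `ldapmodify -x -D "cn=admin,dc=unilasalle,dc=edu,dc=br" -W -f reset.ldif` (the admin DN is the one in the posted smb.conf). The point the diagnosis makes explicit: a `{SSHA}` value can only be checked by something that reproduces the SHA-1-over-password-plus-salt computation, so with that scheme in the directory, pam_ldap has to authenticate by binding to the LDAP server as the user, which works for any scheme the server supports; anything that pulls the hash out through nss and hands it to crypt(3) locally cannot, and the "*" nss_ldap returned in the second getent line is its way of saying there is no crypt(3) string to expose.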
More information about the freebsd mailing list