raerek's questions

I have a working Samba PDC that uses OpenLDAP as backend. I am about to set up a samba proxy user and have problems writing the correct secure ACLs.

I used this acl:

{0}to * by group.exact="cn=ldap.admins,ou=groups,dc=example,dc=com" write by * break
{1}to dn.one="dc=example,dc=com" filter=(objectClass=sambaDomain) by group.exact="cn=samba.admins,ou=groups,dc=example,dc=com" write by * break
{2}to attrs=@sambaSamAccount,userPassword by group.exact="cn=samba.admins,ou=groups,dc=example,dc=com" write by * break
{3}to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword by self write by * break
{4}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by self read by anonymous auth by * none
{5}to * by users read

(found here: http://blogger.ziesemer.com/2011/01/ldap-authentication-for-samba.html)

And form Windows I am unable to log on (Windows says incorrect password or username.

When I insert a new olcAccess line as rule No 0, everything is perfect:

olcAccess: {0}to * by * read

I think that this behaviour is caused by the fact that in the middle of the authentication process samba rebinds to the OpenLDAP: the connection from samba using the proxy user is dropped, and an anonymous bind is initiated.

In the log you see lines like this:

Jul  6 12:06:06 ubuserver slapd[1088]: conn=1110 fd=48 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Jul  6 12:06:06 ubuserver slapd[1088]: conn=1110 op=0 BIND dn="" method=128
Jul  6 12:06:06 ubuserver slapd[1088]: conn=1110 op=0 RESULT tag=97 err=0 text=
Jul  6 12:06:06 ubuserver slapd[1088]: conn=1110 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=suser2))"
Jul  6 12:06:06 ubuserver slapd[1088]: conn=1110 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul  6 12:06:06 ubuserver slapd[1088]: => access_allowed: search access to "dc=itthon,dc=cucc" "entry" requested
Jul  6 12:06:06 ubuserver slapd[1088]: => acl_get: [1] attr entry
Jul  6 12:06:06 ubuserver slapd[1088]: => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
Jul  6 12:06:06 ubuserver slapd[1088]: => acl_mask: to all values by "", (=0)
Jul  6 12:06:06 ubuserver slapd[1088]: <= check a_dn_pat: *
Jul  6 12:06:06 ubuserver slapd[1088]: <= acl_mask: [2] applying +0 (break)
Jul  6 12:06:06 ubuserver slapd[1088]: <= acl_mask: [2] mask: =0
Jul  6 12:06:06 ubuserver slapd[1088]: => dn: [2] dc=example,dc=com
Jul  6 12:06:06 ubuserver slapd[1088]: => dn: [4] ou=people,dc=example,dc=com
Jul  6 12:06:06 ubuserver slapd[1088]: => acl_get: [6] attr entry
Jul  6 12:06:06 ubuserver slapd[1088]: => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
Jul  6 12:06:06 ubuserver slapd[1088]: => acl_mask: to all values by "", (=0)
Jul  6 12:06:06 ubuserver slapd[1088]: <= check a_dn_pat: users
Jul  6 12:06:06 ubuserver slapd[1088]: <= acl_mask: no more <who> clauses, returning =0 (stop)

Questions:

1. Do I understand things right that the problem is caused by the anonymous rebind?
2. Is there way to tell Samba to bind always with the proxy user (the one specified in the ldap admin dn in the smb.conf)?
3. If not, the is there a way to set up secure ACLs, i.e. not to give read rights to everyone?

(System is Ubuntu 12.04)

I have two NICs and two IPs. How do I set up routing in a way where everything is sent through the first IP, except the traffic of a given (local) user, whose traffic is sent through the second IP?

I know there are some HOWTOs out there but in the last 3 days I could not succeed using them.

I liked this http://www.debian-administration.org/article/379/Policy_routing article the best, the only difference in my situation is that I do not deal with PPP connections, I have two Ethernet interfaces.

After setting up everything(?), the given local user's web browsing traffic can be seen in wireshark, the SYN ACK comes back to the right IP and interface, but the browser does not answer.

Please help.

---THE WHOLE STORY---

Using a fresh install of Ubuntu 10.10 for testing, the two connectons are:

eth0: ip=192.168.168.236 gw=192.168.168.1
wlan0: ip=192.168.2.12 gw=192.168.2.1
nameserver is 192.168.168.1

Firewall is empty at the start (i.e. no rules), all policies are ACCEPT.

root@kipkopp:~# ip rule list
0:  from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
root@kipkopp:~# ip route show
192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.12  metric 2 
192.168.168.0/24 dev eth0  proto kernel  scope link  src 192.168.168.236  metric 1 
169.254.0.0/16 dev eth0  scope link  metric 1000 
default via 192.168.168.1 dev eth0  proto static 

root@kipkopp:~# cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
100 copyofmain
101 new

(Buidling the copyofmain table, table new is empty)

root@kipkopp:~# ip route show table copyofmain
192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.12  metric 2 
192.168.168.0/24 dev eth0  proto kernel  scope link  src 192.168.168.236  metric 1 
169.254.0.0/16 dev eth0  scope link  metric 1000 
default via 192.168.168.1 dev eth0  proto static 

root@kipkopp:~# iptables -t mangle -A OUTPUT -m owner --uid-owner 1001 -j MARK --set-mark 1
root@kipkopp:~# ip rule add fwmark 1 pri 100 table copyofmain
root@kipkopp:~# ip rule add from 192.168.168.236 pri 200 table copyofmain
root@kipkopp:~# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source=192.168.168.236

Trying to browse to websites as uid=1001 everything is okay.

(Buidling the 'new' table)

root@kipkopp:~# ip route show table new
192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.12  metric 1 
192.168.168.0/24 dev eth0  proto kernel  scope link  src 192.168.168.236  metric 2 
169.254.0.0/16 dev wlan0  scope link  metric 1000 
default via 192.168.2.1 dev wlan0  proto static 

root@kipkopp:~# ip rule add from 192.168.2.1 pri 200 table new
root@kipkopp:~# iptables -t nat -A POSTROUTING -o wlan0 -j SNAT --to-source=192.168.2.12

root@kipkopp:~# ip rule show
0:  from all lookup local 
100:    from all fwmark 0x1 lookup copyofmain 
200:    from 192.168.168.236 lookup copyofmain 
200:    from 192.168.2.12 lookup new 
32766:  from all lookup main 
32767:  from all lookup default 

Uid 1001 still uses the copyofmain table, and is able to surf the net.

root@kipkopp:~# ip rule delete from all fwmark 0x1 lookup copyofmain
root@kipkopp:~# ip rule add fwmark 1 pri 100 table new

root@kipkopp:~# ip rule list
0:  from all lookup local 
100:    from all fwmark 0x1 lookup new 
200:    from 192.168.168.236 lookup copyofmain 
200:    from 192.168.2.12 lookup new 
32766:  from all lookup main 
32767:  from all lookup default 

Uid 1001 cannot browse any more.

root@kipkopp:~# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter 
root@kipkopp:~# echo 0 > /proc/sys/net/ipv4/conf/wlan0/rp_filter 

root@kipkopp:~# ip route flush cache

No improvement.

I change the default route in the main(!) table:

root@kipkopp:~# ip route delete default via 192.168.168.1 dev eth0  proto static
root@kipkopp:~# ip route add default via 192.168.2.1 dev wlan0  proto static

Uid 1001 is happy browsing, just like the other users.

I have set up an ubuntu lucid LDAP+SAMBA PDC, mainly based on this article: http://ubuntuforums.org/showthread.php?t=1499753 - it works. Users can change their password by logging on to a Win Pc, and hitting Ctrl+Alt+Del. This way the unix passwords are changed as well - samba takes care of that.

I use that LDAP server for authentication from ubuntu desktops as well. They can logon, and change their password using /usr/bin/passwd, but this way the samba password does not change.

Questions:

1) Is there a way to change not only the userPassword, but the sambaNTpassword attribute as well? I've read of pam_smbpass.so but I have no clue how to use that - I've even read somewhere that this way only the local smb passwords can be updated.

2) If the answer would be "no" for the 1st question, then is there a way to have slapd sync sambaNTPassword based on unixPassword? Maybe setting up the "exop" to do that?

3) If once again the answer is "no", then I could live with clear thext passwords in the userPassword and run an external script to calculate the hash for sambaNTpassword. I tried jacksum -a md4 -q "txt:password" but the calculated hash is not equal to the ones stored in the ldap. I have no idea why.

4) What else could I do?