Authenticate SMB file sharing on MacOS 10.15 bound to openldap

Tags: authentication, file-sharing, ldap, smb

We're running a file-sharing server running MacOS 10.15 that is bound (for reasons outside of my control) to a bare openldap (slapd) server running on Ubuntu Server 18.04. The LDAP server is using a "self-signed" cert on its SSL interface, as the organization I'm at has their own CA.

After working some magic to load the apple.schema and backfill apple guids for each user/group, every service that we offer for our mac clients bound to LDAP (AFP, screen sharing, ssh, etc) will successfully authenticate authorized network users/groups, except for SMB. Right now I am just trying to get smb sharing from a mac client to the file share.

Some notes:

  • SMB was initially not working for non-admin local accounts. I manually added the SMB SACL group, com.apple.access_smb, as it wasn't there by default. This resolves access issues for local accounts, but not network accounts. Not sure why it doesn't ship with that group since the PAM module specifically references it:

    % cat /etc/pam.d/smbd
    # smbd: service ACL account management support
    account required    pam_sacl.so sacl_service=smb allow_trustacct
    session required    pam_permit.so

    I can confirm that my network user is a member:

    % dseditgroup -o checkmember -m $USER com.apple.access_smb
    yes $USER is a member of com.apple.access_smb
  • Following the instructions in: https://support.apple.com/en-us/HT204021, I have disallowed validate negotiate requests from the client and only allowed SMB v2 on the server. There are no options for "authenticated binds" or Open Directory replica, as also referenced in the link.

  • The config for the LDAP binding in directory utility uses custom mappings and authentication as a read-only user. I've added some custom mappings for apple-y and other things, and included the output of odutil at the bottom in case there are any obvious mappings I am missing.

  • The tail-end of the debug logs when trying to mount shared drives using SMB as a network user show some ocspd errors, so for the time being I've added 127.0.0.1 ocsp.apple.com to my /etc/hosts.

Long story short I still cannot get network users to mount shared drives over SMB. From the client, the login box errors with the invalid request "shake". From the fileshare server, I pull the following using smbdiagnose – note we still have the ocspd error, and the smbd: transact: gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74a doesn't seem to go anywhere…

smbd: (Security) [com.apple.securityd:security_exception] mach error: 1100
smbd: (Security) [com.apple.securityd:ocspdError] ocspdGlobals: error contacting server
smbd: (Security) [com.apple.securityd:ocspdError] ocspdTrustSettingsRead: OCSPD server error
smbd: (Security) [com.apple.securityd:trustSettings] TrustSettings: record not found for domain 1
smbd: (Security) [com.apple.securityd:trustSettings] TrustSettings(domain 1) destructor
smbd: (Security) [com.apple.securityd:trustSettings] tsGetGlobalTrustSettings: could not connect to ocspd for domain (1)
smbd: (Security) [com.apple.securityd:trustSettingsEval] evaluateCert: no trust settings
smbd: (Security) [com.apple.securityd:trustSettings] SecTrustSettingsEvaluateCert: found in domain 2
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -2
smbd: (Security) [com.apple.securityd:unixio] open(/System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/Info.plist,0x0,0x1b6) = 7
smbd: (Security) [com.apple.securityd:unixio] close(7) err: 0
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -1
smbd: (Security) [com.apple.securityd:cfloadfile] failed to fetch /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/_CodeSignature/CodeTopDirectory error=-10
smbd: (Security) [com.apple.securityd:unixio] open(/System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/MacOS/SCKerberosConfig,0x0,0x1b6) = 7
smbd: (Security) [com.apple.securityd:unixio] 7 fcntl(48,0x1) = 0
smbd: (Security) [com.apple.securityd:unixio] close(7) err: 0
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -1
smbd: (Security) [com.apple.securityd:staticCode] 0x7fb40041c908 loaded InfoDict 0x7fb401a14790
smbd: (Security) [com.apple.securityd:cfloadfile] failed to fetch /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/_CodeSignature/CodeEntitlements error=-10
smbd: (Security) [com.apple.securityd:handleobj] create 0x7fb401a0fd1d for 0x7fb401a0fd00
smbd: (Security) [com.apple.securityd:cssm] 0x7fb401a0fd00 attached module 0x7fb40052ee50(AppleX509CL) (ssid 0 type 8)
smbd: (Security) [com.apple.securityd:cssm] 0x7fb401a0fd00 detach module 0x7fb40052ee50(AppleX509CL)
smbd: (Security) [com.apple.securityd:unixio] close(8) err: 0
smbd: logoff_dequeue_session: Processing session id: 0xc86e29a600000001
smbd: handle_logoff_event: Session not in active state, sessid: 0xc86e29a600000001, state: 1
smbd: transact: gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74a

Does anyone have any suggestions on other routes to try re: samba authenticated against an openldap server? Is it even possible? If not, is there an alternative filesharing protocol that would allow mounting shared drives to both macos and windows clients?

Thanks for any help you're able to give!

The OD configuration for the LDAP server, as mentioned:

% sudo odutil show configuration /LDAPv3/$LDAP_SERVER
{
    description = "$LDAP_SERVER";
    mappings =     {
        attributes =         (
            objectClass
        );
        function = "ldap:translate_recordtype";
        recordtypes =         {
            "dsRecTypeStandard:Groups" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:CreationTimestamp" =                     {
                        native = createTimestamp;
                    };
                    "dsAttrTypeStandard:GeneratedUID" =                     {
                        native = "apple-generateduid";
                    };
                    "dsAttrTypeStandard:GroupMembers" =                     {
                        native = "apple-group-memberguid";
                    };
                    "dsAttrTypeStandard:GroupMembership" =                     {
                        native = memberUid;
                    };
                    "dsAttrTypeStandard:Member" =                     {
                        native = memberUid;
                    };
                    "dsAttrTypeStandard:ModificationTimestamp" =                     {
                        native = modifyTimestamp;
                    };
                    "dsAttrTypeStandard:PrimaryGroupID" =                     {
                        native = gidNumber;
                    };
                    "dsAttrTypeStandard:RealName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = cn;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        posixGroup,
                        "apple-group"
                    );
                    "Search Base" = "...";
                };
            };
            "dsRecTypeStandard:Mounts" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:CreationTimestamp" =                     {
                        native = createTimestamp;
                    };
                    "dsAttrTypeStandard:ModificationTimestamp" =                     {
                        native = modifyTimestamp;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:VFSDumpFreq" =                     {
                        native = mountDumpFrequency;
                    };
                    "dsAttrTypeStandard:VFSLinkDir" =                     {
                        native = mountDirectory;
                    };
                    "dsAttrTypeStandard:VFSOpts" =                     {
                        native = mountOption;
                    };
                    "dsAttrTypeStandard:VFSPassNo" =                     {
                        native = mountPassNo;
                    };
                    "dsAttrTypeStandard:VFSType" =                     {
                        native = mountType;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        mount
                    );
                    "Search Base" = "...";
                };
            };
            "dsRecTypeStandard:OrganizationalUnit" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:AddressLine1" =                     {
                        native = street;
                    };
                    "dsAttrTypeStandard:City" =                     {
                        native = l;
                    };
                    "dsAttrTypeStandard:Comment" =                     {
                        native = description;
                    };
                    "dsAttrTypeStandard:Country" =                     {
                        native = c;
                    };
                    "dsAttrTypeStandard:FAXNumber" =                     {
                        native = facsimileTelephoneNumber;
                    };
                    "dsAttrTypeStandard:Password" =                     {
                        native = userPassword;
                    };
                    "dsAttrTypeStandard:PhoneNumber" =                     {
                        native = telephoneNumber;
                    };
                    "dsAttrTypeStandard:PostalAddress" =                     {
                        native = postalAddress;
                    };
                    "dsAttrTypeStandard:PostalCode" =                     {
                        native = postalCode;
                    };
                    "dsAttrTypeStandard:RealName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = ou;
                    };
                    "dsAttrTypeStandard:State" =                     {
                        native = st;
                    };
                    "dsAttrTypeStandard:Street" =                     {
                        native = street;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        organizationalUnit
                    );
                    "Search Base" = "...";
                };
            };
            "dsRecTypeStandard:People" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:AddressLine1" =                     {
                        native = street;
                    };
                    "dsAttrTypeStandard:Building" =                     {
                        native = buildingName;
                    };
                    "dsAttrTypeStandard:City" =                     {
                        native = l;
                    };
                    "dsAttrTypeStandard:Country" =                     {
                        native = c;
                    };
                    "dsAttrTypeStandard:CreationTimestamp" =                     {
                        native = createTimestamp;
                    };
                    "dsAttrTypeStandard:Department" =                     {
                        native = departmentNumber;
                    };
                    "dsAttrTypeStandard:EMailAddress" =                     {
                        native = mail;
                    };
                    "dsAttrTypeStandard:FAXNumber" =                     {
                        native = facsimileTelephoneNumber;
                    };
                    "dsAttrTypeStandard:FirstName" =                     {
                        native = givenName;
                    };
                    "dsAttrTypeStandard:HomePhoneNumber" =                     {
                        native = homePhone;
                    };
                    "dsAttrTypeStandard:JobTitle" =                     {
                        native = title;
                    };
                    "dsAttrTypeStandard:LastName" =                     {
                        native = sn;
                    };
                    "dsAttrTypeStandard:MobileNumber" =                     {
                        native = mobile;
                    };
                    "dsAttrTypeStandard:ModificationTimestamp" =                     {
                        native = modifyTimestamp;
                    };
                    "dsAttrTypeStandard:OrganizationName" =                     {
                        native = o;
                    };
                    "dsAttrTypeStandard:PagerNumber" =                     {
                        native = pager;
                    };
                    "dsAttrTypeStandard:PhoneNumber" =                     {
                        native = telephoneNumber;
                    };
                    "dsAttrTypeStandard:PostalAddress" =                     {
                        native = postalAddress;
                    };
                    "dsAttrTypeStandard:PostalCode" =                     {
                        native = postalCode;
                    };
                    "dsAttrTypeStandard:RealName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:State" =                     {
                        native = st;
                    };
                    "dsAttrTypeStandard:Street" =                     {
                        native = street;
                    };
                    "dsAttrTypeStandard:UserCertificate" =                     {
                        native = "userCertificate;binary";
                    };
                    "dsAttrTypeStandard:UserPKCS12Data" =                     {
                        native = userPKCS12;
                    };
                    "dsAttrTypeStandard:UserSMIMECertificate" =                     {
                        native = userSMIMECertificate;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        inetOrgPerson
                    );
                    "Search Base" = "...";
                };
            };
            "dsRecTypeStandard:Users" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:Change" =                     {
                        native = shadowLastChange;
                    };
                    "dsAttrTypeStandard:Comment" =                     {
                        native = description;
                    };
                    "dsAttrTypeStandard:CreationTimestamp" =                     {
                        native = createTimestamp;
                    };
                    "dsAttrTypeStandard:Expire" =                     {
                        native = shadowExpire;
                    };
                    "dsAttrTypeStandard:GeneratedUID" =                     {
                        native = "apple-generateduid";
                    };
                    "dsAttrTypeStandard:ModificationTimestamp" =                     {
                        native = modifyTimestamp;
                    };
                    "dsAttrTypeStandard:NFSHomeDirectory" =                     {
                        native = "#/System/Volumes/Data/Users/$uid$";
                    };
                    "dsAttrTypeStandard:Password" =                     {
                        native = userPassword;
                    };
                    "dsAttrTypeStandard:PrimaryGroupID" =                     {
                        native = gidNumber;
                    };
                    "dsAttrTypeStandard:RealName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = uid;
                    };
                    "dsAttrTypeStandard:UniqueID" =                     {
                        native = uidNumber;
                    };
                    "dsAttrTypeStandard:UserShell" =                     {
                        native = loginShell;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        posixAccount,
                        inetOrgPerson,
                        shadowAccount,
                        "apple-user"
                    );
                    "Search Base" = "...";
                };
            };
        };
    };
    "module options" =     {
        AppleODClient =         {
            "Server Mappings" = 0;
        };
        ldap =         {
            "Denied SASL Methods" =             (
                "DIGEST-MD5",
                "CRAM-MD5",
                NTLM,
                GSSAPI
            );
            "LDAP Referrals" = 0;
            "Template Search Base Suffix" = "...";
            "Use DNS replicas" = 0;
        };
    };
    "node name" = "$LDAP_SERVER";
    options =     {
        "connection idle disconnect" = 60;
        "connection setup timeout" = 30;
        destination =         {
            host = "LDAP_HOST";
            other = ldaps;
            port = 636;
        };
        "man-in-the-middle" = 0;
        "no cleartext authentication" = 0;
        "packet encryption" = 3;
        "packet signing" = 1;
        "query timeout" = 60;
    };
    template = LDAPv3;
    trustaccount = "$TRUSTED_ACCOUNT";
    trustoptions =     (
        "system keychain"
    );
    trusttype = authenticated;
    uuid = "...";
}
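The one line in the smbdiagnose output above that actually names the failing step is the gss_accept_sec_context one, and its major_status is a packed GSS-API status word that can be read without guessing. The following is an added example, not part of the original post: it decodes major_status using the bit layout and routine/calling error tables from RFC 2744 (calling error in bits 24-31, routine error in bits 16-23, supplementary bits in 0-15) and pulls the values out of the log lines quoted in the post. Function and constant names are my own; the minor_status is mechanism-specific and is reported but deliberately not interpreted.

```python
"""Decode the GSS-API major_status from smbd gss_accept_sec_context log lines.

Added example, not from the original post. Status layout and code names
follow RFC 2744 (GSS-API C bindings). minor_status is mechanism-specific
and cannot be decoded without that mechanism's own error table.
"""
import re

# RFC 2744 section 3.9.1: routine error codes (bits 16-23)
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
# RFC 2744: calling error codes (bits 24-31)
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
# RFC 2744: supplementary info bits (bits 0-15), one flag per bit
SUPPLEMENTARY_BITS = {
    0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
    2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN",
}


def decode_major_status(major):
    """Split a GSS major status into its three fields and name them."""
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supp = major & 0xFFFF
    return {
        "calling_error": None if calling == 0
        else CALLING_ERRORS.get(calling, f"unknown({calling})"),
        "routine_error": None if routine == 0
        else ROUTINE_ERRORS.get(routine, f"unknown({routine})"),
        "supplementary": [name for bit, name in SUPPLEMENTARY_BITS.items()
                          if supp & (1 << bit)],
    }


LINE_RE = re.compile(
    r"gss_accept_sec_context: major_status: (0x[0-9a-fA-F]+), "
    r"minor_status: (0x[0-9a-fA-F]+)")


def find_gss_failures(log_lines):
    """Return one decoded record per gss_accept_sec_context line found."""
    results = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        major = int(m.group(1), 16)
        minor = int(m.group(2), 16)
        results.append({"major": major, "minor": minor,
                        **decode_major_status(major)})
    return results


# The tail of the smbdiagnose output quoted in the post.
SAMPLE_LOG = [
    "smbd: logoff_dequeue_session: Processing session id: 0xc86e29a600000001",
    "smbd: handle_logoff_event: Session not in active state, "
    "sessid: 0xc86e29a600000001, state: 1",
    "smbd: transact: gss_accept_sec_context: major_status: 0xd0000, "
    "minor_status: 0xa2e9a74a",
]

if __name__ == "__main__":
    for rec in find_gss_failures(SAMPLE_LOG):
        print(f"major=0x{rec['major']:x} -> routine={rec['routine_error']} "
              f"calling={rec['calling_error']} supp={rec['supplementary']}; "
              f"minor=0x{rec['minor']:x} (mechanism-specific)")
```

For the line in the post, 0xd0000 has no calling error and no supplementary bits and a routine error of 13, i.e. GSS_S_FAILURE: the security mechanism itself reported a generic failure while accepting the client's token, rather than a malformed token, an expired credential or a missing context. That is consistent with the accepted answer below, which locates the problem in the backend the SMB server is trying to validate the NTLM exchange against rather than in the client.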

Best Answer

Answering my own question here:

This setup does not work. The MacOS SMB server cannot use a bare openldap (slapd) server on Ubuntu because it uses NTLM for authentication. SASL mechanisms are not supported out of the box with slapd, and have to be configured differently. Ubuntu 18.04 comes with Cyrus SASL, but setting it up requires moving user passwords into the sasldb, configuring and testing SASL auth against the Ubuntu server, and reconfiguring the openldap bind accordingly. Given the complexity there, we're likely going to be moving to FreeIPA or Active Directory, which have greater built-in support for different auth mechanisms.
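Before committing to a migration, it is worth confirming what the slapd server actually advertises, since the root DSE lists the SASL mechanisms the server is prepared to negotiate. The following is an added example, not from the original post or answer: it parses the LDIF that `ldapsearch -x -LLL -H ldaps://LDAP_HOST -s base -b '' supportedSASLMechanisms` prints (LDAP_HOST is a placeholder) and reports which of the mechanisms the answer says the SMB server depends on are missing. The LDIF sample is constructed, and the function names are my own.

```python
"""Report which SASL mechanisms an LDAP server's root DSE advertises.

Added example, not part of the original post or answer. Feed it the LDIF
output of:
    ldapsearch -x -LLL -H ldaps://LDAP_HOST -s base -b '' supportedSASLMechanisms
(LDAP_HOST is a placeholder). The sample below is constructed.
"""
import base64
import sys


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles folded continuation lines (leading space), '#' comments and
    base64-encoded values (the '::' form)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # unfold: join to previous line
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def sasl_check(ldif_text, required=("NTLM",)):
    """Compare advertised supportedSASLMechanisms against the ones required.

    The default of NTLM follows the answer's statement about what the
    macOS SMB server authenticates with."""
    mechs = parse_ldif_entry(ldif_text).get("supportedSASLMechanisms", [])
    return {"advertised": mechs,
            "missing": [m for m in required if m not in mechs]}


# Constructed sample: what a slapd with a couple of Cyrus SASL plugins
# but no NTLM might return. Not captured from a real server.
SAMPLE_ROOT_DSE = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROOT_DSE
    result = sasl_check(text)
    print("advertised:", ", ".join(result["advertised"]) or "(none)")
    print("missing:", ", ".join(result["missing"]) or "(none)")
```

Pipe the real ldapsearch output into the script's stdin to check a live server; with no input it runs against the constructed sample. An empty "advertised" list is itself informative: slapd only lists mechanisms that its SASL library has plugins for, which is the configuration gap the answer describes.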