ONTAP Discussions
Hi all,
I have a problem with CIFS authentication from a client to a FAS2240-4 running Data ONTAP 8.1.1. The storage authenticates against OpenLDAP. Communication is OK, the storage can read user information from OpenLDAP, but if a client wants to log in to a CIFS share it must use a plaintext password. A configuration without plaintext passwords can't authenticate me. Is it really necessary to use plaintext passwords?
My CIFS configuration:
WINS – OFF
multiprotocol filer
(4) /etc/passwd and/or NIS/LDAP authentication
/etc/nsswitch.conf
hosts: files dns
passwd: ldap files
netgroup: ldap files
group: ldap files
shadow: files nis
Ldap config:
ldap.ADdomain
ldap.base ou=Users,dc=XX,dc=XX,dc=mycompany,dc=
ldap.base.group ou=XX,ou=Groups,dc=XX,dc=XX,dc=XX,dc=XX
ldap.base.netgroup
ldap.base.passwd ou=Users,dc=XX,dc=XX,dc=XX,dc=XX
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.name cn=XX,ou=Special accounts,dc=XX,dc=XX,dc=XX,dc=XX
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd ******
ldap.port 389
ldap.servers XXX.XXX.XXX
ldap.servers.preferred XXX.XXX.XXX
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount windowsaccount
ldap.usermap.base
ldap.usermap.enable off
Cifs config:
cifs.LMCompatibilityLevel 1
cifs.W2K_password_change off
cifs.W2K_password_change_interval 4w
cifs.W2K_password_change_within 3600h
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 0
cifs.audit.autosave.onsize.enable off
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable on
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.allowed_users
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable on
cifs.audit.logsize 1048576
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /etc/log/adtlog.evt
cifs.bypass_traverse_checking on
cifs.client.dup-detection ip-address
cifs.comment
cifs.enable_share_browsing on
cifs.gpo.enable off
cifs.gpo.trace.enable off
cifs.grant_implicit_exe_perms off
cifs.guest_account
cifs.home_dir_namestyle
cifs.home_dirs_public_for_admin on
cifs.idle_timeout 1800
cifs.ipv6.enable off
cifs.max_mpx 253
cifs.ms_snapshot_mode pre-xp
cifs.netbios_aliases
cifs.netbios_over_tcp.enable on
cifs.nfs_root_ignore_acl off
cifs.oplocks.enable on
cifs.oplocks.opendelta 0
cifs.per_client_stats.enable off
cifs.perfmon.allowed_users
cifs.perm_check_ro_del_ok off
cifs.perm_check_use_gid on
cifs.preserve_unix_security off
cifs.restrict_anonymous 0
cifs.restrict_anonymous.enable off
cifs.save_case on
cifs.scopeid
cifs.search_domains
cifs.show_dotfiles on
cifs.show_snapshot off
cifs.shutdown_msg_level 2
cifs.sidcache.enable on
cifs.sidcache.lifetime 1440
cifs.signing.enable on
cifs.smb2.client.enable on
cifs.smb2.enable on
cifs.smb2.signing.required off
cifs.smb2_1.branch_cache.enable off
cifs.smb2_1.branch_cache.hash_time_out 3600 (value might be overwritten in takeover)
cifs.snapshot_file_folding.enable off
cifs.symlinks.cycleguard on
cifs.symlinks.enable on
cifs.trace_dc_connection off
cifs.trace_login off
cifs.universal_nested_groups.enable on
cifs.widelink.ttl 10m
Yes, when using this CIFS setup option you are limited to plain text passwords.
Sent from iPhone
On 29.01.2013, at 15:45, "David Beranek" <xdl-communities@communities.netapp.com> wrote:
CIFS + OpenLDAP - Plaintext password
created by David Beranek (https://communities.netapp.com/people/DAVIDBERANEK) in Products & Solutions: https://communities.netapp.com/message/99214#99214
OK, thanks. Any suggestion for using CIFS with OpenLDAP over a secure connection?
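As an added example (not from the thread and not NetApp code), here is a small Python audit that reads an `options` dump in the format posted above, flags the settings that leave the filer-to-OpenLDAP hop and the SMB sessions unprotected, and prints the `options` commands that would correct them. The option names are the ones in the dump; the recommended values (ldap.ssl.enable on with ldap.port 636, ldap.minimum_bind_level simple, cifs.LMCompatibilityLevel 3, cifs.smb2.signing.required on, cifs.restrict_anonymous 2) are my assumptions from the 7-Mode option documentation, so verify them against the man page for your release before applying them. Note what this does not address: per the reply above, CIFS setup option 4 still requires clients to send plaintext passwords, and enabling ldap.ssl.enable only protects the leg between the filer and OpenLDAP (the filer must also trust the LDAP server's CA certificate); it does not change what the client sends to the filer.

```python
"""Audit a Data ONTAP 7-Mode `options` dump for weak LDAP/CIFS transport settings.

Added example, not NetApp code. Option names are taken from the dump in the
thread; the recommended values are assumptions drawn from the 7-Mode option
documentation and must be checked against the man page for your release.
"""
import re
from dataclasses import dataclass

# Constructed sample: the security-relevant lines from the posted dump, plus
# a section header and a line with a trailing note that the parser must handle.
WEAK_OPTIONS = """\
Ldap config:
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.name cn=XX,ou=Special accounts,dc=XX,dc=XX,dc=XX,dc=XX
ldap.passwd ******
ldap.port 389
ldap.ssl.enable off
Cifs config:
cifs.LMCompatibilityLevel 1
cifs.restrict_anonymous 0
cifs.signing.enable on
cifs.smb2.enable on
cifs.smb2.signing.required off
cifs.smb2_1.branch_cache.hash_time_out 3600 (value might be overwritten in takeover)
"""

# "name value" where the value may be empty or contain spaces, optionally
# followed by a parenthesised note such as "(value might be overwritten in takeover)"
OPTION_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_][\w.\-]*)\s*(?P<value>.*?)\s*(?:\((?P<note>[^()]*)\))?$"
)


def parse_options(text):
    """Return {option: value}; headers without a dot in the name are skipped."""
    opts = {}
    for raw in text.splitlines():
        m = OPTION_LINE.match(raw.strip())
        if not m or "." not in m.group("name"):
            continue
        opts[m.group("name")] = m.group("value")
    return opts


@dataclass
class Finding:
    option: str
    current: str
    recommended: str
    reason: str


def audit(opts):
    """Apply the transport-security checks; each hit carries the value to set."""
    found = []

    def flag(option, recommended, reason):
        found.append(Finding(option, opts.get(option, "<unset>"), recommended, reason))

    if opts.get("ldap.enable") == "on":
        ssl_on = opts.get("ldap.ssl.enable") == "on"
        if not ssl_on:
            flag("ldap.ssl.enable", "on",
                 "bind DN password and every user/group lookup cross the wire in cleartext")
        if not ssl_on and opts.get("ldap.port") == "389":
            flag("ldap.port", "636",
                 "assumption: the server offers LDAPS on 636; set to its real LDAPS port")
        if opts.get("ldap.minimum_bind_level") == "anonymous":
            flag("ldap.minimum_bind_level", "simple",
                 "filer may fall back to an anonymous bind; require at least a simple bind over SSL")
    level = opts.get("cifs.LMCompatibilityLevel", "")
    if level.isdigit() and int(level) < 3:
        flag("cifs.LMCompatibilityLevel", "3",
             "levels 1-2 accept LM/NTLMv1 responses when authenticating against a domain; "
             "3 requires NTLMv2 session security")
    if opts.get("cifs.smb2.enable") == "on" and opts.get("cifs.smb2.signing.required") != "on":
        flag("cifs.smb2.signing.required", "on",
             "unsigned SMB2 sessions can be tampered with in transit")
    if opts.get("cifs.restrict_anonymous", "0") == "0":
        flag("cifs.restrict_anonymous", "2",
             "anonymous (null-session) enumeration of shares and users is allowed")
    return found


def remediation_commands(findings):
    """The 7-Mode CLI lines that would apply the findings."""
    return [f"options {f.option} {f.recommended}" for f in findings]


def apply_findings(opts, findings):
    """Return a copy of opts with every recommended value set, so it can be re-audited."""
    fixed = dict(opts)
    for f in findings:
        fixed[f.option] = f.recommended
    return fixed


if __name__ == "__main__":
    weak = parse_options(WEAK_OPTIONS)
    findings = audit(weak)
    for f in findings:
        print(f"{f.option}: {f.current} -> {f.recommended}  ({f.reason})")
    print("\n".join(remediation_commands(findings)))
    # the corrected dump produces no findings
    assert audit(apply_findings(weak, findings)) == []
```

Run against the posted configuration it reports six findings and prints the matching `options ...` lines; re-auditing the patched dictionary returns nothing. The reasons are deliberately kept to what the dump itself shows (cleartext LDAP on 389, anonymous bind permitted, LM-compatible responses accepted, SMB2 signing optional, null sessions unrestricted) rather than to anything about the client-side plaintext exchange, which this configuration mode requires regardless.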