2 Replies. Latest reply: Jan 31, 2013 1:16 AM by DAVIDBERANEK

CIFS + OpenLDAP - Plaintext password

DAVIDBERANEK Novice

Hi all,

I have a problem with CIFS authentication from a client to a FAS2240-4 with Data ONTAP 8.1.1. Storage to OpenLDAP. Communication is OK; the storage can read user information from OpenLDAP, but if a client wants to log in to a CIFS share, it must use a plaintext password for the communication. A configuration without plaintext passwords can't authenticate me. Is it really necessary to use a plaintext password?

My CIFS configuration:

WINS – OFF

multiprotocol filer

(4) /etc/passwd and/or NIS/LDAP authentication

/etc/nsswitch.conf

hosts: files dns
passwd: ldap files
netgroup: ldap files
group: ldap files
shadow: files nis


Ldap config:

ldap.ADdomain

ldap.base ou=Users,dc=XX,dc=XX,dc=mycompany,dc=

ldap.base.group ou=XX,ou=Groups,dc=XX,dc=XX,dc=XX,dc=XX

ldap.base.netgroup

ldap.base.passwd ou=Users,dc=XX,dc=XX,dc=XX,dc=XX

ldap.enable on

ldap.minimum_bind_level anonymous

ldap.name cn=XX,ou=Special accounts,dc=XX,dc=XX,dc=XX,dc=XX

ldap.nssmap.attribute.gecos gecos

ldap.nssmap.attribute.gidNumber gidNumber

ldap.nssmap.attribute.groupname cn

ldap.nssmap.attribute.homeDirectory homeDirectory

ldap.nssmap.attribute.loginShell loginShell

ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup

ldap.nssmap.attribute.memberUid memberUid

ldap.nssmap.attribute.netgroupname cn

ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple

ldap.nssmap.attribute.uid uid

ldap.nssmap.attribute.uidNumber uidNumber

ldap.nssmap.attribute.userPassword userPassword

ldap.nssmap.objectClass.nisNetgroup nisNetgroup

ldap.nssmap.objectClass.posixAccount posixAccount

ldap.nssmap.objectClass.posixGroup posixGroup

ldap.passwd ******

ldap.port 389

ldap.servers XXX.XXX.XXX

ldap.servers.preferred XXX.XXX.XXX

ldap.ssl.enable off

ldap.timeout 20

ldap.usermap.attribute.unixaccount unixaccount

ldap.usermap.attribute.windowsaccount windowsaccount

ldap.usermap.base

ldap.usermap.enable off

Cifs config:

cifs.LMCompatibilityLevel 1

cifs.W2K_password_change off

cifs.W2K_password_change_interval 4w

cifs.W2K_password_change_within 3600h

cifs.audit.account_mgmt_events.enable off

cifs.audit.autosave.file.extension timestamp

cifs.audit.autosave.file.limit 0

cifs.audit.autosave.onsize.enable off

cifs.audit.autosave.onsize.threshold 75%

cifs.audit.autosave.ontime.enable on

cifs.audit.autosave.ontime.interval 1d

cifs.audit.enable on

cifs.audit.file_access_events.enable on

cifs.audit.liveview.allowed_users

cifs.audit.liveview.enable off

cifs.audit.logon_events.enable on

cifs.audit.logsize 1048576

cifs.audit.nfs.enable off

cifs.audit.nfs.filter.filename

cifs.audit.saveas /etc/log/adtlog.evt

cifs.bypass_traverse_checking on

cifs.client.dup-detection ip-address

cifs.comment

cifs.enable_share_browsing on

cifs.gpo.enable off

cifs.gpo.trace.enable off

cifs.grant_implicit_exe_perms off

cifs.guest_account

cifs.home_dir_namestyle

cifs.home_dirs_public_for_admin on

cifs.idle_timeout 1800

cifs.ipv6.enable off

cifs.max_mpx 253

cifs.ms_snapshot_mode pre-xp

cifs.netbios_aliases

cifs.netbios_over_tcp.enable on

cifs.nfs_root_ignore_acl off

cifs.oplocks.enable on

cifs.oplocks.opendelta 0

cifs.per_client_stats.enable off

cifs.perfmon.allowed_users

cifs.perm_check_ro_del_ok off

cifs.perm_check_use_gid on

cifs.preserve_unix_security off

cifs.restrict_anonymous 0

cifs.restrict_anonymous.enable off

cifs.save_case on

cifs.scopeid

cifs.search_domains

cifs.show_dotfiles on

cifs.show_snapshot off

cifs.shutdown_msg_level 2

cifs.sidcache.enable on

cifs.sidcache.lifetime 1440

cifs.signing.enable on

cifs.smb2.client.enable on

cifs.smb2.enable on

cifs.smb2.signing.required off

cifs.smb2_1.branch_cache.enable off

cifs.smb2_1.branch_cache.hash_time_out 3600       (value might be overwritten in takeover)

cifs.snapshot_file_folding.enable off

cifs.symlinks.cycleguard on

cifs.symlinks.enable on

cifs.trace_dc_connection off

cifs.trace_login off

cifs.universal_nested_groups.enable on

cifs.widelink.ttl 10m



  • Re: CIFS + OpenLDAP - Plaintext password
    aborzenkov Grand Marshal

    Yes, when using this CIFS setup option you are limited to plain text passwords.

    Sent from iPhone

    On 29.01.2013, at 15:45, "David Beranek" <xdl-communities@communities.netapp.com> wrote:
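The reply above settles the authentication question; the option dump in the question also shows several settings that matter once passwords travel in clear text. The script below is an example added for this thread, not code from NetApp or from either poster. It parses a dump in the `options` output format (a subset of the values posted above, including the line carrying the takeover annotation and one option with an empty value, is embedded as constructed sample input) and flags the settings a reviewer would raise: LDAP without SSL on port 389, an anonymous minimum bind level, optional SMB2 signing and unrestricted anonymous access. The rule table and its wording are this example's own choices, and the `unix_store_auth` flag stands in for the cifs setup choice `(4) /etc/passwd and/or NIS/LDAP authentication`, which is not part of the `options` output.

```python
"""Lint a Data ONTAP 7-mode `options` dump for settings that matter when CIFS
authenticates against a Unix password store (cifs setup choice 4: /etc/passwd,
NIS or LDAP).

Added example for this thread; not NetApp code.  Option names and sample
values are taken from the dump in the question; the rule table, its wording
and the unix_store_auth flag are this example's own assumptions.
"""
from __future__ import annotations

import re

# Constructed sample input: a subset of the posted dump, including the one line
# that carries the "(value might be overwritten in takeover)" annotation and one
# option with an empty value.
SAMPLE_OPTIONS = """\
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.port 389
ldap.ssl.enable off
ldap.nssmap.attribute.userPassword userPassword
cifs.LMCompatibilityLevel 1
cifs.signing.enable on
cifs.smb2.signing.required off
cifs.restrict_anonymous 0
cifs.audit.logon_events.enable on
cifs.smb2_1.branch_cache.hash_time_out 3600       (value might be overwritten in takeover)
cifs.comment
"""

# "<name> <value>" with an optional value; names contain dots, underscores and dashes.
LINE_RE = re.compile(r"^(?P<key>[\w.\-]+)(?:\s+(?P<value>.*?))?\s*$")
TAKEOVER_NOTE = re.compile(r"\s*\(value might be overwritten in takeover\)$")


def parse_options(text: str) -> dict[str, str]:
    """Turn `options` output into {name: value}; options without a value map to ''."""
    opts: dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not "name value"
        opts[m.group("key")] = TAKEOVER_NOTE.sub("", m.group("value") or "")
    return opts


# (option, predicate that is True when the value is weak, finding text)
RULES = [
    ("ldap.ssl.enable", lambda v: v == "off",
     "LDAP queries and binds to the directory are unencrypted; enable LDAP over SSL"),
    ("ldap.minimum_bind_level", lambda v: v == "anonymous",
     "the filer may fall back to an anonymous bind; require simple (over SSL) or sasl"),
    ("cifs.smb2.signing.required", lambda v: v == "off",
     "SMB2 signing is optional, so sessions are not protected against tampering"),
    ("cifs.restrict_anonymous", lambda v: v == "0",
     "anonymous (null-session) access is unrestricted"),
    ("cifs.audit.logon_events.enable", lambda v: v != "on",
     "logon auditing is off; failed logons would not be recorded"),
]


def lint(opts: dict[str, str], unix_store_auth: bool = True) -> list[str]:
    """Return findings, most general first.  unix_store_auth mirrors the cifs
    setup choice, which does not appear in the options dump (assumed flag)."""
    findings: list[str] = []
    if unix_store_auth:
        findings.append(
            "CIFS authenticates against /etc/passwd, NIS or LDAP: the store holds Unix "
            "password hashes, not NT hashes, so SMB challenge/response cannot be verified "
            "and clients must send the password in clear text")
    for key, is_weak, text in RULES:
        if key in opts and is_weak(opts[key]):
            findings.append(f"{key} = {opts[key] or '<empty>'}: {text}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_options(SAMPLE_OPTIONS)):
        print("-", finding)
```

Run it against a full `options` dump saved from the console. The first finding is unconditional in this mode because a Unix store keeps crypt or SSHA hashes rather than the NT hash that SMB challenge/response is computed from, so the filer can only check a password it receives in the clear; that is also why `ldap.ssl.enable off` weighs more heavily here than it would with domain authentication, since the password material the filer compares against is fetched over the same unencrypted LDAP connection. With `cifs.audit.logon_events.enable on`, as in the posted dump, failed plaintext logons are at least recorded, which is the detection side of the same setup.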
