[Samba] Re: Single Sign On

Sat Feb 14 23:39:31 GMT 2004

On Sat, 14 Feb 2004, Jamrock wrote:

> "Mani, Greg SPAWAR" <greg.mani at navy.mil> wrote in message
> news:00E4BF0C009B8544B4010B1D6D86E42A0144A592 at NAWESPSCEX08VA.nadsuswe.nads.navy.mil...
> >      We have a network of PCs running XP and servers running Win 2k and
> Win 2003.  User Account management is done with Active Directory (AD).  We
> want to add some Sun Solaris computers to this network.  One of the network
> guys said that Samba could be used as a single sign on solution for a
> network of Windows and Solaris computers.  He said that Samba 3.x provided
> the capability to use Active Directory to manage/synchronize the user
> accounts.  In other words, with Samba, the accounts on the AD server could
> be used when logging onto the Solaris computers, the Xp computers, and the
> Windows servers.

Samba-3 can be a full native Active Directory member server. Through the
use of winbind (as documented in the Samba-HOWTO-Collection - also
available as "The Official Samba-3 HOWTO and Reference Guide" book - see
Amazon.Com) you can use Active Directory user accounts to log onto the
Solaris client (domain member). If you want to do this you must configure
Samba (smb.conf), PAM (/etc/pam.conf) and NSS (/etc/nsswitch.conf) for
this to work.

>
> You did not specify how you wanted to use the Solaris machines.  Do you want
> to run Solaris applications on them or do you want them to be able to access
> shares on the Windows network?

I believe this was not intimated in the original question.

>
> Samba will allow your Unix/Linux machines to access Windows shares.  This
> happens because Samba uses the same SMB/CIFS protocol that Windows uses.

Yes, only through smbclient. Please note that smbfs (smbmount, smbumount,
et al.) are not part of Samba and are not supported on Solaris.

Samba is designed primarily to support access of UNIX resources from
Windows clients as if the UNIX server is a Windows 200x server.

>
> Single Sign On  (SSO) to me is a separate issue.  SSO allows you to have one
> database of usernames and passwords.  Users can access this database and be
> authenticated no matter which operating system they are using.

Corect. That is exactly what winbind permits. The question asked
originally was quite valid and on target. Samba winbind permits use of the
Windows (NT4 style or ADS style) accounts (users and groups) for
UNIX/Linux system logins.

>
> OpenLDAP is one of the user database backends that Samba 3.x can use.
>
> If you use an OpenLDAP database of usernames and passwords, Windows clients
> and Linux/Unix clients can use it for authentication.
>
> To do this you would need to use a Linux/Unix machine running Samba and
> OpenLDAP for authentication.

These comments are not relevant to the question asked.

> The Linux/Unix client's don't need Samba.  OpenLDAP can be used to replace
> the traditional password files that Linux/Unix machines use for user
> authentication.

Winbind permits the use of Windows domain accounts as if they were in
/etc/passwd (or any other password backend).

>
> The Windows clients need Samba and OpenLDAP.

Nope. Windows clients can use Windows domain accounts. :)
PS: I know I am splitting hairs here!

>
>  A Samba member server can authenticate against Active Directory,  However,
> Samba will not allow you to use Active Directory to authenticate the Solaris
> boxes.

Wrong! Samba through winbindd (a part of Samba) permits precisely this.

>
> This is my understanding of how the process works.  Perhaps John or Jerry
> would like to comment.

So I did chime in here.

Cheers,
John T.
-- 
John H Terpstra
Email: jht at samba.org