Beyond samba4 wiki page

Colin Simpson Colin.Simpson at
Fri Oct 12 05:50:00 MDT 2012

On Thu, 2012-10-11 at 21:28 +0200, Marc.Muehlfelda wrote:
> On 08.10.2012 21:57, Marc Muehlfeld wrote:
> > I created a new page and started adding some first topics:
> >
> >
> I added two more topics to the page I've created.
> Maybe you can have a short look at the page and give me some feedback.
> Maybe you have improvement suggestions. If you find it useful, I can add some
> more topics in the next while.
> Is it OK to link it at the bottom of the s4 howto? I guess many could be
> interested in linking other services to their s4 AD after the installation/migration.
> Regards,
> Marc

Great thing to put out there.

But I'm not sure that authenticating Apache via LDAP on an AD-style directory is the best
method. Much, much better to use Kerberos; this then allows true single
sign-on, i.e. once you log in to a Linux or Windows machine you should get
a TGT and then not be challenged for a password in your browser unless your TGT has
expired or is non-existent. This blog is pretty good on setting this up:

Not sure how you do the equivalent of ktpass.exe with Samba 4 (I'm sure
it's easily possible). I was working against a Windows AD.

On the browser side you just need the following (IE will just work):

Firefox needs about:config

"network.negotiate-auth.trusted-uris" set to "http://sitename" or
"http://" (if feeling brave).

"network.negotiate-auth.using-native-gsslib" enabled on Windows and off
on Linux

Chrome is pretty easy:

google-chrome --auth-server-whitelist="http://sitename"

Or these auth options can be "*" if feeling brave (unwise) on Chrome.

A good section would also be passwordless SSH too.

/etc/ssh/sshd_config containing (OpenSSH only accepts "#" comments on their
own line, not after a value, so the "if your version supports this" notes go
on separate lines):

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# The next two only if your version supports them
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

/etc/ssh/ssh_config containing

Host *
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        # The next two only if your version supports them
        GSSAPIKeyExchange yes
        GSSAPIRenewalForcesRekey yes
        GSSAPITrustDns yes

I don't know if Winbind adds "host/" SPNs by default when used against a
Samba 4 domain.
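An added example, not part of Colin's message or of the Samba project: a small Python checker for the two Kerberos SSO settings discussed above. It parses OpenSSH-style config text the way sshd/ssh read it (a "#" after a value is not a comment; OpenSSH rejects the file with "garbage at end of line"), confirms the GSSAPI keywords are present and set to yes, and flags browser SPNEGO trust-list entries ("*", "http://", "https://") that would let the browser offer a Kerberos ticket to any host. The sample config text and trust-list values are constructed for the example.

```python
# Added example, not from the original e-mail. Checks the two Kerberos SSO
# settings the message discusses: OpenSSH GSSAPI options and the browser
# SPNEGO trust list. All sample input below is constructed.
from typing import Dict, List, Tuple

# Keywords the e-mail lists for the server and client side respectively.
SSHD_GSSAPI = ["GSSAPIAuthentication", "GSSAPICleanupCredentials"]
SSH_GSSAPI = ["GSSAPIAuthentication", "GSSAPIDelegateCredentials", "GSSAPITrustDns"]


def parse_ssh_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse 'Keyword value' lines as OpenSSH reads them.

    Returns (options, problems). options maps the lower-cased keyword to its
    first argument. OpenSSH only treats '#' as a comment at the start of a
    line; a '#' after the value is parsed as extra arguments and the daemon
    refuses the file ("garbage at end of line"), so such lines are reported.
    """
    options: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or full-line comment: fine
        parts = line.split()
        if len(parts) < 2:
            problems.append(f"line {lineno}: keyword {parts[0]!r} has no value")
            continue
        if any(p.startswith("#") for p in parts[1:]):
            problems.append(f"line {lineno}: inline comment after value: {line!r}")
        options[parts[0].lower()] = parts[1].lower()
    return options, problems


def missing_gssapi(options: Dict[str, str], required: List[str]) -> List[str]:
    """Return the required GSSAPI keywords that are absent or not 'yes'."""
    return [kw for kw in required if options.get(kw.lower()) != "yes"]


def risky_trust_entries(value: str) -> List[str]:
    """Return entries of a browser SPNEGO trust list (Firefox
    network.negotiate-auth.trusted-uris or Chrome --auth-server-whitelist)
    that would let the browser hand a Kerberos ticket to any host."""
    broad = {"*", "http://", "https://"}
    return [e.strip() for e in value.split(",") if e.strip() in broad]


# Constructed sample: sshd_config with trailing comments, as often written
SSHD_AS_POSTED = """\
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes # If your version supports this
GSSAPIStoreCredentialsOnRekey yes # If your version supports this
"""

# Constructed sample: the same options with the comments on their own lines
SSHD_FIXED = """\
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# Only if your OpenSSH build supports these two:
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
"""


def report(name: str, text: str, required: List[str]) -> List[str]:
    """Run both ssh config checks and return the findings as strings."""
    options, problems = parse_ssh_config(text)
    findings = [f"{name}: {p}" for p in problems]
    for kw in missing_gssapi(options, required):
        findings.append(f"{name}: {kw} missing or not 'yes'")
    return findings


if __name__ == "__main__":
    for name, text in [("as posted", SSHD_AS_POSTED), ("fixed", SSHD_FIXED)]:
        for line in report(name, text, SSHD_GSSAPI) or [f"{name}: OK"]:
            print(line)
    # intranet.example.com is a constructed hostname
    for trust in ["http://intranet.example.com", "http://", "*"]:
        print(f"trust list {trust!r}: risky entries {risky_trust_entries(trust)}")
```

On a real host, `sshd -t` and `ssh -G hostname` perform the same parse against the live files; the checker above is only a way to see why the trailing-comment form fails before you touch a production sshd.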



