[Samba] Samba4 AD sssd or pam_krb
rowlandpenny at googlemail.com
Mon Dec 30 05:46:53 MST 2013
On 30/12/13 11:38, Chan Min Wai wrote:
> Dear Rowland,
> Sorry if I've confused you.
No, you didn't confuse me, but I think that you are confusing yourself
with the way that you are doing your tests.
> You are correct to say that I've an LDAP and also a Samba AD setup.
> But only one is running at any time.
Have you looked at 'samba-tool domain classicupgrade'? This will take
the info from your existing S3 system and upgrade you to S4 AD; there is
info about this on the Samba wiki.
> At the time being I'm switching to Samba AD (So that it can replace my
> You are correct in saying that this might be an OS-specific issue.
> I'm looking at how people would use it on other OSes, as nss_ldap etc.
> should be working similarly on all Linux distributions (the difference is how we set
> it up).
> I'm thinking that as Samba AD is also running as an LDAP server,
> I should be able to run nss_ldap and connect to it.
nss_ldap is old hat; it had problems and has been replaced with
nss_ldapd. You could also use nslcd or winbind or (if you changed OS) sssd.
> Well, my last test shows that it is working. Just that it has some
> Thank you.
> On Mon, Dec 30, 2013 at 7:14 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
> On 30/12/13 06:19, Chan Min Wai wrote:
>> Dear Rowland
>> You are correct.
>> By changing the server and also the setting in ldap.conf, and also
>> changing back the nsswitch.conf,
>> I can log in as a user which is already in the AD.
>> There are a few notes: by the setup of my ldap.conf, users and
>> groups and computers need to be in a different OU, and ldap reads
>> from this OU with a different nss_base;
>> if using the base DN (location1.domain.com)
>> it will mix up all users, computers
>> and groups, and will have issues.
>> Possibly need to set up a filter on nss_base_xxx (but not sure yet).
>> One issue I face is that when I su to the username it shows:
>> I have no name!@server1/var/log $
>> Which is strange...
>> Checking the log shows this.
>> Dec 30 14:17:48 localhost su: + /dev/pts/1 root:dcmwai
>> Dec 30 14:17:48 localhost su: pam_unix(su:session): session opened for user dcmwai by root(uid=0)
>> Dec 30 14:17:48 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
>> Dec 30 14:17:49 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
>> Dec 30 14:17:51 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
>> Dec 30 14:17:55 localhost -su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
>> Dec 30 14:18:04 localhost -su: nss_ldap: could not search LDAP server - Server is unavailable
>> Dec 30 14:18:06 localhost su: pam_unix(su:session): session closed for user dcmwai
>> Any suggestions on what to look at?
>> getent passwd, shadow, group seem to be showing correctly.
>> Thank You.
>> On Mon, Dec 30, 2013 at 5:12 AM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>> On 29/12/13 19:02, Chan Min Wai wrote:
>>> Dear Rowland,
>>> I think that it does have it, if they are the same as what
>>> Windows AD has, according to the link below.
>> All samba4 AD attributes are the same as Windows AD
>> attributes, because they ARE Windows AD attributes.
>>> Yes, these are the attributes that I use.
>>> winbind might have a weakness on its home and also shell, as
>>> they are not from AD but from smb.conf.
>>> Also, without userPassword you will need to change the pam config
>>> to work with winbind.
>> I think that you are falling into the 'let's put everything on
>> the AD server' trap; it would be better if you just use the
>> S4 AD server for authentication and then set up another
>> server as a fileserver.
>> You would also need to change the pam config if you used
>> sssd, so I cannot see your problem here.
>>> With shadow in AD, your changes on that part will only be in
>>> ldap.conf, which is just uncommenting :)
>> If you use S4 AD as it is meant to be used, you do not need
>> the shadow attributes.
>>> On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>> On 28/12/13 14:38, Chan Min Wai wrote:
>>> Dear Michael,
>>> I'm on Gentoo; as far as I know sssd requires
>>> mit-krb5 and wouldn't compile.
>>> I do hope we can directly use the shadow attributes from
>>> Samba AD and make them
>>> work like LDAP...
>>> The hint is in the name: Samba 4 is an implementation of
>>> Active Directory; it is not at this time LDAP. Having
>>> said that, it does have the 'User' objectClass, which has
>>> the auxiliaryClasses shadowAccount & posixAccount. The
>>> attributes of shadowAccount are:
>>> uid, userPassword, description,
>>> shadowLastChange, shadowMin, shadowMax, shadowWarning,
>>> shadowInactive, shadowExpire, shadowFlag
>>> Are these of any use to you?
>>> Also, if you cannot use sssd, then why not try winbind?
>>> But it is missing access to the userPassword or
>>> shadow* attributes...
>>> On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood
>>> <esiotrot at gmail.com> wrote:
>>> On 24 December 2013 14:12, Chan Min Wai
>>> <dcmwai at gmail.com> wrote:
>>> Dear All,
>>> I was using Samba3 + LDAP central
>>> authentication for the past 5 years.
>>> And since I need to move to Samba4 AD, I was
>>> wondering if there is a way to do
>>> Linux central authentication without sssd
>>> but using pam_krb.
>>> I'm asking this because I've removed
>>> mit-krb5 on my testing machine, as
>>> required by samba4 on my Gentoo.
>>> Samba 4 AD includes its own KDC (based on
>>> Heimdal), but you should be able
>>> to install the MIT krb5 client libs, which are
>>> what sssd or pam_krb would
>>> require. Otherwise, surely they would also work
>>> with the Heimdal client
>>> I don't know how Gentoo packages Samba 4, so it
>>> might be more or less
>>> tricky, but the main thing to do is avoid
>>> installing the MIT KDC.
>>> So without mit-krb5 sssd doesn't compile.
>>> So I was wondering if there is any other solution
>>> and how hard it will be.
>>> I've 2 Linux Gentoo servers that will depend on
>>> this central authentication
>>> (at least the user ID and the GID have to be
>>> without the proper UID and GID display, I
>>> can still see the numbers, just
>>> very inconvenient and hard to see what I'm
>>> Thank You
>>> Michael Wood <esiotrot at gmail.com>
> By reading your last post, it would seem that you are trying to
> store your users etc. in the AD database and also in an LDAP
> database. Why? You only need one.
> Your main problem here (as far as I see it) is that you do not
> seem to understand how Active Directory works. For instance,
> users, groups and computers are all treated as objects and as such
> can be stored in the same place or 'OU'. Your problems are further
> compounded by using an OS that very few others use for a server,
> so the number of people that can help with your OS-specific
> problems is extremely limited.
> Bearing in mind all the problems that you have had to get to here
> (and it is still not working correctly), have you considered using
> a mainstream OS such as CentOS, Debian, Ubuntu etc.? By using a
> mainstream OS, you do not have to keep an eye out for security
> fixes that you would have to apply yourself; you would get them in
> an update from the OS. The other benefit is that you can create a
> new server very quickly, far faster than setting up a Gentoo machine.
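Added example, not code from this thread, from Samba or from nss_ldap: it shows the point made above that users, groups and computers are all objects that can live in the same AD container, and why an NSS backend (the nss_base_xxx filter Chan was unsure about, or nslcd/sssd equivalently) should select POSIX users and groups by LDAP filter rather than by putting each type in its own OU. Because a computer account's objectClass chain in Active Directory includes 'user', a bare (objectClass=user) search would pull machine accounts into passwd. The entries, names, ids and the DC=location1,DC=domain,DC=com suffix are constructed for the example; the nss_base_* lines use nss_ldap's base?scope?filter form and are illustrative, not taken from anyone's ldap.conf. The uidNumber/gidNumber/unixHomeDirectory/loginShell values only exist in Samba AD if the RFC 2307 attributes were populated (for instance with --use-rfc2307 at provision or classicupgrade time).

```python
"""Select POSIX users and groups from a Samba AD subtree by filter, not by OU.
Constructed example: entries, names, ids and the base DN are made up."""

BASE_DN = "DC=location1,DC=domain,DC=com"  # constructed from the thread's domain name

# AD attribute -> passwd field (RFC 2307 / SFU style), the same mapping an
# nss_ldap ldap.conf expresses with nss_map_attribute lines.
PASSWD_MAP = {
    "uid": "sAMAccountName",
    "uidNumber": "uidNumber",
    "gidNumber": "gidNumber",
    "gecos": "displayName",
    "homeDirectory": "unixHomeDirectory",
    "loginShell": "loginShell",
}

# Filters for a subtree search over the whole domain base.  Requiring the
# POSIX id attribute keeps AD objects without RFC 2307 data out; excluding
# objectClass=computer keeps machine accounts out even if one has a uidNumber.
PASSWD_FILTER = "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))"
GROUP_FILTER = "(&(objectClass=group)(gidNumber=*))"


def nss_ldap_base_lines(base_dn):
    """nss_ldap ldap.conf lines in base?scope?filter form: one base, filtered."""
    return [
        f"nss_base_passwd {base_dn}?sub?{PASSWD_FILTER}",
        f"nss_base_shadow {base_dn}?sub?{PASSWD_FILTER}",
        f"nss_base_group  {base_dn}?sub?{GROUP_FILTER}",
    ]


def is_posix_user(entry):
    """Local equivalent of PASSWD_FILTER applied to one search result."""
    oc = set(entry.get("objectClass", []))
    return "user" in oc and "computer" not in oc and "uidNumber" in entry


def is_posix_group(entry):
    """Local equivalent of GROUP_FILTER applied to one search result."""
    return "group" in entry.get("objectClass", []) and "gidNumber" in entry


def passwd_lines(entries):
    """Render the matching user objects as /etc/passwd lines."""
    lines = []
    for e in entries:
        if not is_posix_user(e):
            continue
        f = {field: e.get(attr, "") for field, attr in PASSWD_MAP.items()}
        lines.append("{uid}:x:{uidNumber}:{gidNumber}:{gecos}:"
                     "{homeDirectory}:{loginShell}".format(**f))
    return lines


def group_lines(entries):
    """Render the matching group objects as /etc/group lines.  Member DNs are
    resolved to login names; members that are not POSIX users themselves
    (computers, users without uidNumber) are dropped."""
    name_by_dn = {e["dn"]: e["sAMAccountName"] for e in entries if is_posix_user(e)}
    lines = []
    for e in entries:
        if not is_posix_group(e):
            continue
        members = [name_by_dn[dn] for dn in e.get("member", []) if dn in name_by_dn]
        lines.append(f"{e['sAMAccountName']}:x:{e['gidNumber']}:{','.join(members)}")
    return lines


# Constructed sample of what a subtree search over BASE_DN might return.
SAMPLE_ENTRIES = [
    {"dn": f"CN=alice,CN=Users,{BASE_DN}",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "alice", "displayName": "Alice Example",
     "uidNumber": "10001", "gidNumber": "10000",
     "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    # AD user with no RFC 2307 attributes: not a POSIX account
    {"dn": f"CN=bob,CN=Users,{BASE_DN}",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "bob", "displayName": "Bob Example"},
    # machine account; given a uidNumber here so the objectClass check is exercised
    {"dn": f"CN=SERVER1,CN=Computers,{BASE_DN}",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": "SERVER1$", "uidNumber": "99999", "gidNumber": "10000"},
    {"dn": f"CN=unixusers,CN=Users,{BASE_DN}",
     "objectClass": ["top", "group"], "sAMAccountName": "unixusers",
     "gidNumber": "10000",
     "member": [f"CN=alice,CN=Users,{BASE_DN}", f"CN=bob,CN=Users,{BASE_DN}",
                f"CN=SERVER1,CN=Computers,{BASE_DN}"]},
    # AD group without gidNumber: not a POSIX group
    {"dn": f"CN=Domain Admins,CN=Users,{BASE_DN}",
     "objectClass": ["top", "group"], "sAMAccountName": "Domain Admins",
     "member": [f"CN=alice,CN=Users,{BASE_DN}"]},
]

if __name__ == "__main__":
    print("\n".join(nss_ldap_base_lines(BASE_DN)))
    print("\n".join(passwd_lines(SAMPLE_ENTRIES)))
    print("\n".join(group_lines(SAMPLE_ENTRIES)))
```

Run stand-alone it prints the three nss_base_* lines, one passwd line for alice, and one group line for unixusers whose only listed member is alice: bob has no uidNumber and SERVER1$ is a computer, so neither is an account and neither appears as a group member. The same exclusion is what keeps `getent passwd` from showing machine accounts when everything is read from the domain base instead of per-type OUs.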