[Samba] Linux machine to join Samba Domain
Rowland Penny
rowlandpenny at googlemail.com
Wed Apr 2 11:02:49 MDT 2014
On 02/04/14 17:11, vikas wrote:
> OK, installed latest sssd and created sssd.conf file, now where to go?
> How do I auth using a Domain user? Or is there anything more to do?
> How do I verify things are now working (getent group shows only local
> info)?
>
> sssd.conf
> [domain/IK.LOCAL]
>
> autofs_provider = ldap
> cache_credentials = False
> debug_level = 6
> krb5_realm = IK.LOCAL
> ldap_search_base = ou=users,dc=ik,dc=local
> id_provider = ldap
> auth_provider = ldap
> min_id = 10
> max_id = 99999
> chpass_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldap://192.168.10.16/
> ldap_id_use_start_tls = False
> ldap_tls_reqcert = never
> #ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_group_search_base = ou=group,dc=ik,dc=local
> ldap_user_name=uid
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
>
> domains = IK.LOCAL
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> add entry to hosts and resolv.conf
>
> On Wednesday 02 April 2014 05:58 PM, Rowland Penny wrote:
>> On 02/04/14 13:20, vikas wrote:
>>> Hi,
>>> thanks for the reply.
>>>
>>> I need to start from scratch; can someone tell/help me with sssd.
>>>
>>> Question after reading
>>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>>> what should I do to start? Do I have to install sssd on the server?
>>>
>>> I tried to compile the latest version on the client (ubuntu 12.04 64bit)
>>> but it was saying that you do not have any openldap server, so I thought
>>> I should go with apt-get install samba-common-bin sssd sssd-tools
>>> autofs krb5-user ?
>>>
>>>
>> If you need the latest (well not quite the latest) sssd for 12.04,
>> see here:
>>
>> https://launchpad.net/~sssd/+archive/updates
>>
>> Rowland
>>> Samba compile and domain option used:
>>> ./configure --enable-debug --enable-selftest
>>> $/usr/local/samba/bin/samba-tool domain provision --use-rfc2307
>>> --interactive
>>>
>>> smb.conf *short version *
>>> [global]
>>> workgroup = IK
>>> realm = IK.LOCAL
>>> netbios name = DC
>>> server role = active directory domain controller
>>> dns forwarder = 192.168.1.1
>>> idmap_ldb:use rfc2307 = yes
>>> log file = /var/log/samba/log.%I
>>> log level = 0
>>> printing = bsd
>>> printcap name = /dev/null
>>> syslog = 0
>>> # include = /usr/local/samba/etc/smb.conf.client-%I
>>>
>>> smb.conf *long version*
>>> http://pastebin.com/P0V8BxAF
>>>
>>>
>>> PS: I just tried likewise, which worked great, but it was not what I
>>> want. Just thinking that if likewise can work without modifying any
>>> thing on the server, how do I start with other tools (sssd, nslcd etc)?
>>>
>>> On Saturday 29 March 2014 06:33 PM, steve wrote:
>>>> On Sat, 2014-03-29 at 17:50 +0530, vikas wrote:
>>>>> On Tuesday 18 March 2014 08:32 PM, Sven Schwedas wrote:
>>>>>> On 2014-03-18 15:48, vikas wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> can someone help me understand how to add linux (mostly ubuntu, suse
>>>>>>> etc)?
>>>>>>>
>>>>>>> What exactly I am looking for is what one should do on a linux
>>>>>>> machine, like editing /etc/nsswitch.conf, pam related files etc., but I
>>>>>>> don't find any standard way where one can add any linux machine to a
>>>>>>> samba domain.
>>>>>> Because there isn't any. :-)
>>>>>>
>>>>>>> my goal is to just get authenticate through Samba
>>>>>> There's several ways for that...
>>>>>>
>>>>>> . Use winbindd. This is probably the most direct equivalent to Windows'
>>>>>> "domain join". It's also crap and only has very limited features right
>>>>>> now (Shell, home etc. aren't read from AD, but statically configured).
>>>>>>
>>>>>> . Use pam_ldap, and nss_ldap, and pam_ccreds, and probably half a dozen
>>>>>> other ill-documented tidbits and not-quite-sufficient software bits and
>>>>>> stitch together a working environment. It's as flexible as it's error
>>>>>> prone, but should work with all corner cases and distributions.
>>>>>> Eventually.
>>>>>>
>>>>>> . Use sssd. It's made by RedHat and should be the default for CentOS,
>>>>>> and works sufficiently well with Samba. Needs a bit more client-side
>>>>>> configuration than winbind iirc, but actually uses the provided AD
>>>>>> information like shell and home dir.
>>>>>>
>>>>>>
>>>>>>> Windows machines are successfully getting connected to samba with all
>>>>>>> policies working, like USB disable through regedit, disable drives etc.
>>>>>> All of these provide authentication only, though. There's no policy
>>>>>> support, you'd need to use some other sync/deployment method for PolKit
>>>>>> et al. (and can't configure them via AD, as far as I know).
>>>>>>
>>>>>>
>>>>> Hi all,
>>>>> I am trying to authenticate a linux machine to samba4, for which I am
>>>>> trying very hard using the below mentioned links
>>>>> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
>>>>>
>>>>> http://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/
>>>>>
>>>>>
>>>>> Using the linuxcosta link I was somewhat near to success (joined domain)
>>>>> but not able to login using a domain user; the only error it was showing
>>>>> was "could not contact ldap server" (on the local machine). On the server
>>>>> there was no error activity.
>>>> OK, so you've joined the domain but can't authenticate? Please post:
>>>> -smb.conf
>>>> -/etc/krb5.conf
>>>> -the output of:
>>>> klist -ke /etc/krb5.keytab
>>>> -/etc/nslcd.conf
>>>> -/etc/nsswitch.conf
>>>>
>>>> And we'll get you authenticated.
>>>> Cheers,
>>>> Steve
>>>
>>>
>>>
>>>> On Saturday 29 March 2014 06:48 PM, Rowland Penny wrote:
>>>> Just what did you do? And what are you confused about?
>>>> From what you have posted, I think that you want to authenticate
>>>> ubuntu & suse clients to a Centos samba4 AD server. This should not be a
>>>> problem if you follow the instructions on Steve's blog:
>>>> http://linuxcostablanca.blogspot.com.es
>>>>
>>>> Just try coming forward in time a bit on his blog, sometime in April
>>>> 2013, I think.
>>>>
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>
OK, I am sure that you posted that the client is joined to a Samba4 AD
domain. If so, this is my sssd.conf from my laptop; I have sanitized it:
replace example.com with your realm (respecting case) and CLIENT$ with
the hostname of your client.
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
[nss]
[pam]
[domain/example.com]
cache_credentials = true
enumerate = true
#enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
krb5_server = DC.example.com
krb5_kpasswd = DC.example.com
krb5_realm = example.com
ldap_referrals = false
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CLIENT$@example.com
ldap_krb5_init_creds = true
This relies on the users & groups having uidNumbers & gidNumbers in
AD; get this working, then add the autofs parts.
Rowland
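The two configs in this thread differ in one security-relevant way: the one posted earlier authenticates with an LDAP simple bind over plain ldap:// (StartTLS off, certificate checking off), while the reply moves authentication to Kerberos and binds to LDAP with GSSAPI. The earlier config also lists a domain name that does not exactly match its [domain/...] section header. The script below is an added example for this thread, not code from the Samba or SSSD projects; it lints an sssd.conf for both problems. The two embedded sample configs are constructed, trimmed versions of the ones quoted above, and the function names (parse_sssd_conf, is_true, lint) are this example's own.

```python
"""Lint an sssd.conf before pointing a Linux client at a Samba AD domain.

Added example for this thread, not code from the Samba or SSSD projects.
It reads an sssd.conf with configparser and reports the two kinds of problem
visible in the configs quoted above: an entry in `domains =` with no matching
`[domain/...]` section, and an LDAP provider that would send users' passwords
over an unencrypted ldap:// connection.
"""
import configparser
import sys
from typing import List

# Constructed sample shaped like the client config posted earlier in the
# thread (trimmed).  Note the trailing lower-case "l" in "IK.LOCAl" and the
# cleartext LDAP settings.
CLIENT_CONF = """\
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = IK.LOCAl

[domain/IK.LOCAL]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.10.16/
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_schema = rfc2307
"""

# Constructed sample shaped like the Kerberos/GSSAPI config in the reply.
KRB5_CONF = """\
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = example.com
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CLIENT$@example.com
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text.  sssd uses INI syntax: key = value, '#' comments."""
    cp = configparser.ConfigParser(
        allow_no_value=True, delimiters=("=",),
        comment_prefixes=("#", ";"), interpolation=None,
    )
    cp.optionxform = str  # keep key case as written; sssd keys are case-sensitive
    cp.read_string(text)
    return cp


def is_true(value) -> bool:
    """sssd accepts true/false in several spellings; anything else counts as false."""
    return (value or "").strip().lower() in ("true", "yes", "on", "1")


def lint(cp: configparser.ConfigParser) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    # 1. Every name in [sssd] domains needs its own [domain/<name>] section.
    #    The match is exact, so a case slip silently leaves the domain unconfigured.
    raw = cp.get("sssd", "domains", fallback="") or ""
    domains = [d.strip() for d in raw.split(",") if d.strip()]
    if not domains:
        findings.append("[sssd]: no 'domains' entry, so no identity/auth backend is started")
    for name in domains:
        wanted = f"domain/{name}"
        if not cp.has_section(wanted):
            near = [s for s in cp.sections() if s.lower() == wanted.lower()]
            hint = f" (did you mean [{near[0]}]?)" if near else ""
            findings.append(f"[sssd]: domains lists '{name}' but there is no [{wanted}] section{hint}")

    # 2. Transport checks for each domain that authenticates against LDAP.
    #    auth_provider falls back to id_provider when it is not set.
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        auth = (d.get("auth_provider") or d.get("id_provider") or "").strip()
        uri = (d.get("ldap_uri") or "").strip()
        if auth == "ldap" and uri.startswith("ldap://") and not is_true(d.get("ldap_id_use_start_tls")):
            findings.append(
                f"{section}: auth_provider=ldap over {uri} with StartTLS off; an LDAP simple bind "
                "sends the user's password in the clear, and sssd refuses password auth without TLS"
            )
        if (d.get("ldap_tls_reqcert") or "").strip().lower() == "never":
            findings.append(
                f"{section}: ldap_tls_reqcert=never disables server certificate checking, "
                "so any host answering on the wire can impersonate the DC"
            )
    return findings


if __name__ == "__main__":
    # Usage: python sssd_lint.py /etc/sssd/sssd.conf   (no argument: lint the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sources = {sys.argv[1]: fh.read()}
    else:
        sources = {"client sample": CLIENT_CONF, "krb5 sample": KRB5_CONF}
    for label, text in sources.items():
        print(f"== {label}")
        for line in lint(parse_sssd_conf(text)) or ["no findings"]:
            print("  -", line)
```

Run it against the real file with `python sssd_lint.py /etc/sssd/sssd.conf` before starting sssd; the client sample above yields three findings (the domain name mismatch and the two cleartext-LDAP settings), the Kerberos sample yields none.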