[Samba] Linux machine to join Samba Domain

Rowland Penny rowlandpenny at googlemail.com
Wed Apr 2 11:02:49 MDT 2014 

On 02/04/14 17:11, vikas wrote:
> okay installed latest sssd and created sssd.conf file now where to go? 
> how do i auth using Domain user? Or is there any thing more to do ? 
> How do i verify things are now working(getent group shows only local 
> info) ?
>
> sssd.conf
> [domain/IK.LOCAL]
>
> autofs_provider = ldap
> cache_credentials = False
> debug_level = 6
> krb5_realm = IK.LOCAL
> ldap_search_base = ou=users,dc=ik,dc=local
> id_provider = ldap
> auth_provider = ldap
> min_id = 10
> max_id = 99999
> chpass_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldap://192.168.10.16/
> ldap_id_use_start_tls = False
> ldap_tls_reqcert = never
> #ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_group_search_base = ou=group,dc=ik,dc=local
> ldap_user_name=uid
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
>
> domains = IK.LOCAl
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> add entry to hosts and resolv.conf
>
> On Wednesday 02 April 2014 05:58 PM, Rowland Penny wrote:
>> On 02/04/14 13:20, vikas wrote:
>>> Hi
>>> thanks for reply,
>>>
>>> i need to start from scratch can some one tell/help with sssd.
>>>
>>> question after reading 
>>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>>> what should i do to start ? Do i have to install sssd on server ?
>>>
>>> i tried to compile latest version on client ubuntu 12.04 64bit but 
>>> it was asking that you do not have any openldap server so i though i 
>>> should go with apt-get install samba-common-bin sssd sssd-tools 
>>> autofs krb5-user ?
>>>
>>>
>> If you need the latest (well not quite the latest) sssd for 12.04, 
>> see here:
>>
>> https://launchpad.net/~sssd/+archive/updates
>>
>> Rowland
>>> Samba compile and domain option used:
>>> ./configure --enable-debug --enable-selftest
>>> $/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 
>>> --interactive
>>>
>>> smb.conf *short version *
>>> [global]
>>>         workgroup = IK
>>>         realm = IK.LOCAL
>>>         netbios name = DC
>>>         server role = active directory domain controller
>>>         dns forwarder = 192.168.1.1
>>>         idmap_ldb:use rfc2307 = yes
>>>         log file = /var/log/samba/log.%I
>>>         log level = 0
>>>         printing = bsd
>>>         printcap name = /dev/null
>>>         syslog = 0
>>> #       include = /usr/local/samba/etc/smb.conf.client-%I
>>>
>>> smb.conf *long version*
>>> http://pastebin.com/P0V8BxAF
>>>
>>>
>>> PS: i just tried likewise which worked great but it was not what i 
>>> want. Just thinking that if likewise can work, without modifying any 
>>> thing on server how do i start with other tool(sssd,nslcd etc)
>>>
>>>     On Saturday 29 March 2014 06:33 PM, steve wrote:
>>>> On Sat, 2014-03-29 at 17:50 +0530, vikas wrote:
>>>>> On Tuesday 18 March 2014 08:32 PM, Sven Schwedas wrote:
>>>>>> On 2014-03-18 15:48, vikas wrote:
>>>>>>> hi.. all...
>>>>>>>
>>>>>>> can some one help me understanding how to add linux (mostly 
>>>>>>> ubuntu,suse
>>>>>>> etc)
>>>>>>>
>>>>>>> what exactly i am looking for is what one should do on linux 
>>>>>>> machine
>>>>>>> like editing /etc/nssswitch.conf, pam related file etc..but i 
>>>>>>> dont find
>>>>>>> any standard way where one can add any linux machine to samba 
>>>>>>> domain
>>>>>> Because there isn't any. :-)
>>>>>>
>>>>>>> my goal is to just get authenticate through Samba
>>>>>> There's several ways for that...
>>>>>>
>>>>>>    . Use winbindd. This is probably the most direct equivalent to 
>>>>>> Windows'
>>>>>> "domain join". It's also crap and only has very limited features 
>>>>>> right
>>>>>> now (Shell, home etc. aren't read from AD, but statically 
>>>>>> configured).
>>>>>>
>>>>>>    . Use pam_ldap, and nss_ldap, and pam_ccreds, and probably 
>>>>>> half a dozen
>>>>>> other ill-documented tidbits and not-quite-sufficient software 
>>>>>> bits and
>>>>>> stitch together a working environment. It's as flexible as it's 
>>>>>> error
>>>>>> prone, but should work with all corner cases and distributions. 
>>>>>> Eventually.
>>>>>>
>>>>>>    . Use sssd. It's made by RedHat and should be the default for 
>>>>>> CentOS,
>>>>>> and works sufficiently well with Samba. Needs a bit more client-side
>>>>>> configuration than winbind iirc, but actually uses the provided AD
>>>>>> information like shell and home dir.
>>>>>>
>>>>>>
>>>>>>> Windows machine are successful getting connected to samba with all
>>>>>>> policy working like USB disable through regedit, disable drives 
>>>>>>> etc.
>>>>>> All of these provide authentication only, though. There's no policy
>>>>>> support, you'd need to use some other sync/deployment method for 
>>>>>> PolKit
>>>>>> et. al. (and can't configure them via AD, as far as I know).
>>>>>>
>>>>>>
>>>>> Hi..all
>>>>> i am trying to authenticate linux machine to samba4 for which i am
>>>>> trying very hard to do using below mention links
>>>>> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html 
>>>>>
>>>>> http://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/ 
>>>>>
>>>>>
>>>>> using linuxcosta link i was somewhat near to success(joined domain 
>>>>> ) but
>>>>> not able to login using domain user the only error it was showing was
>>>>> could not contact to ldap server (on local machine) . On server there
>>>>> was no error activity.
>>>> OK, you you've joined the domain but can't authenticate? Please post:
>>>> -smb.conf
>>>> -/etc/krb5.conf
>>>> -the output of:
>>>> klist -ke /etc/krb5.keytab
>>>> -/etc/nslcd.conf
>>>> -/etc/nsswitch.conf
>>>>
>>>> And we'll get you authenticated.
>>>> Cheers,
>>>> Steve
>>>
>>>
>>>
>>>> On Saturday 29 March 2014 06:48 PM, Rowland Penny wrote:
>>>> Just what did you do? and what are you confused about?
>>>>  From what you have posted, I think that you want to authenticate 
>>>> ubuntu
>>>> & suse clients to a Centos samba4 AD server. This should not be a
>>>> problem if you follow the instructions on Steves blog :
>>>> http://linuxcostablanca.blogspot.com.es
>>>>
>>>> Just try coming forward in time a bit on his blog, sometime in April
>>>> 2013, I think.
>>>>
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>
OK, I am sure that you posted that the client is joined to a Samba4 AD 
domain, if so this is my sssd.conf from my laptop, I have sanitized it, 
replace example.com with your realm (respecting case) and CLIENT$ with 
the hostname of your client.

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[nss]

[pam]

[domain/example.com]
cache_credentials = true
enumerate = true
#enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_server = DC.example.com
krb5_kpasswd = DC.example.com
krb5_realm = example.com

ldap_referrals = false

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CLIENT$@example.com
ldap_krb5_init_creds = true

This relies on the users & groups having uidNumber's & gidNumber's in 
AD, get this working, then add the autofs parts.

Rowland

More information about the samba mailing list