[Samba] Linux machine to join Samba Domain

vikas c.vikas at altechtechnologies.com
Thu Apr 3 10:22:05 MDT 2014


On Wednesday 02 April 2014 10:32 PM, Rowland Penny wrote:
> On 02/04/14 17:11, vikas wrote:
>> Okay, I installed the latest sssd and created the sssd.conf file; now where do 
>> I go? How do I authenticate using a domain user? Or is there anything more to do? 
>> How do I verify that things are now working (getent group shows only 
>> local info)?
>>
>> sssd.conf
>> [domain/IK.LOCAL]
>>
>> autofs_provider = ldap
>> cache_credentials = False
>> debug_level = 6
>> krb5_realm = IK.LOCAL
>> ldap_search_base = ou=users,dc=ik,dc=local
>> id_provider = ldap
>> auth_provider = ldap
>> min_id = 10
>> max_id = 99999
>> chpass_provider = ldap
>> ldap_schema = rfc2307
>> ldap_uri = ldap://192.168.10.16/
>> ldap_id_use_start_tls = False
>> ldap_tls_reqcert = never
>> #ldap_tls_cacertdir = /etc/openldap/cacerts
>> ldap_group_search_base = ou=group,dc=ik,dc=local
>> ldap_user_name = uid
>> [sssd]
>> services = nss, pam, autofs
>> config_file_version = 2
>>
>> # must name the [domain/...] section exactly
>> domains = IK.LOCAL
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>> add entry to hosts and resolv.conf
>>
>> On Wednesday 02 April 2014 05:58 PM, Rowland Penny wrote:
>>> On 02/04/14 13:20, vikas wrote:
>>>> Hi,
>>>> thanks for the reply.
>>>>
>>>> I need to start from scratch; can someone tell me about / help me with sssd?
>>>>
>>>> A question after reading 
>>>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>>>> : what should I do to start? Do I have to install sssd on the server?
>>>>
>>>> I tried to compile the latest version on the client (Ubuntu 12.04 64-bit), but 
>>>> it complained that there is no OpenLDAP server, so I thought 
>>>> I should go with apt-get install samba-common-bin sssd sssd-tools 
>>>> autofs krb5-user?
>>>>
>>>>
>>> If you need the latest (well not quite the latest) sssd for 12.04, 
>>> see here:
>>>
>>> https://launchpad.net/~sssd/+archive/updates
>>>
>>> Rowland
>>>> Samba compile and domain options used:
>>>> ./configure --enable-debug --enable-selftest
>>>> $ /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 
>>>> --interactive
>>>>
>>>> smb.conf *short version*
>>>> [global]
>>>>         workgroup = IK
>>>>         realm = IK.LOCAL
>>>>         netbios name = DC
>>>>         server role = active directory domain controller
>>>>         dns forwarder = 192.168.1.1
>>>>         idmap_ldb:use rfc2307 = yes
>>>>         log file = /var/log/samba/log.%I
>>>>         log level = 0
>>>>         printing = bsd
>>>>         printcap name = /dev/null
>>>>         syslog = 0
>>>> #       include = /usr/local/samba/etc/smb.conf.client-%I
>>>>
>>>> smb.conf *long version*
>>>> http://pastebin.com/P0V8BxAF
>>>>
>>>>
>>>> PS: I just tried Likewise, which worked great, but it was not what I 
>>>> want. Just thinking: if Likewise can work without modifying 
>>>> anything on the server, how do I start with another tool (sssd, nslcd etc.)?
>>>>
>>>> On Saturday 29 March 2014 06:33 PM, steve wrote:
>>>>> On Sat, 2014-03-29 at 17:50 +0530, vikas wrote:
>>>>>> On Tuesday 18 March 2014 08:32 PM, Sven Schwedas wrote:
>>>>>>> On 2014-03-18 15:48, vikas wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> can someone help me understand how to add Linux (mostly 
>>>>>>>> Ubuntu, SUSE
>>>>>>>> etc.)?
>>>>>>>>
>>>>>>>> What exactly I am looking for is what one should do on the Linux 
>>>>>>>> machine,
>>>>>>>> like editing /etc/nsswitch.conf, PAM-related files etc., but I 
>>>>>>>> don't find
>>>>>>>> any standard way where one can add any Linux machine to a Samba 
>>>>>>>> domain.
>>>>>>> Because there isn't any. :-)
>>>>>>>
>>>>>>>> My goal is just to get authenticated through Samba.
>>>>>>> There's several ways for that...
>>>>>>>
>>>>>>>    . Use winbindd. This is probably the most direct equivalent 
>>>>>>> to Windows'
>>>>>>> "domain join". It's also crap and only has very limited features 
>>>>>>> right
>>>>>>> now (Shell, home etc. aren't read from AD, but statically 
>>>>>>> configured).
>>>>>>>
>>>>>>>    . Use pam_ldap, and nss_ldap, and pam_ccreds, and probably 
>>>>>>> half a dozen
>>>>>>> other ill-documented tidbits and not-quite-sufficient software 
>>>>>>> bits and
>>>>>>> stitch together a working environment. It's as flexible as it's 
>>>>>>> error
>>>>>>> prone, but should work with all corner cases and distributions. 
>>>>>>> Eventually.
>>>>>>>
>>>>>>>    . Use sssd. It's made by RedHat and should be the default for 
>>>>>>> CentOS,
>>>>>>> and works sufficiently well with Samba. Needs a bit more 
>>>>>>> client-side
>>>>>>> configuration than winbind iirc, but actually uses the provided AD
>>>>>>> information like shell and home dir.
>>>>>>>
>>>>>>>
>>>>>>>> Windows machines are successfully getting connected to Samba with all
>>>>>>>> policies working, like USB disable through regedit, disable drives 
>>>>>>>> etc.
>>>>>>> All of these provide authentication only, though. There's no policy
>>>>>>> support, you'd need to use some other sync/deployment method for 
>>>>>>> PolKit
>>>>>>> et. al. (and can't configure them via AD, as far as I know).
>>>>>>>
>>>>>>>
>>>>>> Hi all,
>>>>>> I am trying to authenticate a Linux machine to Samba4, which I am
>>>>>> trying very hard to do using the below-mentioned links:
>>>>>> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html 
>>>>>>
>>>>>> http://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/ 
>>>>>>
>>>>>>
>>>>>> Using the linuxcosta link I was somewhat near to success (joined the 
>>>>>> domain) but
>>>>>> not able to log in using a domain user; the only error it was showing 
>>>>>> was
>>>>>> that it could not contact the LDAP server (on the local machine). On the server 
>>>>>> there
>>>>>> was no error activity.
>>>>> OK, so you've joined the domain but can't authenticate? Please post:
>>>>> -smb.conf
>>>>> -/etc/krb5.conf
>>>>> -the output of:
>>>>> klist -ke /etc/krb5.keytab
>>>>> -/etc/nslcd.conf
>>>>> -/etc/nsswitch.conf
>>>>>
>>>>> And we'll get you authenticated.
>>>>> Cheers,
>>>>> Steve
>>>>
>>>>
>>>>
>>>>> On Saturday 29 March 2014 06:48 PM, Rowland Penny wrote:
>>>>> Just what did you do? and what are you confused about?
>>>>> From what you have posted, I think that you want to authenticate 
>>>>> Ubuntu
>>>>> & SUSE clients to a CentOS Samba4 AD server. This should not be a
>>>>> problem if you follow the instructions on Steve's blog:
>>>>> http://linuxcostablanca.blogspot.com.es
>>>>>
>>>>> Just try coming forward in time a bit on his blog, sometime in April
>>>>> 2013, I think.
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
> OK, I am sure that you posted that the client is joined to a Samba4 AD 
> domain; if so, this is my sssd.conf from my laptop. I have sanitized 
> it: replace example.com with your realm (respecting case) and CLIENT$ 
> with the hostname of your client.
>
> [sssd]
> config_file_version = 2
> domains = example.com
> services = nss, pam
>
> [nss]
>
> [pam]
>
> [domain/example.com]
> cache_credentials = true
> enumerate = true
> #enumerate = false
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> access_provider = ldap
>
> krb5_server = DC.example.com
> krb5_kpasswd = DC.example.com
> krb5_realm = example.com
>
> ldap_referrals = false
>
> ldap_schema = rfc2307bis
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
>
> ldap_user_object_class = user
> ldap_user_name = sAMAccountName
> ldap_user_fullname = displayName
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
>
> ldap_group_object_class = group
> ldap_group_name = sAMAccountName
>
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = CLIENT$@example.com
> ldap_krb5_init_creds = true
>
> This relies on the users & groups having uidNumbers & gidNumbers in 
> AD; get this working, then add the autofs parts.
>
> Rowland

I think I misrepresented myself. I am just retrying my steps, this time 
very carefully. The things I have done are below.
*******At client*********
1. installed the latest sssd
2. edited the sssd.conf file (now edited with your file as reference)
3. not added the machine to the domain

What do I have to do now?
1. Should I use the net ads join method and then try sssd?
2. What is the uid number & gid number of use? Okay, I have seen (in the server 
log) that; do I have to map uid & gid in the server smb.conf file (correct me here)?


*******At server*********
1. Is there anything to do related to uid and gid, or anything else on the server? 
If yes, what?
2. Do I have to generate krb, *.keytab, etc. files?

thanks
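Both sssd.conf files quoted above can be checked before sssd is pointed at them. The script below is an added example written for this thread; it is not sssd's own tooling and not code from any of the posters. The option names and their defaults are sssd's, the two embedded configs are constructed samples trimmed from the ones quoted above (the first keeps the IK.LOCAl / IK.LOCAL mismatch the posted file actually contains), and the wording of the findings is mine.

```python
"""Static review of an sssd.conf before handing it to sssd.

Added example for this thread; not sssd's own tooling and not code from any
of the posters. It flags a [sssd] domains entry that does not name its
[domain/...] section exactly, an LDAP id_provider on plain ldap:// with
StartTLS left off, and ldap_tls_reqcert = never (no server certificate check).
keytab_requirements() lists the principal a GSSAPI bind must find in the
client keytab, which is what `klist -ke` was asked for upthread.
"""
import configparser

# Constructed sample: the poster's client config, trimmed, keeping the
# IK.LOCAl / IK.LOCAL mismatch it actually contains.
CLIENT_CONF = """\
[domain/IK.LOCAL]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.10.16/
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_user_name=uid
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = IK.LOCAl
[nss]
[pam]
"""

# Constructed sample: the sanitised laptop config from the reply, trimmed
# (GSSAPI bind as the machine account, realm example.com).
REPLY_CONF = """\
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CLIENT$@example.com
ldap_krb5_init_creds = true
"""

TRUE_VALUES = {"true", "yes", "1"}


def parse_sssd_conf(text):
    # INI-style; interpolation off because values legitimately contain '%' and '$'
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_sssd_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cp = parse_sssd_conf(text)
    declared = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    defined = [s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")]
    findings = []

    for name in declared:
        if name not in defined:
            near = [d for d in defined if d.lower() == name.lower()]
            hint = f"; [domain/{near[0]}] exists and the names must match exactly" if near else ""
            findings.append(f"[sssd] domains lists '{name}' but there is no [domain/{name}] section{hint}")
    for name in defined:
        if name.lower() not in {d.lower() for d in declared}:
            findings.append(f"[domain/{name}] is defined but not listed in [sssd] domains")

    for name in defined:
        sec = cp[f"domain/{name}"]
        uri = sec.get("ldap_uri", "")
        # sssd defaults when unset: ldap_id_use_start_tls = false, ldap_tls_reqcert = hard
        starttls = sec.get("ldap_id_use_start_tls", "false").lower() in TRUE_VALUES
        reqcert = sec.get("ldap_tls_reqcert", "hard").lower()
        gssapi = sec.get("ldap_sasl_mech", "").upper() == "GSSAPI"
        if sec.get("id_provider") == "ldap" and uri.startswith("ldap://") and not starttls and not gssapi:
            findings.append(f"[domain/{name}] ldap_id_use_start_tls is off on {uri}: "
                            "user and group lookups travel unencrypted and unauthenticated")
        if reqcert == "never":
            findings.append(f"[domain/{name}] ldap_tls_reqcert = never: the DC certificate is not "
                            "verified, so anything answering on that address can take the bind")
    return findings


def keytab_requirements(text):
    """(domain, principal, keytab) for each domain that binds with GSSAPI."""
    cp = parse_sssd_conf(text)
    needs = []
    for section in cp.sections():
        if section.startswith("domain/") and cp[section].get("ldap_sasl_mech", "").upper() == "GSSAPI":
            # the placeholders are sssd's documented defaults when the options are unset
            needs.append((section.split("/", 1)[1],
                          cp[section].get("ldap_sasl_authid", "host/<hostname>@<REALM>"),
                          cp[section].get("ldap_krb5_keytab", "/etc/krb5.keytab")))
    return needs
```

Run `check_sssd_conf(open("/etc/sssd/sssd.conf").read())` on the real file: the poster's config yields three findings (the domain-name mismatch, cleartext id lookups, and the disabled certificate check), the reply's config yields none, and `keytab_requirements` for the reply's config returns `CLIENT$@example.com` in `/etc/krb5.keytab`, the key the domain join has to provide.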


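Steve asked for the output of `klist -ke /etc/krb5.keytab`, and the reply's sssd.conf binds as `CLIENT$@example.com`; the keytab is what that bind reads, so "do I have to generate a keytab" comes down to whether that principal is in it with a usable key. The following is an added example (not code from the posters, sssd, Samba or MIT Kerberos) that parses such a listing and answers that. The listing, hostname, realm and KVNO values are constructed; only the line format (KVNO, principal, enctype in parentheses) is MIT `klist -ke`'s.

```python
"""Match a client's `klist -ke` listing against the principal sssd will bind as.

Added example for this thread; not code from the posters or from sssd, Samba
or MIT Kerberos. SAMPLE_KLIST is a constructed listing in the format that
MIT `klist -ke /etc/krb5.keytab` prints.
"""
import re

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   2 host/client.example.com@EXAMPLE.COM (arcfour-hmac) 
   2 CLIENT$@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   2 CLIENT$@EXAMPLE.COM (arcfour-hmac) 
   1 OLDBOX$@EXAMPLE.COM (des-cbc-crc) 
"""

# one key line: "<kvno> <principal> (<enctype>)"; header and ruler lines do not match
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
STRONG = ("aes128-cts", "aes256-cts")   # enctype name prefixes worth relying on


def parse_klist(text):
    """[(kvno, principal, enctype), ...] for every key line in the listing."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in (ENTRY.match(line) for line in text.splitlines()) if m]


def check_keytab(text, principal):
    """Findings for one principal: [] if it is present with an AES key."""
    entries = parse_klist(text)
    mine = [(kvno, etype) for kvno, p, etype in entries if p == principal]
    if not mine:
        # a realm that differs only in case is the usual reason for a near miss
        alt = sorted({p for _, p, _ in entries if p.lower() == principal.lower()})
        if alt:
            return [f"{principal} not in keytab, but {alt[0]} is: "
                    "Kerberos realm names are case-sensitive"]
        return [f"{principal} not in keytab: join the machine (net ads join) or export its key"]
    findings = []
    if not any(etype.startswith(STRONG) for _, etype in mine):
        only = ", ".join(sorted({etype for _, etype in mine}))
        findings.append(f"{principal} has no AES key, only {only}")
    return findings
```

Feed it the real listing with `check_keytab(subprocess.run(["klist", "-ke", "/etc/krb5.keytab"], capture_output=True, text=True).stdout, "CLIENT$@EXAMPLE.COM")`; an empty result means sssd's GSSAPI bind has what it needs, and the two non-empty cases point at a missing join or at a key set that is RC4/DES only.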
