[Samba] Linux machine to join Samba Domain

Sat Mar 29 07:20:34 MDT 2014

At Sat, 29 Mar 2014 17:50:59 +0530 vikas <c.vikas at altechtechnologies.com> wrote:

> 
> 
> On Tuesday 18 March 2014 08:32 PM, Sven Schwedas wrote:
> > On 2014-03-18 15:48, vikas wrote:
> >> hi.. all...
> >>
> >> can some one help me understanding how to add linux (mostly ubuntu,suse
> >> etc)
> >>
> >> what exactly i am looking for is what one should do on linux machine
> >> like editing /etc/nssswitch.conf, pam related file etc..but i dont find
> >> any standard way where one can add any linux machine to samba domain
> > Because there isn't any. :-)
> >
> >> my goal is to just get authenticate through Samba
> > There's several ways for thatÃ‚...
> >
> >   Ã‚o Use winbindd. This is probably the most direct equivalent to Windows'
> > "domain join". It's also crap and only has very limited features right
> > now (Shell, home etc. aren't read from AD, but statically configured).
> >
> >   Ã‚o Use pam_ldap, and nss_ldap, and pam_ccreds, and probably half a dozen
> > other ill-documented tidbits and not-quite-sufficient software bits and
> > stitch together a working environment. It's as flexible as it's error
> > prone, but should work with all corner cases and distributions. Eventually.
> >
> >   Ã‚o Use sssd. It's made by RedHat and should be the default for CentOS,
> > and works sufficiently well with Samba. Needs a bit more client-side
> > configuration than winbind iirc, but actually uses the provided AD
> > information like shell and home dir.
> >
> >
> >> Windows machine are successful getting connected to samba with all
> >> policy working like USB disable through regedit, disable drives etc.
> >
> > All of these provide authentication only, though. There's no policy
> > support, you'd need to use some other sync/deployment method for PolKit
> > et. al. (and can't configure them via AD, as far as I know).
> >
> >
> 
> Hi..all
> i am trying to authenticate linux machine to samba4 for which i am 
> trying very hard to do using below mention links
> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
> http://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/
> 
> okay so what is the question ?
> some one told me "you can use ldap to authenticate there is no need to 
> join linux machine to samba" so i searched and got this link 
> http://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/ 
> which doesn't mention joining linux OR probably i am not able to 
> understand it wholly what it is saying due to my confusion..?
> 
> So how do i authenticate linux using ldap ?

Assuming the server is a Linux server running samba and using OpenLDap as the 
authentifcation system, then the linux *client* has no need of the samba 
server itself, unless you are only serving the home directory via samba (and 
not running nfs on the Linux server running samba).  

> 
> Did you got success using above link ?
> using linuxcosta link i was somewhat near to success(joined domain ) but 
> not able to login using domain user the only error it was showing was 
> could not contact to ldap server (on local machine) . On server there 
> was no error activity.

The *first* step is to ask these questions about the LDap setup on the 
server: 

1) Is the server making LDap available on the local subset (as opposed to only
127.0.0.1 for the local smb process)?

2) Is the server using ldap: or ldaps: or something else? 

3) If the server is using SSL or TLS, what is it using as a certificate? Who 
signed the certificate (self-signed or not)?

4) What is Base on the server set to?

With the answers to these questions, you have the information you need to 
configure /etc/ldap.conf on the client and then nsswitch.conf to use ldap 
authenitifcation.  You will need the PAM LDap libraries installed as well, so 
that PAM can talk to the ldap server (using configuration info in 
/etc/ldap.conf).  This gets users autheniticated.  This is all pretty straight 
forward.  The only other issues are things like firewall settings.  The Linux 
server needs to have a 'hole' in its firewall for LDap: port 389 for non-SSL 
and port 636 if using SSL have to be open on the server, assuming the server 
is running a firewall against the LAN. (It probably already has this open, 
since it is my understanding that AD services is just M$ terminology for LDAP, 
so if the M$ boxes are autheniticating with AD, they are actually using LDAP 
themselves, but don't quote me on that.)

The next step is dealing with $HOME. If the server can run nfsd and friends
(any Linux machine can do this, if all of the pieces are installed), that
would be *easiest*. Just a matter of exporting whatever file system $HOME is
on, usually /home, which presumably is a separate file system from / (if not
you have a really dumb system admin). If that is the case, the client just
needs /sbin/mount.nfs* (nfs-utils) and autofs installed. You then just need a
automount pattern for /home/$USER to mount server:/home/$USER. If NFS is not
happening, you'll need support for mounting Samba shares under Linux
(mount.cifs, which should be in the samba-client package), which is somewhat
nasty because you need to pass authenitifcation information on the mount
command. The thing here is that NFS is the 'native' (easy) Linux file sharing
and Netbios (Samba) is the 'foreign' (hard) thing. 

> 
> if some one can post there method of linux using samba4 would be great ..
> 
> thanks...
> 
> 
> 
> 
> 
> 
> 

-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments