[Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)

L.P.H. van Belle belle at bazuin.nl
Thu Oct 8 07:30:33 UTC 2015


Hai Mark, 

Look here for a single sign-on setup. 
It's not for Linux clients, but you can learn / understand from it. 
Worth reading. 
https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4 

Now, I don't have a Linux workstation setup here, but what you need to know is on the Ubuntu page and Samba wiki. 
As for the example, https://help.ubuntu.com/community/SingleSignOn tells you,  
to put you in the correct direction. 

SSO KERBEROS AUTH 
1-4.1: skip, that's your AD DC. 
5: what you want. 
I suggest skipping it first; set up mkhomedir in PAM for the client, and when that works, set up the shared file system. 

6.1: do 1. 2. 3. generate a keytab (on the DC) (if you do a member server setup on the client, skip 4. 5. 6.) 
To create the keytab file, you can set up Samba as a member server on the client, which generates the keytab file, or create one yourself on the DC. Instructions are on the wiki. 

6.2 (client configuration) 
apt-get install libnss-ldapd libsasl2-modules-gssapi-heimdal libpam-ccreds
optional: libpam-krb5 libpam-ldap/libpam-ldapd, not sure about these ldap(d) 
do 1. 2. (skip the TLS for now, test without) 

do optional 6.3. 

SSO LDAP AUTH
Optional 8. (so not Kerberos auth but SSO by LDAP auth) 
apt-get install ldap-auth-client libpam-krb5 krb5-user libpam-foreground libsasl2-modules-gssapi-heimdal 

That should get you going. 


Greetz, 

Louis
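An added check, not part of Louis's mail or the Samba project, for the client-side LDAP configuration the steps above leave behind: it audits an nslcd.conf (the libnss-ldapd config) and tells a simple bind with a stored password over plain ldap:// (what "test without TLS" produces) apart from the SASL GSSAPI bind that actually uses the host keytab. The realm HPRS.LOCAL and both sample configs are constructed from the base DN in the quoted ldapsearch below; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit nslcd.conf on a Samba AD client.
# Distinguishes a simple bind with bindpw over plain ldap:// (password in clear
# on the wire) from a SASL GSSAPI bind that uses the keytab ticket cache.
# Usage: audit_nslcd /etc/nslcd.conf -> prints findings, returns 0 if no FAIL.
audit_nslcd() {
    conf="$1"; rc=0
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")   # drop comments, blanks
    uri=$(printf '%s\n' "$body" | awk '$1=="uri"{print $2; exit}')
    mech=$(printf '%s\n' "$body" | awk '$1=="sasl_mech"{print toupper($2); exit}')
    ssl=$(printf '%s\n' "$body" | awk '$1=="ssl"{print $2; exit}')
    case "$uri" in
        ldaps://*) transport=tls ;;
        ldap://*)  [ "$ssl" = start_tls ] && transport=tls || transport=plain ;;
        *) echo "FAIL: no uri set in $conf"; return 1 ;;
    esac
    if printf '%s\n' "$body" | grep -q '^bindpw'; then
        if [ "$transport" = plain ]; then
            echo "FAIL: bindpw with simple bind over $uri and no TLS: password crosses the wire in clear"
            rc=1
        else
            echo "WARN: bindpw stored in $conf: a service password, not Kerberos SSO"
        fi
    fi
    if [ "$mech" = GSSAPI ]; then
        echo "OK: sasl_mech GSSAPI, nslcd binds with a Kerberos ticket from the host keytab"
        printf '%s\n' "$body" | grep -q '^krb5_ccname' ||
            echo "WARN: no krb5_ccname: nslcd needs a ticket cache refreshed by kinit -k from the keytab"
    else
        echo "WARN: no sasl_mech GSSAPI: lookups use simple bind, not the keytab"
    fi
    return $rc
}
# Constructed sample configs (realm HPRS.LOCAL is assumed from the base DN).
weak=$(mktemp); good=$(mktemp)
cat >"$weak" <<'EOF'
uri ldap://mail:389
base dc=HPRS,dc=local
binddn cn=Administrator,CN=Users,dc=HPRS,dc=local
bindpw Secret123
EOF
cat >"$good" <<'EOF'
uri ldap://mail.hprs.local
base dc=HPRS,dc=local
sasl_mech GSSAPI
krb5_ccname /tmp/host.tkt
ssl start_tls
EOF
echo "--- weak"; audit_nslcd "$weak" || echo "(audit failed)"
echo "--- good"; audit_nslcd "$good"; rm -f "$weak" "$good"
```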

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark Foley
> Sent: Thursday 8 October 2015 5:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re:
> Samba Internal DNS vs. BIND_DLZ)
> 
> I'm very confused. I have a Samba4 AD/DC which works great for Windows
> Authentication with our Windows 7 workstations.
> 
> Now, I am trying to implement single-sign-on for our coming-soon Linux
> workstations. All web documentation I've so far found on this references
> OpenLDAP as the server and describes server-side commands such as kadmin
> and slapd-config to get things set up on the server-side (e.g.
> https://help.ubuntu.com/community/SingleSignOn) which don't exist on the
> Samba4 AD/DC.
> 
> Samba4 apparently has its own LDAP (Heimdal?) implementation.  Does this
> mean everything should "just work" with LDAP clients and I need do no
> further server-side configuration? Or does it mean, "sorry, you can't do
> LDAP Authentication with Samba4."
> 
> Please clarify so I can make some decisions.
> 
> btw - the following command *does* work from a Linux client on the
> network:
> 
> ldapsearch -xLLL -H ldap://mail:389 -D
> "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"
> 
> --Mark
> 
> -----Original Message-----
> > From: "L.P.H. van Belle" <belle at bazuin.nl>
> > To: "samba at lists.samba.org" <samba at lists.samba.org>
> > Date: Tue, 1 Sep 2015 08:21:27 +0200
> > Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re:
> > Samba Internal DNS vs. BIND_DLZ)
> >
> > Hai Jim,
> >
> > What are you looking for?
> > I'm using an SSO for my Zarafa mail server.
> >
> > Greetz,
> >
> > Louis
> >
> > >-----Original message-----
> > >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jim Seymour
> > >Sent: Monday 31 August 2015 21:21
> > >To: samba at lists.samba.org
> > >Subject: [Samba] Samba AD PDC , LDAP and Single-Sign-On
> > >(was: re: Samba Internal DNS vs. BIND_DLZ)
> > >
> > >On Thu, 27 Aug 2015 23:03:39 -0400
> > >Robert Moskowitz <rgm at htt-consult.com> wrote:
> > >
> > >>
> > >> On 08/27/2015 08:45 PM, Jim Seymour wrote:
> > >> > On Thu, 27 Aug 2015 17:00:28 -0400
> > >> > Robert Moskowitz <rgm at htt-consult.com> wrote:
> > >> >
> > >> >> Ah, LDAP is included within Samba, I find.  Don't install provided
> > >> >> one...
> > >[snip]
> > >> >
> > >> > We *require*, not desire, but *require* OpenLDAP.  OpenLDAP is used
> > >> > for, amongst other things, a Corporate email address book and by the
> > >> > RADIUS server.  Eventually the entire set of network directory data
> > >> > that currently resides in and is served by NIS+ will be in LDAP.
> > >>
> > >> This is what runs on your DC.  I suspect you can use slapd to do any
> > >> syncing with OpenLDAP on other machines.
> > >[snip]
> > >
> > >I suspect this is not going in the direction I'd envisioned.
> > >
> > >The Plan was an AD PDC that used OpenLDAP.  That way: OpenLDAP data,
> > >replicated to the mail server, could be used for sign-on there, too.
> > >
> > >Somewhere somebody recently mentioned a single-sign-on doc.  I'll have
> > >to hunt that down and take a look.
> > >
> > >Thanks,
> > >Jim
> > >--
> > >Note: My mail server employs *very* aggressive anti-spam
> > >filtering.  If you reply to this email and your email is
> > >rejected, please accept my apologies and let me know via my
> > >web form at <http://jimsun.LinxNet.com/contact/scform.php>.
> > >
> > >--
> > >To unsubscribe from this list go to the following URL and read the
> > >instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > >
