[Samba] Samba AD PDC , LDAP and Single-Sign-On

Sketch smblist at rednsx.org
Thu Oct 8 20:46:50 UTC 2015


On Thu, 8 Oct 2015, Mark Foley wrote:

> On Oct 8 2015 09:32 Rowland Penny wrote:
>
>> It might help if you were to explain just what you require from single-sign-on ?
>
> Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4?
> From reading this list over the past couple of months it does not seem that
> authenticating users on Windows workstations is the main thing people do.  But,
> is not the ability to authenticate user logins from any (Linux or Windows)
> workstation in the domain the chief purpose of Samba4? If not, please straighten
> me out.  What's it good for?

Samba 4 is just a version of Samba that is newer than Samba 3.  Samba 4 
can be a file server, an NT4 PDC, an Active Directory domain controller, 
or an NT4 or AD member server.  Probably other things I am forgetting too.

"Single Sign On" is a term used by many people to mean different things. 
To some people, it means you can use the same password to log into any 
system.  To some, it means into any resource.  To others, it means that 
once you log into a system, you have passwordless login into any other 
resource.  All of these things are possible (within limitations) with 
Samba.

> As to what *I* require, scenario: I am sitting at a linux workstation on our
> office network, any linux workstation, not just the one in *my* office.  I have
> a login prompt.  I don't have a specific local account configured in /etc/passwd
> on this particular workstation.  I log in using my ID/PW which is authenticated
> centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure
> where I'm logged into yet, but I'll cross that bridge when I come to it.
>
> In Windows, using Samba4 AD/DC, this is a snap.  I just join the domain via
> Start > Computer > Properties > Advanced System Settings > Computer Name >
> Change, and click 'Domain'.  I have to fill in the domain name, enter the Domain
> Administrator credentials and I'm done.  Now, any domain user can log into any
> Windows workstation anywhere on the domain.

It's easy in Linux with Samba as well.  You basically just need to follow 
the directions here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

> I will investigate the recommendations posted by L.P.H. van Belle and Guilherme
> Boing and see if I can make some headway.

No offense against L.P.H. van Belle, but his directions are for the hard 
way to set up Kerberos.  Creating a domain controller handles all of the 
server side, and "net ads join" handles all of the client side if you are 
using winbind.

If you prefer not to join your machines to the domain and use LDAP to 
authenticate, Guilherme's documentation looks like a good start.

Also note that some distros have tools to automate some or all of the 
PAM/NSS stuff (this applies to the member server directions above as 
well), so you may want to check your distro docs too.  Red Hat/Fedora in 
particular has authconfig, and in newer versions realmd.
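Added example, not part of the list message or of Samba itself: a small pre-flight check a practitioner can run before "net ads join" on a member server. It parses the [global] section of an smb.conf the way Samba reads parameter names (case and whitespace in names are ignored) and confirms the core settings an AD member with winbind needs: security = ads, an upper-case realm, a workgroup, an idmap backend and range for the default domain and for the AD domain, non-overlapping ranges, and winbind listed in the passwd and group lines of nsswitch.conf. The two smb.conf texts and the nsswitch.conf lines are constructed samples; the domain name SAMDOM and realm SAMDOM.EXAMPLE.COM are placeholders.

```python
#!/usr/bin/env python3
"""Pre-flight check for an AD member server: validate smb.conf [global]
settings and nsswitch.conf winbind entries before running "net ads join".
All inputs below are constructed samples, not a real site's configuration."""
import re

# Constructed sample in the usual member-server shape (placeholder domain).
GOOD_SMB_CONF = """
[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # Default idmap config for BUILTIN and well-known SIDs
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # idmap config for the AD domain itself
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    kerberos method = secrets and keytab
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%U
"""

# Constructed sample with typical mistakes: NT4-style security, no realm,
# and a domain idmap range that overlaps the default range.
BAD_SMB_CONF = """
[global]
    security = user
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 5000-999999
"""

GOOD_NSSWITCH = "passwd: files winbind\ngroup: files winbind\nshadow: files\n"
BAD_NSSWITCH = "passwd: files\ngroup: files\n"


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}. Samba ignores case and
    whitespace inside parameter names, so 'idmap config * : range' and
    'idmap config *:range' normalise to the same key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def parse_range(value):
    """Parse 'LOW-HIGH' into a tuple of ints; raises ValueError if malformed."""
    low, high = value.split("-")
    return int(low), int(high)


def check_member_server(smb_conf_text, nsswitch_text):
    """Return a list of findings; an empty list means the config looks ready."""
    findings = []
    g = parse_smb_conf(smb_conf_text).get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for an AD member server")
    if not g.get("realm"):
        findings.append("realm (the AD Kerberos realm) is not set")
    elif g["realm"] != g["realm"].upper():
        findings.append("realm should be upper case")
    workgroup = g.get("workgroup")
    if not workgroup:
        findings.append("workgroup (the NetBIOS domain name) is not set")
    ranges = {}
    for dom in ["*"] + ([workgroup] if workgroup else []):
        prefix = "idmapconfig" + dom.lower() + ":"
        if prefix + "backend" not in g:
            findings.append(f"no idmap backend configured for '{dom}'")
        if prefix + "range" not in g:
            findings.append(f"no idmap range configured for '{dom}'")
            continue
        try:
            ranges[dom] = parse_range(g[prefix + "range"])
        except ValueError:
            findings.append(f"idmap range for '{dom}' is not LOW-HIGH")
    if "*" in ranges and workgroup in ranges:
        (a1, a2), (b1, b2) = ranges["*"], ranges[workgroup]
        if a1 <= b2 and b1 <= a2:  # interval overlap test
            findings.append("idmap ranges for '*' and the domain overlap")
    # winbind must be consulted for passwd and group lookups
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch_text, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch.conf: '{db}' does not list winbind")
    return findings


if __name__ == "__main__":
    for name, conf, nss in (("good", GOOD_SMB_CONF, GOOD_NSSWITCH),
                            ("bad", BAD_SMB_CONF, BAD_NSSWITCH)):
        print(name, check_member_server(conf, nss) or "ok")
```

On a real host, point the script at /etc/samba/smb.conf and /etc/nsswitch.conf instead of the embedded samples; once it reports nothing, "net ads join" followed by "getent passwd" for a domain user is the usual confirmation that winbind and NSS are wired up.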




