[Samba] Samba AD PDC , LDAP and Single-Sign-On

Rowland Penny rowlandpenny241155 at gmail.com
Thu Oct 8 20:52:04 UTC 2015


On 08/10/15 21:17, Mark Foley wrote:
> On Oct 8 2015 09:32 Rowland Penny wrote:
>
>> It might help if you were to explain just what you require from single-sign-on ?
> Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4?
> From reading this list over the past couple of months it does not seem that
> authenticating users on Windows workstations is the main thing people do.  But,
> is not the ability to authenticate user logins from any (Linux or Windows)
> workstation in the domain the chief purpose of Samba4? If not, please straighten
> me out.  What's it good for?
>
> As to what *I* require, scenario: I am sitting at a linux workstation on our
> office network, any linux workstation, not just the one in *my* office.  I have
> a login prompt.  I don't have a specific local account configured in /etc/passwd
> on this particular workstation.  I log in using my ID/PW which is authenticated
> centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure
> where I'm logged into yet, but I'll cross that bridge when I come to it.
>
> In Windows, using Samba4 AD/DC, this is a snap.  I just join the domain via
> Start > Computer > Properties > Advanced System Settings > Computer Name >
> Change, and click 'Domain'.  I have to fill in the domain name, enter the Domain
> Administrator credentials and I'm done.  Now, any domain user can log into any
> Windows workstation anywhere on the domain.
>
> That's basically what I want to do with Linux workstations. I need to sort this
> out because we are looking at replacing Windows workstations with Linux
> workstations.
>
> I will investigate the recommendations posted by L.P.H. van Belle and Guilherme
> Boing and see if I can make some headway.
>
>> Date: Thu, 08 Oct 2015 09:32:31 +0100
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>>
>> On 08/10/15 04:16, Mark Foley wrote:
>>> I'm very confused. I have a Samba4 AD/DC which works great for Windows
>>> Authentication with our Windows 7 workstations.
>>>
>>> Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.
>> It might help if you were to explain just what you require from
>> single-sign-on ?
>>
>> Rowland
>>
>>> All web documentation I've so far found on this references OpenLDAP as the server
>>> and describes server-side commands such as kadmin and slapd-config to get things
>>> set up on the server-side (e.g. https://help.ubuntu.com/community/SingleSignOn)
>>> which don't exist on the Samba4 AD/DC.
>>>
>>> Samba4 apparently has its own LDAP (Heimdal?) implementation.  Does this mean
>>> everything should "just work" with LDAP clients and I need do no further
>>> server-side configuration? Or does it mean, "sorry, you can't do LDAP
>>> Authentication with Samba4."
>>>
>>> Please clarify so I can make some decisions.
>>>
>>> btw - the following command *does* work from a Linux client on the network:
>>>
>>> ldapsearch -xLLL -H ldap://mail:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"
>>>
>>> --Mark
>>>
>>>
>>>
>>
>>

So, you want to use a Linux computer just like a Windows computer. Well, 
you can and you can't :-)

What you cannot do is use GPOs like Windows does; everything else is 
possible, you just need to set up the clients correctly.

The first thing you need to understand is there is only one basic way to 
set up Samba in an AD domain; it is what you do with Samba after this 
that defines what it will be used for.
There is a page on the Samba wiki that purports to be for a member 
server. Well, in my opinion, it is just the basic setup and you would 
need to extend it to make it a proper member server; you can also use 
this basic setup for a workstation.

Most, if not all, of the information you require is on the wiki and you 
only have to ask here about any gaps you find.

Rowland



