[Samba] Samba AD PDC , LDAP and Single-Sign-On

Mark Foley mfoley at ohprs.org
Thu Oct 8 22:08:45 UTC 2015


On Thu, 8 Oct 2015 15:46 Sketch wrote:

> It's easy in Linux with Samba as well.  You basically just need to follow 
> the directions here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Thanks for the feedback.  OK, I'll check out your link ASAP.  The "Server" bit
in the link gives me pause.  I *have* a Samba4 AD/DC "server" already.  I think
the linux workstations need to be "clients", but maybe this is just a matter of
semantics.  I'll research. 

> If you prefer not to join your machines to the domain and use LDAP to 
> authenticate, Guilherme's documentation looks like a good start.

I prefer the simplest approach.  If there is some way I can get this to work
without adding LDAP, PAM, kerberos, NSS, etc., I'm all for it.  Note that in my
Windows example the workstation is joined to the domain.  That's fine, I have no
problem with that versus not joining.  I'm looking for the easiest, simplest way
for workstation users to log into any (linux) workstation in the LAN with ONE
SET of credentials.  So far I haven't found this "magic bullet" after months of
surfing.

> you may want to check your distro docs too

I'm using Ubuntu as the client workstations. Apparently, Ubuntu knows nothing
about Samba4 AD/DC and the docs have lots of instruction on setting up OpenLDAP,
Kerberos, etc., things that aren't going to work (at least on the server side)
with Samba4 since it has its own built-in versions of these things.

--Mark

-----Original Message-----
> Date: Thu, 8 Oct 2015 15:46:50 -0500 (CDT)
> From: Sketch <smblist at rednsx.org>
> To: Mark Foley <mfoley at ohprs.org>
> cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On Thu, 8 Oct 2015, Mark Foley wrote:
>
> > On Oct 8 2015 09:32 Rowland Penny wrote:
> >
> >> It might help if you were to explain just what you require from single-sign-on ?
> >
> > Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4?
> > From reading this list over the past couple of months it does not seem that
> > authenticating users on Windows workstations is the main thing people do.  But,
> > is not the ability to authenticate user logins from any (Linux or Windows)
> > workstation in the domain the chief purpose of Samba4? If not, please straighten
> > me out.  What's it good for?
>
> Samba 4 is just a version of Samba that is newer than Samba 3.  Samba 4 
> can be a file server, an NT4 PDC, an active directory domain controller, 
> or an NT4 or AD member server.  Probably other things I am forgetting too.
>
> "Single Sign On" is a term used by many people to mean different things. 
> To some people, it means you can use the same password to log into any 
> system.  To some, it means into any resource.  To others, it means that 
> once you log into a system, you have passwordless login into any other 
> resource.  All of these things are possible (within limitations) with 
> samba.
>
> > As to what *I* require, scenario: I am sitting at a linux workstation on our
> > office network, any linux workstation, not just the one in *my* office.  I have
> > a login prompt.  I don't have a specific local account configured in /etc/passwd
> > on this particular workstation.  I log in using my ID/PW which is authenticated
> > centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure
> > where I'm logged into yet, but I'll cross that bridge when I come to it.
> >
> > In Windows, using Samba4 AD/DC, this is a snap.  I just join the domain via
> > Start > Computer > Properties > Advanced System Settings > Computer Name >
> > Change, and click 'Domain'.  I have to fill in the domain name, enter the Domain
> > Administrator credentials and I'm done.  Now, any domain user can log into any
> > Windows workstation anywhere on the domain.
>
> It's easy in Linux with Samba as well.  You basically just need to follow 
> the directions here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> > I will investigate the recommendations posted by L.P.H. van Belle and Guilherme
> > Boing and see if I can make some headway.
>
> No offense against L.P.H. van Belle, but his directions are for the hard 
> way to set up kerberos.  Creating a domain controller handles all of the 
> server side, and "net ads join" handles all of the client side if you are 
> using winbind.
>
> If you prefer not to join your machines to the domain and use LDAP to 
> authenticate, Guilherme's documentation looks like a good start.
>
> Also note that some distros have tools to automate some or all of the 
> PAM/NSS stuff (this applies to the member server directions above as 
> well), so you may want to check your distro docs too.  Redhat/Fedora in 
> particular has authconfig, and in newer versions realmd.
>
>

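The member-workstation setup that Sketch's reply points at ("net ads join" on the client, winbind behind PAM/NSS), as an added example that is not part of this thread or of the Samba wiki page. It renders the [global] section a Samba AD member needs, checks that nsswitch.conf actually routes lookups through winbind (the step most often missed after a join), and wraps the join plus verification commands; SAMDOM / SAMDOM.EXAMPLE.COM are placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes samba, winbind, libnss-winbind
# and libpam-winbind are installed and DNS on the workstation points at the AD DC.

# Render the [global] section for an AD member workstation: security = ADS so
# authentication goes to the DC over Kerberos, and the rid idmap backend so a
# domain user gets the same UID on every workstation (no local /etc/passwd entries).
render_member_smb_conf() {
    workgroup=$1   # NetBIOS domain name, placeholder: SAMDOM
    realm=$2       # Kerberos realm, placeholder: SAMDOM.EXAMPLE.COM
    cat <<EOF
[global]
   workgroup = $workgroup
   realm = $realm
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config $workgroup : backend = rid
   idmap config $workgroup : range = 10000-999999
   winbind use default domain = yes
   winbind refresh tickets = yes
   template shell = /bin/bash
   template homedir = /home/%U
   kerberos method = secrets and keytab
EOF
}

# A join "succeeds" even when NSS never consults winbind; then no domain user
# can log in. This check confirms passwd and group lookups include winbind.
nsswitch_has_winbind() {
    f=$1
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$f" \
      && grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$f"
}

# Join the domain as root, then verify each layer in turn: the machine trust
# secret (wbinfo -t), winbind's view of the users (wbinfo -u), and NSS (getent).
# PAM on Ubuntu is wired by pam-auth-update once libpam-winbind is installed;
# add "session optional pam_mkhomedir.so skel=/etc/skel umask=0077" to
# /etc/pam.d/common-session so a first login creates the home directory.
join_and_verify() {
    user=$1                                  # a domain user to look up, e.g. mfoley
    net ads join -U Administrator || return 1
    systemctl restart winbind
    wbinfo -t || return 1
    wbinfo -u | head -n 3
    nsswitch_has_winbind /etc/nsswitch.conf || return 1
    getent passwd "$user"
}

# Only perform the real join when explicitly requested: RUN_JOIN=1 ./join.sh mfoley
if [ "${RUN_JOIN:-0}" = 1 ]; then join_and_verify "$@"; fi
```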