[Samba] Samba AD PDC, LDAP and Single-Sign-On

Mark Foley mfoley at ohprs.org
Fri Oct 9 04:10:32 UTC 2015


I'm using Sketch's referenced link: 
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
to attempt to set up my Ubuntu workstation for connection to my Samba4 AD/DC
server. The example smb.conf file from the link is shown at bottom.

My domain is hprs.local, so I've replaced SAMDOM with HPRS and
SAMDOM.EXAMPLE.COM with HPRS.LOCAL. My Ubuntu hostname is uCommon, so I've put
that in the 'netbios name'. So far so good?

First question.  I understand the basic concept of 'idmap config range', but I'm not
sure what I should put in here for my system.  My GID for AD users is 100 and my
UID range is 3000000-3000099.  For example (on the AD):

$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false

Not sure what the example range 2000-9999 is versus the 10000-99999 range.
Given my GID/UIDs, what should go in my smb.conf?

Second question. What is the [demoshare] section for? Who/what will access such
a share?

Third question. In the referenced link, under "General Settings" it has:

Add 'winbind' to the 'passwd' and 'group' entry of your /etc/nsswitch.conf: 

passwd: compat winbind
group:  compat winbind

Does this go on the client or the AD server? Not clear.

I'll probably have more questions, but I'll have to get past these first so I
can fire things up.

THX - Mark

[global]

  netbios name = Member1
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 10000-99999

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

[demoshare]
  path = /srv/samba/test
  read only = no

-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Thu, 08 Oct 2015 18:08:45 -0400
To: samba at lists.samba.org
Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On

On Thu, 8 Oct 2015 15:46 Sketch wrote:

> It's easy in Linux with Samba as well.  You basically just need to follow 
> the directions here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Thanks for the feedback.  OK, I'll check out your link ASAP.  The "Server" bit
in the link gives me pause.  I *have* a Samba4 AD/DC "server" already.  I think
the linux workstations need to be "clients", but maybe this is just a matter of
semantics.  I'll research. 

> If you prefer not to join your machines to the domain and use LDAP to 
> authenticate, Guilherme's documentation looks like a good start.

I prefer the simplest approach.  If there is some way I can get this to work
without adding LDAP, PAM, kerberos, NSS, etc.  I'm all for it.  Note that in my
Windows example the workstation is joined to the domain.  That's fine I have no
problem with that versus not joining.  I'm looking for the easiest, simplest way
for workstation users to log into any (linux) workstation in the LAN with ONE
SET of credentials.  So far I haven't found this "magic bullet" after months of
surfing.

> you may want to check your distro docs too

I'm using Ubuntu as the client workstations. Apparently, Ubuntu knows nothing
about Samba4 AD/DC and the docs have lots of instruction on setting up OpenLDAP,
Kerberos, etc. Things that aren't going to work (at least on the server side)
with Samba4 since it has its own built-in versions of these things.

--Mark

-----Original Message-----
> Date: Thu, 8 Oct 2015 15:46:50 -0500 (CDT)
> From: Sketch <smblist at rednsx.org>
> To: Mark Foley <mfoley at ohprs.org>
> cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On Thu, 8 Oct 2015, Mark Foley wrote:
>
> > On Oct 8 2015 09:32 Rowland Penny wrote:
> >
> >> It might help if you were to explain just what you require from single-sign-on ?
> >
> > Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4?
> > From reading this list over the past couple of months it does not seem that
> > Authenticating users on Windows workstations is the main thing people do.  But,
> > is not the ability to authenticate user logins from any (Linux or Windows)
> > workstation in the domain the chief purpose of Samba4? If not, please straighten
> > me out.  What's it good for?
>
> Samba 4 is just a version of Samba that is newer than Samba 3.  Samba 4 
> can be a file server, an NT4 PDC, an active directory domain controller, 
> or an NT4 or AD member server.  Probably other things I am forgetting too.
>
> "Single Sign On" is a term used by many people to mean different things. 
> To some people, it means you can use the same password to log into any 
> system.  To some, it means into any resource.  To others, it means that 
> once you log into a system, you have passwordless login into any other 
> resource.  All of these things are possible (within limitations) with 
> samba.
>
> > As to what *I* require, scenario: I am sitting at a linux workstation on our
> > office network, any linux workstation, not just the one in *my* office.  I have
> > a login prompt.  I don't have a specific local account configured in /etc/passwd
> > on this particular workstation.  I log in using my ID/PW which is authenticated
> > centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure
> > where I'm logged into yet, but I'll cross that bridge when I come to it.
> >
> > In Windows, using Samba4 AD/DC, this is a snap.  I just join the domain via
> > Start > Computer > Properties > Advanced System Settings > Computer Name >
> > Change, and click 'Domain'.  I have to fill in the domain name, enter the Domain
> > Administrator credentials and I'm done.  Now, any domain user can log into any
> > Windows workstation anywhere on the domain.
>
> It's easy in Linux with Samba as well.  You basically just need to follow 
> the directions here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> > I will investigate the recommendations posted by L.P.H. van Belle and Guilherme
> > Boing and see if I can make some headway.
>
> No offense against L.P.H. van Belle, but his directions are for the hard 
> way to set up kerberos.  Creating a domain controller handles all of the 
> server side, and "net ads join" handles all of the client side if you are 
> using winbind.
>
> If you prefer not to join your machines to the domain and use LDAP to 
> authenticate, Guilherme's documentation looks like a good start.
>
> Also note that some distros have tools to automate some or all of the 
> PAM/NSS stuff (this applies to the member server directions above as 
> well), so you may want to check your distro docs too.  Redhat/Fedora in 
> particular has authconfig, and in newer versions realmd.
>
>
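As an added example (not code from the post, the wiki page, or the Samba project), the script below shows what the 'idmap config ... range' settings in the quoted smb.conf actually govern. It parses the idmap lines, checks that the per-domain ranges are disjoint (winbind requires that the default '*' range and each domain range not overlap), and reports which range, if any, contains a UID or GID taken from a passwd-style 'wbinfo -i' line. Run against the wiki example config and the wbinfo output quoted in the post, it shows that UID 3000026 and GID 100 fall in neither the 2000-9999 nor the 10000-99999 range, which is exactly why the example values have to be adjusted to the IDs a given domain already hands out. The SAMPLE_* strings are constructed from the text quoted above; the function names are mine.

```python
"""Sanity-check 'idmap config' ranges in an smb.conf against real winbind IDs."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the wiki example smb.conf quoted in the post (idmap lines only).
SAMPLE_SMB_CONF = """
[global]
  netbios name = Member1
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 10000-99999
"""

# Constructed sample: the 'wbinfo -i mark' output quoted in the post.
SAMPLE_WBINFO = "HPRS\\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false"

# 'idmap config <domain>:<option> = <value>'; the domain may be '*' for the default.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line in conf."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain, {})[option.lower()] = value
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into an (int, int) pair, rejecting inverted ranges."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range: {value}")
    return low, high


def overlapping_ranges(domains: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Every pair of idmap domains whose ranges overlap; an empty list is the healthy result."""
    items = [(name, parse_range(opts["range"]))
             for name, opts in domains.items() if "range" in opts]
    pairs = []
    for i, (d1, (lo1, hi1)) in enumerate(items):
        for d2, (lo2, hi2) in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:   # closed intervals intersect
                pairs.append((d1, d2))
    return pairs


def domain_for_id(domains: Dict[str, Dict[str, str]], numeric_id: int) -> Optional[str]:
    """Name of the idmap domain whose range contains numeric_id, or None if unmapped."""
    for name, opts in domains.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= numeric_id <= hi:
                return name
    return None


def parse_wbinfo(line: str) -> Tuple[int, int]:
    """UID and GID from a passwd-style 'wbinfo -i' line (fields 3 and 4)."""
    fields = line.split(":")
    return int(fields[2]), int(fields[3])


if __name__ == "__main__":
    idmap = parse_idmap(SAMPLE_SMB_CONF)
    uid, gid = parse_wbinfo(SAMPLE_WBINFO)
    print("overlapping ranges:", overlapping_ranges(idmap) or "none")
    for label, value in (("uid", uid), ("gid", gid)):
        print(f"{label} {value} maps to idmap domain: {domain_for_id(idmap, value)}")
```

A None result for an ID that winbind already returns means the configured ranges and the IDs in use disagree; with the 'ad' backend the range must cover the uidNumber/gidNumber values stored in AD, and the '*' range must sit entirely outside it.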

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
