[Samba] Samba AD PDC , LDAP and Single-Sign-On

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 9 08:12:31 UTC 2015 

On 08/10/15 23:24, Mark Foley wrote:
> On Thu, 08 Oct 2015 21:52 Rowland Penny wrote:
>
>> What you cannot do is use GPO's like windows does, everything else is
>> possible, you just need to setup the clients correctly.
> Excellent! I've been messing around with GPOs on Windows AD domains for years,
> more extensively this past year with Samba4 AD/DC and I absolutely hate them.
> In my opinion they are yet another attempt by Microsoft to shore up a
> fundamentally insecure OS.  I have yet to find a GPO that would be worthwhile in
> Linux.  "Trust Center"? Gee, can't execute macros in Linux that run as root -
> don't need that.  "Remote Desktop GPO"? How about VNC.  I've got more, lots
> more, but I'll stop.  If you can give me an example of one GPO that would be
> useful in Linux I'll moderate my position.  Sorry to get on a rant, but if we do
> manage to convert away from Windows, I say "good riddance" to GPOs!
>
>> There is a page on the Samba wiki that purports to be for a member
>> server, well, in my opinion, it is just the basic setup and you would
>> need to extend it to make it a proper member server, you can also use
>> this basic setup for a workstation.
>>
>> Most, if not all, of the information you require is on the wiki and you
>> only have to ask here about any gaps you find.
> That's great!!! I've been searching for that particular wiki for a couple of
> months now without success.  Can you point me to it? Are you referring to
> Sketch's link?
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Yes that is the page, but what you have to understand is that a proper 
'member server' is just a Unix client on steroids :-D

If you follow that wiki page, you will end up with a Unix client just 
like this one I am typing this on. The wiki page shows how to use the 
'ad' backend, with this you need to add 'uidNumber' & 'gidNumber' 
attributes to your users & groups in AD, but you could use the 'rid' 
backend instead and not need to add anything.
The ranges shown on the wiki page '2000-9999' & '10000-99999' were 
chosen because you need to have somewhere to store the well-known RIDs 
and your users & groups. The lower range was chosen for the well-known 
RIDs because:
A) there are only approx 100 of them at present'
B) the chosen range will allow a small amount of local users (not that 
you actually need local users) to fix things if connection to the domain 
is broken.
The upper range was chosen because '10000' is where ADUC starts from and 
'99999' allows for the number to be raised i.e. you could add another '9'

How do I know all this? simple, it is my basic smb.conf :-)

Once you have the basic smb.conf and the workstation joined to the 
domain, you could, if you wish, upgrade the workstation to a proper 
member server (by adding the profiles stanza) or a fileserver by adding 
shares, or a print server, I think you get the drift by now.

You can do more, the info (hopefully) is on the wiki and if it isn't, 
ask here, there are no stupid questions :-)

Rowland

>
> --Mark
>
> -----Original Message-----
>> Date: Thu, 08 Oct 2015 21:52:04 +0100
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>>
>> On 08/10/15 21:17, Mark Foley wrote:
>>> On Oct 8 2015 09:32 Rowlan Penny wrote:
>>>
>>>> It might help if you were to explain just what you require from single-sign-on ?
>>> Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4?
>>>   From reading this list over the past couple of months it does not seem that
>>> Authenticating users on Windows workstations is the main thing people do.  But,
>>> is not the ability to authenticate user logins from any (Linux or Windows)
>>> workstation in the domain the chief purpose of Samab4? If not, please straighten
>>> me out.  What's it good for?
>>>
>>> As to what *I* require, scenario: I am sitting at a linux workstation on our
>>> office network, any linux workstation, not just the one in *my* office.  I have
>>> a login prompt.  I don't have a specific local account configured in /etc/passwd
>>> on this particular workstation.  I log in using my ID/PW which is authenticated
>>> centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure
>>> where I'm logged into yet, but I'll cross that bridge when I come to it.
>>>
>>> In Windows, using Samba4 AD/DC, this is a snap.  I just join the domain via
>>> Start > Computer > Properties > Advanced System Settings > Computer Name >
>>> Change, and click 'Domain'.  I have to fill in the domain name, enter the Domain
>>> Administrator credentials and I'm done.  Now, any domain user can log into any
>>> Windows workstation anywhere on the domain.
>>>
>>> That's basically what I want to do with Linux workstations. I need to sort this
>>> out because we are looking at replacing Windows workstations with Linux
>>> workstations.
>>>
>>> I will investigate the recommendations posted by L.P.H. van Belle and Guilherme
>>> Boing and see if I can make some headway.
>>>
>>>> Date: Thu, 08 Oct 2015 09:32:31 +0100
>>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>>>>
>>>> On 08/10/15 04:16, Mark Foley wrote:
>>>>> I'm very confused. I have a Samba4 AD/DC which works great for Windows
>>>>> Authentication with our Windows 7 workstations.
>>>>>
>>>>> Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.
>>>> It might help if you were to explain just what you require from
>>>> single-sign-on ?
>>>>
>>>> Rowland
>>>>
>>>>> All web documentation I've so far found on this references OpenLDAP as the server
>>>>> and describes server-side commands such as kadmin and slapd-config to get things
>>>>> set up on the server-side (e.g. https://help.ubuntu.com/community/SingleSignOn)
>>>>> which don't exist on the Samba4 AD/DC.
>>>>>
>>>>> Samaba4 apparently has it's own LDAP (Heimdal?) implementation.  Does this mean
>>>>> everything should "just work" with LDAP clients and I need do no further
>>>>> server-side configuration? Or does it mean, "sorry, you can't do LDAP
>>>>> Authentication with Samba4."
>>>>>
>>>>> Please clarify so I can make some decisions.
>>>>>
>>>>> btw - the following command *does* work from a Linux client on the network:
>>>>>
>>>>> ldapsearch -xLLL -H ldap://mail:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"
>>>>>
>>>>> --Mark
>>>>>
>>>>>
>>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>> So, you want to use a Linux computer just like a windows computer, well
>> you can and you can't :-)
>>
>> What you cannot do is use GPO's like windows does, everything else is
>> possible, you just need to setup the clients correctly.
>>
>> The first thing you need to understand is there is only one basic way to
>> setup Samba in an AD domain, it is what you do with Samba after this
>> that defines what it will be used for.
>> There is a page on the Samba wiki that purports to be for a member
>> server, well, in my opinion, it is just the basic setup and you would
>> need to extend it to make it a proper member server, you can also use
>> this basic setup for a workstation.
>>
>> Most, if not all, of the information you require is on the wiki and you
>> only have to ask here about any gaps you find.
>>
>> Rowland
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>

More information about the samba mailing list