[Samba] /etc/hosts and DHCP

mathias dufresne infractory at gmail.com
Mon Sep 28 08:58:10 UTC 2015


2015-09-25 23:44 GMT+02:00 Ross Boylan <rossboylan at stanfordalumni.org>:

> It's sounding as if maybe I should stick with some earlier server model
> because the AD I participate in is not one I administer.  Even if I did, I
> wouldn't want all the accounts on my local machine to be in the AD.
>

Local accounts don't go in AD. Even in Samba's AD.

AD comes with its own users database. This database can be used by system
side - using winbind or sssd or perhaps nlscd, this kind of configuration
is done through /etc/nsswitch.conf and a bit more - but is not system
database.

Linux system users database is /etc/passwd (keyworkd "files" in
nsswitch.conf for lines "shadow", "passwd" and "group").

So including your server into AD would not transfer local users into AD but
merely give that server the possibility to use AD users as system users and
as file sharing users. (Dear list members, correct me if I was wrong, it's
morning there ;)



>
> Is it technically possible for me to have a subdomain within the larger
> one?  E.g., if the overall realm is ucsf.edu, I'd administer ross.ucsf.edu
> ?
>

Yes it is, this is called "trust relationship".
To proceed you will need a full agreement from ucsf.edu domain admins as
they will trust your domain, giving all your users access to their
resources, which won't certainly not be possible (these admins could have
reasons not trusting you nor your users).


>
> I have been looking for a way to centralize account management within my
> linux machines, but doing so via AD sounds very indirect.
>

What do you meant by "looking for a way to centralize account management
within my
linux machines"?
Did you meant you want your Linux machines can use centralized users
database? (Here you would plug your linux on AD)
Or did you meant you want to have another database with your own users
dedicated to Linux Boxes? (Here you would need a new AD domain or something
similar)


> Ross
>
> On Fri, Sep 25, 2015 at 9:18 AM, Rowland Penny <
> rowlandpenny241155 at gmail.com
> > wrote:
>
> > On 25/09/15 17:05, Ross Boylan wrote:
> >
> >
> >>
> >> On Fri, Sep 25, 2015 at 12:49 AM, Rowland Penny <
> >> rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at gmail.com>>
> >> wrote:
> >>
> >>     On 24/09/15 22:08, Ross Boylan wrote:
> >>
> >>         I am trying to follow the advice on
> >>         https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> .
> >>         Among
> >>         other things, it says "Make sure that your /etc/hosts has a
> >>         valid entry for
> >>         resolving your hostname to its public IP (not 127.0.0.1!),
> >>         when you join
> >>         the domain:"
> >>
> >>         But my machine is using DHCP and so I can't hard code this.
> >>    What to do?
> >>
> >>
> >>     Ignore the wiki and don't put anything in /etc/hosts, if (like on
> >>     ubuntu) you have 127.0.1.1 pointing to your hostname, remove or
> >>     comment out this line, but you really should give a member server
> >>     a fixed ip
> >>
> >>
> >>         I am using Debian's resolvconf and bind.  I suspect I'll need
> >>         to use bind
> >>         to manage things properly, but perhaps I could let samba do
> >>         the name
> >>         resolution.
> >>
> >>
> >>     you need to use the internal DNS or bind DNS, you cannot use both.
> >>
> >> Understood.  My meaning was using samba in place of bind.
> >> Things are even messier, because the VM is relying on DNS from the
> >> virtual network (libvirt's internal dnsmasq) at the moment.
> >>
> >>
> >>
> >>         A possibly related issue is that the machine has 2 network
> >>         interfaces, one
> >>         for a private network and one for the public one that
> >>         participates in the
> >>         AD.  So there is not one right answer for the name -> IP
> >>         resolution, though
> >>         possibly the fully qualified domain name that goes with active
> >>         directory
> >>         could be reserved for the external IP.
> >>
> >>
> >>     This could be interesting, how are you going to authenticate the
> >>     private network users to a machine that is joined to a domain?
> >>
> >> I don't follow.  The machine has Unix users and a mapping between AD
> >> users and Unix users.  Are you saying I can't have both, and that my
> users
> >> must come either from AD or from local sources, but not both?
> >>
> >
> > With samba3 you could have Unix users and Samba users which were synced
> > together, if you set up Samba4 and join it to an AD domain, then all your
> > user & group info is stored in AD, you cannot have a local Unix user on
> the
> > AD joined machine with the same name as an AD user. This means that if
> you
> > have a user in your private network called 'fred' and he connects to your
> > AD member server (fileserver, client, call it what you will) and there
> is a
> > user called 'fred' in AD, the user 'may' be able to connect, but not if
> > either of the users was to change their password, because now the user
> > wouldn't have the same password as the AD user 'fred'. I hope you get my
> > drift, the whole idea behind AD is centralisation  of authentication etc.
> >
> > Rowland
> >
> >
> >>
> >>
> >>
> >>         I'm going on the assumption that "AD Member Server" is what I
> >>         want, because
> >>         I want to join the domain, use it for authentication, and
> >>         server files.
> >>         Originally I thought "Member Server" meant I was publicly
> >>         serving up
> >>         members of the domain; that is not my intention.
> >>
> >>
> >>     The term 'member server' is a bit of a misnomer, it really should
> >>     be 'a Linux client that serves files', any Linux client is
> >>     basically set up in the same way, what you do with it after, is
> >>     what defines its role.
> >>
> >> Thanks.  So it's a server that's a domain member, not a server that
> >> serves member identities (which would make it a controller).
> >>
> >> Ross
> >>
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list