[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)

Yvan Masson yvan.masson at openmailbox.org
Fri Jul 8 08:22:06 UTC 2016


Hi,

Please correct me if I am wrong, but here are some possibilities:
- as Louis said, use ssh-krb5 to authenticate through AD's Kerberos
(never tried that, interesting to know)
- install pam-ldap to authenticate through AD's LDAP (never tried)
- if you issued "net ads join..." to integrate the box to your domain,
you can use pam-winbind to authenticate
- you can also use sssd to integrate the domain and then pam-sss to
authenticate (maybe the easiest, but then impossible to use samba to
share files or printers)

Personally I use the last 2. Those imply that your Linux box is
integrated into the domain (which can be good or not).

Regards,
Yvan


On Friday 08 July 2016 at 08:46 +0200, L.P.H. van Belle wrote:
> > For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd,
> > kerberos, and don't quite understand which of these I actually need.
> It's your party... and... you forgot pam-ldap ;-)
> 
> You need to set UID/GIDs on the users and groups. 
> And you need to make sure these users have a home dir. 
> 
> I choose Kerberos for my Linux auth.
> For example, for ssh, if you install ssh-krb5 in Debian,
> you can use the AD-AC users to log in on the Linux systems.
> Look here: https://wiki.samba.org/index.php/User_Documentation
> A bit toward the bottom there are some examples.
> Like: https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> If you run pam-auth-update you can see the selected PAM modules.
> 
> Hope this helps you a bit.
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of MI
> > Sent: Thursday 7 July 2016 22:07
> > To: Samba List
> > Subject: [Samba] Using Samba4 AD to authenticate users of other
> > Linux services (SSH, Mail, etc.)
> > 
> > I'm confused about how to authenticate users of other Unix services
> > with Samba4 AD.
> > 
> > After trying the classic upgrade on a test server, I can use
> > smbclient. However, "getent passwd" doesn't show the users, and I'm
> > not sure what I have to do now.
> > 
> > On the live machines, I have openldap, pam-ldapd and nslcd running
> > to authenticate users of Samba 3 as well as ssh, postfix, dovecot,
> > apache, mediawiki, postgresql, etc.
> > 
> > For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd,
> > kerberos, and don't quite understand which of these I actually need.
> > 
> > The point is to use the Samba4 AD-DC to authenticate users for the
> > other Linux services, including on other machines which may not be
> > running Samba. Particularly for SSH and mail.
> > 
> > All the Linux machines run Debian 8.
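A diagnostic sketch for the symptom in the original question ("getent passwd" not showing the users) and the winbind, sssd and LDAP options listed in the reply; it is an added example, not part of the thread. It reads an nsswitch.conf and a PAM auth file and reports, per mechanism, whether both the NSS source and the PAM module are present. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# nss_sources FILE DB: print the lookup sources configured for DB (passwd, group)
nss_sources() {
    awk -v db="$2:" '$1 == db { sub(/#.*/, "")
        for (i = 2; i <= NF; i++)
            if ($i !~ /=/ && $i !~ /^\[/) printf "%s ", $i }' "$1"
}

# pam_auth_modules FILE: print directory-backed modules on active "auth" lines
pam_auth_modules() {
    awk '$1 == "auth" { for (i = 2; i <= NF; i++)
        if ($i ~ /^pam_(winbind|sss|ldap|krb5)\.so$/) printf "%s ", $i }' "$1"
}

# auth_report NSSWITCH PAMFILE: one line per mechanism with its NSS and PAM state.
# nss=no with pam=yes means passwords can be checked but "getent passwd"
# will not list the domain users (no UID/GID/home lookup).
auth_report() {
    src=" $(nss_sources "$1" passwd)"
    pam=" $(pam_auth_modules "$2")"
    for pair in winbind:pam_winbind.so sss:pam_sss.so ldap:pam_ldap.so; do
        nss=${pair%%:*}; mod=${pair#*:}
        case "$src" in *" $nss "*) n=yes ;; *) n=no ;; esac
        case "$pam" in *" $mod "*) p=yes ;; *) p=no ;; esac
        echo "$nss nss=$n pam=$p"
    done
}

# Constructed sample: PAM already uses winbind, but NSS still has only "compat".
sample_report() {
    d=$(mktemp -d) || return 1
    printf 'passwd: compat   # constructed sample\ngroup: compat\n' > "$d/nsswitch.conf"
    printf 'auth [success=2 default=ignore] pam_unix.so nullok_secure\n' > "$d/common-auth"
    printf 'auth [success=1 default=ignore] pam_winbind.so krb5_auth\n' >> "$d/common-auth"
    auth_report "$d/nsswitch.conf" "$d/common-auth"
    rm -rf "$d"
}

sample_report
```

On a real Debian host the same check is `auth_report /etc/nsswitch.conf /etc/pam.d/common-auth`.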