[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)

L.P.H. van Belle belle at bazuin.nl
Fri Jul 8 09:34:23 UTC 2016


This should also work on Samba4 since AD = ldap.

Just take note of the last security changes as of 4.4.2+
(or 4.3.8+ or 4.2.10+).

So a few tips for debian/ubuntu.
Read: https://www.spinics.net/lists/samba/msg134098.html
And what's missing there is that your CA Root must be in .crt format.


Greetz, 

Louis






> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of MI
> Sent: Friday 8 July 2016 11:03
> To: Samba List
> Subject: Re: [Samba] Using Samba4 AD to authenticate users of other
> Linux services (SSH, Mail, etc.)
> 
> 
> Thanks.
> 
> pam-ldap is what I have now (libpam-ldapd 0.9.4-3+deb8u1) and which worked
> with openldap.
> 
> I do have UIDs/GIDs, which seem to have been preserved in the
> classicupgrade:
> 
>     # ldbsearch -H ldap://localhost -U Administrator -b
>     "CN=Users,DC=ad,DC=mydomain,DC=tld" ...
> 
>     # record 75
>     dn: CN=tobias,CN=Users,DC=ad,DC=mydomain,DC=tld
>     cn: tobias
>     name: tobias
>     sAMAccountName: tobias
>     displayName: Tobias Xyz
>     uidNumber: 1038
>     objectClass: top
>     objectClass: posixAccount
>     objectClass: person
>     objectClass: organizationalPerson
>     objectClass: user
>     unixHomeDirectory: /home/tobias
>     gidNumber: 513
> 
> 
> Maybe I only need some simple settings somewhere to use the Samba4 LDAP
> instead of openldap?
> 
> 
> -------- Original Message --------
> >> For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd, kerberos, and
> >> don't quite understand which of these I actually need.
> > It's your party... and you forgot pam-ldap ;-)
> >
> > You need to set UID/GIDs on the users and groups.
> > And you need to make sure these users have a home dir.
> >
> > I choose kerberos for my linux auth.
> > For example, for ssh, if you install ssh-krb5 in debian,
> > you can use the AD-AC users to login on the linux systems.
> > Look here: https://wiki.samba.org/index.php/User_Documentation
> > A bit toward the bottom there are some examples.
> > Like: https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> > If you run pam-auth-update you can see the pam selected things.
> >
> > Hope this helps you a bit.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of MI
> >> Sent: Thursday 7 July 2016 22:07
> >> To: Samba List
> >> Subject: [Samba] Using Samba4 AD to authenticate users of other Linux
> >> services (SSH, Mail, etc.)
> >>
> >> I'm confused about how to authenticate users of other Unix services with
> >> Samba4 AD.
> >>
> >> After trying the classic upgrade on a test server, I can use smbclient.
> >> However, "getent passwd" doesn't show the users, and I'm not sure what I
> >> have to do now.
> >>
> >> On the live machines, I have openldap, pam-ldapd and nslcd running to
> >> authenticate users of Samba 3 as well as ssh, postfix, dovecot, apache,
> >> mediawiki, postgresql, etc.
> >>
> >> For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd, kerberos, and
> >> don't quite understand which of these I actually need.
> >>
> >> The point is to use the Samba4 AD-DC to authenticate users for the other
> >> Linux services, including on other machines which may not be running Samba.
> >> Particularly for SSH and mail.
> >>
> >> All the Linux machines run Debian 8.
> >>
> >>
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >
> 
> 
> 
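Added example, not part of the original messages and not Samba project configuration: a minimal nslcd.conf for the pam-ldapd/nslcd setup discussed in the thread, pointed at the Samba AD DC and using the attribute names visible in the ldbsearch output. The hostname, bind account, password and CA file path are placeholders. The TLS lines reflect that the Samba releases named above default to `ldap server require strong auth = yes`, which rejects simple binds on unencrypted connections.

```conf
# /etc/nslcd.conf (constructed example; keep it unreadable to ordinary
# users, since it holds a bind password)

uid nslcd
gid nslcd

# LDAP service of the Samba AD DC (placeholder hostname)
uri ldap://dc1.ad.mydomain.tld
base dc=ad,dc=mydomain,dc=tld

# Dedicated low-privilege bind account (hypothetical name), not Administrator
binddn CN=nslcd-bind,CN=Users,DC=ad,DC=mydomain,DC=tld
bindpw CHANGE_ME

# Weak setting: simple bind in clear text. The DC refuses it by default
# and the password would cross the network unencrypted.
#ssl off

# Corrected: upgrade to TLS before binding and verify the DC certificate
# against the CA root (placeholder path, PEM content in a .crt file).
ssl start_tls
tls_reqcert demand
tls_cacertfile /usr/local/share/ca-certificates/ad-ca.crt

# Only expose AD users/groups that carry POSIX ids, and map the AD
# attribute names onto the names NSS expects.
filter passwd (&(objectClass=user)(uidNumber=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName

filter shadow (&(objectClass=user)(uidNumber=*))
map    shadow uid           sAMAccountName

filter group  (&(objectClass=group)(gidNumber=*))

# AD pages large result sets; do not chase referrals to other partitions.
pagesize 1000
referrals no
```

After restarting nslcd, `getent passwd tobias` should return the entry with uidNumber 1038 and /home/tobias if the mappings are correct.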




