[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)
L.P.H. van Belle
belle at bazuin.nl
Fri Jul 8 09:34:23 UTC 2016
This should also work on Samba4, since AD = LDAP.
Just take notice of the last security changes as of 4.4.2+
( or 4.3.8+ or 4.2.10+ )
So, a few tips for Debian/Ubuntu.
Read : https://www.spinics.net/lists/samba/msg134098.html
And what's missing there is that your CA root must be in .crt format.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of MI
> Sent: Friday 8 July 2016 11:03
> To: Samba List
> Subject: Re: [Samba] Using Samba4 AD to authenticate users of other
> Linux services (SSH, Mail, etc.)
>
>
> Thanks.
>
> pam-ldap is what I have now (libpam-ldapd 0.9.4-3+deb8u1) and which worked
> with openldap.
>
> I do have UIDs/GIDs, which seem to have been preserved in the
> classicupgrade:
>
> # ldbsearch -H ldap://localhost -U Administrator -b
> "CN=Users,DC=ad,DC=mydomain,DC=tld" ...
>
> # record 75
> dn: CN=tobias,CN=Users,DC=ad,DC=mydomain,DC=tld
> cn: tobias
> name: tobias
> sAMAccountName: tobias
> displayName: Tobias Xyz
> uidNumber: 1038
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> unixHomeDirectory: /home/tobias
> gidNumber: 513
>
>
> Maybe I only need some simple settings somewhere to use the Samba4 LDAP
> instead of openldap?
>
>
> -------- Original Message --------
> >> For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd, kerberos, and don't
> >> quite understand which of these I actually need.
> > It's your party... and... you forgot pam-ldap ;-)
> >
> > You need to set UID/GIDs on the users and groups.
> > And you need to make sure these users have a home dir.
> >
> > I choose kerberos for my Linux auth.
> > For example, for ssh, if you install ssh-krb5 in Debian,
> > you can use the AD-AC users to log in on the Linux systems.
> > Look here : https://wiki.samba.org/index.php/User_Documentation
> > A bit toward the bottom there are some examples.
> > Like : https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> > If you run pam-auth-update you can see the pam selected things.
> >
> > Hope this helps you a bit.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of MI
> >> Sent: Thursday 7 July 2016 22:07
> >> To: Samba List
> >> Subject: [Samba] Using Samba4 AD to authenticate users of other Linux
> >> services (SSH, Mail, etc.)
> >>
> >> I'm confused about how to authenticate users of other Unix services with
> >> Samba4 AD.
> >>
> >> After trying the classic upgrade on a test server, I can use smbclient. However,
> >> "getent passwd" doesn't show the users, and I'm not sure what I have to do now.
> >>
> >> On the live machines, I have openldap, pam-ldapd and nslcd running to authenticate
> >> users of Samba 3 as well as ssh, postfix, dovecot, apache, mediawiki,
> >> postgresql, etc.
> >>
> >> For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd, kerberos, and don't
> >> quite understand which of these I actually need.
> >>
> >> The point is to use the Samba4 AD-DC to authenticate users for the other Linux
> >> services, including on other machines which may not be running Samba. Particularly
> >> for SSH and mail.
> >>
> >> All the Linux machines run Debian 8.
> >>
> >>
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >
>
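The advice in the thread that users need UID/GIDs and a home directory can be checked against `ldbsearch` output before nslcd or pam-ldap is pointed at the AD. The following is an added example, not part of the original messages: it parses LDIF like the record quoted above and reports which accounts carry `uidNumber`, `gidNumber` and `unixHomeDirectory`. The sample records, the duplicate-UID check and the function names are assumptions made for illustration.

```python
import base64
from collections import Counter

REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory")
# Constructed sample: first record modelled on the one in the thread,
# second is a made-up account without any Unix attributes.
SAMPLE = """\
dn: CN=tobias,CN=Users,DC=ad,DC=mydomain,DC=tld
sAMAccountName: tobias
displayName: Tobias Xyz
uidNumber: 1038
objectClass: user
unixHomeDirectory: /home/tobias
gidNumber: 513

dn: CN=alice,CN=Users,DC=ad,DC=mydomain,DC=tld
sAMAccountName: alice
objectClass: user
"""

def parse_ldif(text):
    """Yield one dict (attribute -> list of values) per LDIF record."""
    text = text.replace("\n ", "")  # unfold continuation lines
    for block in text.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # ldbsearch comments such as "# record 75"
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            rec.setdefault(name, []).append(value.strip())
        if "dn" in rec:
            yield rec

def audit(text):
    """Return (passwd-style lines for usable accounts, {account: [issues]})."""
    users = [r for r in parse_ldif(text) if "user" in r.get("objectClass", [])
             and "computer" not in r["objectClass"]]
    uids = Counter(r["uidNumber"][0] for r in users if "uidNumber" in r)
    ready, problems = [], {}
    for r in users:
        name = r.get("sAMAccountName", r["dn"])[0]
        issues = [f"missing {a}" for a in REQUIRED if a not in r]
        if uids[r.get("uidNumber", [""])[0]] > 1:  # shared UID = shared file ownership
            issues.append("duplicate uidNumber")
        if issues:
            problems[name] = issues
        else:  # shell field left empty: loginShell is not mapped in this sketch
            ready.append(":".join([name, "*", r["uidNumber"][0], r["gidNumber"][0],
                r.get("displayName", [""])[0], r["unixHomeDirectory"][0], ""]))
    return ready, problems
```

Feed it the saved output of the `ldbsearch` command from the thread; accounts listed under problems will not resolve cleanly through `getent passwd` until their attributes are set.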