[Samba] Migrating Samba NT4 Domain to Samba AD

L.P.H. van Belle belle at bazuin.nl
Tue Sep 17 07:41:00 UTC 2019


Gooood morning guys, 


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland penny via samba
> Sent: Monday, 16 September 2019 22:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Migrating Samba NT4 Domain to Samba AD
> 
> On 16/09/2019 20:39, Bartłomiej Solarz-Niesłuchowski via 
> samba wrote:
> >
> > How many AD DC servers are recommended for network my size (600+ 
> > workstations?) 2? 3? more?
> At least two, but if you can afford it, more are better.
> >
> >>>
> >>>
> >
> > linux workstation aren't samba domain member... they use ldap as 
> > source for passwd and authentication - thru e.g. nslcd
> Then join them to the domain, that way you will not need nslcd, the 
> 'getent' example I posted came from a Unix domain member aka Linux 
> workstation.

Yes, this is what I do also, all my servers are in the samba AD domain. 
Just configure ldap (client), set up your ssl certificates where needed. 
And try to use kerberos as authentication first with ldap as fallback.


> >
> >
> >
> >> I am not 100% convinced you need to do anything like this.
> >>
> >> What do you use the openldap for ?
> >>
> >> A mailserver or something else ?
> > mailserver, ssh, as source of authentication for users for e.g. 
> > apache, email aliases database for postfix
> 
> Louis, can you help here, this sounds right up your street ;-)
Sure, I use this on debian buster:
Setup.. 
- if only auth is needed I only install: 
	winbind krb5-user acl
- if I need access to shares: samba winbind acl

All servers do have their own certificates, managed by my own CA root. 
Once that is set/done. 

Ssh 
# Use Dns for kerberos auth
UseDNS yes

# Enable kerberos GSSAPI tickets
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

Mail/postfix aliases. ( against kopano ) 
server_host = ldaps://ldap1.internal.domain.tld:636 ldaps://ldap2.internal.domain.tld:636
# ldap1/2 are CNAMES to my DC1 and DC2, that saves time if you switch in DC names. 
search_base = DC=internal,DC=domain,DC=tld
version = 3
bind_dn = CN=ldap-connect,OU=SA,OU=Company,DC=internal,DC=domain,DC=tld
bind_pw = YouMayGuessIt. 

# adapt the query_filter to your needs. 
scope = sub
# aliases by mail address:
query_filter = (&(objectClass=user)(otherMailbox=%s))
result_attribute = mail

#samba, just make sure you have at least: 
winbind refresh tickets = yes 
So your kerberos tickets on the server don't expire. 

# apache, a nice example here.
https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

#squid..
Already on the list. 
See : https://www.spinics.net/lists/samba/msg159262.html 

Anything I missed ;-) ? 

NFSv4 kerberized mounts.. 
See: https://www.spinics.net/lists/samba/msg156758.html



> 
> You should be able to do most, if not all, of this from AD, 
> for a start 
> see here:
> 
> https://wiki.samba.org/index.php/Authenticating_other_services
> _against_Samba_AD
> 
> >>
> >> You may be able to extend the AD schema with whatever it 
> is you are 
> >> using openldap for.
> >
> > May I please ssome link how to extend AD schema (I made it 
> on openldap 
> > but on samba ldap I have no idea how add custom schema)?

Which schemas do you want to add, any examples? 
That might help to see if more is needed. 

> >
> It is very similar to adding a schema to openldap, you just need the 
> schema in a format suitable for AD, having said that, you can use 
> kerberos for ssh without having to extend the schema, for the basics, 
> see here:
> 
> https://wiki.samba.org/index.php/Samba_AD_schema_extensions
> 
> Rowland
> 
> 
> 


Greetz, 

Louis
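The two config fragments in Louis's message (the sshd GSSAPI settings and the Postfix ldap_table map pointed at the DCs) are the kind of thing that quietly degrades when someone edits them later: a `GSSAPIStrictAcceptorCheck no`, or an `ldap://` URL slipped in beside the `ldaps://` ones, and the bind password or the Kerberos acceptor check is weakened without anything failing. The script below is an added example, not part of the post or of Samba/Postfix; it lints both fragments for those settings. The sample inputs are constructed for the example (the hostnames, the `CN=ldap-connect` bind DN and the CA file path are placeholders, not real infrastructure), and `tls_require_cert` / `start_tls` are the documented ldap_table(5) parameters whose defaults are `no`.

```python
"""Lint an sshd_config fragment and a Postfix ldap_table(5) map for the
security-relevant settings discussed in the thread. Sample inputs are
constructed for this example; they are not the poster's real configs."""

from urllib.parse import urlsplit

# Constructed sample: the sshd fragment from the post, with the acceptor
# check deliberately weakened so the linter has something to report.
SSHD_SAMPLE = """\
# Use Dns for kerberos auth
UseDNS yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
"""
SSHD_HARDENED = SSHD_SAMPLE.replace("GSSAPIStrictAcceptorCheck no",
                                    "GSSAPIStrictAcceptorCheck yes")

# Constructed sample: an aliases map like the one in the post, but with the
# first DC downgraded to cleartext ldap:// and no server certificate check.
POSTFIX_LDAP_SAMPLE = """\
server_host = ldap://ldap1.internal.domain.tld ldaps://ldap2.internal.domain.tld:636
search_base = DC=internal,DC=domain,DC=tld
version = 3
bind_dn = CN=ldap-connect,OU=SA,OU=Company,DC=internal,DC=domain,DC=tld
bind_pw = YouMayGuessIt.
scope = sub
query_filter = (&(objectClass=user)(otherMailbox=%s))
result_attribute = mail
"""
# Hardened variant: ldaps:// on both DCs and the DC certificate verified
# against a CA file (placeholder path, not a real one).
POSTFIX_LDAP_HARDENED = POSTFIX_LDAP_SAMPLE.replace(
    "ldap://ldap1.internal.domain.tld", "ldaps://ldap1.internal.domain.tld:636"
) + "tls_require_cert = yes\ntls_ca_cert_file = /etc/ssl/certs/internal-ca.pem\n"

# sshd keywords that must be 'yes' for Kerberos SSO to be both working and
# safe; the acceptor check stops a ticket for host A being accepted by host B.
SSHD_REQUIRED = {
    "gssapiauthentication": "yes",
    "gssapicleanupcredentials": "yes",
    "gssapistrictacceptorcheck": "yes",
}


def parse_sshd(text):
    """sshd_config style: 'Keyword value', '#' comments, keywords case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def parse_postfix_map(text):
    """Postfix map style: 'key = value'; split on the first '=' only, since
    values such as search_base contain '=' themselves."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def check_sshd(conf):
    findings = []
    for key, wanted in SSHD_REQUIRED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"sshd: {key} not set (want {wanted})")
        elif got.lower() != wanted:
            findings.append(f"sshd: {key} is {got}, want {wanted}")
    return findings


def check_postfix_map(conf):
    findings = []
    # Every DC URL must be ldaps://, unless STARTTLS is explicitly turned on.
    for url in conf.get("server_host", "").split():
        if urlsplit(url).scheme != "ldaps" and conf.get("start_tls", "no").lower() != "yes":
            findings.append(f"postfix: {url} is cleartext ldap and start_tls is not yes")
    if conf.get("version") != "3":
        findings.append("postfix: version should be 3")
    # A bind password over TLS is only protected if the DC certificate is checked.
    if "bind_dn" in conf and conf.get("tls_require_cert", "no").lower() != "yes":
        findings.append("postfix: bind_dn set but tls_require_cert is not yes")
    if "%s" not in conf.get("query_filter", ""):
        findings.append("postfix: query_filter has no %s, every lookup returns the same result")
    return findings


def lint_sshd(text):
    return check_sshd(parse_sshd(text))


def lint_postfix_map(text):
    return check_postfix_map(parse_postfix_map(text))


if __name__ == "__main__":
    for name, result in (("sshd sample", lint_sshd(SSHD_SAMPLE)),
                         ("sshd hardened", lint_sshd(SSHD_HARDENED)),
                         ("postfix sample", lint_postfix_map(POSTFIX_LDAP_SAMPLE)),
                         ("postfix hardened", lint_postfix_map(POSTFIX_LDAP_HARDENED))):
        print(name, "->", result or "ok")
```

Point it at the real files (`/etc/ssh/sshd_config` and the map file named in `alias_maps`) by reading them into the two `lint_*` functions; the map file also carries `bind_pw`, so it should be readable by the postfix user only, which a linter on the file contents cannot see.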