[Samba] Deploying Samba AD into Windows / Linux / OpenLDAP / Kerberos network

Mike samba at norgie.net
Fri Jan 29 13:15:54 UTC 2021

Hi All,

I have a small network at home of mostly Linux hosts.  I have OpenLDAP
set up for user information, MIT Kerberos for authentication and BIND
for DNS.  I've also acquired a handful of Windows hosts.  I've finally
got around to setting up a shared filesystem (NFS / Samba) to share
files between hosts.  At this point (feature creep) it occurred to me
that it might be nice to have central authentication for the Windows
machines and even nicer to actually synchronise / integrate that with
Linux hosts.

I've had a look at Samba AD and it looks like there may be many ways to
approach this, so I was hoping to get some input from the community as
to the best approach to go with.  It looks like it makes sense to use
Samba as an AD server.  The first thoughts that spring into my mind are:

* LDAP: Does it make more sense to allow Samba to handle the AD parts of
LDAP with its own LDAP stuff or should I try to use my existing OpenLDAP
system?  Is it possible to have Linux and Windows read the same user
object in LDAP (this would be marginally neater) or would one have to
define a Linux user and a Windows user as two objects?

* BIND: Again, should one attempt to use one's existing BIND zones for
AD or let Samba handle it internally in its own subdomain?

* Kerberos: This is probably the big one.  One would expect a user to be
able to log into either a Linux or Windows box.  Is there a neat way to
use the same accounts?  Can Samba use the existing Kerberos
infrastructure and indeed should it?  I've read that MIT Kerberos
support in Samba is experimental, does this mean "it works but we
wouldn't want to stake our reputations on it" or "it doesn't work"?
Would a better approach be to allow Samba to manage its own Kerberos and
create the users in MIT Kerberos and use cross-realm authentication to
make the users available to Linux and AD (does this work)?

I guess this boils down to two questions:

1) Should one just install Samba AD and let it handle its own stuff or
should one aim to backend it all with my existing BIND/LDAP/Kerberos?

2) How should one set it up so that one can create a user that can
seamlessly log into both Linux and Windows hosts?

Thanks in advance for any advice,