dahopkins at comcast.net
2013-Jul-25 16:59 UTC
[Samba] Question on approach to authenticate Linux against Samba4
This is in a test environment. Also, it is wordy, but I'm hoping it explains my scenario.

I am migrating from a custom LDAP+Samba3 authentication solution to Samba4. I have used the classicupgrade option to pull off the data from the existing ldap server to populate the samba4 database. I've installed AD DS and Server for NIS tools on a Windows 2008 server that is connected to the Samba4 DC as a member server. All the information appears to be correct, including the Unix uid and group memberships, and the unixHomedirectory.

Now I need to authenticate a Linux system against the Samba4 DC and I need to have the unixHomedirectory used. There is a lot of older information on the net on how to authenticate. I'd prefer to not be required to install samba4 on these other Linux systems, which a lot of these approaches seem to require. These Linux systems are running LTSP so I have 50+ users logged in at any given time. I currently NFS mount home directories for the Linux systems from a central fileserver. Home directories are of the pattern /home/Graduation_year/username.

I've tested the Windows logins. I have an issue with mapped drives to the fileservers, but I expected this since the fileservers don't exist on the test network. I expect this issue to be resolved once the fileservers are upgraded to samba4 and joined as member servers.

I found http://zachbethel.com/2013/04/10/linux-ldap-authentication-with-samba4/ which I think will work. The ldbsearch works, but before embarking further on this approach, I have some concerns.

1) Will the unixHomedirectory be honored?

2) Will I be able to easily add users so that the unix settings will be properly configured? I currently use the IDEALX smbldap tools. Being able to script account creation is very important to me .. adding 200+ user accounts manually each year is not very appealing. ;)

3) Will the scripting tools be able to automatically assign a unique uid for each unix account? Current approach uses NextFreeUnixID but this does not exist in the Samba4 database (the ldap entry is shown below).

dn: cn=NextFreeUnixId,dc=ncs,dc=k12,dc=de,dc=us
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
cn: NextFreeUnixId
sn: NextFreeUnixId
structuralObjectClass: inetOrgPerson
entryUUID: 4a73a856-83a5-1029-8294-b4ff885ef639
creatorsName: cn=Manager,dc=ncs,dc=k12,dc=de,dc=us
createTimestamp: 20050708023946Z
gidNumber: 1002
uidNumber: 3885

I have read through the recent thread on winbind and honestly I am not sure that I want to pursue either winbind or sssd if it is possible to use nss_pam_ldap, which seems closest to the current approach.

Thank you for your patience and taking the time to read the above.

Sincerely,
Dave Hopkins
steve
2013-Jul-25 17:45 UTC
[Samba] Question on approach to authenticate Linux against Samba4
On Thu, 2013-07-25 at 16:59 +0000, dahopkins at comcast.net wrote:
> I have read through the recent thread on winbind and honestly I am not sure that I want to pursue either winbind or sssd if it is possible to use nss_pam_ldap which seems closest to the current approach.

Hi

Ok, I can understand that. So why not have a look at nss-pam-ldapd with nslcd? It's almost as good as sssd and it's quick and easy to set up:
http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html

hth
Steve
Jonathan Buzzard
2013-Jul-25 19:42 UTC
[Samba] Question on approach to authenticate Linux against Samba4
On 25/07/13 17:59, dahopkins at comcast.net wrote:
> 1) will the unixHomedirectory be honored?
>
> 2) will I be able to easily add users so that the unix settings will
> be properly configured? I currently use the IDEALX smbldap tools.
> Being able to script account creation is very important to me ..
> adding 200+ user accounts manually each year is not very appealing.
> ;)

It is scriptable, though to be honest a PowerShell script from Windows probably works better at this point in time.

> 3) Will the scripting tools be able to automatically assign a unique
> uid for each unix account. Current approach uses NextFreeUnixID but
> this does not exist in the Samba4 database (the ldap entry is shown
> below )

Nope. Either maintain the accounts somewhere else where you can do that and have a script that then creates and disables accounts as needed in AD, or have your script look for the highest UID and increment from that.

> I have read through the recent thread on winbind and honestly I am
> not sure that I want to pursue either winbind or sssd if it is
> possible to use nss_pam_ldap which seems closest to the current
> approach.

Assuming these are Linux workstations, then sssd is the way to go for the future. If you are running a Samba 3.x member file server then I personally would use winbind. I have not looked at Samba4 yet (campus agreements in higher education where I work make real Microsoft AD controllers very very cheap, so why would you do it), but there are reports of issues with winbind on Samba4 file servers. Then again I would be hesitant in putting a Samba 4 file server into production. You gain little over a Samba 3.6.x server.

JAB.

--
Jonathan A. Buzzard
Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
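The "look for the highest UID and increment from that" approach in the reply above, as an added example that is not code from any poster on this thread. It reads the LDIF-style text that ldbsearch or ldapsearch print for a `(uidNumber=*)` query (the sample dump below is constructed), flags uids that are already assigned twice, picks the next free uid inside a configured range, and builds the samba-tool command line with the /home/Graduation_year/username layout from the original post. The DNs, uids and the `--uid-number`/`--gid-number`/`--unix-home` options are assumptions: the options exist in recent samba-tool releases, but check your own version.

```python
"""Next free uidNumber without a NextFreeUnixId counter object.

Added example for this thread, not code from any poster: it implements the
"highest UID + 1" allocation suggested above. Input is LDIF text as printed
by ldbsearch/ldapsearch; the sample is constructed, not real directory data.
"""
import re

# Constructed sample output, as from something like:
#   ldbsearch -H ldap://dc --basedn DC=example,DC=org '(uidNumber=*)' uidNumber
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=org
uidNumber: 3885

dn: CN=bob,CN=Users,DC=example,DC=org
uidNumber: 3886

dn: CN=carol,CN=Users,DC=example,DC=org
uidNumber: 3886

dn: CN=svc-backup,CN=Users,DC=example,DC=org
uidNumber: 60000
"""

UID_RE = re.compile(r"^uidNumber:\s*(\d+)\s*$", re.MULTILINE)


def parse_uids(ldif_text):
    """Return every uidNumber in an LDIF dump, in order of appearance."""
    return [int(m.group(1)) for m in UID_RE.finditer(ldif_text)]


def find_duplicates(uids):
    """uidNumbers assigned to more than one account. Two users sharing a
    uid can read and write each other's NFS-mounted home directories, so
    an import should stop on this rather than add a third."""
    seen, dups = set(), set()
    for uid in uids:
        (dups if uid in seen else seen).add(uid)
    return sorted(dups)


def next_free_uid(uids, low=1000, high=59999):
    """Highest uidNumber inside [low, high] plus one.

    Values outside the range (service or machine accounts) are ignored so
    they cannot push user uids into another range; an exhausted range
    raises instead of silently handing out an out-of-range uid.
    """
    in_range = [uid for uid in uids if low <= uid <= high]
    candidate = max(in_range) + 1 if in_range else low
    if candidate > high:
        raise ValueError("uid range %d-%d is exhausted" % (low, high))
    return candidate


def allocate_uids(usernames, existing_uids, low=1000, high=59999):
    """Assign consecutive free uids to a batch of new accounts.

    Each allocation joins the working set, so a 200-user import never
    hands the same uid to two new accounts in the same run.
    """
    taken = list(existing_uids)
    assigned = {}
    for name in usernames:
        uid = next_free_uid(taken, low, high)
        assigned[name] = uid
        taken.append(uid)
    return assigned


def create_command(username, uid, gid, grad_year):
    """argv for 'samba-tool user create' with RFC2307 attributes.

    Assumption: the installed samba-tool accepts --uid-number,
    --gid-number and --unix-home. The home path follows the
    /home/Graduation_year/username layout from the original post.
    """
    return ["samba-tool", "user", "create", username,
            "--uid-number=%d" % uid,
            "--gid-number=%d" % gid,
            "--unix-home=/home/%d/%s" % (grad_year, username)]


if __name__ == "__main__":
    uids = parse_uids(SAMPLE_LDIF)
    print("duplicate uids:", find_duplicates(uids))
    for user, uid in allocate_uids(["dave", "erin"], uids).items():
        print(" ".join(create_command(user, uid, 1002, 2017)))
```

Because the directory holds no counter object, "highest + 1" is only safe when one process allocates at a time: run the import from a single admin host under a lock, and re-read the directory immediately before each batch rather than caching the result.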
Daniel Müller
2013-Jul-29 06:27 UTC
[Samba] Question on approach to authenticate Linux against Samba4
So first of all winbind is the fastest and easiest solution with samba 4: Just be sure winbind is loaded in your samba4 smb.conf. So winbind can read from samba:

wbinfo -u
Administrator
Guest
krbtgt
dns-s4master

then do a

ldconfig -v | grep winbind

If the result is ex:

ldconfig: /etc/ld.so.conf.d/kernel-2.6.32-358.11.1.el6.x86_64.conf:6: duplicate hwcap 1 nosegneg
libnss_winbind.so -> libnss_winbind.so.2

You have to link libnss_winbind this way ex.:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

In your nsswitch.conf:

passwd: files winbind
shadow: files
group: files winbind

Now you get all your ADS members and groups with getent passwd and group.

Good luck
Daniel

-----------------------------------------------
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
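A check for the nsswitch.conf step in the reply above, as an added example that is not code from any poster on this thread. It parses the nsswitch.conf format (database name, colon, ordered source list, `#` comments) and reports which of the databases that the reply puts winbind into are still without it, which is the usual reason `getent passwd` shows local users but no domain users. The file content below is constructed; the set of required databases is an assumption taken from the reply's own snippet.

```python
"""Report nsswitch.conf databases that do not yet consult winbind.

Added example for this thread, not code from any poster. The sample
file is constructed: the passwd line was updated, the group line was not.
"""

SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files winbind
shadow:     files
group:      files        # winbind still missing here
hosts:      files dns
"""

# Databases the reply above routes through winbind (assumed requirement).
REQUIRED = {"passwd": "winbind", "group": "winbind"}


def parse_nsswitch(text):
    """Map each database name to its ordered list of sources.

    Comments and blank lines are dropped; action tokens such as
    [NOTFOUND=return] are kept as ordinary list items.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def missing_sources(databases, required=REQUIRED):
    """Names of required databases whose source list lacks the entry."""
    return sorted(db for db, src in required.items()
                  if src not in databases.get(db, []))


def check(text, required=REQUIRED):
    """Return (databases, missing) for one nsswitch.conf body."""
    databases = parse_nsswitch(text)
    return databases, missing_sources(databases, required)


if __name__ == "__main__":
    dbs, missing = check(SAMPLE_NSSWITCH)
    for name, sources in dbs.items():
        print("%-8s %s" % (name + ":", " ".join(sources)))
    print("missing winbind:", ", ".join(missing) or "none")
```

Run it against the real file with `check(open("/etc/nsswitch.conf").read())`; an empty missing list means both lookups reach winbind, and `getent passwd` or `getent group` then confirms the library link from the previous step works.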