What is the best way to authenticate users in SMB4 DC on Linux workstation?
I'm using pam_winbind, but sometimes it's very slow...

--
[]'s
Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628
Would Kerberos be an option? I have used Kerberos to authenticate Linux users against a Win 2008 or Win 2012 domain controller.

On 07/31/15 09:22, Jefferson B. Limeira wrote:
> What is the best way to authenticate users in SMB4 DC on Linux
> workstation?
> I'm using pam_winbind, but sometimes it's very slow...
On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
> What is the best way to authenticate users in SMB4 DC on Linux workstation?
> I'm using pam_winbind, but sometimes it's very slow...

How slow is "very slow"?

That said, nslcd with LDAP over SSL works, and it's fast in my experience. You could combine nslcd with Kerberos, which also works very well. Of course both of these methods require you to have unix attributes stored in AD for your users.

--
John Yocum, Systems Administrator, DEOHS
Hi Jefferson,

On 31/07/2015 15:22, Jefferson B. Limeira wrote:
> What is the best way to authenticate users in SMB4 DC on Linux workstation?
> I'm using pam_winbind, but sometimes it's very slow...

Configuring everything correctly on the workstation side is quite tricky. If you have laptops among your workstations, you'll have to deal with caching credentials, groups, users, sid mappings, and so on. Otherwise it will be a PITA when the network connection to the DC is not available.

PAM and NSSwitch are very tricky beasts to tame properly! Currently, I'd say that the easiest way of dealing with all those tricky things is to use the pbis from Powerbroker:

http://www.powerbrokeropen.org/

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
On 31/07/15 18:53, Denis Cardon wrote:
> Hi Jefferson,
>
> On 31/07/2015 15:22, Jefferson B. Limeira wrote:
>> What is the best way to authenticate users in SMB4 DC on Linux
>> workstation?
>> I'm using pam_winbind, but sometimes it's very slow...
>
> Configuring everything correctly on the workstation side is quite
> tricky. If you have laptops among your workstations, you'll have to
> deal with caching credentials, groups, users, sid mappings, and so on.
> Otherwise it will be a PITA when the network connection to the DC is not
> available.
>
> PAM and NSSwitch are very tricky beasts to tame properly! Currently,
> I'd say that the easiest way of dealing with all those tricky things is
> to use the pbis from Powerbroker:
>
> http://www.powerbrokeropen.org/
>
> Cheers,
>
> Denis

Why put another layer on top of winbind? PAM is only tricky to set up if you *don't* use the OS tools: authconfig on Red Hat, just installing the various pam packages on Debian.

Do you by any chance have enumeration turned on in smb.conf?

Rowland
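As an added example (not code from any of the posters), a small POSIX shell check for the enumeration setting Rowland asks about; the smb.conf text it reads is a constructed sample, not a real host's configuration:

```shell
#!/bin/sh
# Added example, not from the thread: flag "winbind enum users/groups = yes"
# in the [global] section of an smb.conf, the setting Rowland asks about.
# With enumeration on, winbind may walk every user or group in the domain,
# which is one common reason "id" and "getent" become slow on domain members.

# Constructed sample smb.conf (not any real host's configuration).
SAMPLE_SMB_CONF=$(cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   ; enumeration left on: this is what we want to catch
   Winbind Enum Users = Yes
   winbind enum groups = no
[homes]
   winbind enum users = yes
EOF
)

# winbind_enum_state KEY  (KEY is "users" or "groups"); smb.conf text on stdin.
# Prints "on" or "off". Only [global] counts, comment lines (# or ;) are
# skipped, names and values match case-insensitively, whitespace around "="
# is ignored, and as in Samba the last assignment of a parameter wins.
winbind_enum_state() {
  awk -v key="$1" '
    BEGIN { state = "off"; in_global = 0 }
    /^[[:space:]]*[;#]/ { next }
    /^[[:space:]]*\[/   { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
    in_global && index($0, "=") {
      name = $0;  sub(/=.*/, "", name)
      value = $0; sub(/^[^=]*=/, "", value)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
      if (tolower(name) == "winbind enum " key) {
        value = tolower(value)
        state = (value == "yes" || value == "true" || value == "1") ? "on" : "off"
      }
    }
    END { print state }'
}

# Report both parameters and show the fix when either one is on.
for key in users groups; do
  state=$(printf '%s\n' "$SAMPLE_SMB_CONF" | winbind_enum_state "$key")
  printf 'winbind enum %-6s = %s\n' "$key" "$state"
  if [ "$state" = on ]; then
    printf '  -> set "winbind enum %s = no" in [global]\n' "$key"
  fi
done
```

On a live member server the same function can be fed the effective configuration from `testparm -s` instead of the constructed sample.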
On 31/07/15 18:19, John Yocum wrote:
> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>> What is the best way to authenticate users in SMB4 DC on Linux workstation?
>> I'm using pam_winbind, but sometimes it's very slow...
>>
> How slow is "very slow"?
>
> That said, nslcd with LDAP over SSL works, and it's fast in my
> experience. You could combine nslcd with Kerberos, which also works very
> well. Of course both of these methods require you to have unix
> attributes stored in AD for your users.

+1 to not using winbind. We would recommend sssd too, as well as the nslcd alternative you mention. Both of the latter are faster.
An example of how slow it is...

[root at CTA1PAPAN001645 ~]# time id teste
uid=16777232(teste) gid=16777216(domain users) grupos=16777216(domain users),16777220(operacao),16777222(BUILTIN\users)

real    1m15.981s
user    0m0.005s
sys     0m0.007s

According to this documentation, if I want to use file sharing without AD modifications, the only option is Winbind (idmap_rid).

https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf

On 2015-07-31 13:19, John Yocum wrote:
> On 07/31/2015 06:22 AM, Jefferson B. Limeira wrote:
>> What is the best way to authenticate users in SMB4 DC on Linux
>> workstation?
>> I'm using pam_winbind, but sometimes it's very slow...
>>
>
> How slow is "very slow"?
>
> That said, nslcd with LDAP over SSL works, and it's fast in my
> experience. You could combine nslcd with Kerberos, which also works
> very
> well. Of course both of these methods require you to have unix
> attributes stored in AD for your users.
>
> --
> John Yocum, Systems Administrator, DEOHS

--
[]'s
Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628