Jim Seymour
2015-Aug-31 19:21 UTC
[Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
On Thu, 27 Aug 2015 23:03:39 -0400 Robert Moskowitz <rgm at htt-consult.com> wrote:

> On 08/27/2015 08:45 PM, Jim Seymour wrote:
> > On Thu, 27 Aug 2015 17:00:28 -0400 Robert Moskowitz <rgm at htt-consult.com> wrote:
> >
> > > Ah, LDAP is included within Samba, I find. Don't install provided one...
[snip]
> > We *require*, not desire, but *require* OpenLDAP. OpenLDAP is used for, amongst other things, a Corporate email address book and by the RADIUS server. Eventually the entire set of network directory data that currently resides in and is served by NIS+ will be in LDAP.
>
> This is what runs on your DC. I suspect you can use slapd to do any syncing with OpenLDAP on other machines.
[snip]

I suspect this is not going in the direction I'd envisioned.

The Plan was an AD PDC that used OpenLDAP. That way: OpenLDAP data, replicated to the mail server, could be used for sign-on there, too.

Somewhere somebody recently mentioned a single-sign-on doc. I'll have to hunt that down and take a look.

Thanks,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
Marc Muehlfeld
2015-Aug-31 21:08 UTC
[Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
Hello,

On 31.08.2015 at 21:21, Jim Seymour wrote:
> The Plan was an AD PDC that used OpenLDAP. That way: OpenLDAP data, replicated to the mail server, could be used for sign-on there, too.

I haven't followed the original thread, so I don't know what was already discussed there.

If you're talking about a PDC: Yes, you can use OpenLDAP as backend, as you always could for NT4 domains. However, you seem to talk about AD, so I think you wrongly mix up PDC with DC.

If you're talking about Active Directory, then you can't use OpenLDAP as AD backend for Samba in its current state. Nadya is working on this, but it will still take some time until this is finished. And I can't say if and how replication between an AD OpenLDAP and a classic one would work, because it requires special stuff.

If interested, see Nadya's SambaXP talk from 2014:
http://archive.sambaxp.org/fileadmin/user_upload/SambaXP2014-DATA/thu/track1/Nadezhd_Ivanova-Samba4withOpenLDAPBackend-It_sAlive.pdf

Regards,
Marc
L.P.H. van Belle
2015-Sep-01 06:21 UTC
[Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
Hai Jim,

What are you looking for?
I'm using an SSO for my Zarafa mail server.

Greetz,

Louis
Mark Foley
2015-Oct-08 03:16 UTC
[Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
I'm very confused. I have a Samba4 AD/DC which works great for Windows Authentication with our Windows 7 workstations.

Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.

All web documentation I've so far found on this references OpenLDAP as the server and describes server-side commands such as kadmin and slapd-config to get things set up on the server side (e.g. https://help.ubuntu.com/community/SingleSignOn) which don't exist on the Samba4 AD/DC.

Samba4 apparently has its own LDAP (Heimdal?) implementation. Does this mean everything should "just work" with LDAP clients and I need do no further server-side configuration? Or does it mean, "sorry, you can't do LDAP Authentication with Samba4."

Please clarify so I can make some decisions.

btw - the following command *does* work from a Linux client on the network:

    ldapsearch -xLLL -H ldap://mail:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"

--Mark
L.P.H. van Belle
2015-Oct-08 07:30 UTC
[Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
Hai Mark,

Look here for a single sign on setup. It's not for Linux clients, but you can learn / understand from it. Worth reading.
https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4

Now, I don't have a Linux workstation setup here, but what you need to know is on the Ubuntu page and the Samba wiki.

As for the example, https://help.ubuntu.com/community/SingleSignOn tells it. To put you in the correct direction:

SSO KERBEROS AUTH
1-4.1: skip, that's your AD DC.
5: what you want. I suggest skip first, set up with mkhomedir in PAM for the client, and when that works, set up the shared file system.
6.1: do 1, 2, 3. Generate a keytab (on the DC). (If you do a member server setup on the client, skip 4, 5, 6.)
     To create the keytab file, you can set up Samba as a member server on the client, which generates the keytab file, or create one yourself on the DC. Instructions are on the wiki.
6.2 (client configuration):
     apt-get install libnss-ldapd libsasl2-modules-gssapi-heimdal libpam-ccreds
     Optional: libpam-krb5 libpam-ldap/libpam-ldapd, not sure about these ldap(d).
     Do 1, 2 (skip the TLS for now, test without). Do optional 6.3.

SSO LDAP AUTH
Optional 8 (so not Kerberos auth but SSO by LDAP auth):
     apt-get install ldap-auth-client libpam-krb5 krb5-user libpam-foreground libsasl2-modules-gssapi-heimdal

That should get you going.

Greetz,

Louis
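The client-side pieces Louis's step list points at (krb5.conf for the Kerberos client, nslcd.conf for libnss-ldapd, PAM fragments with pam_krb5 and pam_mkhomedir), written out as an added example that is not code posted by anyone in this thread and not part of the Ubuntu page or the Samba wiki. It takes the realm HPRS.LOCAL, the base DN dc=HPRS,dc=local and the DC host "mail" from Mark's ldapsearch line; the FQDN mail.hprs.local, the k5start command, the nslcd ticket cache path, the attribute mapping and the PAM fragments are assumptions. The security point it makes: Mark's ldapsearch does a simple bind (-x) as Administrator over ldap://, so the password crosses the wire in the clear. The nslcd config here binds with GSSAPI using the host keytab instead, so no directory password is stored on the client or sent over the network, which is also why "skip the TLS for now" is tolerable during testing; a simple bind should not ship without STARTTLS or ldaps://. The audit function at the end flags exactly those weak settings in an nslcd.conf.

```shell
#!/bin/sh
# Added example for this thread, not code from any participant, the Samba
# project or Ubuntu. Assumptions: realm/base DN/DC host come from Mark's
# ldapsearch; mail.hprs.local, the cache path, mappings and PAM lines are ours.
set -eu

REALM="${REALM:-HPRS.LOCAL}"
BASE_DN="${BASE_DN:-dc=HPRS,dc=local}"
DC_FQDN="${DC_FQDN:-mail.hprs.local}"

# Kerberos client: the Samba AD DC is the KDC. dns_lookup_kdc uses the SRV
# records the DC's DNS publishes; rdns=false stops reverse-DNS rewriting of
# service principals, a common cause of "server not found in database".
write_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    forwardable = true
    rdns = false
[realms]
    $REALM = {
        kdc = $DC_FQDN
    }
[domain_realm]
    .$(printf '%s' "$REALM" | tr 'A-Z' 'a-z') = $REALM
EOF
}

# nslcd (libnss-ldapd) bound with GSSAPI from the host keytab: no binddn, no
# bindpw. The cache must be kept fresh, e.g. by k5start (assumed installed):
#   k5start -b -f /etc/krb5.keytab -U -K 60 -k /var/run/nslcd/host.ccache -o nslcd
# Users need uidNumber/gidNumber set in AD (RFC2307 attributes).
write_nslcd_conf() {
    cat > "$1" <<EOF
uid nslcd
gid nslcd
uri ldap://$DC_FQDN/
base $BASE_DN
sasl_mech GSSAPI
sasl_realm $REALM
krb5_ccname /var/run/nslcd/host.ccache
referrals off
pagesize 1000
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map    passwd uid           sAMAccountName
map    passwd gecos         displayName
map    passwd homeDirectory "/home/\$sAMAccountName"
map    passwd loginShell    "/bin/bash"
filter group  (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember  member
EOF
}

# PAM (Debian/Ubuntu common-* layout): Kerberos password first, local accounts
# as fallback; home directories created with a private umask.
write_pam_fragments() {
    cat > "$1/common-auth" <<EOF
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
    cat > "$1/common-session" <<EOF
session required   pam_unix.so
session optional   pam_krb5.so minimum_uid=1000
session required   pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
}

# Lint an nslcd.conf: a stored bind password, a simple bind over ldap://
# without STARTTLS or GSSAPI, or disabled certificate checking. Prints each
# finding and returns the number of findings (0 = clean).
audit_nslcd_conf() {
    f="$1"; n=0
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        echo "finding: bindpw stored in $f (cleartext secret on disk)"; n=$((n+1))
    fi
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$f" \
       && ! grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$f" \
       && ! grep -Eq '^[[:space:]]*sasl_mech[[:space:]]+GSSAPI' "$f"; then
        echo "finding: simple bind over ldap:// without STARTTLS or GSSAPI (password in clear)"; n=$((n+1))
    fi
    if grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(never|allow)' "$f"; then
        echo "finding: tls_reqcert never/allow (server certificate not verified)"; n=$((n+1))
    fi
    return $n
}

# Write everything under one directory for review, then audit the result.
render_sso_client() {
    mkdir -p "$1/pam.d"
    write_krb5_conf     "$1/krb5.conf"
    write_nslcd_conf    "$1/nslcd.conf"
    write_pam_fragments "$1/pam.d"
    audit_nslcd_conf    "$1/nslcd.conf"
}

if [ $# -gt 0 ]; then
    render_sso_client "$1" && echo "client config written to $1 (review, then copy into /etc)"
fi
```

Run it as `sh sso-client.sh ./out` on the workstation, review the files, then copy them into /etc, install the host keytab (from `net ads join` on the client, or `samba-tool domain exportkeytab` on the DC as Louis describes), and check with `getent passwd <aduser>` before touching PAM. Point `audit_nslcd_conf` at any existing nslcd.conf to see whether it still carries the Administrator DN and password pattern from the ldapsearch test.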