Mark Foley
2015-Oct-08 03:16 UTC
[Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
I'm very confused. I have a Samba4 AD/DC which works great for Windows Authentication with our Windows 7 workstations.

Now, I am trying to implement single-sign-on for our coming-soon Linux workstations. All web documentation I've so far found on this references OpenLDAP as the server and describes server-side commands such as kadmin and slapd-config to get things set up on the server-side (e.g. https://help.ubuntu.com/community/SingleSignOn) which don't exist on the Samba4 AD/DC.

Samba4 apparently has its own LDAP (Heimdal?) implementation. Does this mean everything should "just work" with LDAP clients and I need do no further server-side configuration? Or does it mean, "sorry, you can't do LDAP Authentication with Samba4."

Please clarify so I can make some decisions.

btw - the following command *does* work from a Linux client on the network:

ldapsearch -xLLL -H ldap://mail:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"

--Mark

-----Original Message-----
> From: "L.P.H. van Belle" <belle at bazuin.nl>
> To: "samba at lists.samba.org" <samba at lists.samba.org>
> Date: Tue, 1 Sep 2015 08:21:27 +0200
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
>
> Hai Jim,
>
> What are you looking for?
> I'm using SSO for my Zarafa mail server.
>
> Greetz,
>
> Louis
>
> >-----Original message-----
> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jim Seymour
> >Sent: Monday, 31 August 2015 21:21
> >To: samba at lists.samba.org
> >Subject: [Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
> >
> >On Thu, 27 Aug 2015 23:03:39 -0400
> >Robert Moskowitz <rgm at htt-consult.com> wrote:
> >
> >> On 08/27/2015 08:45 PM, Jim Seymour wrote:
> >> > On Thu, 27 Aug 2015 17:00:28 -0400
> >> > Robert Moskowitz <rgm at htt-consult.com> wrote:
> >> >
> >> >> Ah, LDAP is included within Samba, I find. Don't install provided
> >> >> one...
> >[snip]
> >> >
> >> > We *require*, not desire, but *require* OpenLDAP. OpenLDAP is used
> >> > for, amongst other things, a Corporate email address book and by the
> >> > RADIUS server. Eventually the entire set of network directory data
> >> > that currently resides in and is served by NIS+ will be in LDAP.
> >>
> >> This is what runs on your DC. I suspect you can use slapd to do any
> >> syncing with OpenLDAP on other machines.
> >[snip]
> >
> >I suspect this is not going in the direction I'd envisioned.
> >
> >The Plan was an AD PDC that used OpenLDAP. That way: OpenLDAP data,
> >replicated to the mail server, could be used for sign-on there, too.
> >
> >Somewhere somebody recently mentioned a single-sign-on doc. I'll have
> >to hunt that down and take a look.
> >
> >Thanks,
> >Jim
> >--
> >Note: My mail server employs *very* aggressive anti-spam
> >filtering. If you reply to this email and your email is
> >rejected, please accept my apologies and let me know via my
> >web form at <http://jimsun.LinxNet.com/contact/scform.php>.
> >
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: https://lists.samba.org/mailman/options/samba
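As an added example, not code from the thread or from Samba: a small Python script that parses the LDIF returned by the ldapsearch command above and reports, per user, whether the account is disabled (userAccountControl bit 0x2) and whether the POSIX attributes a plain LDAP-based Linux login needs (uidNumber, gidNumber, unixHomeDirectory, loginShell) are present. The sample LDIF is constructed; the attribute names are the standard AD and RFC 2307 ones, and only the DN suffix comes from the post.

```python
import base64
import re
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts
POSIX_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
# Constructed sample of `ldapsearch -LLL` output (made-up entries; only the DN suffix is from the post).
SAMPLE_LDIF = """\
dn: CN=Mark Foley,CN=Users,DC=HPRS,DC=local
sAMAccountName: mfoley
userAccountControl: 512
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/mfoley
loginShell: /bin/bash

dn: CN=Old Temp,CN=Users,DC=HPRS,DC=local
sAMAccountName: oldtemp
userAccountControl: 514
displayName:: T2xkIFRlbXA=
description: Temporary contractor acc
 ount, disabled 2015

dn: CN=WS01,CN=Computers,DC=HPRS,DC=local
sAMAccountName: WS01$
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts, one per entry."""
    text = re.sub(r"\n ", "", text)             # join folded continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name, []).append(value.strip())
        entries.append(entry)
    return entries

def login_readiness(entries):
    """Per user account: is it disabled, and which POSIX attributes are missing?"""
    report = {}
    for e in entries:
        name = e.get("sAMAccountName", [""])[0]
        if not name or name.endswith("$"):      # skip computer/trust accounts
            continue
        uac = int(e.get("userAccountControl", ["0"])[0])
        report[name] = {"disabled": bool(uac & ACCOUNTDISABLE),
                        "missing_posix": [a for a in POSIX_ATTRS if a not in e]}
    return report
```

Against a real DC, feed the output of the ldapsearch command into parse_ldif and read the report before pointing Linux clients at the directory: nss/pam setups that read the directory directly need those POSIX attributes on every user, whereas sssd's AD provider can derive IDs from the SID, in which case missing_posix is only informational.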
On 08/10/15 04:16, Mark Foley wrote:
> I'm very confused. I have a Samba4 AD/DC which works great for Windows Authentication with our Windows 7 workstations.
>
> Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.

It might help if you were to explain just what you require from single-sign-on?

Rowland

> [snip]
Guilherme Boing
2015-Oct-08 10:33 UTC
[Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
This is how I am authenticating users on OpenSSH with Samba4 AD without joining the Linux server to the domain: http://pastebin.ca/3185321

On Thu, Oct 8, 2015 at 12:16 AM, Mark Foley <mfoley at ohprs.org> wrote:
> I'm very confused. I have a Samba4 AD/DC which works great for Windows Authentication with our Windows 7 workstations.
>
> Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.
> [snip]
On Oct 8 2015 09:32 Rowland Penny wrote:
> It might help if you were to explain just what you require from single-sign-on?

Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4? From reading this list over the past couple of months it does not seem that authenticating users on Windows workstations is the main thing people do. But, is not the ability to authenticate user logins from any (Linux or Windows) workstation in the domain the chief purpose of Samba4? If not, please straighten me out. What's it good for?

As to what *I* require, scenario: I am sitting at a Linux workstation on our office network, any Linux workstation, not just the one in *my* office. I have a login prompt. I don't have a specific local account configured in /etc/passwd on this particular workstation. I log in using my ID/PW which is authenticated centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure where I'm logged into yet, but I'll cross that bridge when I come to it.

In Windows, using Samba4 AD/DC, this is a snap. I just join the domain via Start > Computer > Properties > Advanced System Settings > Computer Name > Change, and click 'Domain'. I have to fill in the domain name, enter the Domain Administrator credentials and I'm done. Now, any domain user can log into any Windows workstation anywhere on the domain.

That's basically what I want to do with Linux workstations. I need to sort this out because we are looking at replacing Windows workstations with Linux workstations.

I will investigate the recommendations posted by L.P.H. van Belle and Guilherme Boing and see if I can make some headway.

> Date: Thu, 08 Oct 2015 09:32:31 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On 08/10/15 04:16, Mark Foley wrote:
> > I'm very confused. I have a Samba4 AD/DC which works great for Windows Authentication with our Windows 7 workstations.
> >
> > Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.
>
> It might help if you were to explain just what you require from single-sign-on?
>
> Rowland
>
> > [snip]
Uwe Laverenz
2015-Oct-09 02:59 UTC
[Samba] Samba AD PDC , LDAP and Single-Sign-On (was: re: Samba Internal DNS vs. BIND_DLZ)
Hi,

On 08.10.2015 at 05:16, Mark Foley wrote:
> I'm very confused. I have a Samba4 AD/DC which works great for Windows Authentication with our Windows 7 workstations.
>
> Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.
> All web documentation I've so far found on this references OpenLDAP as the server

The keywords are "sssd" and "realmd" in this case. This works great with RedHat/CentOS 7 including access to CIFS and DFS shares with dolphin for example.

> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/realmd-domain.html#realmd-join

I don't know about Ubuntu, please have a look at this:

> https://wiki.ubuntu.com/Enterprise/Authentication/sssd

and this:

> http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/

cu,
Uwe