Mark Foley
2015-Oct-08 22:08 UTC
[Samba] Samba AD PDC , LDAP and Single-Sign-On
On Thu, 8 Oct 2015 15:46 Sketch wrote:

> It's easy in Linux with Samba as well. You basically just need to follow
> the directions here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Thanks for the feedback. OK, I'll check out your link ASAP. The "Server" bit in the link gives me pause. I *have* a Samba4 AD/DC "server" already. I think the linux workstations need to be "clients", but maybe this is just a matter of semantics. I'll research.

> If you prefer not to join your machines to the domain and use LDAP to
> authenticate, Guilherme's documentation looks like a good start.

I prefer the simplest approach. If there is some way I can get this to work without adding LDAP, PAM, kerberos, NSS, etc. I'm all for it. Note that in my Windows example the workstation is joined to the domain. That's fine; I have no problem with that versus not joining. I'm looking for the easiest, simplest way for workstation users to log into any (linux) workstation in the LAN with ONE SET of credentials. So far I haven't found this "magic bullet" after months of surfing.

> you may want to check your distro docs too

I'm using Ubuntu as the client workstations. Apparently, Ubuntu knows nothing about Samba4 AD/DC and the docs have lots of instruction on setting up OpenLDAP, Kerberos, etc. Things that aren't going to work (at least on the server side) with Samba4 since it has its own built-in versions of these things.

--Mark

-----Original Message-----
> Date: Thu, 8 Oct 2015 15:46:50 -0500 (CDT)
> From: Sketch <smblist at rednsx.org>
> To: Mark Foley <mfoley at ohprs.org>
> cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On Thu, 8 Oct 2015, Mark Foley wrote:
>
> > On Oct 8 2015 09:32 Rowland Penny wrote:
> >
> >> It might help if you were to explain just what you require from single-sign-on ?
> >
> > Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4?
> > From reading this list over the past couple of months it does not seem that
> > Authenticating users on Windows workstations is the main thing people do. But,
> > is not the ability to authenticate user logins from any (Linux or Windows)
> > workstation in the domain the chief purpose of Samba4? If not, please straighten
> > me out. What's it good for?
>
> Samba 4 is just a version of Samba that is newer than Samba 3. Samba 4
> can be a file server, an NT4 PDC, an active directory domain controller,
> or an NT4 or AD member server. Probably other things I am forgetting too.
>
> "Single Sign On" is a term used by many people to mean different things.
> To some people, it means you can use the same password to log into any
> system. To some, it means into any resource. To others, it means that
> once you log into a system, you have passwordless login into any other
> resource. All of these things are possible (within limitations) with
> samba.
>
> > As to what *I* require, scenario: I am sitting at a linux workstation on our
> > office network, any linux workstation, not just the one in *my* office. I have
> > a login prompt. I don't have a specific local account configured in /etc/passwd
> > on this particular workstation. I log in using my ID/PW which is authenticated
> > centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure
> > where I'm logged into yet, but I'll cross that bridge when I come to it.
> >
> > In Windows, using Samba4 AD/DC, this is a snap. I just join the domain via
> > Start > Computer > Properties > Advanced System Settings > Computer Name >
> > Change, and click 'Domain'. I have to fill in the domain name, enter the Domain
> > Administrator credentials and I'm done. Now, any domain user can log into any
> > Windows workstation anywhere on the domain.
>
> It's easy in Linux with Samba as well. You basically just need to follow
> the directions here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> > I will investigate the recommendations posted by L.P.H. van Belle and Guilherme
> > Boing and see if I can make some headway.
>
> No offense against L.P.H. van Belle, but his directions are for the hard
> way to set up kerberos. Creating a domain controller handles all of the
> server side, and "net ads join" handles all of the client side if you are
> using winbind.
>
> If you prefer not to join your machines to the domain and use LDAP to
> authenticate, Guilherme's documentation looks like a good start.
>
> Also note that some distros have tools to automate some or all of the
> PAM/NSS stuff (this applies to the member server directions above as
> well), so you may want to check your distro docs too. Redhat/Fedora in
> particular has authconfig, and in newer versions realmd.
Mark Foley
I'm using Sketch's referenced link: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server to attempt to set up my Ubuntu workstation for connection to my Samba4 AD/DC server. The example smb.conf file from the link is shown at bottom. My domain is hprs.local, so I've replaced SAMDOM with HPRS and SAMDOM.EXAMPLE.COM with HPRS.LOCAL. My Ubuntu hostname is uCommon, so I've put that in the 'netbios name'. So far so good?

First question. I understand the basic concept of 'idmap config range', but not sure what I should put in here for my system. My GID for AD users is 100 and my UID range is 3000000-3000099. For example (on the AD):

$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false

Not sure what the example range 2000-9999 is versus the 10000-99999 range. Given my GID/UIDs, what should go in my smb.conf?

Second question. What is the [demoshare] section for? Who/what will access such a share?

Third question. In the referenced link, under "General Settings" it has:

Add 'winbind' to the 'passwd' and 'group' entry of your /etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind

Does this go on the client or the AD server? Not clear.

I'll probably have more questions, but I'll have to get past these first so I can fire things up.

THX - Mark

[global]
netbios name = Member1
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

[demoshare]
path = /srv/samba/test
read only = no
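The first question above, the idmap ranges, is the one most likely to bite on a member workstation, so here is an added example (my own code, not from the thread or the Samba wiki) that checks a member-server smb.conf the way winbind will: it parses every 'idmap config <domain>:range' line, confirms the ranges do not overlap, and tests whether the uid and gid that 'wbinfo -i' reports fall inside the range configured for that domain. The smb.conf text embedded below is constructed from the wiki example with SAMDOM replaced by HPRS and the netbios name set to uCommon, as described in the message; the wbinfo line is a copy of the one posted. One caveat, stated as my own observation rather than something the thread says: on a Samba AD DC, 'wbinfo -i' shows IDs the DC allocated locally in its own idmap.ldb (the 3000000+ values), while a member configured with 'idmap config HPRS:backend = ad' reads the uidNumber and gidNumber attributes stored in AD, and an ID outside the domain's range is rejected rather than mapped. So the member's range has to contain whatever is actually in those attributes.

```python
import re

# Constructed from the smb.conf posted in the thread, with SAMDOM replaced by HPRS
# and the netbios name set to uCommon, as the original poster describes. This is a
# sample for the example, not the poster's actual file.
SMB_CONF = """
[global]
netbios name = uCommon
workgroup = HPRS
security = ADS
realm = HPRS.LOCAL
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-99999
winbind nss info = rfc2307
winbind use default domain = yes
"""

# Copy of the 'wbinfo -i mark' line the original poster quoted from his DC.
WBINFO_LINE = r"HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false"

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)


def parse_idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line.

    '*' is winbind's default domain (BUILTIN and unknown SIDs), as in smb.conf.
    """
    ranges = {}
    for line in conf_text.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if not m:
            continue
        dom, low, high = m.group(1).upper(), int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"idmap range for {dom} is inverted: {low}-{high}")
        ranges[dom] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of domains whose ranges overlap. winbind needs them disjoint."""
    doms = sorted(ranges)
    clashes = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                clashes.append((a, b))
    return clashes


def default_domain(conf_text):
    """The 'workgroup' value; wbinfo omits the DOMAIN prefix when
    'winbind use default domain = yes' is set, so fall back to it."""
    for line in conf_text.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            return m.group(1).upper()
    return None


def parse_wbinfo(line):
    """Split a 'wbinfo -i' passwd-style line into (DOMAIN, user, uid, gid)."""
    name, _pw, uid, gid = line.split(":")[:4]
    dom, _, user = name.rpartition("\\")
    return dom.upper(), user, int(uid), int(gid)


def check_user_mapping(conf_text, wbinfo_line):
    """Will winbind on this member accept the uid/gid that wbinfo reports?

    With 'idmap config DOM:backend = ad', an ID outside DOM's range is rejected
    and the user simply does not resolve, so both flags must be True.
    """
    ranges = parse_idmap_ranges(conf_text)
    dom, user, uid, gid = parse_wbinfo(wbinfo_line)
    dom = dom or default_domain(conf_text)
    if dom not in ranges:
        raise KeyError(f"no 'idmap config {dom}:range' in smb.conf")
    low, high = ranges[dom]
    return {
        "user": user,
        "uid_ok": low <= uid <= high,
        "gid_ok": low <= gid <= high,
        "overlaps": overlapping_ranges(ranges),
    }


if __name__ == "__main__":
    # Prints {'user': 'mark', 'uid_ok': False, 'gid_ok': False, 'overlaps': []}
    print(check_user_mapping(SMB_CONF, WBINFO_LINE))
```

Run it against a real smb.conf and 'wbinfo -i' output by replacing the two constructed strings. With the wiki's ranges copied unchanged, both flags come back False for uid 3000026 and gid 100, which is the configuration under which 'getent passwd' on the member returns nothing for the user; widening the HPRS range to cover the stored IDs fixes the uid, and gid 100 still has to be inside the range as well.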
Andrew Bartlett
2015-Oct-09 19:23 UTC
[Samba] Workstations are member servers (or domain members) Re: Samba AD PDC , LDAP and Single-Sign-On
On Thu, 2015-10-08 at 18:08 -0400, Mark Foley wrote:
> On Thu, 8 Oct 2015 15:46 Sketch wrote:
>
> > It's easy in Linux with Samba as well. You basically just need to
> > follow the directions here:
> >
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Thanks for the feedback. OK, I'll check out your link ASAP. The
> "Server" bit in the link gives me pause. I *have* a Samba4 AD/DC
> "server" already. I think the linux workstations need to be
> "clients", but maybe this is just a matter of semantics. I'll
> research.

In short, workstations are member servers too.

I do thank you for pointing out the gap in our naming scheme here - indeed we deviate a little from the common usage by saying 'member server' not 'domain member', but I can confirm that a linux-installed laptop and a windows-installed laptop desiring single-sign-on from the login prompt should be configured as 'domain members' or as we put it in that link, 'member servers'.

The main difference between use as a file server vs use as a desktop, is that pam_winbind is mandatory for the Samba method (see elsewhere for using sssd or other tools), as that will get you the desktop login.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
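Andrew's point that pam_winbind is what actually gets you the desktop login is easy to lose, because the member-server wiki page only covers nsswitch.conf. As an added example (my own code, not Andrew's and not the wiki's), here is a checker for the three pieces a domain user needs at a Linux login prompt: winbind in the passwd and group databases of nsswitch.conf, pam_winbind.so in the PAM auth stack, and pam_mkhomedir.so in the session stack so a first login gets a home directory. The file contents embedded below are constructed for a Debian/Ubuntu-style layout (/etc/pam.d/common-auth and common-session); the exact lines, control fields and module options are assumptions for this example, not something the thread posted.

```python
import re

# Constructed sample files for a Debian/Ubuntu-style workstation. Paths, stanzas
# and module options are assumptions for this example, not files from the thread.
NSSWITCH_OK = """
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
"""

NSSWITCH_STOCK = """
passwd:         compat
group:          compat
"""

# common-auth with pam_winbind.so added ahead of pam_unix.so; the bracketed
# control fields jump past the remaining modules on success.
COMMON_AUTH_OK = """
auth    [success=2 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

# Stock common-auth with no winbind at all.
COMMON_AUTH_STOCK = """
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

COMMON_SESSION_OK = """
session [default=1]     pam_permit.so
session requisite       pam_deny.so
session required        pam_permit.so
session required        pam_unix.so
session optional        pam_winbind.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0022
"""

# type, control (a word or a [bracketed] expression), module, optional args
PAM_LINE_RE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+(?:\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


def nss_databases_with_winbind(nsswitch_text):
    """Return the set of NSS databases (passwd, group, ...) that list winbind as a source."""
    found = set()
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if "winbind" in sources.split():
            found.add(db.strip())
    return found


def pam_modules(pam_text):
    """Return [(type, module, [args])] for each active line of a pam.d service file."""
    out = []
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        m = PAM_LINE_RE.match(line)
        if m:
            out.append((m["type"], m["module"], m["args"].split()))
    return out


def desktop_login_ready(nsswitch_text, common_auth_text, common_session_text):
    """Check what a domain user needs to log in at a Linux desktop.

    NSS must resolve the user (winbind in passwd and group), PAM must authenticate
    against the domain (pam_winbind.so in the auth stack), and something must create
    the home directory on first login (pam_mkhomedir.so in the session stack).
    """
    nss = nss_databases_with_winbind(nsswitch_text)
    auth_mods = {mod for typ, mod, _ in pam_modules(common_auth_text) if typ == "auth"}
    sess_mods = {mod for typ, mod, _ in pam_modules(common_session_text) if typ == "session"}
    return {
        "nss_passwd": "passwd" in nss,
        "nss_group": "group" in nss,
        "pam_auth_winbind": "pam_winbind.so" in auth_mods,
        "pam_mkhomedir": "pam_mkhomedir.so" in sess_mods,
    }


if __name__ == "__main__":
    print(desktop_login_ready(NSSWITCH_OK, COMMON_AUTH_OK, COMMON_SESSION_OK))
    print(desktop_login_ready(NSSWITCH_STOCK, COMMON_AUTH_STOCK, COMMON_SESSION_OK))
```

To run it on a real workstation, read /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/pam.d/common-session into the three arguments. On Ubuntu the distro tool Sketch alluded to is pam-auth-update, which writes the winbind stanzas into the common-* files once libpam-winbind is installed; the wiki's nsswitch.conf edit on its own gives the first two flags and leaves the PAM ones False, which is the gap Andrew is describing.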
Mark Foley
2015-Oct-10 00:37 UTC
[Samba] Workstations are member servers (or domain members) Re: Samba AD PDC , LDAP and Single-Sign-On
On Sat, 10 Oct 2015 08:23 Andrew Bartlett wrote:

> The main difference between use as a file server vs use as a desktop,
> is that pam_winbind is mandatory for the Samba method (see elsewhere
> for using sssd or other tools), as that will get you the desktop
> login.

Yes, that does clarify and give me comfort with respect to naming. I understand that the office-central Samba4 AD/DC is quite logically a "server", and I now understand that my personal linux desktop in my private office is also referred to as a "member server" (or will be when I get it set up properly), even though my brain thinks of it as a "client" of the AD "server". OK, not the first time these terms have gotten scrambled in my mind.

I'm not deep enough into it yet to grasp what you mean by "pam_winbind is mandatory". So far, Rowland, Sketch and their referenced link https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server are omitting references to PAM, but I'll cross that bridge if/when I get there.

Thanks, --Mark