Hi,

I have configured an OpenLDAP server with a Samba Domain Controller. My problem is I cannot get any other users to log on to a Windows client machine; only the default Administrator account can log in. Can anyone guide me on how to authenticate an LDAP user on a Windows client through the Samba DC?

Regards,
Parag
+91 8308806004
On Sun, 21 Aug 2016 15:04:35 +0000
Parag Khuraswar via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I have configured an OpenLDAP server with a Samba Domain Controller.
> My problem is I cannot get any other users to log on to a Windows client
> machine; only the default Administrator account can log in. Can anyone
> guide me on how to authenticate an LDAP user on a Windows client through
> the Samba DC.
>
> Regards,
> Parag
> +91 8308806004

Are we actually talking about an NT4-style PDC? Can you give us a bit more info: what distro? What version of Samba, and did you compile it yourself or are you using the distro's packages? Can you post the smb.conf from the Samba machine?

Rowland
On Sun, 21 Aug 2016 16:15:35 +0000
Parag Khuraswar <parag_k at citilindia.com> wrote:

> Hi Rowland,
>
> Thanks for the reply.
>
> I'm using:
> Samba - SAMBA4 Domain Controller
> OS - RHEL 6.8 64bit
> Samba Version - Version 4.4.5 (compiled)
> Samba config file:
> --------------------------------------------------------------------
> # Global parameters
> [global]
> netbios name = CONLDAP
> realm = <My Domain>
> workgroup = <My Domain>
> dns forwarder = <DNS forwarder IP>
> server role = active directory domain controller
>
> # LDAP Settings
> ldap admin dn = cn=Manager,dc=<My Domain>,dc=in
> ldap group suffix = ou=Groups
> ldap passwd sync = Yes
> ldap suffix = dc=<My Domain>,dc=in
> idmap backend = ldap:ldap:// <My Domain Host Name>
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/arde.in/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> -------------------------------------------------------------------------------
>
> Regards,
> Parag
> +91 8308806004

I am a bit confused now. You say 'I have configured OpenLdap server with Samba Domain Controller', but you then produce an smb.conf that is for an AD DC. The two are not compatible: you cannot use OpenLDAP with a Samba AD DC. How did you provision your Samba AD DC?
Rowland
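The mismatch Rowland points out (an smb.conf with `server role = active directory domain controller` that also carries `ldap admin dn`, `ldap suffix` and `idmap backend = ldap:...`, which belong to an NT4-style PDC with an ldapsam backend) can be caught mechanically. The following is an added example, not code from the thread or from the Samba project: a small POSIX shell linter that reads a [global] section and flags OpenLDAP-backend parameters when the role is an AD DC. The two embedded smb.conf samples are constructed to resemble the two configs posted in the thread, with example.in as a placeholder realm.

```shell
#!/bin/sh
# Added example: lint an smb.conf for OpenLDAP-backend parameters that only
# make sense for an NT4-style PDC (passdb/ldapsam) and do not belong on a
# Samba AD DC, which ships its own LDAP server.

# Constructed sample resembling the first smb.conf posted in the thread.
SAMPLE_SMB_CONF='# Global parameters
[global]
    netbios name = CONLDAP
    realm = EXAMPLE.IN
    workgroup = EXAMPLE
    dns forwarder = 192.0.2.11
    server role = active directory domain controller

    # LDAP Settings (placeholders, constructed)
    ldap admin dn = cn=Manager,dc=example,dc=in
    ldap group suffix = ou=Groups
    ldap passwd sync = Yes
    ldap suffix = dc=example,dc=in
    idmap backend = ldap:ldap://ldap.example.in

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
'

# Constructed sample resembling the second (plain AD DC) smb.conf.
CLEAN_SMB_CONF='[global]
    netbios name = CONLDAP
    realm = EXAMPLE.IN
    workgroup = EXAMPLE
    server role = active directory domain controller
'

# Print the value of a [global] parameter (key match is case-insensitive),
# or nothing if it is unset. Comment lines (# or ;) are skipped.
smbconf_global_get() {
    conf="$1"; key="$2"
    printf '%s\n' "$conf" | awk -v want="$key" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/  { section = tolower($0); gsub(/^[ \t]*\[|].*$/, "", section); next }
        section == "global" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(want)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit
            }
        }'
}

# Report OpenLDAP-backend parameters on an AD DC config.
# Returns 0 when the config is consistent, 1 when offending parameters exist.
smbconf_check_ldap_backend() {
    conf="$1"
    role=$(smbconf_global_get "$conf" "server role" | tr 'A-Z' 'a-z')
    if [ "$role" != "active directory domain controller" ]; then
        echo "server role is '${role:-unset}', not an AD DC: ldap* parameters may be legitimate here"
        return 0
    fi
    found=0
    for key in "passdb backend" "idmap backend" "ldap admin dn" "ldap suffix" \
               "ldap user suffix" "ldap group suffix" "ldap passwd sync"; do
        val=$(smbconf_global_get "$conf" "$key")
        [ -n "$val" ] || continue
        case "$key=$val" in
            "passdb backend=ldapsam"*|"idmap backend=ldap"*|"ldap "*)
                echo "AD DC with OpenLDAP-backend parameter: $key = $val"
                found=$((found + 1)) ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "ok: AD DC config without OpenLDAP-backend parameters"
        return 0
    fi
    return 1
}

# Stand-alone usage: lint the two constructed samples.
smbconf_check_ldap_backend "$SAMPLE_SMB_CONF"
smbconf_check_ldap_backend "$CLEAN_SMB_CONF"
```

Run it against a real file with `smbconf_check_ldap_backend "$(cat /etc/samba/smb.conf)"`; the exit status makes it usable in a pre-deployment check. The linter only inspects `[global]` and does not follow `include =` directives.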
On Sun, 21 Aug 2016 19:09:25 +0000
Parag Khuraswar <parag_k at citilindia.com> wrote:

> Hi Rowland,
>
> I followed the link below to configure the Samba PDC:
>
> http://suresh-chandra.blogspot.in/2014/08/samba4-as-active-directory-domain.html
>
> My original smb.conf file is:
>
> --------------------------------------------------
> # Global parameters
> [global]
> netbios name = CONLDAP
> realm = <MY DOMAIN>
> workgroup = <DOMAIN>
> dns forwarder = 192.168.1.11
> server role = active directory domain controller
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/arde.in/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> ---------------------------------------------------
> I tried other options when this did not work for me.
>
> Please share any appropriate document to configure a Samba PDC with
> OpenLDAP at the backend if this is not the proper way to configure it.

OK, after reading the link you posted, you have an AD DC. This comes with its own version of LDAP; it does not use OpenLDAP.

If you use AD, you can have multiple DCs; they will all be the same, apart from the FSMO roles, and any DC can hold a FSMO role.

A PDC is not a DC. A PDC is a Primary Domain Controller for an NT4-style domain, and this is very different from an Active Directory domain.

If you are setting up a new domain, I would go for an AD domain. It seems as if Microsoft (and this is only my opinion) is trying to make it harder and harder for Win10 to work with an NT4-style domain.

Can I suggest you read the Samba wiki:

https://wiki.samba.org/index.php/Main_Page

Pay particular attention to this page:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

I think you may decide to re-provision after reading the above page.

If you are going to allow your users to log into the DC (by any method), you would do well to read and follow this:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind

Rowland
On Mon, 22 Aug 2016 04:38:48 +0000
Parag Khuraswar <parag_k at citilindia.com> wrote:

> Hi Rowland,
>
> I can't use Microsoft AD due to licensing terms. I have Windows clients
> and those need to be added to the Linux domain; also it should be
> single sign-on (SSO), so what should I go for with OpenLDAP in the
> backend?

There are no 'licensing terms', as you put it, if you use Samba 4 as an AD DC.

If you set up a new Samba AD domain (or classicupgrade an existing Samba NT4-style domain), all your users can be members of it, be they Unix or Windows clients.

Rowland
On Mon, 22 Aug 2016 09:05:13 +0000
Parag Khuraswar <parag_k at citilindia.com> wrote:

> Hi Rowland,
>
> Can you please share a proper document to set up a new Samba Primary
> Domain?

There is a basic one on the Samba wiki and the internet is littered with them. The only problem is that there have been reports posted on here about big problems with using an NT4-style PDC with the latest Windows versions.

Anything you can do with an NT4-style domain, you can do better with a Samba 4 AD domain, so why make problems for yourself?

It might help if you were to explain just what you need to do with your new domain. You have said you need Unix and Windows machines to join the domain, but is there anything else, like a mail server or squid etc.?

Rowland
On Mon, 22 Aug 2016 10:53:01 +0000
Parag Khuraswar <parag_k at citilindia.com> wrote:

> Hi Rowland,
>
> So as per your suggestion I should configure a Samba 4 AD Domain, and
> whatever I have configured now is an Active Directory Domain Controller.
> Correct? I will give you a brief idea of my setup and requirement.
>
> I have 1 RHEL server on which a newly installed OpenLDAP is configured
> for user authentication (this is the only Linux server in my
> environment). I have all Windows 7 machines as client machines. I
> need Single Sign On (SSO). For this I want to add all clients to one
> domain so that OpenLDAP users can log in on all client machines. To
> add all Windows client machines to one domain I want to configure a
> Samba domain controller/Samba PDC/Samba 4 AD Domain, whichever will
> fulfil my requirement with OpenLDAP at the backend.

If you set up Samba 4 as an AD DC, you can then use this as the Domain Controller for your Windows machines; this way you will get SSO. You do not need 'CALs' with a Samba AD DC.

If you have any Unix machines, you can also extend your Windows users to become Unix users as well; you do this by adding RFC2307 attributes to the users.

Samba 4 running as an AD DC includes its own LDAP server that can be used much the same as OpenLDAP.

All of the info is on the Samba wiki, but if you have any questions, just ask.

Rowland
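Rowland's last point, that Windows users become Unix users by carrying RFC2307 attributes in the AD DC's own LDAP, is the kind of thing worth checking before anyone expects `getent passwd` to resolve a domain account. The following is an added example, not code from the thread or the Samba project: a POSIX shell function that reads an LDIF dump of user entries (the shape `ldbsearch` or `samba-tool user show` produce) and lists accounts missing any of `uidNumber`, `gidNumber`, `unixHomeDirectory` or `loginShell`. Requiring all four is this example's policy choice; Samba itself only needs `uidNumber`/`gidNumber` to map an ID. The embedded LDIF is constructed, with example.in as a placeholder domain.

```shell
#!/bin/sh
# Added example: find domain users whose AD entry lacks the RFC2307
# attributes that let them resolve as Unix accounts through winbind.

# Constructed LDIF dump of three user entries (not real output from the thread).
# Entries are separated by a blank line, one "attribute: value" per line.
SAMPLE_USERS_LDIF='dn: CN=alice,CN=Users,DC=example,DC=in
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=bob,CN=Users,DC=example,DC=in
objectClass: user
sAMAccountName: bob
uidNumber: 10002

dn: CN=Administrator,CN=Users,DC=example,DC=in
objectClass: user
sAMAccountName: Administrator
'

# Print "<sAMAccountName>: missing <attr,...>" for every entry that lacks one
# or more of the RFC2307 attributes. Entries without sAMAccountName are skipped.
# awk paragraph mode (RS="") treats each blank-line-separated entry as a record.
rfc2307_missing() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            RS = ""; FS = "\n"
            n = split("uidNumber gidNumber unixHomeDirectory loginShell", need, " ")
        }
        {
            split("", seen); name = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, ": ")
                if (kv[1] == "sAMAccountName") name = kv[2]
                seen[kv[1]] = 1
            }
            if (name == "") next
            missing = ""
            for (j = 1; j <= n; j++)
                if (!(need[j] in seen))
                    missing = missing (missing == "" ? "" : ",") need[j]
            if (missing != "") print name ": missing " missing
        }'
}

# Stand-alone usage over the constructed dump.
rfc2307_missing "$SAMPLE_USERS_LDIF"
```

Against a live DC the dump would come from an LDAP search of the Users container scoped to `objectClass=user`; the function only parses the LDIF it is given, so it runs offline. LDIF line folding (continuation lines beginning with a space) is not handled, which is fine for the short attribute values checked here.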