Hi,

I think it is great that samba4 has a single sign-on solution for Windows platforms, and it seems to work well too, but I am wondering: is it possible to do the same for a Linux environment? I have been studying how to implement single sign-on the Ubuntu way through this document: https://help.ubuntu.com/community/SingleSignOn, and I am wondering if I can do the same with samba4, where samba4 just replaces the OpenLDAP and Kerberos server components.

On a Windows client, you can log in as a user through Active Directory even though that user is not defined locally on the client. Can you do the same in a Linux environment? I have done some testing, and the results so far look as if it is not quite there yet. For example, if I ssh to a machine using Kerberos credentials, I cannot ssh to it without having a local account defined on that machine. Does a Kerberos/LDAP solution solve that kind of problem?

br,
Quinn
Hi,

I have been running such a setup for over 2 years now: Samba4 acting as AD for the Windows clients, and LDAP/Kerberos for Linux and Solaris clients. All users are stored centrally, and there are no local users on the clients. I'd have to dig for more information on the setup though, as it's been a while since I implemented it. http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=1333390497132#c1731870195842128401 has my notes on setting up the Solaris clients. Linux was mostly similar enough, with further information on several other sites.

HTH,
Bernd
Yes, I found your Windows/Linux setup via Google earlier, but the setup was based on openSUSE, which made it a little difficult in some areas when it comes to Ubuntu, particularly the NFS server setup section. But thanks for the info! :-)

br,
Quinn

On Thu, Jul 12, 2012 at 2:23 PM, steve <steve at steve-ss.com> wrote:
> On 12/07/12 14:05, Quinn Plattel wrote:
>>> while since I implemented it.
>>> http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=1333390497132#c1731870195842128401
>>> has my notes on setting up the Solaris clients. Linux was mostly similar
>>> enough with further information on several other sites.
>>>
>>> HTH,
>>> Bernd
>
> Hi Quinn, Bernd, everyone
>
> We converted that same method into Linux.
>
> A Linux-Windows SSO solution using S4. We called it s4bind. The details
> are here:
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
> HTH
> Steve

--
Best regards/Med venlig hilsen,
Quinn Plattel
On Thu, 2012-07-12 at 13:22 +0200, Quinn Plattel wrote:
> Hi,
>
> I think it is great that samba4 has a single sign-on solution for Windows
> platforms, and it seems to work well too, but I am wondering is it possible
> to do the same for a Linux environment? I have been studying how to
> implement single sign-on using the Ubuntu way through this document:
> https://help.ubuntu.com/community/SingleSignOn and I am wondering if I can
> do the same with samba4 where samba4 just replaces the OpenLDAP and
> Kerberos server components.
>
> On a Windows client, you can log in as a user through Active Directory even
> though that user is not defined locally on the client. Can you do the same
> in a Linux environment? I have done some testing and the results so far
> look as if it is not quite there yet. For example, if I ssh to a machine
> using Kerberos credentials, I cannot ssh to it without having a local account
> defined on that machine. Does a Kerberos/LDAP solution solve that kind of
> problem?

We recommend and support joining Samba as a domain member to Samba4 for these situations. This will handle doing a login with Kerberos, including a local Kerberos ticket etc., providing the account via NSS and everything else. The server can be Samba4 or Microsoft's AD.

You may be interested in idmap_ad as an IDMAP module on the clients.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
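What the domain-member setup Andrew recommends looks like on the client, as an added example that is not part of the thread and not the Samba project's own documentation. EXAMPLE.COM / EXAMPLE, the two ID ranges, `Administrator` and the test user are placeholders for your own domain. The idmap_ad backend reads uidNumber/gidNumber straight from AD, so every user who should log in on Linux needs those attributes set; the range check is there because overlapping idmap ranges are the most common way this configuration goes quietly wrong.

```shell
#!/bin/sh
# Added example; not from the thread or from the Samba project's own docs.
# A Samba domain member (winbind + idmap_ad) on an Ubuntu client joined to a
# Samba4/AD realm. EXAMPLE.COM, EXAMPLE, the ID ranges, Administrator and the
# test user are placeholders for your own domain.

# smb.conf for a domain member whose uid/gid come from the RFC2307
# uidNumber/gidNumber attributes stored in AD (idmap_ad backend).
render_smb_conf() {
    realm="$1"       # Kerberos realm, e.g. EXAMPLE.COM
    workgroup="$2"   # NetBIOS domain name, e.g. EXAMPLE
    cat <<EOF
[global]
    security = ads
    realm = $realm
    workgroup = $workgroup
    kerberos method = secrets and keytab
    # IDs for BUILTIN and any domain without its own idmap block
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # IDs for our domain: read uidNumber/gidNumber from AD, never allocate
    idmap config $workgroup : backend = ad
    idmap config $workgroup : schema_mode = rfc2307
    idmap config $workgroup : range = 10000-999999
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U
EOF
}

# /etc/security/pam_winbind.conf: Kerberos login, a ticket cache for the
# user, cached logins when the DC is unreachable, home dir on first login.
render_pam_winbind_conf() {
    cat <<'EOF'
[global]
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
mkhomedir = yes
EOF
}

# Two "lo-hi" ranges must be disjoint; return 0 when they are.
ranges_disjoint() {
    a_lo=${1%-*}; a_hi=${1#*-}
    b_lo=${2%-*}; b_hi=${2#*-}
    [ "$a_hi" -lt "$b_lo" ] || [ "$b_hi" -lt "$a_lo" ]
}

# Overlapping idmap ranges make winbind hand out IDs from the wrong backend.
# Extract every "idmap config X : range = lo-hi" from a file and check pairs.
check_idmap_ranges() {
    ranges=$(sed -n 's/^[[:space:]]*idmap config .*: *range *= *\([0-9]*-[0-9]*\).*/\1/p' "$1")
    for a in $ranges; do
        for b in $ranges; do
            [ "$a" = "$b" ] && continue
            ranges_disjoint "$a" "$b" ||
                { echo "overlapping idmap ranges: $a and $b" >&2; return 1; }
        done
    done
    return 0
}

# Join and verify. Not run automatically: needs root, a reachable DC and the
# AD administrator password. Afterwards "ssh user@host" with a Kerberos
# ticket needs neither a local account nor a password.
join_and_verify() {
    realm="$1"; workgroup="$2"; testuser="$3"
    render_smb_conf "$realm" "$workgroup" > /etc/samba/smb.conf
    check_idmap_ranges /etc/samba/smb.conf || return 1
    testparm -s >/dev/null || return 1          # syntax check
    render_pam_winbind_conf > /etc/security/pam_winbind.conf
    for db in passwd group; do                   # NSS: resolve domain accounts
        grep -q "^$db:.*winbind" /etc/nsswitch.conf ||
            sed -i "s/^$db:.*/& winbind/" /etc/nsswitch.conf
    done
    net ads join -U Administrator || return 1   # machine account + keytab
    service winbind restart
    wbinfo -t || return 1                       # machine trust secret works
    getent passwd "$testuser" || return 1       # visible via NSS, no /etc/passwd entry
    grep -q '^GSSAPIAuthentication yes' /etc/ssh/sshd_config ||
        echo 'GSSAPIAuthentication yes' >> /etc/ssh/sshd_config
    service ssh restart
}
```

Run `join_and_verify EXAMPLE.COM EXAMPLE someuser` as root once, then `kinit someuser` on any joined client and `ssh someuser@host` should log in without a password and without a local account; `klist` on the target shows the forwarded or freshly obtained ticket. `getent passwd` returning nothing for a domain user usually means the account lacks uidNumber in AD or the domain range excludes it, which `wbinfo -i someuser` will confirm.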
Hi all,

I'm about to give up on this Ubuntu SSO setup; I haven't been able to get any solution to work so far. I have looked through Bernd's notes, Steve's notes, and the Ubuntu Community SSO. I think it is because most of the howtos are old and may not work with an Ubuntu 12.04/samba4 + Ubuntu 12.04 client setup. I can only get the Windows SSO to work with samba4, which is quite easy compared to getting a Linux SSO to work at all. I feel I am so close to getting it to work after understanding how Kerberos works. I think I'll try a DNS/Kerberos server/OpenLDAP SSO setup via Ubuntu Community SSO without samba4 and see if I can get that to work.

Thanks for all the help so far.

br,
Quinn

On Thu, Jul 12, 2012 at 1:22 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
> Hi,
>
> I think it is great that samba4 has a single sign-on solution for Windows
> platforms, and it seems to work well too, but I am wondering is it possible
> to do the same for a Linux environment? I have been studying how to
> implement single sign-on using the Ubuntu way through this document:
> https://help.ubuntu.com/community/SingleSignOn and I am wondering if I
> can do the same with samba4 where samba4 just replaces the OpenLDAP and the
> Kerberos server components.
>
> On a Windows client, you can log in as a user through Active Directory even
> though that user is not defined locally on the client. Can you do the same
> in a Linux environment? I have done some testing and the results so far
> look as if it is not quite there yet. For example, if I ssh to a machine
> using Kerberos credentials, I cannot ssh to it without having a local account
> defined on that machine. Does a Kerberos/LDAP solution solve that kind of
> problem?
>
> br,
> Quinn

--
Best regards/Med venlig hilsen,
Quinn Plattel
On 17/07/12 23:49, mourik jan heupink wrote:
> What blog would that be..?
>
> On 07/17/2012 08:20 PM, steve wrote:
>> Offlist or via our blog if you like.

http://linuxcostablanca.blogspot.com.es/p/samba-4.html
> http://linuxcostablanca.blogspot.com.es/p/samba-4.html

Interesting reading. Thanks.
Quinn Plattel <qiet72 at gmail.com> wrote:
> I think it is great that samba4 has a single sign-on solution for Windows
> platforms, and it seems to work well too, but I am wondering is it possible
> to do the same for a Linux environment?

I have a working single sign-on solution running using Active Directory, nslcd and pam-krb5; I don't see a reason why this should not work using samba4 as well.

> On a Windows client, you can log in as a user through Active Directory even
> though that user is not defined locally on the client. Can you do the same
> in a Linux environment?

Yep. pam_ccreds and pam_mkhomedir are your friends.

http://wiki.debian.org/LDAP/PAM

Sven

--
"Every time you use Google, you're using a Linux machine" (Chris DiBona, a programs manager for Google)
/me is giggls at ircnet, http://sven.gegg.us/ on the Web
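The nslcd + pam-krb5 + pam_ccreds + pam_mkhomedir stack Sven describes, pointed at a Samba4 AD domain, as an added example that is neither Sven's configuration nor the Debian wiki's. dc1.example.com, dc=example,dc=com and the credential-cache path are placeholders. nslcd is made to authenticate its own searches with the host keytab over SASL/GSSAPI rather than a bind DN and password in a config file: modern Samba releases refuse LDAP simple binds that are not protected by TLS by default, and a stored bind password is one more credential to protect anyway. The jump check exists because a hand-edited PAM `success=N` stack whose jump lands on `pam_deny` (or past the end of the file) is the usual way such a setup locks everyone out or, worse, lets everyone in.

```shell
#!/bin/sh
# Added example; not from the thread or the Debian wiki. The nslcd + pam-krb5
# + pam_ccreds + pam_mkhomedir stack, pointed at a Samba4 AD domain.
# dc1.example.com, dc=example,dc=com and the ccache path are placeholders.

# nslcd.conf. The daemon authenticates its LDAP searches with the host keytab
# over SASL/GSSAPI. Assumption: k5start (or a cron "kinit -k") keeps
# /var/run/nslcd/krb5cc fresh from /etc/krb5.keytab.
render_nslcd_conf() {
    cat <<'EOF'
uid nslcd
gid nslcd
uri ldap://dc1.example.com/
base dc=example,dc=com
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/krb5cc
pagesize 1000
referrals off
# AD accounts only resolve if they carry RFC2307 uidNumber/gidNumber
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid sAMAccountName
map passwd gecos displayName
map passwd homeDirectory "/home/$sAMAccountName"
map passwd loginShell "/bin/bash"
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
EOF
}

# /etc/pam.d/common-auth: Kerberos first, local accounts next, then the
# cached Kerberos password (laptops off the network). Every success jump
# must land on the pam_ccreds "store" line, past pam_deny.
render_common_auth() {
    cat <<'EOF'
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ccreds.so action=validate use_first_pass
auth requisite pam_deny.so
auth optional pam_ccreds.so action=store
auth required pam_permit.so
EOF
}

# /etc/pam.d/common-session: create the home directory on first login so a
# domain user needs no local account at all.
render_common_session() {
    cat <<'EOF'
session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_krb5.so minimum_uid=1000
EOF
}

# Check that every "success=N" jump above pam_deny.so lands after it and
# inside the file. Returns 1 (and prints the offending line) otherwise.
check_auth_jumps() {
    awk '
        { line[NR] = $0; if (!deny && $0 ~ /pam_deny\.so/) deny = NR }
        END {
            if (!deny) { print "no pam_deny.so line"; exit 1 }
            for (i = 1; i < deny; i++) {
                if (match(line[i], /success=[0-9]+/)) {
                    n = substr(line[i], RSTART + 8, RLENGTH - 8) + 0
                    t = i + n + 1
                    if (t <= deny || t > NR) {
                        print "line " i " jumps to line " t; exit 1
                    }
                }
            }
        }' "$1"
}
```

With these in place, `/etc/nsswitch.conf` gets `passwd: files ldap` and `group: files ldap`, and `getent passwd someuser` must return the AD user before you touch PAM at all; if it does not, the problem is nslcd (check `nslcd -d` in the foreground and that the ccache it is told to use holds a valid host ticket), not authentication. Run `check_auth_jumps /etc/pam.d/common-auth` after every edit to that file, and keep a root shell open while testing.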
On 12/07/12 13:22, Quinn Plattel wrote:
> https://help.ubuntu.com/community/SingleSignOn

I'm afraid it doesn't apply to S4. I don't think you can have S4 LDAP and OpenLDAP going at the same time, unless during the brief time you are doing a domain upgrade from NT. Maybe others know a way. . . C'mon. Do it :)

Cheers,
Steve