Hello,

I think I'm starting to understand how a Linux client can be integrated into a Samba domain.

Tell me if I'm wrong:

Linux clients don't need Samba for authentication, only the LDAP part of Samba.
sssd, through Kerberos, gets information from LDAP. If the user is known or gets the right, he can log in.

So why should I need to install winbind and samba4 on the Linux client?
Is it only if I have a Windows AD?

Thanks
Cyril
Hi,

You have 2 possibilities:
- Use sssd to connect to an AD server (but you need to add the service for Unix and the Unix tab to manage Unix information)
- or install Samba and use winbind for mapping Windows AD account information (SID) to a Linux account (uidNumber).

-----------------------------------
Stéphane PURNELLE
Systems and Network Admin.
IT Department, Corman S.A.
Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 18/12/2013 15:40:37:

> From: Cyril <cyril.lalinne at 3d-com.fr>
> To: samba at lists.samba.org
> Date: 18/12/2013 15:41
> Subject: [Samba] Linux client of the domain
> Sent by: samba-bounces at lists.samba.org
>
> Hello,
>
> I think I'm starting to understand how Linux client can be integrated
> into a samba domain.
>
> Tell me if I'm wrong :
>
> Linux clients don't need Samba for authentication, only the ldap part of
> samba.
> sssd through kerberos get information from ldap. If the user is known or
> get the right, he can log.
>
> So why should I need to install winbind and samba4 on the linux client ?
> Is it only if I have a Windows AD ?
>
> Thanks
> Cyril
On 18/12/13 14:40, Cyril wrote:
> Hello,
>
> I think I'm starting to understand how Linux client can be integrated
> into a samba domain.
>
> Tell me if I'm wrong :
>
> Linux clients don't need Samba for authentication, only the ldap part
> of samba.

Linux clients can get their authentication from either a local database or a remote database (this can be LDAP based or AD based), but if going for remote auth, you really need Samba.

> sssd through kerberos get information from ldap. If the user is known
> or get the right, he can log.

If sssd can extract the user's info, then yes, they can log in.

>
> So why should I need to install winbind and samba4 on the linux client ?
> Is it only if I have a Windows AD ?

You can have Samba without winbind; which version of Samba you use is up to you, but 3.6 is now in security fixes mode. Samba 4 can be run just the same as 3.x was; it does not have to be an Active Directory controller.

Rowland

>
> Thanks
> Cyril
At Wed, 18 Dec 2013 15:40:37 +0100 Cyril <cyril.lalinne at 3d-com.fr> wrote:

>
> Hello,
>
> I think I'm starting to understand how Linux client can be integrated
> into a samba domain.
>
> Tell me if I'm wrong :
>
> Linux clients don't need Samba for authentication, only the ldap part of
> samba.
> sssd through kerberos get information from ldap. If the user is known or
> get the right, he can log.
>
> So why should I need to install winbind and samba4 on the linux client ?
> Is it only if I have a Windows AD ?

*IF* the server is Linux and if authentication is via LDAP (e.g. OpenLDAP is running on the server) AND IF NFS is installed and set up on the server, the *Linux* client does not need any of Samba at all. It can authenticate via LDAP, share server disks (e.g. /home/$USER) via NFS (and automount/autofs), and access printers on the server via CUPS (with 'sharing' enabled). The 'native' Linux disk 'sharing' is via NFS, 'native' print sharing is via CUPS, and one of the 'native' server authentication methods is LDAP (another is Kerberos).

A Linux *client* only needs Samba if the server is Windows based.

(Note: the above *also* can apply to MacOSX or *BSD, with the right software installed. I don't know if NFS is part of the base MacOSX install or not -- it should be for Linux or *BSD, at least the client side, i.e. nfs_mount and nfsfs kernel modules -- the nfsd daemon might be an optional package, depending on the distro.)

>
> Thanks
> Cyril

--
Robert Heller -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
Cyril
2013-Dec-19 13:27 UTC
[Samba] Linux client of the domain - SSSD : authenticating via Kerberos
On 18/12/2013 15:40, Cyril wrote:
> Hello,
>
> I think I'm starting to understand how Linux client can be integrated
> into a samba domain.
>
> Tell me if I'm wrong :
>
> Linux clients don't need Samba for authentication, only the ldap part of
> samba.
> sssd through kerberos get information from ldap. If the user is known or
> get the right, he can log.
>
> So why should I need to install winbind and samba4 on the linux client ?
> Is it only if I have a Windows AD ?
>
> Thanks
> Cyril

I can't get sssd working and I don't know why.

On the network, I have a samba4 install on a CentOS 6.4. This server is also the DHCP server. There's no other server on the domain. A Win7 workstation has already joined the domain.

I'm following this wiki:
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
to add a Linux workstation (Ubuntu 12.04 LTS) to the domain. The goal is to get users to authenticate with the same user/password as the Windows one.

On the workstation:
I have installed the sssd and krb5-user packages from the Ubuntu repository.
The module libsasl2-modules-gssapi-MIT is already installed.
I have created a directory security in /lib64 and linked the file:

# ln -s /usr/local/lib/security/pam_sss.so /lib64/security/

Then when I do:

ldconfig -v | grep sss
libnss_sss.so.2 -> libnss_sss.so.2

On the server:
I have extracted the keytab.

On the workstation:
I have configured sssd.conf with LDAP as id_provider (sssd version < 1.10.0).
I checked /etc/nsswitch.conf. sss is already added.

If I run:

getent passwd

I only get local profiles.

Any idea of what I missed? Is there any other test I can do to know what's wrong?

Thanks,
Cyril
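
An offline sanity check for the client-side files mentioned in the message above (sssd.conf with an LDAP id_provider, and nsswitch.conf). This is an added example, not part of the thread or of the Samba wiki: the function name `check_sssd_setup`, the sample file contents, the host name and the realm are all constructed placeholders. It relies on documented sssd behaviour: sssd.conf must be root-owned with mode 0600, and enumeration is disabled by default, so a bare `getent passwd` lists only local accounts.

```python
import configparser
# Constructed sample files for illustration; host and realm are placeholders.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.test
ldap_sasl_mech = GSSAPI
krb5_realm = EXAMPLE.TEST
"""
SAMPLE_NSSWITCH = "passwd: compat sss\ngroup: compat\nshadow: compat\n"

def check_sssd_setup(sssd_conf, nsswitch, mode=0o600, owner_uid=0):
    """Return a list of findings for an sssd LDAP/Kerberos client setup."""
    findings = []
    # sssd refuses to start unless sssd.conf is root-owned with mode 0600.
    if owner_uid != 0 or (mode & 0o777) != 0o600:
        findings.append("sssd.conf must be owned by root with mode 0600")
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(sssd_conf)
    split = lambda v: [x.strip() for x in v.split(",") if x.strip()]
    services = split(cfg.get("sssd", "services", fallback=""))
    domains = split(cfg.get("sssd", "domains", fallback=""))
    if "nss" not in services:
        findings.append("[sssd] services lacks nss")
    for name in domains:
        sec = "domain/" + name
        if not cfg.has_section(sec):
            findings.append("missing section [%s]" % sec)
            continue
        # Without enumerate = true, only lookups by name reach the directory.
        if cfg.get(sec, "enumerate", fallback="false").lower() != "true":
            findings.append("%s: enumerate is off; use 'getent passwd <user>'" % name)
    # nsswitch.conf must route each database to the sss module.
    nss = {}
    for line in nsswitch.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            nss[db.strip()] = sources.split()
    for db in ("passwd", "group"):
        if "sss" not in nss.get(db, []):
            findings.append("nsswitch.conf: %s has no sss source" % db)
    return findings
```

On a real client, pass in the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf together with the mode and owner reported by `stat`. The check does not contact the domain controller, so a clean result only rules out these local causes.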