On Oct 8 2015 09:32 Rowland Penny wrote:

> It might help if you were to explain just what you require from single-sign-on ?

Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4? From reading this list over the past couple of months it does not seem that authenticating users on Windows workstations is the main thing people do. But, is not the ability to authenticate user logins from any (Linux or Windows) workstation in the domain the chief purpose of Samba4? If not, please straighten me out. What's it good for?

As to what *I* require, scenario: I am sitting at a Linux workstation on our office network, any Linux workstation, not just the one in *my* office. I have a login prompt. I don't have a specific local account configured in /etc/passwd on this particular workstation. I log in using my ID/PW, which is authenticated centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure where I'm logged into yet, but I'll cross that bridge when I come to it.

In Windows, using Samba4 AD/DC, this is a snap. I just join the domain via Start > Computer > Properties > Advanced System Settings > Computer Name > Change, and click 'Domain'. I have to fill in the domain name, enter the Domain Administrator credentials and I'm done. Now, any domain user can log into any Windows workstation anywhere on the domain.

That's basically what I want to do with Linux workstations. I need to sort this out because we are looking at replacing Windows workstations with Linux workstations.

I will investigate the recommendations posted by L.P.H. van Belle and Guilherme Boing and see if I can make some headway.

> Date: Thu, 08 Oct 2015 09:32:31 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On 08/10/15 04:16, Mark Foley wrote:
> > I'm very confused. I have a Samba4 AD/DC which works great for Windows
> > authentication with our Windows 7 workstations.
> >
> > Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.
>
> It might help if you were to explain just what you require from
> single-sign-on ?
>
> Rowland
>
> > All web documentation I've so far found on this references OpenLDAP as the server
> > and describes server-side commands such as kadmin and slapd-config to get things
> > set up on the server side (e.g. https://help.ubuntu.com/community/SingleSignOn)
> > which don't exist on the Samba4 AD/DC.
> >
> > Samba4 apparently has its own LDAP (Heimdal?) implementation. Does this mean
> > everything should "just work" with LDAP clients and I need do no further
> > server-side configuration? Or does it mean, "sorry, you can't do LDAP
> > authentication with Samba4."
> >
> > Please clarify so I can make some decisions.
> >
> > btw - the following command *does* work from a Linux client on the network:
> >
> > ldapsearch -xLLL -H ldap://mail:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"
> >
> > --Mark
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Thu, 8 Oct 2015, Mark Foley wrote:

> On Oct 8 2015 09:32 Rowland Penny wrote:
>
>> It might help if you were to explain just what you require from single-sign-on ?
>
> Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4?
> From reading this list over the past couple of months it does not seem that
> authenticating users on Windows workstations is the main thing people do. But,
> is not the ability to authenticate user logins from any (Linux or Windows)
> workstation in the domain the chief purpose of Samba4? If not, please straighten
> me out. What's it good for?

Samba 4 is just a version of Samba that is newer than Samba 3. Samba 4 can be a file server, an NT4 PDC, an Active Directory domain controller, or an NT4 or AD member server. Probably other things I am forgetting too.

"Single Sign On" is a term used by many people to mean different things. To some people, it means you can use the same password to log into any system. To some, it means into any resource. To others, it means that once you log into a system, you have passwordless login into any other resource. All of these things are possible (within limitations) with Samba.

> As to what *I* require, scenario: I am sitting at a Linux workstation on our
> office network, any Linux workstation, not just the one in *my* office. I have
> a login prompt. I don't have a specific local account configured in /etc/passwd
> on this particular workstation. I log in using my ID/PW, which is authenticated
> centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure
> where I'm logged into yet, but I'll cross that bridge when I come to it.
>
> In Windows, using Samba4 AD/DC, this is a snap. I just join the domain via
> Start > Computer > Properties > Advanced System Settings > Computer Name >
> Change, and click 'Domain'. I have to fill in the domain name, enter the Domain
> Administrator credentials and I'm done. Now, any domain user can log into any
> Windows workstation anywhere on the domain.

It's easy in Linux with Samba as well. You basically just need to follow the directions here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

> I will investigate the recommendations posted by L.P.H. van Belle and Guilherme
> Boing and see if I can make some headway.

No offense against L.P.H. van Belle, but his directions are for the hard way to set up Kerberos. Creating a domain controller handles all of the server side, and "net ads join" handles all of the client side if you are using winbind.

If you prefer not to join your machines to the domain and use LDAP to authenticate, Guilherme's documentation looks like a good start.

Also note that some distros have tools to automate some or all of the PAM/NSS stuff (this applies to the member server directions above as well), so you may want to check your distro docs too. Red Hat/Fedora in particular has authconfig, and in newer versions realmd.
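A worked version of the "net ads join ... if you are using winbind" route from the message above, added here as an example; it is not code from the Samba project or from anyone in this thread. It writes the member-workstation smb.conf and krb5.conf, adds winbind to the NSS sources, and then joins and verifies. Values that the thread does not state and are assumed here: the realm HPRS.LOCAL and workgroup HPRS (only the base DN dc=HPRS,dc=local appears in the thread), the rid idmap backend and its UID ranges, and Ubuntu package and service names.

```shell
#!/bin/sh
# Added example: join a Linux workstation to a Samba AD domain with winbind so
# any domain user can log in without a local /etc/passwd entry.
# Not code from the Samba project or from the list posters. Assumptions:
# realm HPRS.LOCAL / workgroup HPRS (only dc=HPRS,dc=local appears in the thread),
# the rid idmap backend and its ranges, and Ubuntu package names:
#   apt-get install samba winbind libnss-winbind libpam-winbind krb5-user
# The workstation must resolve the AD DNS zone, i.e. use the DC as its resolver.
set -eu

REALM="${REALM:-HPRS.LOCAL}"    # Kerberos realm = AD DNS domain, upper case (assumed)
WORKGROUP="${WORKGROUP:-HPRS}"  # NetBIOS domain name (assumed)

# Write a minimal member-workstation smb.conf to the path in $1.
write_smb_conf() {
    cat > "$1" <<EOF
[global]
    security = ads
    realm = $REALM
    workgroup = $WORKGROUP
    # Kerberos via the machine-account keytab created by the join, not a password on disk
    kerberos method = secrets and keytab
    # Local range for BUILTIN and other non-domain SIDs; must not overlap the domain range
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # rid backend: UID = range start + RID, so every workstation maps a user to the same UID
    idmap config $WORKGROUP : backend = rid
    idmap config $WORKGROUP : range = 10000-999999
    # Home and shell for domain users, since the rid backend does not read them from AD
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = yes
    winbind refresh tickets = yes
    # Enumeration is expensive against a DC and not needed for logins
    winbind enum users = no
    winbind enum groups = no
EOF
}

# Write a minimal krb5.conf to $1; the KDCs are found through the AD SRV records.
write_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
EOF
}

# Append "winbind" to the passwd and group lines of the nsswitch.conf in $1 (idempotent).
# "files" stays first so local accounts such as root still resolve if the DC is unreachable.
enable_winbind_nss() {
    for db in passwd group; do
        if ! grep -Eq "^$db:.*[[:space:]]winbind"'([[:space:]]|$)' "$1"; then
            awk -v key="$db:" '$1 == key { print $0 " winbind"; next } { print }' "$1" > "$1.tmp" \
                && mv "$1.tmp" "$1"
        fi
    done
}

# Create the computer account and keytab, then prove the join works end to end.
# Needs the network and Domain Admin credentials; the self-test does not call this.
join_domain() {
    net ads join -U "${1:-Administrator}"
    systemctl restart winbind
    net ads testjoin                      # secure channel to the DC: prints "Join is OK"
    wbinfo -t                             # machine-account trust password check
    getent passwd "${1:-Administrator}"   # a domain user resolves through NSS
    # PAM: on Ubuntu, pam-auth-update enables pam_winbind once libpam-winbind is installed;
    # add pam_mkhomedir so a first login creates /home/<user>.
}

# Usage as root on the workstation: sh join-workstation.sh run
if [ "${1:-}" = "run" ]; then
    write_smb_conf /etc/samba/smb.conf
    write_krb5_conf /etc/krb5.conf
    enable_winbind_nss /etc/nsswitch.conf
    join_domain Administrator
fi
```

With krb5.conf in place, `kinit Administrator` followed by `ldapsearch -Y GSSAPI -H ldap://mail -b dc=HPRS,dc=local '(sAMAccountName=Administrator)'` runs the same kind of query as the ldapsearch quoted earlier in the thread, but with a Kerberos bind instead of the `-x` simple bind, which sends the Administrator password in clear on port 389 unless the connection is protected with `-ZZ` or `ldaps://`.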
On 08/10/15 21:17, Mark Foley wrote:

> [...]
>
> That's basically what I want to do with Linux workstations. I need to sort this
> out because we are looking at replacing Windows workstations with Linux
> workstations.

So, you want to use a Linux computer just like a Windows computer; well, you can and you can't :-)

What you cannot do is use GPOs like Windows does. Everything else is possible; you just need to set up the clients correctly.

The first thing you need to understand is that there is only one basic way to set up Samba in an AD domain; it is what you do with Samba after this that defines what it will be used for.

There is a page on the Samba wiki that purports to be for a member server. Well, in my opinion, it is just the basic setup and you would need to extend it to make it a proper member server; you can also use this basic setup for a workstation.

Most, if not all, of the information you require is on the wiki and you only have to ask here about any gaps you find.

Rowland
On Thu, 8 Oct 2015 15:46 Sketch wrote:

> It's easy in Linux with Samba as well. You basically just need to follow
> the directions here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Thanks for the feedback. OK, I'll check out your link ASAP. The "Server" bit in the link gives me pause. I *have* a Samba4 AD/DC "server" already. I think the Linux workstations need to be "clients", but maybe this is just a matter of semantics. I'll research.

> If you prefer not to join your machines to the domain and use LDAP to
> authenticate, Guilherme's documentation looks like a good start.

I prefer the simplest approach. If there is some way I can get this to work without adding LDAP, PAM, Kerberos, NSS, etc. I'm all for it. Note that in my Windows example the workstation is joined to the domain. That's fine; I have no problem with that versus not joining. I'm looking for the easiest, simplest way for workstation users to log into any (Linux) workstation in the LAN with ONE SET of credentials. So far I haven't found this "magic bullet" after months of surfing.

> you may want to check your distro docs too

I'm using Ubuntu as the client workstations. Apparently, Ubuntu knows nothing about Samba4 AD/DC and the docs have lots of instruction on setting up OpenLDAP, Kerberos, etc. Things that aren't going to work (at least on the server side) with Samba4 since it has its own built-in versions of these things.

--Mark
On Thu, 08 Oct 2015 21:52 Rowland Penny wrote:

> What you cannot do is use GPOs like Windows does, everything else is
> possible, you just need to set up the clients correctly.

Excellent! I've been messing around with GPOs on Windows AD domains for years, more extensively this past year with Samba4 AD/DC, and I absolutely hate them. In my opinion they are yet another attempt by Microsoft to shore up a fundamentally insecure OS. I have yet to find a GPO that would be worthwhile in Linux. "Trust Center"? Gee, can't execute macros in Linux that run as root - don't need that. "Remote Desktop GPO"? How about VNC. I've got more, lots more, but I'll stop. If you can give me an example of one GPO that would be useful in Linux I'll moderate my position. Sorry to get on a rant, but if we do manage to convert away from Windows, I say "good riddance" to GPOs!

> There is a page on the Samba wiki that purports to be for a member
> server, well, in my opinion, it is just the basic setup and you would
> need to extend it to make it a proper member server, you can also use
> this basic setup for a workstation.
>
> Most, if not all, of the information you require is on the wiki and you
> only have to ask here about any gaps you find.

That's great!!! I've been searching for that particular wiki for a couple of months now without success. Can you point me to it? Are you referring to Sketch's link? https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

--Mark