Mark Foley
2015-Oct-10 00:37 UTC
[Samba] Workstations are member servers (or domain members) Re: Samba AD PDC , LDAP and Single-Sign-On
On Sat, 10 Oct 2015 08:23 Andrew Bartlett wrote:
> The main difference between use as a file server vs use as a desktop,
> is that pam_winbindd is mandatory for the Samba method (see elsewhere
> for using sssd or other tools), as that will get you the desktop
> login.

Yes, that does clarify and give me comfort with respect to naming. I
understand that the office-central Samba4 AD/DC is quite logically a
"server", and I now understand that my personal linux desktop in my
private office is also referred to as a "member server" (or will be when
I get it set up properly), even though my brain thinks of it as a
"client" of the AD "server". OK, not the first time these terms have
gotten scrambled in my mind.

I'm not deep enough into it yet to grasp what you mean by "pam_winbindd
is mandatory". So far, Rowland, Sketch and their referenced link
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
are omitting references to PAM, but I'll cross that bridge if/when I get
there.

Thanks, --Mark

-----Original Message-----
> Subject: Workstations are member servers (or domain members) Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
> From: Andrew Bartlett <abartlet at samba.org>
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
> Date: Sat, 10 Oct 2015 08:23:23 +1300
>
> On Thu, 2015-10-08 at 18:08 -0400, Mark Foley wrote:
> > On Thu, 8 Oct 2015 15:46 Sketch wrote:
> >
> > > It's easy in Linux with Samba as well. You basically just need to follow
> > > the directions here:
> > >
> > > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> >
> > Thanks for the feedback. OK, I'll check out your link ASAP. The "Server" bit
> > in the link gives me pause. I *have* a Samba4 AD/DC "server" already. I think
> > the linux workstations need to be "clients", but maybe this is just a matter of
> > semantics. I'll research.
>
> In short, workstations are member servers too.
>
> I do thank you for pointing out the gap in our naming scheme here -
> indeed we deviate a little from the common usage by saying 'member
> server' not 'domain member', but I can confirm that a linux-installed
> laptop and a windows-installed laptop desiring single-sign-on from the
> login prompt should be configured as 'domain members' or as we put it
> in that link, 'member servers'.
>
> The main difference between use as a file server vs use as a desktop,
> is that pam_winbindd is mandatory for the Samba method (see elsewhere
> for using sssd or other tools), as that will get you the desktop
> login.
>
> I hope this clarifies things,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2015-Oct-10 03:01 UTC
[Samba] Workstations are member servers (or domain members) Re: Samba AD PDC , LDAP and Single-Sign-On
On Fri, 2015-10-09 at 20:37 -0400, Mark Foley wrote:
> On Sat, 10 Oct 2015 08:23 Andrew Bartlett wrote:
>
> Yes, that does clarify and give me comfort with respect to naming. I
> understand that the office-central Samba4 AD/DC is quite logically a
> "server", and I now understand that my personal linux desktop in my
> private office is also referred to as a "member server" (or will be
> when I get it set up properly), even though my brain thinks of it as a
> "client" of the AD "server". OK, not the first time these terms have
> gotten scrambled in my mind.

The confusion comes because the other potential device is a 'member
server' acting as a file server, and that is both far more common, and
really a server. The article is aimed at helping set this up, and
happens to cover your case almost by co-incidence.

> I'm not deep enough into it yet to grasp what you mean by
> "pam_winbindd is mandatory". So far, Rowland, Sketch and their
> referenced link
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> are omitting references to PAM, but I'll cross that bridge if/when I
> get there.

PAM is what will allow your console login to take the AD password.
Otherwise, you get AD users and groups (via nss_winbind), but you can't
log in with them by typing a password.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
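The nss_winbind / pam_winbind split Andrew describes above, as an added example that is not part of the thread and not Samba project code: a small POSIX sh audit that reads a host's nsswitch.conf and PAM auth stack and reports whether AD users merely resolve (NSS only) or can also log in with their AD password (NSS plus PAM). The sample files it writes are constructed here for illustration; the Debian-style `common-auth` layout, the `SAMDOM\workstation-users` group name and the file names under the temp directory are all assumptions, not anything from the original page.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project. Encodes the
# distinction: winbind in nsswitch.conf makes AD users/groups resolve,
# pam_winbind.so in the PAM auth stack makes the console accept their AD
# password. Real hosts: /etc/nsswitch.conf and (Debian derivatives)
# /etc/pam.d/common-auth; the sample files below are constructed.

# True when both passwd and group lookups are routed through winbind.
nss_has_winbind() {
    nss="$1"
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$nss" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)'  "$nss"
}

# True when an uncommented "auth" line loads pam_winbind.so.
pam_has_winbind() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_winbind\.so' "$1"
}

# True when that pam_winbind line also carries require_membership_of=,
# i.e. login is limited to a group rather than open to every AD account.
pam_restricts_groups() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_winbind\.so[^#]*require_membership_of=' "$1"
}

# Prints one of: none | nss-only | nss+pam | nss+pam-restricted
winbind_login_state() {
    nss="$1"; pam="$2"
    if ! nss_has_winbind "$nss"; then
        echo none                 # AD users do not even resolve
    elif ! pam_has_winbind "$pam"; then
        echo nss-only             # getent/id work, password login does not
    elif pam_restricts_groups "$pam"; then
        echo nss+pam-restricted
    else
        echo nss+pam
    fi
}

# Constructed sample files (not captured from a real host).
write_samples() {
    dir="$1"
    printf 'passwd: files\ngroup:  files\nshadow: files\n' > "$dir/nsswitch.plain"
    printf 'passwd: files winbind\ngroup:  files winbind\nshadow: files\n' > "$dir/nsswitch.winbind"
    cat > "$dir/common-auth.plain" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
    cat > "$dir/common-auth.winbind" <<'EOF'
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
    # Same stack, but only members of an (assumed) AD group may log in.
    sed 's/try_first_pass/try_first_pass require_membership_of=SAMDOM\\workstation-users/' \
        "$dir/common-auth.winbind" > "$dir/common-auth.restricted"
}

# Stand-alone demonstration over the constructed samples.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for pam in plain winbind restricted; do
        printf '%s + common-auth.%s -> %s\n' nsswitch.winbind "$pam" \
            "$(winbind_login_state "$d/nsswitch.winbind" "$d/common-auth.$pam")"
    done
    rm -rf "$d"
}
demo
```

On a real domain member run `winbind_login_state /etc/nsswitch.conf /etc/pam.d/common-auth` after sourcing the functions; `nss-only` is exactly the state Andrew describes, where `getent passwd` and `id` show AD accounts but a console login with the AD password is refused. Once `nss+pam` is reached, `wbinfo -a` against a test account confirms winbind can authenticate it. The `require_membership_of=` check is a caveat of my own: with plain `nss+pam` every account in the domain can log into the workstation, which is usually not what a single-user desktop wants.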
Mark Foley
2015-Oct-11 05:55 UTC
[Samba] Workstations are member servers (or domain members) Re: Samba AD PDC , LDAP and Single-Sign-On
On Sat, 10 Oct 2015 16:01 Andrew Bartlett wrote:
> PAM is what will allow your console login to take the AD password.
> Otherwise, you get AD users and groups (via nss_winbind), but you can't
> log in with them by typing a password.

Well then, I suppose I'll have to deal with that eventually. The
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server page
warns me to know what I'm doing before messing with PAM. I guess I'll
have to ignore that advice for now!

--Mark

-----Original Message-----
> Subject: Re: [Samba] Workstations are member servers (or domain members) Re: Samba AD PDC , LDAP and Single-Sign-On
> From: Andrew Bartlett <abartlet at samba.org>
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
> Date: Sat, 10 Oct 2015 16:01:03 +1300
>
> On Fri, 2015-10-09 at 20:37 -0400, Mark Foley wrote:
> > On Sat, 10 Oct 2015 08:23 Andrew Bartlett wrote:
> >
> > Yes, that does clarify and give me comfort with respect to naming. I
> > understand that the office-central Samba4 AD/DC is quite logically a
> > "server", and I now understand that my personal linux desktop in my
> > private office is also referred to as a "member server" (or will be
> > when I get it set up properly), even though my brain thinks of it as a
> > "client" of the AD "server". OK, not the first time these terms have
> > gotten scrambled in my mind.
>
> The confusion comes because the other potential device is a 'member
> server' acting as a file server, and that is both far more common, and
> really a server. The article is aimed at helping set this up, and
> happens to cover your case almost by co-incidence.
>
> > I'm not deep enough into it yet to grasp what you mean by
> > "pam_winbindd is mandatory". So far, Rowland, Sketch and their
> > referenced link
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> > are omitting references to PAM, but I'll cross that bridge if/when I
> > get there.
>
> PAM is what will allow your console login to take the AD password.
> Otherwise, you get AD users and groups (via nss_winbind), but you can't
> log in with them by typing a password.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba