Dear list,

I am having real trouble using the linux authentication system with samba. I have a configured kerberos and ldap server and authenticate in linux using nslcd. nfs4 works fine in the linux world. Unfortunately, I am forced :( to have some windows machines which are supposed to connect to linux fileservers. If I understand correctly, I can use sssd on the samba ad domain controller to "glue" the authentication between samba and the POSIX system. I used principally the ubuntu single sssd configuration (https://help.ubuntu.com/community/SingleSignOn) but tried many many other configurations. I also tried winbind to no avail. If I create a user in the local samba database I can access shares via smbclient:

smbclient //server/netlogon -Uusername -c 'ls'

A few questions:

1) is it actually possible to authenticate a user with the linux authentication system to access samba shares?
2) If so can someone give me general directions and any good howtos or wiki pages
3) Is the authentication for a samba share happening on the server or the DC?
4) I was wondering if my ldap setup has anything to do with this? I am not terribly keen on changing ldap since I cannot say I understand ldap well.

Hope someone can give me directions.
Cheers
Michael

On 11/03/16 22:21, michaels wrote:
> Dear list,
> I am having real trouble using the linux authentication system with samba. I
> have a configured kerberos and ldap server and authenticate in linux using
> nslcd. nfs4 works fine in the linux world. Unfortunately, I am forced :( to have
> some windows machines which are supposed to connect to linux fileservers. If I
> understand correctly, I can use sssd on the samba ad domain controller to "glue"
> the authentication between samba and the POSIX system. I used principally the
> ubuntu single sssd configuration (
> https://help.ubuntu.com/community/SingleSignOn) but tried many many other
> configurations. I also tried winbind to no avail. If I create a user in the
> local samba database I can access shares via smbclient:
>
> smbclient //server/netlogon -Uusername -c 'ls'
>
> A few questions:
>
> 1) is it actually possible to authenticate a user with the linux authentication
> system to access samba shares?

Yes

> 2) If so can someone give me general directions and any good howtos or wiki
> pages

Well, I suppose a good place to start would be the Samba wiki:
https://wiki.samba.org/index.php/Main_Page

> 3) Is the authentication for a samba share happening on the server or the DC?

Well both, you connect to the share and then authenticate to the DC.

> 4) I was wondering if my ldap setup has anything to do with this? I am not
> terribly keen on changing ldap since I cannot say I understand ldap well.

When you say ldap, do you mean a separate ldap server, or the ldap built into your samba AD DC?

Rowland

> Hope someone can give me directions.
> Cheers
> Michael

On 12/03/16 11:22, Michael Stockenhuber wrote:
> Hi,
> Thank you for the reply. I have a separate ldap server. Of course I have been on
> the samba wiki, but I am struggling to find how to integrate samba
> authentication with the unix authentication.

If you have set up Samba4 as an AD DC and you are now running an AD domain, you don't integrate samba authentication with the Unix authentication, you do it the other way round :-) . You should have all your users, groups etc in AD and then set up your domain members to get their data from AD, see here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

> Now the problem I (probably) have
> is how to integrate nslcd with samba.

You do not need to use nslcd or sssd, you can just use winbind, the only problem is when you try to use the DC as a fileserver (which is not recommended), but this can be worked around.

Rowland

> Cheers
> michaels

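A sketch of the domain-member setup the reply above points to, added here as an example and not taken from the thread or copied from the Samba wiki. The realm EXAMPLE.LAN, the workgroup EXAMPLE, the [data] share and the ID ranges are placeholders, and the `ad` backend assumes the AD accounts carry RFC2307 uidNumber/gidNumber attributes.

```ini
# /etc/samba/smb.conf on the file server, which is a domain member
# and not the DC. All names and ranges below are placeholders.
[global]
    security = ads
    realm = EXAMPLE.LAN
    workgroup = EXAMPLE

    # Default domain (BUILTIN and local accounts): IDs allocated locally.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The AD domain: winbind reads uidNumber/gidNumber from AD, so every
    # member that uses the same settings sees the same IDs for a user.
    # The range must not overlap the default range above and must cover
    # the IDs actually assigned in AD.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

    # Take home directory and login shell from AD as well.
    winbind nss info = rfc2307

[data]
    path = /srv/samba/data
    read only = no

# /etc/nsswitch.conf then resolves users and groups through winbind
# in place of nslcd or sssd:
#   passwd: compat winbind
#   group:  compat winbind
```

Once the member has been joined to the domain with `net ads join`, `getent passwd` on the member should list the AD users through winbind.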
Michael Stockenhuber
2016-Mar-13 06:44 UTC
[Samba] use linux user account information on samba
Hi,

Thank you for the quick reply. I have gone through the samba wiki, in particular the section on nslcd with kerberos, all the setup of dc and member server to no avail. Nothing is obviously wrong, for example "getent passwd" gives me all the linux users and also the Samba users with "DOMAIN\username" names. Now if I do:

smbclient //server/netlogon -U"linux_user" -c 'ls'
Enter Linux_user's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.17-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

If I do

smbclient //server/netlogon -U"samba_user" -c 'ls'
Enter samba_user's password:
Domain=[Domain] OS=[Unix] Server=[Samba 4.1.17-Debian]
  .                                   D        0  Mon Jul 13 21:40:02 2015
  ..                                  D        0  Sat Mar 12 14:05:28 2016

                46672 blocks of size 524288. 20658 blocks available

On question 4, I use a separate ldap server which also serves nfs4.
Any ideas?
Thanks for the help
Cheers
Michael

> On March 12, 2016 at 7:51 PM Rowland penny <rpenny at samba.org> wrote:
>
>
> On 11/03/16 22:21, michaels wrote:
> > Dear list,
> > I am having real trouble using the linux authentication system with samba. I
> > have a configured kerberos and ldap server and authenticate in linux using
> > nslcd. nfs4 works fine in the linux world. Unfortunately, I am forced :( to
> > have some windows machines which are supposed to connect to linux fileservers.
> > If I understand correctly, I can use sssd on the samba ad domain controller to
> > "glue" the authentication between samba and the POSIX system. I used
> > principally the ubuntu single sssd configuration (
> > https://help.ubuntu.com/community/SingleSignOn) but tried many many other
> > configurations. I also tried winbind to no avail. If I create a user in the
> > local samba database I can access shares via smbclient:
> >
> > smbclient //server/netlogon -Uusername -c 'ls'
> >
> > A few questions:
> >
> > 1) is it actually possible to authenticate a user with the linux
> > authentication system to access samba shares?
>
> Yes
>
> > 2) If so can someone give me general directions and any good howtos or
> > wiki pages
>
> Well, I suppose a good place to start would be the Samba wiki:
> https://wiki.samba.org/index.php/Main_Page
>
> > 3) Is the authentication for a samba share happening on the server or the DC?
>
> Well both, you connect to the share and then authenticate to the DC.
>
> > 4) I was wondering if my ldap setup has anything to do with this? I am not
> > terribly keen on changing ldap since I cannot say I understand ldap well.
>
> When you say ldap, do you mean a separate ldap server, or the ldap built
> into your samba AD DC?
>
> Rowland
>
> > Hope someone can give me directions.
> > Cheers
> > Michael