Rowland,

Thank you. I read the O'Reilly book chapter 10, but I am still unclear on the requirements. If you have an idea for another book/man to read, please let me know and I will read.

On Mon, Apr 25, 2016 at 11:48 PM, Rowland penny <rpenny at samba.org> wrote:
> You may however run 'kinit user at DOMAIN.TLD' to ensure there is a kerberos
> ticket before doing something that requires authentication.

Please consider this use case:

$ grep -e security -e username\ map /etc/samba/smb.conf

username map = /etc/samba/DomainToLocalMapping.txt
security = ads

$ grep cstankevitz /etc/samba/DomainToLocalMapping.txt
cstankevitz = DOMAIN.TLD\cstankevitz DOMAIN\cstankevitz

A linux client connects to the samba server and specifies a username of "DOMAIN\cstankevitz" and a password that matches the password stored on a Microsoft Windows AD Server.

12. Does the use case above require someone to run kinit on the samba server before the client attempts a connection?

If yes:

12a. Will the ticket supplied by kinit expire?

12b. Does kinit need to be run periodically? e.g. when the ticket expires or when the computer reboots?

12c. Which username should I provide to kinit for this use case? Should it have any particular privilege?

12d. If kinit has not been properly run, what specifically will fail and what specifically will be shown in a verbose samba log?

>> 9. What are the consequences of running samba/ads on a machine that
>> has not been joined to the domain?
>
> About the same as running windows on a computer that isn't joined to the
> domain.

13. Does my use case above require the samba computer to be joined to the windows domain?

If yes:

13a. If the samba computer has not been joined to the domain, what specifically will fail and what specifically will be shown in a verbose samba log?

> Find out why you do not have /usr/lib64/samba/ldb

Thank you. I'm embarrassed that I didn't see that.

Thank you again,

Chris
On 26/04/16 17:06, Chris Stankevitz wrote:
> Rowland,
>
> Thank you. I read the O'Reilly book chapter 10, but I am still unclear
> on the requirements. If you have an idea for another book/man to
> read, please let me know and I will read.
>
> On Mon, Apr 25, 2016 at 11:48 PM, Rowland penny <rpenny at samba.org> wrote:
>> You may however run 'kinit user at DOMAIN.TLD' to ensure there is a kerberos
>> ticket before doing something that requires authentication.
> Please consider this use case:
>
> $ grep -e security -e username\ map /etc/samba/smb.conf
>
> username map = /etc/samba/DomainToLocalMapping.txt
> security = ads
>
> $ grep cstankevitz /etc/samba/DomainToLocalMapping.txt
> cstankevitz = DOMAIN.TLD\cstankevitz DOMAIN\cstankevitz
>
> A linux client connects to the samba server and specifies a username
> of "DOMAIN\cstankevitz" and a password that matches the password
> stored on a Microsoft Windows AD Server.

I would suggest you stop using the username map for this. If a user exists in AD and the user logs into a Unix machine that is joined to the domain, then the user *shouldn't* exist in /etc/passwd.

Can I suggest you browse the Samba wiki: https://wiki.samba.org/index.php/Main_Page

> 12. Does the use case above require someone to run kinit on the samba
> server before the client attempts a connection?

No, a user doesn't have to 'kinit' before connecting.

> If yes:
>
> 12a. Will the ticket supplied by kinit expire?
>
> 12b. Does kinit need to be run periodically? e.g. when the ticket
> expires or when the computer reboots?
>
> 12c. Which username should I provide to kinit for this use case?
> Should it have any particular privilege?
>
> 12d. If kinit has not been properly run, what specifically will fail
> and what specifically will be shown in a verbose samba log?
>
>>> 9. What are the consequences of running samba/ads on a machine that
>>> has not been joined to the domain?
>>
>> About the same as running windows on a computer that isn't joined to the
>> domain.
> 13. Does my use case above require the samba computer to be joined to
> the windows domain?

If you want a Unix machine to be part of a domain (and 'security = ads' means you do) it needs to be joined to the domain (it isn't a windows domain, it is an Active Directory domain).

> If yes:
>
> 13a. If the samba computer has not been joined to the domain, what
> specifically will fail and what specifically will be shown in a
> verbose samba log?

Your users will be unknown to the Unix machine. Not entirely sure what will show up in the logs, but something like 'unknown user'.

Rowland

>> Find out why you do not have /usr/lib64/samba/ldb
> Thank you. I'm embarrassed that I didn't see that.
>
> Thank you again,
>
> Chris
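The 'username map' lookup that the use case above depends on, as an added Python example (not code from this thread or from Samba itself): it parses a constructed map file in the format shown in the thread and applies it the way smb.conf(5) describes, including the leading '!' that stops processing after a match. The passwd table is a constructed stand-in for /etc/passwd, which is exactly the local dependency Rowland advises replacing with winbind.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample in the "username map" file format from the thread.
# Line form: unixname = win_name1 win_name2 ...
# '#' or ';' starts a comment, a leading '!' stops processing after a
# match on that line, and '*' on the right-hand side matches any name.
SAMPLE_MAP = r"""
; constructed example mirroring /etc/samba/DomainToLocalMapping.txt
!cstankevitz = DOMAIN.TLD\cstankevitz DOMAIN\cstankevitz
nobody = *
"""

# Constructed stand-in for the local /etc/passwd (login name -> uid).
SAMPLE_PASSWD: Dict[str, int] = {"root": 0, "cstankevitz": 1001, "nobody": 65534}

Rule = Tuple[str, List[str], bool]  # (unix name, names to match, stop after match)


def parse_username_map(text: str) -> List[Rule]:
    """Parse the map file into rules in file order (order matters: every line is tried)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        unix_name, sep, rhs = line.lstrip("!").partition("=")
        if not sep:
            continue  # malformed line without '=' is skipped
        rules.append((unix_name.strip(), rhs.split(), stop))
    return rules


def map_username(client_name: str, rules: List[Rule]) -> str:
    """Rewrite the client-supplied name rule by rule, as 'username map' does.

    Every line is applied to the current name, so a later catch-all
    (nobody = *) also captures an already-mapped name unless the earlier
    line carried '!'. Case-insensitive comparison is an assumption here,
    and '@group' entries (which need Unix group membership) are skipped.
    """
    name = client_name
    for unix_name, patterns, stop in rules:
        if any(p == "*" or p.lower() == name.lower()
               for p in patterns if not p.startswith("@")):
            name = unix_name
            if stop:
                break
    return name


def local_account(name: str, passwd: Dict[str, int]) -> Optional[int]:
    """The mapped name must exist locally for this setup; winbind removes that need."""
    return passwd.get(name)
```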
On 26/04/16 19:14, Chris Stankevitz wrote:
> On Tue, Apr 26, 2016 at 10:33 AM, Rowland penny <rpenny at samba.org> wrote:
>> Can I suggest you browse the Samba wiki:
>> https://wiki.samba.org/index.php/Main_Page
> I will... thank you.
>
>> I would suggest you stop using the username map for this, if a user exists in
>> AD and the user logs into a Unix machine that is joined to the domain, then
>> the user *shouldn't* exist in /etc/passwd
> I'm not sure how that would work, but I'll read the wiki. For
> example, under which user will the smb client processes run? Perhaps
> you are suggesting that I use winbind instead of 'username map'.

Most definitely, you should be running winbind.

>>> 12. Does the use case above require someone to run kinit on the samba
>>> server before the client attempts a connection?
>>
>> No, a user doesn't have to 'kinit' before connecting.
> Thank you. My understanding is that for my use case I never have to
> issue "kinit" - not even for net ads join. The process is:
>
> 1. buy computer

If you don't have one :-)

> 2. Install linux/samba

Very good idea.

> 3. configure smb.conf (security=ads, )

See Samba wiki for this.

> 4. Start smbd

Not yet.

> 5. net ads join -U UserWithSeMachineAccountPrivilege at DOMAIN.TLD

You could always use 'net ads join -U Administrator'

> 6. users connect to samba and use the shares with their AD usernames/passwords

Not yet

> 7. reboot computer from time to time (kernel updates, etc)

Not yet

> 8. start smbd

Yes and nmbd and winbind

> 9. goto 6

now 6 & 7

Rowland

> Thank you again,
>
> Chris