Steven Fu
2016-May-20 00:06 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
We have an environment in which we cannot (don't want to) use winbind to join the samba server to the win2003 AD (with LDAP RFC2307bis schema and uid/gid set up for users). We managed to get the linux (CentOS) machine to accept windows domain user ssh to it (with nss/nslcd/kerberos settings), but couldn't make the samba server use the same way to serve windows domain users.

Found this page:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607771
But couldn't get it working.

Also found this page:
https://wiki.samba.org/index.php/Nslcd
which had information that is quite similar to what we are trying to do, but was deleted saying "After internal discussions, we only provide support for winbind".

So now the questions are:
1. Does Samba have a way to support using LDAP/Kerberos without winbind?
2. If yes, where can I find a step-by-step guide on how to do it?

(ps: please don't suggest using sssd or realm join, we know those may be the right way to go in the future, but it's not for this environment right now.)

Thanks!

Regards,
Steven
Rowland penny
2016-May-20 07:23 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
On 20/05/16 01:06, Steven Fu wrote:
> We have an environment in which we cannot (don't want to) use winbind to join
> the samba server to the win2003 AD (with LDAP RFC2307bis schema and uid/gid
> set up for users).

Samba provides winbind to do what you need, what have you got against winbind ???

> We managed to get the linux (CentOS) machine to accept windows domain user ssh to
> it (with nss/nslcd/kerberos settings).
> But couldn't make the samba server use the same way to serve windows domain
> users.

Again, this should work with winbind.

> Found this page:
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607771
> But couldn't get it working.

Not surprised, it is an extremely old page.

> Also found this page:
> https://wiki.samba.org/index.php/Nslcd
> which had information that is quite similar to what we are trying to do,
> but was deleted saying "After internal discussions, we only provide support
> for winbind"

It was decided that because Samba only produces winbind, it would only support the use of winbind. Samba has no control over sssd and nslcd etc, so it was decided to leave the support of the use of these with Samba to the distros.

> So now the questions are:
> 1. Does Samba have a way to support using LDAP/Kerberos without winbind?

No

> 2. If yes, where can I find a step-by-step guide on how to do it?

Nowhere

> (ps: please don't suggest using sssd or realm join, we know those may be the
> right way to go in the future, but it's not for this environment right now.)

You do know that the latest sssd uses a version of a winbind lib ?

Rowland
Sketch
2016-May-20 14:04 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
On Thu, 19 May 2016, Steven Fu wrote:
> So now the questions are:
> 1. Does Samba have a way to support using LDAP/Kerberos without winbind?
> 2. If yes, where can I find a step-by-step guide on how to do it?
>
> (ps: please don't suggest using sssd or realm join, we know those may be the
> right way to go in the future, but it's not for this environment right now.)

I have no experience with nslcd, but just wanted to point out that you can use sssd in pure ldap mode without using the ad provider or realmd. This is what I do, and it works just fine. Potential caveats: my shares are on CentOS 6 with Samba 3.6, and don't use windows ACLs, only unix uid/gids.

Samba used to have better and more concise documentation on configuration, but unfortunately they appear to have removed it recently, so the fedora SSSD wiki directions are probably the best, if you choose to go that route:
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

A couple of notes which may possibly help you with nslcd...

You need to run "net ads join" to join the domain if you want functioning kerberos, as this is what causes the DC to create the required principals on the server side. You don't need winbind for the join.

You need to set "kerberos method = system keytab" in your smb.conf _before_ you run "net ads join" (there's no harm in re-joining if you've already done it), or you won't have a working system keytab on the client (running the smbd server) which can be used by other services like ssh. I'm not sure if this is really necessary if you only want kerberos working in Samba.

sssd also handles things like automated kerberos ticket renewals. I am not sure if nslcd does; you may possibly have issues with clients that stay connected for long periods of time if it doesn't.
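The ordering caveat in the reply above (the keytab setting has to be in smb.conf before the join, or the system keytab is never written) is easy to get wrong on a host that was joined once and then reconfigured. The following preflight check is an added example, not code from the thread or from the Samba project: it parses a constructed smb.conf with Python's configparser and refuses to proceed unless `security = ads` and `kerberos method` are set so that `net ads join` will populate /etc/krb5.keytab. The two config texts are made up for the example; "secrets and keytab" is included as a second accepted value on the assumption that it also updates the system keytab, while "system keytab" is the value the reply names.

```python
"""Preflight check: is smb.conf ready for 'net ads join' to write the system keytab?

Added example. Assumptions: smb.conf is ini-like (configparser parses it),
the Samba default for 'kerberos method' is 'default', and 'system keytab'
or 'secrets and keytab' make the join update /etc/krb5.keytab.
"""
import configparser

# Constructed sample configs (not from the thread): one correct, one missing the setting.
SMB_CONF_OK = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    kerberos method = system keytab

[share]
    path = /srv/share
"""

SMB_CONF_MISSING = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
"""

# Values of 'kerberos method' under which the join writes the system keytab (assumption).
SYSTEM_KEYTAB_METHODS = ("system keytab", "secrets and keytab")


def load_smb_conf(text):
    """Parse smb.conf text. Samba ignores key case and whitespace around '=',
    and uses ';' or '#' for comments, so configure configparser the same way."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def kerberos_method(conf):
    """Effective 'kerberos method'; Samba's built-in default is 'default'."""
    return conf.get("global", "kerberos method", fallback="default").strip().lower()


def join_preflight(text):
    """Return (ok, message). ok is True only when the join will update the system keytab."""
    conf = load_smb_conf(text)
    if not conf.has_section("global"):
        return False, "no [global] section in smb.conf"
    if conf.get("global", "security", fallback="user").strip().lower() != "ads":
        return False, "security must be 'ads' for an AD join"
    method = kerberos_method(conf)
    if method in SYSTEM_KEYTAB_METHODS:
        return True, f"kerberos method = {method}: 'net ads join' will update the system keytab"
    return False, (f"kerberos method = {method}: set 'kerberos method = system keytab' "
                   "before running 'net ads join' (re-joining afterwards is harmless)")


if __name__ == "__main__":
    for name, text in (("ok", SMB_CONF_OK), ("missing", SMB_CONF_MISSING)):
        ok, msg = join_preflight(text)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {msg}")
    # After a successful join, confirm the host principals are present with:
    #   klist -k /etc/krb5.keytab
```

Run it against the real file by reading /etc/samba/smb.conf into `join_preflight`; a FAIL means fix the setting and re-run the join, since the keytab is only written at join time.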
Rowland penny
2016-May-22 08:43 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
On 22/05/16 05:01, Dewayne Geraghty wrote:
>
> Rowland, I'm in a similar situation. We use virtual machines on one
> physical host that calls upon AD (mail, squid, ...). nslcd is less
> complex to install/maintain due to lower number of additional
> libraries/packages required, as well as less resource impact.
>
> Name      RSS    VSZ    No of shared libs
> winbindd  46.9M  84.3M  120
> nslcd     6.8M   35.8M  19
> taken from FreeBSD 10.3
>

Whilst nslcd appears to use less libs, over 98% of the libs used by winbindd are also used by smbd (you are using smbd, aren't you? ), so you may be installing more libs than needed. As for complexity of install, winbindd uses smb.conf and you will have set this up anyway. To put it bluntly, if you use nslcd, you are installing and setting it up to do something that winbind will do very easily.

Rowland
mathias dufresne
2016-May-23 11:51 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
The attributes chosen to produce users from AD are important too. Windows users (users accessing a Samba share from a Windows platform) use primaryGroupID as main group ID, when generally UNIX users are based on RFC2307 attributes (gidNumber for main group). If my understanding is correct this is to be taken into account too to get right ACLs on files on Samba shares.

2016-05-22 10:43 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 22/05/16 05:01, Dewayne Geraghty wrote:
>>
>> Rowland, I'm in a similar situation. We use virtual machines on one
>> physical host that calls upon AD (mail, squid, ...). nslcd is less complex
>> to install/maintain due to lower number of additional libraries/packages
>> required, as well as less resource impact.
>>
>> Name      RSS    VSZ    No of shared libs
>> winbindd  46.9M  84.3M  120
>> nslcd     6.8M   35.8M  19
>> taken from FreeBSD 10.3
>>
>
> Whilst nslcd appears to use less libs, over 98% of the libs used by
> winbindd are also used by smbd (you are using smbd, aren't you? ), so you
> may be installing more libs than needed. As for complexity of install,
> winbindd uses smb.conf and you will have set this up anyway. To put it
> bluntly, if you use nslcd, you are installing and setting it up to do
> something that winbind will do very easily.
>
> Rowland
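The primaryGroupID versus gidNumber point above can be checked mechanically before it shows up as unexpected group ownership on a share. The script below is an added example, not code from the thread or from Samba: it takes constructed user and group entries (the shape ldapsearch would return, with made-up SIDs, names and numbers), derives each user's Windows primary group SID from the domain part of objectSid plus the primaryGroupID RID, resolves the user's gidNumber to a group, and reports every user where the two disagree or where the Windows primary group carries no RFC2307 gidNumber at all.

```python
"""Check that a user's Windows primary group (domain SID + primaryGroupID RID)
is the same group its RFC2307 gidNumber points at.

Added example with constructed directory entries; it does not talk to AD.
"""

# Constructed sample data standing in for ldapsearch output (not real objects).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

GROUPS = [
    {"sAMAccountName": "Domain Users", "objectSid": f"{DOMAIN_SID}-513", "gidNumber": 10000},
    {"sAMAccountName": "devs", "objectSid": f"{DOMAIN_SID}-1105", "gidNumber": 10001},
    {"sAMAccountName": "legacy", "objectSid": f"{DOMAIN_SID}-1106"},  # no RFC2307 attributes
]

USERS = [
    # consistent: primaryGroupID 513 -> Domain Users, gidNumber 10000 -> Domain Users
    {"sAMAccountName": "alice", "objectSid": f"{DOMAIN_SID}-1201",
     "primaryGroupID": 513, "gidNumber": 10000},
    # mismatch: Windows says Domain Users, the UNIX side says devs
    {"sAMAccountName": "bob", "objectSid": f"{DOMAIN_SID}-1202",
     "primaryGroupID": 513, "gidNumber": 10001},
    # Windows primary group has no gidNumber, so NSS cannot represent it at all
    {"sAMAccountName": "carol", "objectSid": f"{DOMAIN_SID}-1203",
     "primaryGroupID": 1106, "gidNumber": 10000},
]


def primary_group_sid(object_sid, primary_group_id):
    """objectSid is <domain SID>-<user RID>; the primary group's SID is
    <domain SID>-<primaryGroupID>, since primaryGroupID is a bare RID."""
    domain_sid = object_sid.rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"


def check_primary_groups(users, groups):
    """Return a list of (user, problem) tuples; empty means Windows and UNIX agree."""
    by_sid = {g["objectSid"]: g for g in groups}
    by_gid = {g["gidNumber"]: g for g in groups if "gidNumber" in g}
    findings = []
    for u in users:
        name = u["sAMAccountName"]
        win_group = by_sid.get(primary_group_sid(u["objectSid"], u["primaryGroupID"]))
        unix_group = by_gid.get(u.get("gidNumber"))
        if win_group is None:
            findings.append((name, "primaryGroupID does not resolve to a group in the domain"))
        elif "gidNumber" not in win_group:
            findings.append((name, f"Windows primary group '{win_group['sAMAccountName']}' "
                                   "has no gidNumber"))
        elif unix_group is None:
            findings.append((name, "gidNumber does not match any group's gidNumber"))
        elif unix_group is not win_group:
            findings.append((name, f"Windows primary group '{win_group['sAMAccountName']}' "
                                   f"!= UNIX primary group '{unix_group['sAMAccountName']}'"))
    return findings


if __name__ == "__main__":
    for user, problem in check_primary_groups(USERS, GROUPS):
        print(f"{user}: {problem}")
```

With the sample data only bob and carol are reported; alice is consistent. On a real directory, feed the function the user and group attributes exported with ldapsearch, keeping objectSid in its string form.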