Steven Fu
2016-May-20 00:06 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
We have a environment that the we cannot(don't want to) use winbind to join samba server to the win2003 AD(with LDAP RFC2307bis Schema and uid/gid setup for users). We managed to get the linux (CentOS) to accept windows domain user ssh to it(with nss/nslcd/kerberos settings). But couldn't make samba server to use the same way to serve windows domain users. Found this page: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607771 But couldn't get it working. Also found this page: https://wiki.samba.org/index.php/Nslcd which had information that is quite similar to what we are trying to do, but was deleted saying "After internal discussions, we only provide support for winbind" So now the questions are: 1. Does Samba has a way to support using LDAP/Kerberos without winbind. 2. If yes, where I can find a step-by-step guide on how to do it. (ps: please don't suggest using sssd or realm join, we know those maybe the right way to go in the future, but its not for this environment right now.) Thanks! Regards, Steven
Rowland penny
2016-May-20 07:23 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
On 20/05/16 01:06, Steven Fu wrote:> We have a environment that the we cannot(don't want to) use winbind to join > samba server to the win2003 AD(with LDAP RFC2307bis Schema and uid/gid > setup for users).Samba provides winbind to do what you need, what have you got against winbind ???> We managed to get the linux (CentOS) to accept windows domain user ssh to > it(with nss/nslcd/kerberos settings). > But couldn't make samba server to use the same way to serve windows domain > users.Again, this should work with winbind.> > Found this page: > https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607771 > But couldn't get it working.Not surprised, it is an extremely old page.> > Also found this page: > https://wiki.samba.org/index.php/Nslcd > which had information that is quite similar to what we are trying to do, > but was deleted saying "After internal discussions, we only provide support > for winbind"It was decided that because Samba only produces winbind, it would only support the use of winbind. Samba has no control over sssd and nlscd etc, so it was decided to leave the support of the use of these with Samba to the distros.> > So now the questions are: > 1. Does Samba has a way to support using LDAP/Kerberos without winbind.No> 2. If yes, where I can find a step-by-step guide on how to do it.Nowhere> > (ps: please don't suggest using sssd or realm join, we know those maybe the > right way to go in the future, but its not for this environment right now.)You do know that the latest sssd uses a version of a winbind lib ? Rowland
Sketch
2016-May-20 14:04 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
On Thu, 19 May 2016, Steven Fu wrote:> So now the questions are: > 1. Does Samba has a way to support using LDAP/Kerberos without winbind. > 2. If yes, where I can find a step-by-step guide on how to do it. > > (ps: please don't suggest using sssd or realm join, we know those maybe the > right way to go in the future, but its not for this environment right now.)I have no experience with nslcd, but just wanted to point out that you can use sssd in pure ldap mode without using the ad provider or realmd. This is what I do, and it works just fine. Potential caveats: my shares are on CentOS 6 with Samba 3.6, and don't use windows ACLs, only unix uid/gids. Samba used to have better and more concise documentation on configuration, but unfortunately they appear to have removed it recently, so the fedora SSSD wiki directions are probably the best, if you choose to go that route: https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server A couple of notes which may possibly help you with nslcd... You need to run "net ads join" to join the domain if you want functioning kerberos, as this is what causes the DC to create the required principals on the server side. You don't need winbind for the join. You need to set "kerberos method = system keytab" in your smb.conf _before_ you run "net ads join" (there's no harm in re-joining if you've already done it), or you won't have a working system keytab on the client (running the smbd server) which can be used by other services like ssh. I'm not sure if this is really necessary if you only want kerbros working in Samba. sssd also handles things like automated kerberos ticket renewals. I am not sure if nslcd does, you may possibly have issues with clients that stay connected for long periods of time if it doesn't.
Rowland penny
2016-May-22 08:43 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
On 22/05/16 05:01, Dewayne Geraghty wrote:> > > Rowland, I'm in a similar situation. We use virtual machines on one > physical host that calls upon AD (mail, squid, ...). nslcd is less > complex to install/maintain due to lower number of additional > libraries/packages required, as well as less resource impact. > > Name RSS VSZ No of shared libs > winbindd 46.9M 84.3M 120 > nslcd 6.8M 35.8M 19 > taken from FreeBSD 10.3 >Whilst nslcd appears to use less libs, over 98% of the libs used by winbindd are also used by smbd (you are using smbd, aren't you? ), so you may be installing more libs than needed. As for complexity of install, winbindd uses smb.conf and you will have set this up anyway. To put it bluntly, if you use nlscd, you are installing and setting it up to do something that winbind will do very easily. Rowland
mathias dufresne
2016-May-23 11:51 UTC
[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?
The attributes chosen to produce users from AD is important too. Windows users (users accessing a Samba share from a Windows platform) use primaryGroupID as main group ID when generally UNIX users are based on RFC2307 attributes (gibNumber for main group). If my understanding is correct this is to be taken in account too to get right ACLs on files on Samba shares. 2016-05-22 10:43 GMT+02:00 Rowland penny <rpenny at samba.org>:> On 22/05/16 05:01, Dewayne Geraghty wrote: > >> >> >> Rowland, I'm in a similar situation. We use virtual machines on one >> physical host that calls upon AD (mail, squid, ...). nslcd is less complex >> to install/maintain due to lower number of additional libraries/packages >> required, as well as less resource impact. >> >> Name RSS VSZ No of shared libs >> winbindd 46.9M 84.3M 120 >> nslcd 6.8M 35.8M 19 >> taken from FreeBSD 10.3 >> >> > Whilst nslcd appears to use less libs, over 98% of the libs used by > winbindd are also used by smbd (you are using smbd, aren't you? ), so you > may be installing more libs than needed. As for complexity of install, > winbindd uses smb.conf and you will have set this up anyway. To put it > bluntly, if you use nlscd, you are installing and setting it up to do > something that winbind will do very easily. > > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Apparently Analagous Threads
- How to configure samba to use LDAP/Kerberos authentication without using winbind?
- Still confused about kerberos password expiry
- Remote linux auth vs samba4: winbind or nslcd + openldap.
- NSLCD works, do I need RFC2307 extensions enabled in AD as well?
- NSLCD works, do I need RFC2307 extensions enabled in AD as well?