MI
2016-Jul-07 20:06 UTC
[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)
I'm confused about how to authenticate users of other Unix services with Samba4 AD.

After trying the classic upgrade on a test server, I can use smbclient. However, "getent passwd" doesn't show the users, and I'm not sure what I have to do now.

On the live machines, I have openldap, pam-ldapd and nslcd running to authenticate users of Samba 3 as well as ssh, postfix, dovecot, apache, mediawiki, postgresql, etc.

For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd, kerberos, and don't quite understand which of these I actually need.

The point is to use the Samba4 AD-DC to authenticate users for the other Linux services, including on other machines which may not be running Samba. Particularly for SSH and mail.

All the Linux machines run Debian 8.
L.P.H. van Belle
2016-Jul-08 06:46 UTC
[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)
> For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd, kerberos, and
> don't quite understand which of these I actually need.

It's your party... and you forgot pam-ldap ;-)

You need to set UID/GIDs on the users and groups.
And you need to make sure these users have a home dir.

I choose kerberos for my linux auth.
For example, for ssh, if you install ssh-krb5 in debian, you can use the AD-AC users to login on the linux systems.

Look here: https://wiki.samba.org/index.php/User_Documentation
A bit toward the bottom there are some examples.
Like: https://wiki.samba.org/index.php/OpenSSH_Single_sign-on

If you run pam-auth-update you can see the pam selected things.

Hope this helps you a bit.

Greetz,

Louis
Yvan Masson
2016-Jul-08 08:22 UTC
[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)
Hi,

Please correct me if I am wrong, but here are some possibilities:

- as Louis said, use ssh-krb5 to authenticate through AD's Kerberos (never tried that, interesting to know)
- install pam-ldap to authenticate through AD's LDAP (never tried)
- if you issued "net ads join..." to integrate the box to your domain, you can use pam-winbind to authenticate
- you can also use sssd to integrate the domain and then pam-sss to authenticate (maybe the easiest, but then impossible to use samba to share files or printers)

Personally I use the last two. Those imply that your Linux box is integrated into the domain (which can be good or not).

Regards,
Yvan
MI
2016-Jul-08 09:03 UTC
[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)
Thanks.

pam-ldap is what I have now (libpam-ldapd 0.9.4-3+deb8u1) and which worked with openldap.

I do have UIDs/GIDs, which seem to have been preserved in the classicupgrade:

    # ldbsearch -H ldap://localhost -U Administrator -b "CN=Users,DC=ad,DC=mydomain,DC=tld" ...

    # record 75
    dn: CN=tobias,CN=Users,DC=ad,DC=mydomain,DC=tld
    cn: tobias
    name: tobias
    sAMAccountName: tobias
    displayName: Tobias Xyz
    uidNumber: 1038
    objectClass: top
    objectClass: posixAccount
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    unixHomeDirectory: /home/tobias
    gidNumber: 513

Maybe I only need some simple settings somewhere to use the Samba4 LDAP instead of openldap?
L.P.H. van Belle
2016-Jul-08 09:34 UTC
[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)
This should also work on Samba4 since AD = ldap.
Just take notice of the latest security changes as of 4.4.2+ (or 4.3.8+ or 4.2.10+).

So, a few tips for debian/ubuntu.
Read: https://www.spinics.net/lists/samba/msg134098.html
And what's missing there is that your CA Root must be in .crt format.

Greetz,

Louis
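The following nslcd.conf sketch is an added example, not part of any message in this thread: it shows the kind of change the two preceding messages point at, with the clear-text bind carried over from OpenLDAP beside a TLS-verified form using the AD attribute names from the ldbsearch output. The DC hostname, bind account and CA file path are placeholders, and reading the "security changes" as Samba's `ldap server require strong auth` default is an assumption.

```conf
# /etc/nslcd.conf -- constructed example, not taken from the thread.
# Hostname, bind account and CA path are placeholders.

uid nslcd
gid nslcd

# Weak form, as often carried over from an OpenLDAP setup:
# a simple bind sent in clear text. A Samba AD DC with
# "ldap server require strong auth = yes" (the smb.conf default)
# rejects simple binds on unencrypted connections.
#uri ldap://dc1.ad.mydomain.tld
#ssl off

# Hardened form: LDAP over TLS, with the DC certificate verified
# against the CA root (PEM-encoded .crt file).
uri ldaps://dc1.ad.mydomain.tld
base dc=ad,dc=mydomain,dc=tld
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ad-ca-root.crt

# Unprivileged lookup account (placeholder DN). The password sits
# in this file, so keep it readable only by root and the nslcd user.
binddn CN=nslcd-bind,CN=Users,DC=ad,DC=mydomain,DC=tld
bindpw REPLACE_ME

# Active Directory behaviour
pagesize 1000
referrals off

# Only accounts that carry the RFC 2307 attributes become Unix users.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName
filter group  (&(objectClass=group)(gidNumber=*))
```

With `tls_reqcert demand`, a missing or mismatched CA file makes lookups fail outright instead of silently falling back to an unverified connection, so a successful `getent passwd` also confirms the TLS trust path.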
Guilherme Boing
2016-Jul-08 11:22 UTC
[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)
This is how I get my linux servers to authenticate with ad users: http://pastebin.ca/3185321

You should be able to authenticate every server that has ldap support with the samba4 ad.