On Sat, 1 Jul 2017 16:30:25 +0100, Rowland Penny via samba wrote:

> On Sat, 01 Jul 2017 11:48:21 -0300
> Guido Lorenzutti via samba wrote:
>
>> Hi there! I've been using samba3 with ldap for years, and now I'm about to move to samba4 to leave the slapd.
>
> I take it you mean that you use Samba as an AD DC

Exactly.

>> I didn't try yet to migrate the directory from samba3 to samba4. But I did set up a new domain and everything looks ok. My doubt is related to the configuration of the computers with linux so that they can take advantage of the users and passwords of ldap. But also, groups that are unix exclusive.
>
> It doesn't work that way, you create groups in AD and then make them Unix groups as well.
>
>> I didn't find a way to create groups that in samba3 were only unix: smbgroupadd group (without the -a). Is this possible?
>
> No, not unless you create a new NT4-style domain and I strongly urge you not go down this path, they are things of the past and Microsoft seems to be trying to make it harder and harder to use them.

We used to hide some information from our windows group, to make acls only in unix groups. But well.. I think we can start sharing that info with the domain groups.

>> Also, I don't want to install winbind in every workstation to authenticate against samba4. How ca
>
> ok.
>
> Why do you want to do this ?
> The way the Samba code is now written, it needs winbind installed, so you might as well use it.
>
> See here for more info on setting up a Unix domain member:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland

I read that to join a squid proxy to the domain. But it's a pain to have to install winbind on every unix I have just to be able to use the same credentials as the samba domain. Before samba4, I was able to use ldap. Samba4 has a ldap like service. There should be a way to use that, an ldapsearch, for example. And of course, pam_ldap.
On Sat, 01 Jul 2017 14:19:13 -0300
Guido Lorenzutti <guido at lorenzutti.com.ar> wrote:

> We used to hide some information from our windows group, to make acls only in unix groups. But well.. I think we can start sharing that info with the domain groups.

You can do something very similar by using ACLs, create groups in AD, add RFC2307 attributes and add your Unix users to the groups. You can then make only members of these Unix groups be allowed access to a share.

> I read that to join a squid proxy to the domain. But it's a pain to have to install winbind on every unix I have just to be able to use the same credentials as the samba domain. Before samba4, I was able to use ldap. Samba4 has a ldap like service. There should be a way to use that, an ldapsearch, for example. And of course, pam_ldap.

You need to speak to Louis van Belle about squid, he is the expert.

I don't understand your problem with winbind, if you do use nslcd, you will have to configure smb.conf, the nslcd conf file and run k5start to ensure that kerberos refreshes tickets. If you use winbind, you will just have to configure smb.conf. You have to configure smb.conf anyway, so why bother with nslcd ? Just what does nslcd give you that winbind doesn't ? I should also point out that nslcd isn't supported by Samba.

What do you want to authenticate to Samba ?

Rowland
On Sat, 1 Jul 2017 19:27:09 +0100, Rowland Penny via samba wrote:

> On Sat, 01 Jul 2017 14:19:13 -0300
> Guido Lorenzutti wrote:
>
>> We used to hide some information from our windows group, to make acls only in unix groups. But well.. I think we can start sharing that info with the domain groups.
>
> You can do something very similar by using ACLs, create groups in AD, add RFC2307 attributes and add your Unix users to the groups. You can then make only members of these Unix groups be allowed access to a share.

Great.

>> I read that to join a squid proxy to the domain. But it's a pain to have to install winbind on every unix I have just to be able to use the same credentials as the samba domain. Before samba4, I was able to use ldap. Samba4 has a ldap like service. There should be a way to use that, an ldapsearch, for example. And of course, pam_ldap.
>
> You need to speak to Louis van Belle about squid, he is the expert.

Everything is ok with the squid for the time being... I'm using kerberos only.

> I don't understand your problem with winbind, if you do use nslcd, you will have to configure smb.conf, the nslcd conf file and run k5start to ensure that kerberos refreshes tickets. If yo
> er with nslcd ? Just what does nslcd give you that winbind doesn't ? I should also point out that nslcd isn't supported by Samba.

I have several barebone systems with the minimum of hard drive, ram, and utilities on the OS. Everything works great only with nslcd and pam_ldap and I have the same users and passwords as the Samba3+OpenLDAP DC.

Now in Samba4 it seems that it's required to have winbind runnin ient and obviously a lot of dependencies... The nslcd uses ldap queries to have all the users, groups, etc, talking directly to the ldap server. If samba4 has a ldap like server, it has to have a way to query the service, to avoid using winbind on eeevery client.

Well, for what you said, I must start to try to give it a go to winbind and hope it doesn't need too much ram to run.

> What do you want to authenticate to Samba ?
>
> Rowland
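Guido's question above is whether the AD DC's LDAP service can be queried the way nslcd/pam_ldap queried OpenLDAP. The script below is an added example, not code from the thread or from the Samba project: it runs the ldapsearch that a Unix client would issue for users carrying RFC2307 attributes and turns the resulting LDIF into passwd(5) lines, which is the same attribute mapping nslcd does (map passwd uid sAMAccountName, map passwd homeDirectory unixHomeDirectory). The DC host dc1.samdom.example.com, the base DN and the sample LDIF are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.  Queries a Samba AD DC's LDAP
# service for users that carry RFC2307 attributes (uidNumber, gidNumber,
# unixHomeDirectory, loginShell) and converts the LDIF into passwd(5) lines,
# i.e. the mapping that nslcd/pam_ldap perform on a Unix client.
# Placeholders (assumed, not from the thread): DC host dc1.samdom.example.com,
# base DN dc=samdom,dc=example,dc=com.

DC_URI="ldaps://dc1.samdom.example.com"
BASE_DN="dc=samdom,dc=example,dc=com"

# Live query.  -Y GSSAPI authenticates with the caller's Kerberos ticket, which
# satisfies the DC's default 'ldap server require strong auth = yes'; a simple
# bind (-x) over plain ldap:// is refused with LDAP result 8
# (strongerAuthRequired).  -o ldif-wrap=no keeps long values on one line so the
# parser below does not have to unfold LDIF continuation lines.
ad_unix_users_ldif() {
    ldapsearch -LLL -Q -Y GSSAPI -o ldif-wrap=no -H "$DC_URI" -b "$BASE_DN" \
        '(&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))' \
        sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell gecos
}

# LDIF (stdin) -> passwd lines (stdout): name:x:uid:gid:gecos:home:shell.
# Entries are separated by blank lines.  Entries without a uidNumber are
# skipped, as the search filter above would skip them.  Base64-encoded values
# ("attr:: ...") are not decoded here.
ldif_to_passwd() {
    awk '
    function flush() {
        if (name != "" && uid != "") {
            printf "%s:x:%s:%s:%s:%s:%s\n", name, uid, gid, gecos, home, shell
        }
        name = uid = gid = gecos = home = shell = ""
    }
    /^$/                   { flush(); next }
    /^sAMAccountName: /    { name  = substr($0, 17) }
    /^uidNumber: /         { uid   = substr($0, 12) }
    /^gidNumber: /         { gid   = substr($0, 12) }
    /^unixHomeDirectory: / { home  = substr($0, 20) }
    /^loginShell: /        { shell = substr($0, 13) }
    /^gecos: /             { gecos = substr($0, 8) }
    END                    { flush() }
    '
}

# Constructed sample output of the query above (not real directory data):
# one user with Unix attributes and one without.
SAMPLE_LDIF='dn: CN=Guido Test,CN=Users,dc=samdom,dc=example,dc=com
sAMAccountName: gtest
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/gtest
loginShell: /bin/bash
gecos: Guido Test

dn: CN=No Unix,CN=Users,dc=samdom,dc=example,dc=com
sAMAccountName: nounix
'

# Runs the parser over the constructed sample and returns the passwd line(s).
demo_passwd() {
    printf '%s' "$SAMPLE_LDIF" | ldif_to_passwd
}

# Usage: sh ad_passwd.sh          -> parses the constructed sample
#        sh ad_passwd.sh --live   -> queries the DC (run kinit first)
if [ "${1:-}" = "--live" ]; then
    ad_unix_users_ldif | ldif_to_passwd
else
    demo_passwd
fi
```

The search filter requires uidNumber and unixHomeDirectory, so accounts that were never given RFC2307 attributes (service accounts, the Administrator account on a fresh domain) never reach the client's passwd map; that is the intended behaviour, and it is why a "not found" on the client is usually a missing attribute in AD rather than an LDAP problem.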
Hi,

See below.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guido Lorenzutti via samba
> Sent: Saturday 1 July 2017 23:21
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] integrating samba with pam
>
> .....
>
>>> I read that to join a squid proxy to the domain. But it's a pain to have to install winbind on every unix I have just to be able to use the same credentials as the samba domain. Before samba4, I was able to use ldap. Samba4 has a ldap like service. There should be a way to use that, an ldapsearch, for example. And of course, pam_ldap.
>>
>> You need to speak to Louis van Belle about squid, he is the expert.

I'm no expert, but maybe I can help. ;-)

> Everything is ok with the squid for the time being... I'm using kerberos only.

Great, you are using kerberos already, so what's the problem? I don't get it, sorry.

...

> I have several barebone systems with the minimum of hard drive, ram, and utilities on the OS. Everything works great only with nslcd and pam_ldap and I have the same users and passwords as the Samba3+OpenLDAP DC.
>
> Now in Samba4 it seems that it's required to have winbind runnin ient and obviously a lot of dependencies...

No, it's not required, but very useful for your keytab refresh. And you can use exactly the same setup (squid+ldap) against samba AD, you only need to make sure your setup has everything for ldaps or you need to lower your AD DC security. Once that's done, life is much easier.

> The nslcd uses ldap queries to have all the users, groups, etc, talking directly to the ldap server. If samba4 has a ldap like server, it has to have a way to query the service, to avoid using winbind on eeevery client.

That's a choice, I use winbind for my keytab refresh not for auth users, I don't use nslcd anywhere. There I use kerberos with ldaps fallback auth.

I just followed most of: http://wiki.squid-cache.org/ConfigExamples

> Well, for what you said, I must start to try to give it a go to winbind and hope it doesn't need too much ram to run.

My usage, System1 8GB ram, debian jessie, winbind 4.6.5, squid 3.5.24 ( own build )

    cat /proc/$(ps x| grep winbind | head -n1| awk {'print $1'})/status | grep Vm
    VmPeak:   266608 kB
    VmSize:   266548 kB
    VmLck:         0 kB
    VmPin:         0 kB
    VmHWM:     10220 kB
    VmRSS:     10160 kB
    VmData:      792 kB
    VmStk:       132 kB
    VmExe:      1092 kB
    VmLib:     22376 kB
    VmPTE:       528 kB
    VmSwap:        0 kB

My usage, System2 8GB ram, debian stretch, winbind 4.6.5-3, squid 3.5.24 ( own build )

    cat /proc/$(ps x| grep winbind | head -n1| awk {'print $1'})/status | grep Vm
    VmPeak:   274744 kB
    VmSize:   274744 kB
    VmLck:         0 kB
    VmPin:         0 kB
    VmHWM:     10088 kB
    VmRSS:     10028 kB
    VmData:      780 kB
    VmStk:       132 kB
    VmExe:      1088 kB
    VmLib:     24232 kB
    VmPTE:       520 kB
    VmSwap:        0 kB

> What do you want to authenticate to Samba ?
>
> Rowland

Greetz,

Louis
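Louis's figures above come from whichever process `ps x | grep winbind | head -n1` matched first. winbindd forks child processes (one per trusted domain plus idmap/cache helpers), `ps x` without `a` lists only the caller's own processes while winbindd runs as root, and the grep can match itself, so a single status file understates the footprint. The script below is an added example, not Louis's command: it sums VmRSS over every process named winbindd. The two status excerpts embedded in it are constructed sample data, not a real measurement.

```shell
#!/bin/sh
# Added example, not from the thread.  winbindd is a family of processes, so
# the resident memory that matters on a small box is the sum over all of them.

# Sum the "VmRSS:" lines of any number of /proc/<pid>/status files read from
# stdin and print the total in kB.
sum_vmrss_kb() {
    awk '/^VmRSS:/ { total += $2 } END { printf "%d\n", total }'
}

# Concatenate the status files of every process whose name is exactly
# winbindd (pgrep -x, so the grep itself is never matched) and report the
# resident total.  Returns 1 when winbindd is not running or pgrep is absent.
winbindd_rss_kb() {
    pids=$(pgrep -x winbindd) || return 1
    for p in $pids; do
        cat "/proc/$p/status"
    done | sum_vmrss_kb
}

# Constructed sample (not real data): two status excerpts, parent and child,
# with the VmRSS values from the two systems quoted above.
SAMPLE_STATUS='Name:   winbindd
VmPeak:   266608 kB
VmRSS:     10160 kB
Name:   winbindd
VmPeak:   274744 kB
VmRSS:     10028 kB
'

# Sum over the constructed sample; returns 20188 (10160 + 10028).
demo_rss_kb() {
    printf '%s' "$SAMPLE_STATUS" | sum_vmrss_kb
}

# Usage: sh winbind_rss.sh -> prints the live total, or the sample total when
# no winbindd is running on this host.
winbindd_rss_kb || demo_rss_kb
```

Run as root, since /proc/<pid>/status of root-owned processes is readable but pgrep must see them; the per-process figures Louis quotes (about 10 MB resident each) multiplied by the number of winbindd children is the number to compare against a barebone system's RAM.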