About the last question, I'll be reading up on samba-tool. Apologies.

A better question is: can I run the DC without an attached DNS server? How little can I get away with running?

In my imagination, I should be able to run just the LDAP+Kerberos parts, AIUI that's all I need, skipping DNS, fileserving, winbind, etc; blame this on my view of AD as a quirky LDAP. Again, scoped for my use cases, which are essentially LDAP-connection-and-lookup against the AD-flavored LDAP that AD contains.

thank you,

m

On Tue, Dec 19, 2017 at 11:01 AM, Martin Langhoff <martin.langhoff at gmail.com> wrote:
> Thank you Louis!
>
> I had https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller in my bag of tricks, now from your link I found https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-2.0-samba-minimal-ad.txt which looks good.
>
> Our Linux platform is CentOS at this time (but I've been a DD and long time debianista). I'll go through both.
>
> How do you create, query user/group records? I'm used to ldapadd, ldapsearch, etc.
>
> thank you,
>
> martin
>
> On Tue, Dec 19, 2017 at 10:41 AM, Martin Langhoff <martin.langhoff at gmail.com> wrote:
>> Hi Samba List,
>>
>> I am developing software which should interop with AD/LDAP, I am looking at using the Samba DC and loading it with some example user accounts.
>>
>> "Interop with AD" means use an AD backend for authentication, retrieval of basic user record and membership info. Simple enough.
>>
>> In the past, I've implemented similar functionality using OpenLDAP as the reference backend (ie, I wrote much of https://docs.moodle.org/33/en/LDAP_authentication ).
>>
>> Are there any guides on how to install and configure Samba's DC _standalone_? Any hints or guidance for me? Does Samba's DC component support this mode of operation?
>>
>> For further info, we are developing and testing on a Linux which carries Samba 4.6.x. Also, I'm an old linux hand, and there's a chance you're using software I contributed to :-)
>>
>> thank you!
>>
>> martin
>> (please CC me as I've subscribed 'no-mail')

-- 
martin.langhoff at gmail.com
- ask interesting questions ~ http://linkedin.com/in/martinlanghoff
- don't be distracted ~ http://github.com/martin-langhoff
  by shiny stuff
Re-sending, this one got stuck. Gmail automagically switched away from plain text :-/

~martin

On Tue, Dec 19, 2017 at 11:07 AM, Martin Langhoff <martin.langhoff at gmail.com> wrote:
> About the last question, I'll be reading up on samba-tool. Apologies.
>
> A better question is: can I run the DC without an attached DNS server? How little can I get away with running?
>
> In my imagination, I should be able to run just the LDAP+Kerberos parts, AIUI that's all I need, skipping DNS, fileserving, winbind, etc; blame this on my view of AD as a quirky LDAP. Again, scoped for my use cases, which are essentially LDAP-connection-and-lookup against the AD-flavored LDAP that AD contains.
>
> thank you,
>
> m
On Tue, 19 Dec 2017 11:07:12 -0500 Martin Langhoff via samba <samba at lists.samba.org> wrote:
> About the last question, I'll be reading up on samba-tool. Apologies.
>
> A better question is: can I run the DC without an attached DNS server? How little can I get away with running?
>
> In my imagination, I should be able to run just the LDAP+Kerberos parts, AIUI that's all I need, skipping DNS, fileserving, winbind, etc; blame this on my view of AD as a quirky LDAP. Again, scoped for my use cases, which are essentially LDAP-connection-and-lookup against the AD-flavored LDAP that AD contains.

There is a term for running a Samba AD DC without dns, it is called 'broken' ;-)

AD isn't ldap, it contains its own version of ldap. If you want to use it for authentication by external tools, read up on using AD with the relevant tool.

Rowland
On Tue, Dec 19, 2017 at 11:20 AM, Rowland Penny <rpenny at samba.org> wrote:
> There is a term for running a Samba AD DC without dns, it is called
> 'broken' ;-)

Fair enough.

> AD isn't ldap, it contains its own version of ldap, if you want to use
> it for authentication by external tools, read up on using AD with the
> relevant tool.

We are in full agreement in that "AD isn't ldap, it contains its own version of ldap", and by implication it has quite a few more things than "Just LDAP".

I have implemented, debugged, maintained and supported LDAP authentication plugins for web-based software (most notably Moodle), for some years. Developed and tested against OpenLDAP, then debugged it a bit against actual AD servers because the Samba DC didn't exist.

Now it exists! Woohoo!

"What's the simplest Samba DC I could reasonably use to dev/test against? All I want is to throw a dozen users and three groups in there."

For example, I would love a simple enough setup that I can run in a throwaway VM/container for unit+e2e tests in integration.

cheers,

m
On Tue, 2017-12-19 at 11:07 -0500, Martin Langhoff via samba wrote:
> About the last question, I'll be reading up on samba-tool. Apologies.
>
> A better question is: can I run the DC without an attached DNS server? How little can I get away with running?
>
> In my imagination, I should be able to run just the LDAP+Kerberos parts, AIUI that's all I need, skipping DNS, fileserving, winbind, etc; blame this on my view of AD as a quirky LDAP. Again, scoped for my use cases, which are essentially LDAP-connection-and-lookup against the AD-flavored LDAP that AD contains.

Yes. You can set 'server services = ldap' and just run LDAP. If you are just doing simple binds you won't even need the KDC. That should be enough to keep a web app happy.

Be aware that this configuration isn't tested by the Samba Team, so watch out on upgrades as we may add a dependency on other services, but give it a go.

This certainly should help you test your work against 'AD' without all that fiddling about with Windows, which I guess is your goal. :-)

All the best,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
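Andrew's point that a web app doing "simple binds" never touches the KDC is easiest to see on the wire. The following is an added example written for this thread, not code from the thread's participants or from the Samba project: it hand-encodes an LDAPv3 BindRequest (RFC 4511) in BER, builds a SASL bind alongside it for contrast, and classifies a captured message as one or the other. The bind DN and password are constructed sample values; the `tlv`, `simple_bind_request`, `sasl_bind_request` and `bind_auth_kind` names are this example's own.

```python
"""What 'simple bind' means on the wire, and why it needs no KDC.

Added example, not code from the thread or from Samba. An LDAP 'simple'
bind is a BindRequest whose authentication choice is [0] OCTET STRING
holding the password, so an LDAP-only DC can verify it without Kerberos.
A SASL (e.g. GSSAPI) bind uses choice [3] and is what drags the KDC in.
"""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0] BindRequest, constructed
AUTH_SIMPLE = 0x80    # [0] simple OCTET STRING, primitive (IMPLICIT tag)
AUTH_SASL = 0xA3      # [3] SaslCredentials, constructed (IMPLICIT tag)


def ber_len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """INTEGER for the small non-negative values used here (message id, version)."""
    if not 0 <= value < 0x80:
        raise ValueError("only 0..127 supported")
    return tlv(INTEGER, bytes([value]))


def simple_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = tlv(BIND_REQUEST,
               ber_int(3)
               + tlv(OCTET_STRING, bind_dn.encode())
               + tlv(AUTH_SIMPLE, password.encode()))   # password as plain bytes
    return tlv(SEQUENCE, ber_int(message_id) + bind)


def sasl_bind_request(message_id, mechanism, credentials=b""):
    """Same shape, but authentication is [3] SaslCredentials { mechanism, credentials }."""
    sasl = tlv(AUTH_SASL,
               tlv(OCTET_STRING, mechanism.encode()) + tlv(OCTET_STRING, credentials))
    bind = tlv(BIND_REQUEST, ber_int(3) + tlv(OCTET_STRING, b"") + sasl)
    return tlv(SEQUENCE, ber_int(message_id) + bind)


def read_tlv(buf, pos=0):
    """Decode one TLV; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def bind_auth_kind(message):
    """Classify an LDAPMessage as 'simple', 'sasl', or None if it is not a BindRequest."""
    tag, body, _ = read_tlv(message)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)            # skip messageID
    tag, bind, _ = read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, _, pos = read_tlv(bind)            # skip version
    _, _, pos = read_tlv(bind, pos)       # skip name
    tag, _, _ = read_tlv(bind, pos)       # the authentication choice tag
    return {AUTH_SIMPLE: "simple", AUTH_SASL: "sasl"}.get(tag, "unknown")


if __name__ == "__main__":
    # Constructed sample credentials for a throwaway test realm.
    msg = simple_bind_request(1, "alice@EXAMPLE.TEST", "Passw0rd!")
    print(msg.hex())
    print(bind_auth_kind(msg), b"Passw0rd!" in msg)  # the password is in the clear
```

The last line is the caveat that goes with Andrew's answer: a simple bind carries the password verbatim, which is why the Samba DC refuses simple binds on an unencrypted LDAP connection unless `ldap server require strong auth` is relaxed. Point the web app at `ldaps://` (or StartTLS) against the LDAP-only DC and the KDC stays out of the picture without the credentials going over the wire in plaintext.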
On Tue, Dec 19, 2017 at 1:07 PM, Rowland Penny <rpenny at samba.org> wrote:
> Use the internal dns server when you provision, this will get you the
> simplest DC ;-)

Noted, thanks!

On Tue, Dec 19, 2017 at 1:09 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> Yes. You can set 'server services = ldap' and just run LDAP. If you
> are just doing simple binds you won't even need the KDC. That should
> be enough to keep a web app happy.
>
> Be aware that this configuration isn't tested by the Samba Team, so...

Noted, that's roughly what I expected, suspected.

> This certainly should help you test your work against 'AD' without all
> that fiddling about with Windows, which I guess is your goal. :-)

You guessed squarely right!

> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Wait, What!? Catalyst has a Samba team? Cheers to the crowd over there. Keep rocking the shaky isles.

cheers,

m
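Pulling the thread's advice together (Rowland's "provision with the internal DNS server", Andrew's `server services = ldap`, and Martin's questions about creating and querying users and groups for a throwaway dev/test DC with a dozen users and three groups), here is an added example of how such a fixture could be scripted. It is not code from the thread's participants or from the Samba project. It assumes `samba-tool` and OpenLDAP's `ldapsearch` are on PATH, that `smb.conf` is at `/etc/samba/smb.conf`, and that the daemon is started by hand between the prepare and populate steps; the realm `EXAMPLE.TEST`, the NetBIOS name, the password and the `user1`..`user12` names are constructed placeholders, and every function name is this example's own.

```python
"""Stand up and populate a throwaway Samba AD DC for dev/test.

Added example, not code from the thread or from Samba. Assumes samba-tool and
ldapsearch on PATH and smb.conf at /etc/samba/smb.conf; realm, domain and
password are constructed placeholders for a disposable VM/container.
"""
import re
import subprocess
import sys

REALM = "EXAMPLE.TEST"          # constructed realm
DOMAIN = "EXAMPLE"              # constructed NetBIOS name
ADMIN_PASS = "Passw0rd!"        # constructed throwaway password
SMB_CONF = "/etc/samba/smb.conf"
USERS = [f"user{i}" for i in range(1, 13)]      # a dozen users
GROUPS = {"developers": USERS[0:4],              # three groups
          "testers": USERS[4:8],
          "admins": USERS[8:12]}


def base_dn(realm):
    """example.test -> DC=example,DC=test (the naming context the app searches)."""
    return ",".join(f"DC={label}" for label in realm.lower().split("."))


def provision_cmd(realm=REALM, domain=DOMAIN, adminpass=ADMIN_PASS):
    """Rowland's tip: SAMBA_INTERNAL DNS needs no BIND and gives the simplest DC."""
    return ["samba-tool", "domain", "provision", "--use-rfc2307",
            f"--realm={realm}", f"--domain={domain}", "--server-role=dc",
            "--dns-backend=SAMBA_INTERNAL", f"--adminpass={adminpass}"]


def restrict_to_ldap(conf_text):
    """Andrew's setting: add 'server services = ldap' to [global] (idempotent)."""
    if re.search(r"^\s*server services\s*=", conf_text, re.M):
        return conf_text
    return re.sub(r"^(\[global\][ \t]*\n)",
                  lambda m: m.group(1) + "\tserver services = ldap\n",
                  conf_text, count=1, flags=re.M)


def populate_cmds(users=USERS, groups=GROUPS, password=ADMIN_PASS):
    """samba-tool works on the local sam.ldb, so this needs no LDAP client at all."""
    cmds = [["samba-tool", "group", "add", g] for g in groups]
    cmds += [["samba-tool", "user", "create", u, password] for u in users]
    cmds += [["samba-tool", "group", "addmembers", g, ",".join(members)]
             for g, members in groups.items()]
    return cmds


def members_search_cmd(group, realm=REALM, adminpass=ADMIN_PASS):
    """What the web app does: simple bind (-x) over LDAPS, then a membership lookup."""
    base = base_dn(realm)
    flt = f"(&(objectClass=user)(memberOf=CN={group},CN=Users,{base}))"
    return ["ldapsearch", "-x", "-H", "ldaps://localhost",
            "-D", f"Administrator@{realm}", "-w", adminpass,
            "-b", f"CN=Users,{base}", flt, "sAMAccountName"]


def run(cmd, dry_run=False):
    """Run one command, or just print it when dry_run is set."""
    if dry_run:
        print(" ".join(cmd))
        return 0
    return subprocess.run(cmd, check=True).returncode


def prepare_dc(dry_run=False):
    """Step 1: provision, then trim the DC to the LDAP service only."""
    run(provision_cmd(), dry_run)
    if dry_run:
        print(f"# edit {SMB_CONF}: insert 'server services = ldap' under [global]")
        return
    with open(SMB_CONF) as f:
        text = f.read()
    with open(SMB_CONF, "w") as f:
        f.write(restrict_to_ldap(text))


def populate_dc(dry_run=False):
    """Step 2 (after starting samba): load users and groups, then query them."""
    for cmd in populate_cmds():
        run(cmd, dry_run)
    run(members_search_cmd("developers"), dry_run)


if __name__ == "__main__":
    step = sys.argv[1] if len(sys.argv) > 1 else "prepare"
    dry = "--dry-run" in sys.argv
    {"prepare": prepare_dc, "populate": populate_dc}[step](dry)
```

`python fixture.py prepare --dry-run` prints the plan without touching anything; run `prepare`, start the samba daemon (the service name depends on the distribution and whether Samba was packaged or built from source), then `populate`. The search uses `ldaps://` deliberately: with the DC's default `ldap server require strong auth = yes`, a simple bind on plain port 389 is rejected, so the app under test should be pointed at 636 (or use StartTLS), and for a self-signed provisioning certificate the client side either imports that certificate or, for a disposable test box only, sets `LDAPTLS_REQCERT=never`.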