samba - Sep 2018 - design question for small environment

As the unix servers  running linux (I know some people wouldn't call 
that real unix) or a "real" unix like Solaris ?

Linux has sssd which can make things simpler.

In either case you probably need a proxy account for the unix system to 
retrieve user and group info (not passwords) via LDAP.

On 09/11/18 03:56, Rowland Penny via samba wrote:
> On Tue, 11 Sep 2018 08:56:35 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org>
wrote:
>
>> Am 10.09.18 um 11:12 schrieb Rowland Penny via samba:
>>
>>> Hi Stefan, I would set up a small AD domain, one DC, and turn the
>>> two original servers into Unix domain members and then use
kerberos.
>> How would "use kerberos" look like from the client's
view?
>>
> Just like using a password as long as the server is setup correctly.
>
> Rowland
>
>
>

On Wed, 12 Sep 2018 13:33:15 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
> As the unix servers  running linux (I know some people wouldn't call 
> that real unix) or a "real" unix like Solaris ?
> 
> Linux has sssd which can make things simpler.
Just how does sssd make thing simpler ?
Properly set up, winbind can do the same authentication that sssd can.
Or are you thinking of sudo ?, well sudo itself can talk to AD, or what
about autofs ? again this can talk to AD. No, you do not need the
red-hat tools at all.
> 
> In either case you probably need a proxy account for the unix system
> to retrieve user and group info (not passwords) via LDAP.
No, you just need to set up pam correctly, which is easy on debian,
just install libpam_krb5

Rowland

Presumably the unix servers are sharing network shares via samba but not 
NFS.      If you aren't using NFS and if regular users don't need to ssh
or sftp into the server then winbind is probably sufficient.    My 
environment has a mix of unix and windows clients and servers so getting 
uidNumbers and gidNumbers consistent across machines and OS's is 
critical so winbind alone was not sufficient.



If you look at /etc/nsswitch.conf on linux systems you will see entries 
like


passwd:         compat sss
group:          compat sss




sss (sssd ) is the preferred solution for most network authentication.  
sssd can be configured to work with ad, ldap, kerberos, and (i think) 
winbind.

I think the major advantage of sssd is that if you are looking thru 
linux documentation and help forums the examples will assume 
sssd.conf.     sssd allows for password caching which is really more 
useful on a workstation than a server.  And you have a lot of 
flexibility with configuring AD parameters (search paths, proxy accounts.)


I don't think samba uses pam so nsswitch.conf will need to point to 
winbind (either directly or via sssd.)    SSH server has several 
authentication mechanisms -  it checks for kerberos credentials, then it 
checks pam, and then pam would check unix authentication (ie. 
nsswitch.conf.)




On 09/12/18 14:01, Rowland Penny via samba wrote:
> On Wed, 12 Sep 2018 13:33:15 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> As the unix servers  running linux (I know some people wouldn't
call
>> that real unix) or a "real" unix like Solaris ?
>>
>> Linux has sssd which can make things simpler.
> Just how does sssd make thing simpler ?
> Properly set up, winbind can do the same authentication that sssd can.
> Or are you thinking of sudo ?, well sudo itself can talk to AD, or what
> about autofs ? again this can talk to AD. No, you do not need the
> red-hat tools at all.
>
>> In either case you probably need a proxy account for the unix system
>> to retrieve user and group info (not passwords) via LDAP.
> No, you just need to set up pam correctly, which is easy on debian,
> just install libpam_krb5
>
> Rowland
>   
>
>