On 11.12.18 15:23, Rowland Penny via samba wrote:
> On Tue, 11 Dec 2018 15:09:39 +0100
> tseegerkrb via samba <samba at lists.samba.org> wrote:
>
>> Hello list,
>>
>> a quick question. Right now I have a combination of MIT Kerberos,
>> OpenLDAP and SSSD for authenticating my users. Is there a way that
>> Samba can use this setup to perform user authentication? I only want
>> to access the shares of the Samba server from about 8 Windows
>> computers. I am aware that I cannot make an Active Directory out of
>> this.
>>
>> At the moment I have stored the users in a local passdb, which works
>> but is very unpleasant.
>>
>
> That is why Microsoft came up with domains ;-)
>
> If you look at Active Directory, it is basically composed of kerberos,
> ldap and dns, so you can replace your kerberos and ldap servers with a
> Samba AD DC; this also comes with winbind, which will replace sssd.
>
> There is just one possible fly in the ointment: you mention MIT & sssd,
> is this using a Red Hat OS?
> If it is, you cannot use the OS packages to create an AD DC, or if you
> can (Fedora), it shouldn't be used in production.
>
> Rowland
>

Hello Rowland,

thanks for your answer, but I don't want to replace my kerberos & ldap setup with an AD server. Basically I only want to control access to the handful of Samba shares.

Thorsten
On Tue, 11 Dec 2018 15:36:23 +0100 tseegerkrb via samba <samba at lists.samba.org> wrote:
> On 11.12.18 15:23, Rowland Penny via samba wrote:
> > On Tue, 11 Dec 2018 15:09:39 +0100
> > tseegerkrb via samba <samba at lists.samba.org> wrote:
> >
> >> Hello list,
> >>
> >> a quick question. Right now I have a combination of MIT Kerberos,
> >> OpenLDAP and SSSD for authenticating my users. Is there a way that
> >> Samba can use this setup to perform user authentication? I only
> >> want to access the shares of the Samba server from about 8 Windows
> >> computers. I am aware that I cannot make an Active Directory out of
> >> this.
> >>
> >> At the moment I have stored the users in a local passdb, which
> >> works but is very unpleasant.
> >>
> >
> > That is why Microsoft came up with domains ;-)
> >
> > If you look at Active Directory, it is basically composed of
> > kerberos, ldap and dns, so you can replace your kerberos and ldap
> > servers with a Samba AD DC; this also comes with winbind, which will
> > replace sssd.
> >
> > There is just one possible fly in the ointment: you mention MIT &
> > sssd, is this using a Red Hat OS?
> > If it is, you cannot use the OS packages to create an AD DC, or if
> > you can (Fedora), it shouldn't be used in production.
> >
> > Rowland
> >
>
> Hello Rowland,
>
> thanks for your answer, but I don't want to replace my kerberos & ldap
> setup with an AD server. Basically I only want to control access to
> the handful of Samba shares.
>
> Thorsten
>

Well, it's your setup, but using an AD domain parcels it up into one neat package ;-)

There is plenty of info out there on how to do what you want, but it is mostly very old.

Rowland
On 11.12.18 at 15:36, tseegerkrb via samba wrote:
> On 11.12.18 15:23, Rowland Penny via samba wrote:
>> On Tue, 11 Dec 2018 15:09:39 +0100
>> tseegerkrb via samba <samba at lists.samba.org> wrote:
>>
>>> Hello list,
>>>
>>> a quick question. Right now I have a combination of MIT Kerberos,
>>> OpenLDAP and SSSD for authenticating my users. Is there a way that
>>> Samba can use this setup to perform user authentication? I only want
>>> to access the shares of the Samba server from about 8 Windows
>>> computers. I am aware that I cannot make an Active Directory out of
>>> this.

The samba 3 code supports openldap as store for users, machines, groups and other things you need.

>>>
>>> At the moment I have stored the users in a local passdb, which works
>>> but is very unpleasant.

This is really bad. I assume that you mean your userdb for samba are local tdb files. Switch to ldapsam.

>>>
>> That is why Microsoft came up with domains ;-)
>>
>> If you look at Active Directory, it is basically composed of kerberos,
>> ldap and dns, so you can replace your kerberos and ldap servers with a
>> Samba AD DC; this also comes with winbind, which will replace sssd.
>>
>> There is just one possible fly in the ointment: you mention MIT & sssd,
>> is this using a Red Hat OS?
>> If it is, you cannot use the OS packages to create an AD DC, or if you
>> can (Fedora), it shouldn't be used in production.
>>
>> Rowland
>>
>>
> Hello Rowland,
>
> thanks for your answer, but I don't want to replace my kerberos & ldap
> setup with an AD server. Basically I only want to control access to the
> handful of Samba shares.

Your users should auth against openldap with exop control enabled. Openldap should hand over the auth to kerberos. And then install slapo-smbk5pwd on your openldap server. This overlay will sync the samba passwords.

Hint: I have never used sssd and I am sure I never will. For this classic samba setup I prefer nslcd as pam and nss provider. Winbind will also do.

If you are interested in such a setup I am willing to help.

>
> Thorsten
>

--

Harry
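The ldapsam switch Harry recommends, shown as an added smb.conf example that is not from this thread or from the Samba project; the realm-free names (EXAMPLE, FILESRV, ldap.example.org, the dc=example,dc=org DNs and the cn=samba service account) are assumptions. The point a defender should keep in mind: a classic (non-AD) Samba server authenticates Windows clients with NTLM against the sambaNTPassword attribute, so the hash has to exist in LDAP and be kept in step with the Kerberos password, which is the job of the smbk5pwd overlay; Samba itself never sees the Kerberos principal here.

```ini
[global]
   workgroup = EXAMPLE
   netbios name = FILESRV

   ; classic standalone file server, not an AD DC
   server role = standalone server
   security = user

   ; account data moves from local tdb files into OpenLDAP;
   ; ldaps:// carries the bind credentials and hashes over TLS
   passdb backend = ldapsam:ldaps://ldap.example.org
   ldap suffix = dc=example,dc=org
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers

   ; dedicated bind DN; grant it write access only to the samba*
   ; attributes in slapd's ACLs, never a directory-wide manager DN.
   ; Its secret is stored in secrets.tdb with: smbpasswd -w <secret>
   ldap admin dn = cn=samba,ou=Services,dc=example,dc=org
   ldap ssl = off

   ; password changes made through Samba are written to LDAP so the
   ; overlay can propagate them; set to "only" if LDAP (not Samba)
   ; should own the hash update
   ldap passwd sync = yes

   ; refuse NTLMv1 and SMB1 from the Windows clients
   ntlm auth = no
   server min protocol = SMB2

[share]
   path = /srv/share
   valid users = @smbusers
   read only = no
```

On the OpenLDAP side the overlay is loaded with `moduleload smbk5pwd.la` and enabled per database with `overlay smbk5pwd` plus `smbk5pwd-enable samba`; whether its Kerberos half applies to a given KDC is discussed further down in the thread. `testparm -s` validates the file before smbd is restarted.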
On 11.12.18 18:19, walk2sun via samba wrote:
> On 11.12.18 at 15:36, tseegerkrb via samba wrote:
>> On 11.12.18 15:23, Rowland Penny via samba wrote:
>>> On Tue, 11 Dec 2018 15:09:39 +0100
>>> tseegerkrb via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello list,
>>>>
>>>> a quick question. Right now I have a combination of MIT Kerberos,
>>>> OpenLDAP and SSSD for authenticating my users. Is there a way that
>>>> Samba can use this setup to perform user authentication? I only want
>>>> to access the shares of the Samba server from about 8 Windows
>>>> computers. I am aware that I cannot make an Active Directory out of
>>>> this.
>
> The samba 3 code supports openldap as store for users, machines, groups
> and other things you need.
>

I think that's not possible, because I use SASL and the userPassword attribute contains something like "{SASL}username@KERBEROS.REALM".

>>>>
>>>> At the moment I have stored the users in a local passdb, which works
>>>> but is very unpleasant.
>
> This is really bad. I assume that you mean your userdb for samba are
> local tdb files.

yes

>
> Switch to ldapsam.
>
>>>>
>>> That is why Microsoft came up with domains ;-)
>>>
>>> If you look at Active Directory, it is basically composed of kerberos,
>>> ldap and dns, so you can replace your kerberos and ldap servers with a
>>> Samba AD DC; this also comes with winbind, which will replace sssd.
>>>
>>> There is just one possible fly in the ointment: you mention MIT & sssd,
>>> is this using a Red Hat OS?
>>> If it is, you cannot use the OS packages to create an AD DC, or if you
>>> can (Fedora), it shouldn't be used in production.
>>>
>>> Rowland
>>>
>>>
>> Hello Rowland,
>>
>> thanks for your answer, but I don't want to replace my kerberos & ldap
>> setup with an AD server. Basically I only want to control access to the
>> handful of Samba shares.
>
> Your users should auth against openldap with exop control enabled.
> Openldap should hand over the auth to kerberos. And then install
> slapo-smbk5pwd on your openldap server. This overlay will sync the samba
> passwords.

slapo-smbk5pwd is for the Heimdal kerberos server only. I use the MIT kerberos server. There was a fork for MIT kerberos but I believe the project is dead.

>
> Hint: I have never used sssd and I am sure I never will. For this
> classic samba setup I prefer nslcd as pam and nss provider. Winbind will
> also do.

everything except samba is working very nicely with sssd.

>
> If you are interested in such a setup I am willing to help.
>
>>
>> Thorsten
>>
> --
>
> Harry
>

Is it possible to create a trust between a samba4 AD and a MIT kerberos realm?

Thorsten