Chunduru, Krishnachaithanya
2019-Jul-13 11:49 UTC
[Samba] Need help on Samba authentication with ldap
Hi Team,

Hope you are doing great !!

We are planning to migrate our Samba shares from AIX to Linux, so that we can use ldap for authentication.

Initially we planned to add the server to the AD domain for authentication, but that is not possible in our case.

So we are having only option to authenticate users with ldaps. We have installed openldap-clients, openldap and nss_ldap packages and are stuck from there.

Can someone please help us on this.

Regards,
Krishna

On 13/07/2019 12:49, Chunduru, Krishnachaithanya via samba wrote:
> Hi Team,
>
> Hope you are doing great !!
>
> We are planning to migrate our Samba shares from AIX to Linux, so that we can use ldap for authentication.

Why do you have to use ldap for authentication ?

> Initially we planned to add the server to the AD domain for authentication, but that is not possible in our case.

Why not, what was the problem ?

> So we are having only option to authenticate users with ldaps. We have installed openldap-clients, openldap and nss_ldap packages and are stuck from there.

Let's start with a view of your smb.conf.

Rowland

On 14/07/2019 12:27, Chunduru, Krishnachaithanya wrote:
> Hi,
>
> Thank you for the response.
>
> Below is the smb.conf. We haven't configured the shares yet.
>
> # See smb.conf.example for a more detailed config file or
> # read the smb.conf manpage.
> # Run 'testparm' to verify the config is correct after
> # you modified it.
>
> [global]
>     workgroup = SAMBA
>     security = user
>     passdb backend = tdbsam
>     printing = cups
>     printcap name = cups
>     load printers = yes
>     cups options = raw
>
> [homes]
>     comment = Home Directories
>     valid users = %S, %D%w%S
>     browseable = No
>     read only = No
>     inherit acls = Yes
>
> [printers]
>     comment = All Printers
>     path = /var/tmp
>     printable = Yes
>     create mask = 0600
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/drivers
>     write list = @printadmin root
>     force group = @printadmin
>     create mask = 0664
>     directory mask = 0775

There is no mention of ldap there, so how do you plan to use ldap ?

> -----Original Message-----
>
> On 13/07/2019 12:49, Chunduru, Krishnachaithanya via samba wrote:
>> Hi Team,
>>
>> Hope you are doing great !!
>>
>> We are planning to migrate our Samba shares from AIX to Linux, so that we can use ldap for authentication.
> Why do you have to use ldap for authentication ?

I will ask this again as you chose to ignore this question: Why do you have to use ldap for authentication ?

>> Initially we planned to add the server to the AD domain for authentication, but that is not possible in our case.
> Why not, what was the problem ?

Again, an ignored question: Why can you not join the AD domain ?

>> So we are having only option to authenticate users with ldaps. We have installed openldap-clients, openldap and nss_ldap packages and are stuck from there.

I think you need to explain your set up, it sounds like there is more to this than at first sight.

Rowland

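The point made in the reply above, that the posted smb.conf never refers to LDAP, can be checked from the `[global]` section alone. The script below is an added example and not part of any message in this thread; it reads `security` and `passdb backend` and reports where smbd would look up accounts. The `ldapsam` variant and its URL are constructed placeholders, and an unset `security` is treated as a standalone server for simplicity.

```python
# Added example: report which account database a Samba [global] section selects.
# POSTED_GLOBAL holds the authentication-related lines quoted in the thread.
POSTED_GLOBAL = """\
[global]
    workgroup = SAMBA
    security = user
    passdb backend = tdbsam
"""

# Constructed variant for comparison; the URL is a placeholder, not from the thread.
LDAPSAM_GLOBAL = """\
[global]
    workgroup = SAMBA
    security = user
    passdb backend = ldapsam:ldaps://ldap.example.invalid
"""


def parse_global(text):
    """Return the [global] parameters as a dict with normalised names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and repeated spaces
            params[" ".join(key.lower().split())] = value.strip()
    return params


def auth_source(text):
    """Classify where smbd looks up accounts for this configuration."""
    p = parse_global(text)
    # Assumption: an unset 'security' is treated as a standalone server.
    security = p.get("security", "user").lower()
    backend = p.get("passdb backend", "tdbsam")
    if security == "ads":
        return "ad-member"
    if security == "domain":
        return "nt4-member"
    kind = backend.split(":", 1)[0].lower()
    if kind == "ldapsam":
        tls = "ldaps" if backend.lower().startswith("ldapsam:ldaps://") else "check 'ldap ssl'"
        return f"ldapsam ({tls})"
    return f"local-{kind}"
```

For the configuration posted in the thread, `auth_source(POSTED_GLOBAL)` returns `local-tdbsam`: accounts come from the local TDB database, whatever LDAP client packages are installed on the host.
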
On 14/07/2019 18:22, Chunduru, Krishnachaithanya wrote:
> Hi,
>
> We configured the /etc/ldap/ldap.conf to make sure the server checks the correct ldap domain for authentication.
>
> Can you please let me know what is missing in the smb.conf to make sure it goes to ldap.

Not until you answer my questions.

Why do you have to use ldap for authentication ?

Why can you not join this computer to the AD domain ?

What is the DC ?

Failure to answer these questions will mean I will not reply to any further posts. I am trying to help you here, you really do not want to use ldap unless as a last resort.

Rowland

On 23/07/2019 09:50, Chunduru, Krishnachaithanya wrote:
> Hi Rowland,
> I'm extremely sorry about by.
> Due to the mail client issue, I was not able to read the questions
> asked inline on the trail mails.

I thought it had gone quiet ;-)

> I'm gathering more information from my AD team, so that it will be
> help in understanding the issue.
> I tried to answer the below to my knowledge:
> 1) Why do you have to use ldap for authentication ?
>
>   * Our AD team told we won't be able to integrate our linux server to
>     the domain, since both of these servers in different domains all
>     together and suggested to use ldap. We are in touch with them to
>     know if we can change the domain of our linux server to that of
>     the domain.

It gets a bit more involved than that, you will have to use the same DNS domain, workgroup etc and then join your computers to the AD domain.

> 2) Why can you not join this computer to the AD domain ?
>
>   * Both the servers (AD & Linux) are in different domains.

See above

> c) What is the DC ?
>
>   * This is what I got from AD team, the base
>     DC=bsg,DC=ad,DC=adp,DC=com, but they told they can't share the AD
>     server names.

No, what are they, Windows DCs (if so what version ?) or Samba AD DCs ?

What info do you require from the AD ?

Rowland