Mike
2021-Jan-29 13:15 UTC
[Samba] Deploying Samba AD into Windows / Linux / OpenLDAP / Kerberos network
Hi All,

I have a small network at home of mostly Linux hosts. I have OpenLDAP set up for user information, MIT Kerberos for authentication and BIND for DNS. I've also acquired a handful of Windows hosts. I've finally got around to setting up a shared filesystem (NFS / Samba) to share files between hosts. At this point (feature creep) it occurred to me that it might be nice to have central authentication for the Windows machines and even nicer to actually synchronise / integrate that with Linux hosts. I've had a look at Samba AD and it looks like there may be many ways to approach this, so I was hoping to get some input from the community as to the best approach to go with.

It looks like it makes sense to use Samba as an AD server. The first thoughts that spring into my mind are:

* LDAP: Does it make more sense to allow Samba to handle the AD parts of LDAP with its own LDAP stuff, or should I try to use my existing OpenLDAP system? Is it possible to have Linux and Windows read the same user object in LDAP (this would be marginally neater), or would one have to define a Linux user and a Windows user as two objects?

* BIND: Again, should one attempt to use one's existing BIND zones for AD or let Samba handle it internally in its own subdomain?

* Kerberos: This is probably the big one. One would expect a user to be able to log into either a Linux or Windows box. Is there a neat way to use the same accounts? Can Samba use the existing Kerberos infrastructure, and indeed should it? I've read that MIT Kerberos support in Samba is experimental; does this mean "it works but we wouldn't want to stake our reputations on it" or "it doesn't work"? Would a better approach be to allow Samba to manage its own Kerberos and create the users in MIT Kerberos and use cross-realm authentication to make the users available to Linux and AD (does this work)?

I guess this boils down to two questions:

1) Should one just install Samba AD and let it handle its own stuff, or should one aim to backend it all with my existing BIND/LDAP/Kerberos?

2) How should one set it up so that one can create a user that can seamlessly log into both Linux and Windows hosts?

Thanks in advance for any advice,

Regards,
Mike.
Rowland penny
2021-Jan-29 13:54 UTC
[Samba] Deploying Samba AD into Windows / Linux / OpenLDAP / Kerberos network
On 29/01/2021 13:15, Mike via samba wrote:
> * Kerberos: This is probably the big one. One would expect a user to be
> able to log into either a Linux or Windows box. Is there a neat way to
> use the same accounts? Can Samba use the existing Kerberos
> infrastructure and indeed should it?

Samba could use an existing KDC, but it wouldn't be AD.

> I've read that MIT kerberos
> support in Samba is experimental, does this mean "it works but we
> wouldn't want to stake our reputations on it" or "it doesn't work"?

It does work, but not as fully as the built-in Heimdal Kerberos; there are several big problems, hence 'experimental'.

> Would a better approach be to allow Samba to manage its own Kerberos and
> create the users in MIT kerberos and use cross-realm authentication to
> make the users available to Linux and AD (does this work)?

I would just let Samba be the KDC; there really is no point to two KDCs in a home network.

> I guess this boils down to two questions:
>
> 1) Should one just install Samba AD and let it handle its own stuff or
> should one aim to backend it all with my existing BIND/LDAP/Kerberos?

Oh yes, just install Samba; after that you don't need the separate servers.

> 2) How should one set it up so that one can create a user that can
> seamlessly log into both Linux and Windows hosts?

Windows will just use the users & groups in AD (after you join to the domain), and you just install Samba on the Linux hosts and configure it as a Unix domain member.

Any questions, just ask.

Rowland
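A concrete version of the Unix domain member setup Rowland describes, added here as an example and not taken from the thread: a minimal smb.conf for a Linux host joined to the Samba AD domain. The realm HOMENET.EXAMPLE, the NetBIOS name HOMENET and the ID ranges are placeholders, not values from the original posts.

```ini
; /etc/samba/smb.conf on a Linux host joined as a Unix domain member.
; Constructed example: HOMENET / HOMENET.EXAMPLE are placeholders for the real domain.
[global]
    workgroup = HOMENET
    realm = HOMENET.EXAMPLE
    security = ADS

    ; Catch-all mapping for BUILTIN and any other SIDs. The '*' range must not
    ; overlap the domain range below, or two different SIDs can end up with
    ; the same UID/GID on the filesystem.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    ; Derive UID/GID from the AD RID so every Linux host maps the same AD user
    ; to the same UID without storing extra attributes in the AD user object.
    ; To read uidNumber/gidNumber from the AD object instead (one object
    ; serving both Windows and Linux), use "backend = ad" with
    ; "schema_mode = rfc2307" and populate those attributes in AD.
    idmap config HOMENET : backend = rid
    idmap config HOMENET : range = 10000-999999

    ; Winbind exposes AD users and groups to NSS/PAM; the machine account
    ; keytab lets Kerberos logins work with the Samba AD KDC alone,
    ; so no separate MIT KDC is needed on the Linux side.
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = no
    kerberos method = secrets and keytab
    template shell = /bin/bash
    template homedir = /home/%U
```

After `net ads join -U Administrator` and adding `winbind` to the passwd and group lines of /etc/nsswitch.conf, `wbinfo -u` and `getent passwd <aduser>` should both list the AD accounts; if `getent` returns nothing while `wbinfo` works, the idmap ranges or nsswitch entries are the first thing to check.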