> The problem is, the OP doesn't want to join the domain with all their
> computers. Now you and I know that, to get the best results, it is
> better to join a domain, somehow we have to convince people of this.

I am convinced but do not understand everything yet :)

If I understand this correctly, I join the domain with all our client access machines and our servers. I limit the direct authentication to our servers via group policies. Now I have, as an example, a guacamole instance running on one of our servers. Only the domain-administrator and the server-auth-group have login access. For the guacamole service I want my users to be able to connect to guacamole via ldap (or in this case via ldaps?). For my test scenario I would use my self-signed certificates, but later in a real scenario we have access to real ones.

So with this example it sounds like the easiest and best approach is with kinit and not ldaps. Am I right?

Matti Kaupenjohann

Fachhochschule Dortmund
University of Applied Sciences and Arts

Kaupenjohann, Matti
FB Informationstechnik, Sonnenstraße 96 - 44139 Dortmund
Raum SON-A A615
Tel. 0231 9112 9371
matti.kaupenjohann at fh-dortmund.de
www.fh-dortmund.de

Think before you print!
On 11/05/2023 09:51, matti.kaupenjohann via samba wrote:
>
>> The problem is, the OP doesn't want to join the domain with all their
>> computers. Now you and I know that, to get the best results, it is
>> better to join a domain, somehow we have to convince people of this.
>
> I am convinced but do not understand everything yet:)
>
> If I understand this correct, I join the domain with all our client
> access machines and our servers. I limit the direct authentication to
> our servers via group policies. Now I have as example a guacamole
> instance running on one of our servers. Only the domain-administrator
> and the server-auth-group has login access. For the guacamole service I
> want that my users can connect to guacamole via ldap (or in this case
> via ldaps?). For my test scenario I would use my self signed
> certificates but later in a real scenario we have access to real ones.
> So with this example it sounds like the easiest and best approach with
> kinit and not ldaps. Am I right?
>

I am no longer sure. Andrew has said previously that using kerberos instead of ldaps is more secure because it is encrypted 'end-to-end', but now he seems to be saying something different. He has also previously said that ldaps doesn't work fully on Samba AD and to use kerberos instead, but again, he now seems to be saying the opposite.

However, if Apache Guacamole can use kerberos (and it should be able to), then it will be easier to use, but only from a domain joined machine. On a non joined machine, it should be able to make it work, but will require much more configuration and maintenance.

The reason that domains came about was that admins had to duplicate work on numerous machines and then keep them in sync. With domains, you only have one point of major maintenance.

Rowland
On Thu, 2023-05-11 at 10:51 +0200, matti.kaupenjohann via samba wrote:
> > The problem is, the OP doesn't want to join the domain with all
> > their
> > computers. Now you and I know that, to get the best results, it is
> > better to join a domain, somehow we have to convince people of
> > this.
>
> I am convinced but do not understand everything yet:)
>
> If I understand this correct, I join the domain with all our client
> access machines and our servers. I limit the direct authentication to
> our servers via group policies. Now I have as example a guacamole
> instance running on one of our servers. Only the domain-administrator
> and the server-auth-group has login access. For the guacamole service
> I
> want that my users can connect to guacamole via ldap (or in this case
> via ldaps?). For my test scenario I would use my self signed
> certificates but later in a real scenario we have access to real
> ones.
> So with this example it sounds like the easiest and best approach
> with
> kinit and not ldaps. Am I right?

As long as you supply and check your TLS certificates, the standard guides for AD LDAP look good to me:

This one is using plaintext:
https://stackoverflow.com/questions/56136686/how-to-authenticate-to-apache-guacamole-using-active-directory-authentication-by

This one is using SSL:
https://www.mogilowski.net/2020/05/06/setup-ldap-ad-authentication-for-guacamole-1-1-0-part-3/

I wish you all the best and am sorry if there has been any confusion.

The guacamole web application should probably just bind to AD via LDAPS and simple binds. Any end servers that this provides access to should probably be domain joined (Samba or sssd) for the best experience, as this will be able to use Kerberos and maintain the machine account etc. for you.

Otherwise you get into a pickle as, just as guacamole needs that 'search account', every other server needs one too, and you may as well just be standard and use a machine account for those.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT   https://catalyst.net.nz/services/samba
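The setup Andrew describes (the guacamole web application doing simple binds to AD over LDAPS with a dedicated search account, and the TLS certificate actually being checked) corresponds to the guacamole-auth-ldap settings in guacamole.properties. The fragment below is an added example, not taken from the thread or from the linked guides; the hostname, DNs, password and account name are placeholders I made up and need replacing. The plaintext variant Matti was weighing is shown commented out next to the LDAPS one so the difference is visible in one place.

```properties
# Added example (not from the thread): guacamole.properties for the
# guacamole-auth-ldap extension, binding to Samba AD over LDAPS with a
# dedicated search account. Hostname, DNs, account and password are
# assumed placeholders.

# --- Weak setting: plaintext LDAP on 389. The search account's password
# --- and every user's password cross the network unencrypted on bind.
# ldap-hostname: dc1.ad.example.invalid
# ldap-port: 389
# ldap-encryption-method: none

# --- Corrected: LDAPS on 636. The Java runtime verifies the DC's
# --- certificate against its truststore; a self-signed or private-CA
# --- certificate has to be imported there, otherwise the bind fails
# --- with a certificate error instead of silently trusting anything.
ldap-hostname: dc1.ad.example.invalid
ldap-port: 636
ldap-encryption-method: ssl

# Dedicated, low-privilege 'search account' (the one Andrew refers to).
# It only needs read access to the user and group containers.
ldap-search-bind-dn: CN=guac-search,OU=ServiceAccounts,DC=ad,DC=example,DC=invalid
ldap-search-bind-password: change-me

# Where users and groups live, and how the login name maps to AD.
ldap-user-base-dn: OU=Users,DC=ad,DC=example,DC=invalid
ldap-username-attribute: sAMAccountName
ldap-group-base-dn: OU=Groups,DC=ad,DC=example,DC=invalid
ldap-member-attribute: member

# Referral chasing is not needed for a single-domain forest and avoids
# unexpected connections to other hosts.
ldap-follow-referrals: false
```

For the test scenario with self-signed certificates, the CA (or the DC certificate itself) is imported into the truststore of the JVM that runs Tomcat, for example with keytool -importcert -trustcacerts against that JVM's cacerts file; with real certificates later, only the CA that issued them has to be trusted. A quick way to confirm the certificate check before touching guacamole is an ldapsearch against ldaps://dc1.ad.example.invalid as the search account with LDAPTLS_CACERT pointing at the same CA file: if that bind succeeds with verification on, the properties above should work as well.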