[Samba] Using Samba4 AD to authenticate users of other Linux services (SSH, Mail, etc.)
MI
2016-07-07 20:06:31 UTC
I'm confused about how to authenticate users of other Unix services with Samba4 AD.

After trying the classic upgrade on a test server, I can use smbclient. However,
"getent passwd" doesn't show the users, and I'm not sure what I have to do now.

On the live machines, I have openldap, pam-ldapd and nslcd running to authenticate
users of Samba 3 as well as ssh, postfix, dovecot, apache, mediawiki, postgresql, etc.

For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd, kerberos, and don't
quite understand which of these I actually need.

The point is to use the Samba4 AD-DC to authenticate users for the other Linux
services, including on other machines which may not be running Samba. Particularly
for SSH and mail.

All the Linux machines run Debian 8.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-07-08 06:46:09 UTC
Post by MI
For Samba4 AD, I see mentions of pam-winbind, pam-sss, sssd, kerberos, and don't
quite understand which of these I actually need.
It's your party... and, you forgot pam-ldap ;-)

You need to set UID/GIDs on the users and groups.
And you need to make sure these users have a home dir.

I chose Kerberos for my Linux auth.
For example, for ssh, if you install ssh-krb5 in Debian,
you can use the AD-DC users to log in on the Linux systems.
Look here: https://wiki.samba.org/index.php/User_Documentation
A bit towards the bottom there are some examples.
Like: https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
If you run pam-auth-update you can see the selected PAM things.

Hope this helps you a bit.

Greetz,

Louis
Yvan Masson
2016-07-08 08:22:06 UTC
Hi,

Please correct me if I am wrong, but here are some possibilities:
- as Louis said, use ssh-krb5 to authenticate through AD's Kerberos
(never tried that, interesting to know)
- install pam-ldap to authenticate through AD's LDAP (never tried)
- if you issued "net ads join..." to integrate the box to your domain,
you can use pam-winbind to authenticate
- you can also use sssd to integrate the domain and then pam-sss to
authenticate (maybe the easiest, but then impossible to use samba to
share files or printers)

Personally I use the last two. Those imply that your Linux box is
integrated into the domain (which can be good or not).

Regards,
Yvan
MI
2016-07-08 09:03:23 UTC
Thanks.

pam-ldap is what I have now (libpam-ldapd 0.9.4-3+deb8u1), and it worked with openldap.

I do have UIDs/GIDs, which seem to have been preserved in the classicupgrade:

# ldbsearch -H ldap://localhost -U Administrator -b
"CN=Users,DC=ad,DC=mydomain,DC=tld" ...

# record 75
dn: CN=tobias,CN=Users,DC=ad,DC=mydomain,DC=tld
cn: tobias
name: tobias
sAMAccountName: tobias
displayName: Tobias Xyz
uidNumber: 1038
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/tobias
gidNumber: 513


Maybe I only need some simple settings somewhere to use the Samba4 LDAP instead of
openldap?

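One way to check what the classicupgrade left behind, as an added example that is not part of this thread or of Samba: the script below parses ldbsearch-style LDIF (the record format shown above) and reports every user object that lacks one of the attributes nslcd needs to build a passwd line (uidNumber, gidNumber, unixHomeDirectory), which is exactly what makes `getent passwd` stay silent for a user. The sample LDIF is constructed; the `tobias` record mirrors the one quoted above (with the displayName base64-encoded, as ldbsearch does for non-ASCII values), and `alice` and the group entry are made up. Helper names are my own.

```python
"""Audit ldbsearch (LDIF) output for the POSIX attributes that nslcd/pam-ldapd
need to build a passwd entry. Added example for this thread; the helper
names are hypothetical and the sample data is constructed."""
import base64

# nslcd cannot synthesise a passwd line without these three; loginShell is
# left out because nslcd falls back to a default shell when it is absent.
REQUIRED_POSIX = ("uidNumber", "gidNumber", "unixHomeDirectory")

# Constructed sample in the shape ldbsearch prints. 'tobias' mirrors the record
# quoted in the thread; 'alice' (no uidNumber, no home) and the group are made up.
SAMPLE_LDIF = """\
# record 1
dn: CN=tobias,CN=Users,DC=ad,DC=mydomain,DC=tld
cn: tobias
sAMAccountName: tobias
displayName:: VG9iaWFzIFh5eg==
uidNumber: 1038
objectClass: top
objectClass: posixAccount
objectClass: user
unixHomeDirectory: /home/tobias
gidNumber: 513

# record 2
dn: CN=alice,CN=Users,DC=ad,DC=mydomain,DC=tld
cn: alice
sAMAccountName: alice
objectClass: top
objectClass: user
gidNumber: 513

# record 3
dn: CN=Domain Users,CN=Users,DC=ad,DC=mydomain,DC=tld
sAMAccountName: Domain Users
objectClass: top
objectClass: group
gidNumber: 513

# returned 3 records
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.

    Handles folded lines (a leading space continues the previous line),
    base64 values written as 'attr:: ...', and skips '#' comment lines such
    as '# record 75'. Records are separated by blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    records, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def audit_posix(records):
    """Return {sAMAccountName: [missing attributes]} for user objects that
    nslcd could not turn into a passwd entry. Groups and complete users are
    not reported."""
    problems = {}
    for rec in records:
        if "user" not in rec.get("objectClass", []):
            continue
        name = rec.get("sAMAccountName", rec.get("dn", ["?"]))[0]
        missing = [a for a in REQUIRED_POSIX if a not in rec]
        if missing:
            problems[name] = missing
    return problems


if __name__ == "__main__":
    # Real use: ldbsearch ... > users.ldif; python3 audit.py < users.ldif
    for user, missing in audit_posix(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{user}: missing {', '.join(missing)}")
```

Two things follow from the attribute names: nslcd's default passwd filter looks for posixAccount, which the classicupgrade kept here, but on an AD DC the home directory lives in unixHomeDirectory, so nslcd.conf needs `map passwd homeDirectory unixHomeDirectory` (and `map passwd uid sAMAccountName`) before those users show up in `getent passwd`.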
L.P.H. van Belle
2016-07-08 09:34:23 UTC
This should also work on Samba4, since AD = LDAP.

Just take note of the latest security changes as of 4.4.2+
( or 4.3.8+ or 4.2.10+ )

So, a few tips for Debian/Ubuntu.
Read: https://www.spinics.net/lists/samba/msg134098.html
And what's missing there is that your CA root must be in .crt format.


Greetz,

Louis
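The security change Louis refers to is the `ldap server require strong auth = yes` default introduced in 4.4.2 / 4.3.8 / 4.2.10: the DC rejects a simple bind that is not protected by TLS, so nslcd has to talk ldaps:// (or STARTTLS) and verify the DC against the AD CA root, which nslcd expects as a PEM file (the `.crt` format mentioned above). As an added example that is not from the list or from the Samba project, the script below audits an nslcd.conf for exactly those settings, showing a weak pre-4.4.2 configuration next to a hardened one, and converts a DER-encoded CA certificate into PEM when needed. Hostnames, DNs and file paths are made up; the nslcd keywords used (uri, ssl, tls_reqcert, tls_cacertfile, filter, map) are real nslcd.conf directives.

```python
"""Check an nslcd.conf aimed at a Samba AD DC for TLS-protected binds and a
PEM CA root. Added example for this thread; hostnames, DNs and paths are
constructed and the function names are hypothetical."""
import base64

WEAK_CONF = """\
# constructed: pre-4.4.2 style config, simple bind in the clear
uri ldap://dc1.ad.mydomain.tld
base dc=ad,dc=mydomain,dc=tld
binddn cn=nslcd,cn=Users,dc=ad,dc=mydomain,dc=tld
bindpw secret
ssl off
tls_reqcert never
"""

HARDENED_CONF = """\
# constructed: LDAPS, DC certificate verified against the AD CA root (PEM),
# plus the attribute mappings an AD DC needs for passwd lookups
uri ldaps://dc1.ad.mydomain.tld
base dc=ad,dc=mydomain,dc=tld
binddn cn=nslcd,cn=Users,dc=ad,dc=mydomain,dc=tld
bindpw secret
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ad-root-ca.crt
filter passwd (&(objectClass=user)(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
"""


def parse_nslcd_conf(text):
    """Return (keyword, rest) pairs; keywords such as 'map' may repeat."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        entries.append((key.lower(), rest.strip()))
    return entries


def audit_nslcd_conf(text):
    """Return a list of findings; empty means the bind is protected by TLS and
    the DC certificate is verified, which a 4.4.2+ DC requires for a simple
    bind."""
    entries = parse_nslcd_conf(text)

    def value(key):
        return next((rest for k, rest in entries if k == key), None)

    findings = []
    uri = (value("uri") or "").lower()
    ssl = (value("ssl") or "off").lower()
    tls_in_use = uri.startswith("ldaps://") or ssl in ("on", "start_tls")
    if not tls_in_use:
        findings.append("bind credentials cross the network in the clear: "
                        "use a ldaps:// uri (ssl on) or ssl start_tls")
    if (value("tls_reqcert") or "demand").lower() in ("never", "allow"):
        findings.append("tls_reqcert never/allow skips server certificate verification")
    cacert = value("tls_cacertfile")
    if cacert is None:
        findings.append("no tls_cacertfile: point it at the AD CA root in PEM (.crt) form")
    elif not cacert.endswith((".crt", ".pem")):
        findings.append(f"tls_cacertfile {cacert}: expected a PEM-encoded .crt/.pem file")
    return findings


PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def is_pem(data: bytes) -> bool:
    return PEM_HEADER in data


def ensure_pem(data: bytes) -> bytes:
    """Return the certificate as PEM: pass-through if it already is, otherwise
    wrap DER bytes (the binary .cer form) in base64 with 64-column lines."""
    if is_pem(data):
        return data
    if not data or data[0] != 0x30:       # a DER certificate starts with a SEQUENCE tag
        raise ValueError("neither PEM nor DER certificate data")
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64].encode("ascii") for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_HEADER, *body, PEM_FOOTER]) + b"\n"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_nslcd_conf(conf) or "ok")
```

`bindpw` lives in nslcd.conf in clear text, so the file should stay root-owned and mode 0600 (nslcd itself refuses to use a world-readable config); the hardened fragment above still has to be completed with the group map and a `filter group` of its own before `getent group` works.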