[CentOS] Single sign-on for CentOS-6
James A. Peltier
jpeltier at sfu.ca
Wed Jan 29 17:47:40 UTC 2014
----- Original Message -----
|
| On Wed, January 29, 2014 01:44, James A. Peltier wrote:
| > ----- Original Message -----
| > | Does anyone here use a Samba4 setup for single sign-on for MS_Win
| > | workstations and CentOS-6 boxes? Does anyone here use it for imap
| > | and/or smtp authentication? We are experimenting with replacing our
| > | existing Microsoft domain controllers with Samba4 based controllers
| > | and are contemplating moving all authentication for all our systems,
| > | Microsoft and CentOS based, over to Samba when, or if, this
| > | replacement successfully completes.
| > |
| . . .
| >
| > I would have to ask why you're doing such a thing in the first place?
| > You have a perfectly good working Active Directory setup, that people
| > are already familiar with, I suspect with existing MS clients which
| > integrate fully (and "properly") and you want to replace it with a
| > Samba based setup. Unless you have a relatively simple setup, I would
| > say don't change. However, if you are looking to move to something
| > else, then do that. Why fix to Samba? Why not go with a full on
| > Kerberos/LDAP environment?
| >
| > FWIW, we use CentOS 6 with Active Directory Authorization. Things have
| > worked fine for us for about 1 year. It took a VERY long time to get
| > setup and working, but it is now.
|
| The main reason is the age of the equipment and software. The current
| domain controller host is from c.2004 and the software is Microsoft
| Advanced Server 2000. The Windows 7 workstations work with this AD but
| there are a few quirks.
|
| As the equipment is well past its best before date we need to replace
| it. We have virtualised just about everything else saving only the
| desktop workstations and this is another candidate for virtualisation.
|
| As a company we are moving everything we can to FOSS and away from
| proprietary interests. Therefore the combination of moving from
| MS-AS2000 and a dedicated host to Samba4 running on a virtualised guest
| seems an attractive option, provided that it works. Thus my question.
|
| The research I have done seems quite promising. It is now possible to
| promote a Samba4 server to an AD domain controller and to transfer all
| the Flexible Single Master Operations (FSMO) roles to it. It should
| then be possible to promote a second virtualised Samba4 server running
| on a different virtualised guest running on a second hardware host as a
| domain controller. Once done then the original AD host can be demoted
| and shutdown. Providing Samba4 works as described of course, which is
| why I am asking if anyone else has done it.
|
| There remains an issue with the SysVol replication, there is not any,
| but this can be worked around via rsync and cron. However, this means
| that all directory maintenance has to be performed on just one of the
| DCs, which effectively returns us to the days of Primary/Secondary DCs.
| Since in our case we are down to just one AD as it is this is not a
| hardship.
|
| Do you have a writeup of what you had to do to get CentOS to
| authenticate against AD?
|
|
| --
| *** E-Mail is NOT a SECURE channel ***
| James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
| Harte & Lyne Limited http://www.harte-lyne.ca
| 9 Brockley Drive vox: +1 905 561 1241
| Hamilton, Ontario fax: +1 905 561 0757
| Canada L8E 3C3
|
I have to sanitize it. The project started 3 years ago with SSSD and there were a lot of workarounds/patches that made it into RHEL/CentOS. I'll clean it up and post it somewhere for you to have a look at.
--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices
"I want to inspire people. I want someone to say "because of you I didn't give up". - Chanda Kaushik