On Wed, January 29, 2014 01:44, James A. Peltier wrote:
----- Original Message -----
| Does anyone here use a Samba4 setup for single sign-on for MS_Win
| workstations and CentOS-6 boxes? Does anyone here use it for imap
| and/or smtp authentication? We are experimenting with replacing our
| existing Microsoft domain controllers with Samba4 based controllers
| and are contemplating moving all authentication for all our systems,
| Microsoft and CentOS based, over to Samba when, or if, this
| replacement successfully completes.
. . .
I would have to ask why you're doing such a thing in the first place? You have a perfectly good working Active Directory setup, that people are already familiar with, I suspect with existing MS clients which integrate fully (and "properly") and you want to replace it with a Samba based setup. Unless you have a relatively simple setup, I would say don't change. However, if you are looking to move to something else, then do that. Why fix to Samba? Why not go with a full on Kerberos/LDAP environment?
FWIW, we use CentOS 6 with Active Directory Authorization. Things have worked fine for us for about 1 year. It took a VERY long time to get set up and working, but it is now.
The main reason is the age of the equipment and software. The current domain controller host is from c.2004 and the software is Microsoft Advanced Server 2000. The Windows 7 workstations work with this AD but there are a few quirks.
As the equipment is well past its best-before date we need to replace it. We have virtualised just about everything else saving only the desktop workstations, and this is another candidate for virtualisation.
As a company we are moving everything we can to FOSS and away from proprietary interests. Therefore the combination of moving from MS-AS2000 and a dedicated host to Samba4 running on a virtualised guest seems an attractive option, provided that it works. Thus my question.
The research I have done seems quite promising. It is now possible to promote a Samba4 server to an AD domain controller and to transfer all the Flexible Single Master Operations (FSMO) roles to it. It should then be possible to promote a second virtualised Samba4 server, running on a different virtualised guest on a second hardware host, as a domain controller. Once done, the original AD host can be demoted and shut down. Providing Samba4 works as described, of course, which is why I am asking if anyone else has done it.
There remains an issue with SysVol replication (there is not any), but this can be worked around via rsync and cron. However, this means that all directory maintenance has to be performed on just one of the DCs, which effectively returns us to the days of Primary/Secondary DCs. Since in our case we are down to just one AD as it is, this is not a hardship.
Do you have a writeup of what you had to do to get CentOS to authenticate against AD?
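An added check for the rsync-and-cron SysVol workaround discussed in the post above (example code, not from the thread or from Samba): it hashes the primary DC's SysVol tree and the secondary's copy and reports files that are missing, stale or extra on the secondary, so a cron job that silently stopped syncing shows up as Group Policy drift instead of going unnoticed. Both trees are assumed reachable as local paths; the directory names and the GPO GUID below are placeholders and the sample trees are constructed inline.

```python
import hashlib
import os
import tempfile


def _digest_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def sysvol_drift(primary, secondary):
    """Compare two SysVol trees.

    Returns (missing, stale, extra): files absent on the secondary, files whose
    content differs (e.g. a GPO edited after the last rsync run), and files
    present only on the secondary (leftovers when rsync runs without --delete).
    An empty triple means the secondary DC serves the same policy as the primary.
    """
    p, s = _digest_tree(primary), _digest_tree(secondary)
    missing = sorted(set(p) - set(s))
    stale = sorted(f for f in p if f in s and p[f] != s[f])
    extra = sorted(set(s) - set(p))
    return missing, stale, extra


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)


def demo():
    """Constructed sample: one GPO edited on the primary after the last sync."""
    with tempfile.TemporaryDirectory() as primary, tempfile.TemporaryDirectory() as secondary:
        gpo = os.path.join("example.com", "Policies", "{PLACEHOLDER-GUID}", "GPT.INI")
        _write(primary, gpo, "[General]\nVersion=2\n")     # edited on the primary
        _write(secondary, gpo, "[General]\nVersion=1\n")   # secondary not yet synced
        _write(primary, "example.com/scripts/logon.bat", "echo hi\n")  # new on primary
        _write(secondary, "example.com/old.txt", "x\n")    # already removed on primary
        return sysvol_drift(primary, secondary)


if __name__ == "__main__":
    print(demo())
```

Run it from the same cron schedule (or just after the rsync job) with the real SysVol paths and alert on any non-empty result.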
On 01/29/2014 06:51 AM, James B. Byrne wrote:
> I would have to ask why you're doing such a thing in the first place? You have a perfectly good working Active Directory setup, that people are already familiar with, I suspect with existing MS clients which integrate fully (and "properly") and you want to replace it with a Samba based setup. Unless you have a relatively simple setup, I would say don't change. However, if you are looking to move to something else, then do that. Why fix to Samba? Why not go with a full on Kerberos/LDAP environment?
>
> FWIW, we use CentOS 6 with Active Directory Authorization. Things have worked fine for us for about 1 year. It took a VERY long time to get set up and working, but it is now.
>
> The main reason is the age of the equipment and software. The current domain controller host is from c.2004 and the software is Microsoft Advanced Server 2000. The Windows 7 workstations work with this AD but there are a few quirks.
>
> As the equipment is well past its best-before date we need to replace it. We have virtualised just about everything else saving only the desktop workstations, and this is another candidate for virtualisation.
>
> As a company we are moving everything we can to FOSS and away from proprietary interests. Therefore the combination of moving from MS-AS2000 and a dedicated host to Samba4 running on a virtualised guest seems an attractive option, provided that it works. Thus my question.
As a CentOS/Linux shop serving clients who are primarily Windows-based, this is also attractive to us. However, initial research indicates that while it probably can work, it's by no means trivial.
EG: http://news.idg.no/cw/art.cfm?id=07B0DED3-A627-9A9A-C05097D23C5FD44F
Our intentions (round tuit, etc) at this point are probably to work with Windows Live in more of a "client" role for SSO, though we haven't started, it's a second-level priority at this point. Personally, I'd love to see a website/project put together to document the needs and solutions of corporate/enterprise level Samba4 users, but I'm not aware of such already existing.
Ben
----- Original Message -----
| On Wed, January 29, 2014 01:44, James A. Peltier wrote:
| . . .
| Do you have a writeup of what you had to do to get CentOS to
| authenticate against AD?
I have to sanitize it. The project started 3 years ago with SSSD and there were a lot of workarounds/patches that made it into RHEL/CentOS. I'll clean it up and post it somewhere for you to have a look at.