Anyone have an updated tutorial/howto for samba to authenticate to ldap?
Regards, Al
On Tue, 18 Oct 2011, Al wrote:
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
I recommend the smbldap-tools suite of applications for that task:
https://gna.org/projects/smbldap-tools/
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
Not so much a Samba issue, but make sure you have a known local username and password so you are not locked out if the LDAP server fails to start for whatever reason, especially if you disable network logins as root, as you should!
Brett
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
On Oct 18, 2011, at 2:56 PM, Miguel Medalha wrote:
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
---- indeed - that is one of the chapters from the 'By Example' to which I referred earlier
Craig
This isn't what I was talking about ... Let me be a little more specific ... I've got an openldap system configured, just need to set up Samba to use openldap to allow them to access their shells via Windows Explorer. They usually login via SSH, but want to have the ability to copy things over to the Windows without using SFTP.
On Oct 18, 2011, at 6:59 PM, Craig White wrote:
On Oct 18, 2011, at 2:56 PM, Miguel Medalha wrote:
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
indeed - that is one of the chapters from the 'By Example' to which I referred earlier
Craig
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Oct 19, 2011, at 8:16 AM, Al wrote:
This isn't what I was talking about ... Let me be a little more specific ... I've got an openldap system configured, just need to set up Samba to use openldap to allow them to access their shells via Windows Explorer. They usually login via SSH, but want to have the ability to copy things over to the Windows without using SFTP.
---- I can't see how that actually matters because you want them to gain access to the samba server using their accounts and samba requires both a POSIX & a SAMBA user and the logical place for a SAMBA user is to have their SAMBA attributes in the same LDAP record.
At that point, they could easily mount a SAMBA share on their Windows box using the same account (though Windows passwords use a Windows compatible hashed password). Basically, the user account in LDAP has both POSIX & SAMBA attributes including userPassword (POSIX) and sambaNTPassword (SAMBA) and group memberships that may be one or both (though I tend to create groups that are both).
The easiest way to demonstrate is to use my own setup...
# ldapsearch -x '(uid=craig)' -D uid=craig,ou=people,dc=azapple,dc=com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=azapple,dc=com> (default) with scope subtree
# filter: (uid=craig)
# requesting: ALL
#

# craig, people, azapple.com
dn: uid=craig,ou=people,dc=azapple,dc=com
sambaPwdMustChange: 2147483647
labeledURI: http://linuxserver/horde/kronolith/fb.php?c=craig
sambaSID: S-1-5-21-1423820788-2381578139-XXXXXXXXXX-1000
calFBURL: http://srv2.azapple.com/horde/kronolith/fb.php?c=craig
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
displayName: Craig White
sambaMungedDial: 1
shadowMax: 99999
sambaLogonScript: logon.bat
sambaProfilePath: \SRV2\profiles\craig
cn: Craig White
uidNumber: 1000
shadowWarning: 7
sambaPrimaryGroupSID: 1423820788-2381578139-XXXXXXXXXX-513
sambaAcctFlags: [U ]
gecos: Craig White
shadowLastChange: 15199
sambaPwdLastSet: 1313206319
mail: craig@azapple.com
userPassword:: REMOVED...
sambaLMPassword: REMOVED
uid: craig
sambaPwdCanChange: 1313206319
sambaHomePath: \SRV2\homes\craig
homeDirectory: /home/craig
description: Craig is a local user
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: top
objectClass: calEntry
gidNumber: 100
sambaDomainName: AZAPPLE
givenName: Craig
sambaHomeDrive: h:
sambaNTPassword: REMOVED
sn: White
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
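A check that can be run over an LDIF export like the one above, as an added example that is not part of this thread: it parses ldapsearch output and reports whether each account carries both the POSIX and Samba object classes and attributes Craig describes, and flags settings worth reviewing (an LM hash stored alongside the NT hash, a password that never expires). The sample entries, hashes and domain are constructed placeholders.

```python
import base64

# Constructed sample in the shape of the ldapsearch output above; hashes are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1-2-3-1001
sambaAcctFlags: [U          ]
sambaPwdMustChange: 2147483647
sambaLMPassword: PLACEHOLDER_LM_HASH
sambaNTPassword: PLACEHOLDER_NT_HASH
userPassword:: e1NTSEF9UExBQ0VIT0xERVI=

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
"""

def parse_ldif(text):
    """Parse a flat ldapsearch LDIF export into a list of {attr: [values]}."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + ['']:         # trailing '' flushes the last entry
        if not raw.strip():                      # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif raw.startswith(' ') and last:       # folded continuation line
            cur[last][-1] += raw[1:]
        elif not raw.startswith('#'):            # skip ldapsearch comment lines
            attr, _, value = raw.partition(':')
            if value.startswith(':'):            # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
            cur.setdefault(attr, []).append(value.strip())
            last = attr
    return entries

def audit_account(entry):
    uid = entry.get('uid', ['?'])[0]
    classes = entry.get('objectClass', [])
    findings = [] if 'posixAccount' in classes else [f'{uid}: missing posixAccount']
    if 'sambaSamAccount' not in classes:
        return findings + [f'{uid}: missing sambaSamAccount, no Samba logon']
    for attr in ('sambaSID', 'sambaNTPassword', 'sambaAcctFlags'):
        if attr not in entry:
            findings.append(f'{uid}: missing {attr}')
    if 'sambaLMPassword' in entry:               # legacy LM hash is weak; avoid storing it
        findings.append(f'{uid}: LM hash stored')
    if entry.get('sambaPwdMustChange') == ['2147483647']:   # max int32 means "never"
        findings.append(f'{uid}: password never expires')
    return findings
```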
I would just need to add those attributes in openldap? I'm not very experienced, that is why I asked for howto/tutorials... I've been building an openldap and samba environment in a staged virtual system, so I can get a better understanding on how it all works. It seems to me I would have to add additional attributes to all those users and load the samba.schema onto the master server, then go on the samba server and configure it to use ldap? I'm not so sure, I guess it'll take some time for me to figure it all out...
On Oct 19, 2011, at 1:31 PM, Craig White wrote:
On Oct 19, 2011, at 8:16 AM, Al wrote:
This isn't what I was talking about ... Let me be a little more specific ... I've got an openldap system configured, just need to set up Samba to use openldap to allow them to access their shells via Windows Explorer. They usually login via SSH, but want to have the ability to copy things over to the Windows without using SFTP.
I can't see how that actually matters because you want them to gain access to the samba server using their accounts and samba requires both a POSIX & a SAMBA user and the logical place for a SAMBA user is to have their SAMBA attributes in the same LDAP record.
At that point, they could easily mount a SAMBA share on their Windows box using the same account (though Windows passwords use a Windows compatible hashed password). Basically, the user account in LDAP has both POSIX & SAMBA attributes including userPassword (POSIX) and sambaNTPassword (SAMBA) and group memberships that may be one or both (though I tend to create groups that are both).
The easiest way to demonstrate is to use my own setup...
# ldapsearch -x '(uid=craig)' -D uid=craig,ou=people,dc=azapple,dc=com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=azapple,dc=com> (default) with scope subtree
# filter: (uid=craig)
# requesting: ALL
#

# craig, people, azapple.com
dn: uid=craig,ou=people,dc=azapple,dc=com
sambaPwdMustChange: 2147483647
labeledURI: http://linuxserver/horde/kronolith/fb.php?c=craig
sambaSID: S-1-5-21-1423820788-2381578139-XXXXXXXXXX-1000
calFBURL: http://srv2.azapple.com/horde/kronolith/fb.php?c=craig
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
displayName: Craig White
sambaMungedDial: 1
shadowMax: 99999
sambaLogonScript: logon.bat
sambaProfilePath: \SRV2\profiles\craig
cn: Craig White
uidNumber: 1000
shadowWarning: 7
sambaPrimaryGroupSID: 1423820788-2381578139-XXXXXXXXXX-513
sambaAcctFlags: [U ]
gecos: Craig White
shadowLastChange: 15199
sambaPwdLastSet: 1313206319
mail: craig@azapple.com
userPassword:: REMOVED...
sambaLMPassword: REMOVED
uid: craig
sambaPwdCanChange: 1313206319
sambaHomePath: \SRV2\homes\craig
homeDirectory: /home/craig
description: Craig is a local user
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: top
objectClass: calEntry
gidNumber: 100
sambaDomainName: AZAPPLE
givenName: Craig
sambaHomeDrive: h:
sambaNTPassword: REMOVED
sn: White
loginShell: /bin/bash

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
On Thu, Oct 20, 2011 at 8:02 PM, Al mailinglist@theflux.net wrote:
I would just need to add those attributes in openldap? I'm not very experienced, that is why I asked for howto/tutorials... I've been building an openldap and samba environment in a staged virtual system, so I can get a better understanding on how it all works. It seems to me I would have to add additional attributes to all those users and load the samba.schema onto the master server, then go on the samba server and configure it to use ldap? I'm not so sure, I guess it'll take some time for me to figure it all out...
Yes, you have to add the samba.schema to your openLDAP setup. The schema automatically brings in the user attributes. You will need to populate them for the Samba specific attributes. Indeed, doing it in a virtual machine is a good way to learn about the LDAP+Samba integration.
As someone else has suggested, smb-ldap tools does the user management work for both Unix and Samba. LAM is a PHP-based web app to manage your LDAP setup; it does support the SAMBA extensions.
HTH,
-- Arun Khan
Thanks for the information, I'll refer to it ...
On Oct 18, 2011, at 5:56 PM, Miguel Medalha wrote:
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
On Tue, 2011-10-18 at 16:43 -0400, Al wrote:
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
There are lots of docs.
But DO NOT DO IT.
A Samba 3.x DC is very very *obsolete*. The Windows world has moved on to Active Directory. If you want to do that you need Samba 4 - and no OpenLDAP.
On Fri, October 21, 2011 12:14, Adam Tauno Williams wrote:
On Tue, 2011-10-18 at 16:43 -0400, Al wrote:
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
There are lots of docs.
But DO NOT DO IT.
A Samba 3.x DC is very very *obsolete*. The Windows world has moved on to Active Directory. If you want to do that you need Samba 4 - and no OpenLDAP.
From the samba Wiki:
Samba 4 is currently not yet in a state where it can replace existing production deployments. [1]
We're a linux mostly environment, some of the users have windows. It sounds to me that maybe I should start over instead of trying to implement it in our current openldap environment. We're running openldap 2.3.43 and Samba 3.x..
On Oct 21, 2011, at 6:18 AM, Giles Coochey wrote:
On Fri, October 21, 2011 12:14, Adam Tauno Williams wrote:
On Tue, 2011-10-18 at 16:43 -0400, Al wrote:
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
There are lots of docs.
But DO NOT DO IT.
A Samba 3.x DC is very very *obsolete*. The Windows world has moved on to Active Directory. If you want to do that you need Samba 4 - and no OpenLDAP.
From the samba Wiki:
Samba 4 is currently not yet in a state where it can replace existing production deployments. [1]
[1] http://wiki.samba.org/index.php/Samba4#Current_Status
On 10/21/11 2:30 PM, Al wrote:
We're a linux mostly environment, some of the users have windows. It sounds to me that maybe I should start over instead of trying to implement it in our current openldap environment. We're running openldap 2.3.43 and Samba 3.x..
what do the windows users authenticate with now? presumably, Samba is to provide file services to these Windows users?
Openldap, I've been able to get it to work in a staging environment, I'm going to try implementing it on one of our dev servers that has the exact openldap setup as production. It looks to me like I'll be asking more questions if I run into any road blocks, but the information everyone has been providing me on this thread has helped me a lot. Thank you!
On Oct 21, 2011, at 7:29 PM, John R Pierce wrote:
On 10/21/11 2:30 PM, Al wrote:
We're a linux mostly environment, some of the users have windows. It sounds to me that maybe I should start over instead of trying to implement it in our current openldap environment. We're running openldap 2.3.43 and Samba 3.x..
what do the windows users authenticate with now? presumably, Samba is to provide file services to these Windows users?
-- john r pierce N 37, W 122 santa cruz ca mid-left coast
On Fri, 2011-10-21 at 12:18 +0200, Giles Coochey wrote:
On Fri, October 21, 2011 12:14, Adam Tauno Williams wrote:
On Tue, 2011-10-18 at 16:43 -0400, Al wrote:
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
There are lots of docs.
But DO NOT DO IT.
A Samba 3.x DC is very very *obsolete*. The Windows world has moved on to Active Directory. If you want to do that you need Samba 4 - and no OpenLDAP.
From the samba Wiki:
Samba 4 is currently not yet in a state where it can replace existing production deployments. [1]
[1] http://wiki.samba.org/index.php/Samba4#Current_Status
That is the official story - but try it - it works *BETTER* than an NT4 Samba 3.x domain. Seriously, really. Recent Samba 4 builds *are* in production at several sites. It works.
http://wiki.samba.org/index.php/Samba4/HOWTO
Note that Samba 4 is best discussed on the technical list, not yet on the users list. https://lists.samba.org/mailman/listinfo/samba-technical
On Tuesday, October 25, 2011 11:38 PM, Adam Tauno Williams wrote:
Samba 4 is currently not yet in a state where it can replace existing production deployments. [1]
[1] http://wiki.samba.org/index.php/Samba4#Current_Status
That is the official story - but try it - it works *BETTER* than an NT4 Samba 3.x domain. Seriously, really. Recent Samba 4 builds *are* in production at several sites. It works.
http://wiki.samba.org/index.php/Samba4/HOWTO
Note that Samba 4 is best discussed on the technical list, not yet on the users list.
/me salutes the white mice that will make samba4 better and completely ready to take over the Windows AD service.
On Wed, 2011-10-26 at 07:57 +0800, Christopher Chan wrote:
On Tuesday, October 25, 2011 11:38 PM, Adam Tauno Williams wrote:
Samba 4 is currently not yet in a state where it can replace existing production deployments. [1]
[1] http://wiki.samba.org/index.php/Samba4#Current_Status
That is the official story - but try it - it works *BETTER* than an NT4 Samba 3.x domain. Seriously, really. Recent Samba 4 builds *are* in production at several sites. It works.
http://wiki.samba.org/index.php/Samba4/HOWTO
Note that Samba 4 is best discussed on the technical list, not yet on the users list.
/me salutes the white mice that will make samba4 better and completely ready to take over the Windows AD service.
You can already have a mix of Samba 4 and Windows 2008R2 domain controllers in the same domain.
If you create an S3 domain you face the grisly prospects of having to upgrade that domain to an S4/AD domain someday. Which is *not* fun.
On Wednesday, October 26, 2011 10:16 AM, Adam Tauno Williams wrote:
On Wed, 2011-10-26 at 07:57 +0800, Christopher Chan wrote:
On Tuesday, October 25, 2011 11:38 PM, Adam Tauno Williams wrote:
Samba 4 is currently not yet in a state where it can replace existing production deployments. [1]
[1] http://wiki.samba.org/index.php/Samba4#Current_Status
That is the official story - but try it - it works *BETTER* than an NT4 Samba 3.x domain. Seriously, really. Recent Samba 4 builds *are* in production at several sites. It works.
http://wiki.samba.org/index.php/Samba4/HOWTO
Note that Samba 4 is best discussed on the technical list, not yet on the users list.
/me salutes the white mice that will make samba4 better and completely ready to take over the Windows AD service.
You can already have a mix of Samba 4 and Windows 2008R2 domain controllers in the same domain.
I know...but I wanna not have to have any Windows AD.
If you create an S3 domain you face the grisly prospects of having to upgrade that domain to an S4/AD domain someday. Which is *not* fun.
Thanks. I'll stick with the current Windows 2000 AD until samba4 is ready!
I'm still going to stick to trying to get Samba3 and try and get openldap to work. I've got it going in my test environment with a clean install of samba and openldap. I'm currently making the modifications to a dev. version of the production ldap database to see if I can get it working with Samba3. I'm not worried about Active Directory, openldap works with our environment. Thanks for the suggestions!
On Oct 25, 2011, at 11:38 AM, Adam Tauno Williams wrote:
On Fri, 2011-10-21 at 12:18 +0200, Giles Coochey wrote:
On Fri, October 21, 2011 12:14, Adam Tauno Williams wrote:
On Tue, 2011-10-18 at 16:43 -0400, Al wrote:
Anyone have an updated tutorial/howto for samba to authenticate to ldap?
There are lots of docs.
But DO NOT DO IT.
A Samba 3.x DC is very very *obsolete*. The Windows world has moved on to Active Directory. If you want to do that you need Samba 4 - and no OpenLDAP.
From the samba Wiki:
Samba 4 is currently not yet in a state where it can replace existing production deployments. [1]
[1] http://wiki.samba.org/index.php/Samba4#Current_Status
That is the official story - but try it - it works *BETTER* than an NT4 Samba 3.x domain. Seriously, really. Recent Samba 4 builds *are* in production at several sites. It works.
http://wiki.samba.org/index.php/Samba4/HOWTO
Note that Samba 4 is best discussed on the technical list, not yet on the users list. https://lists.samba.org/mailman/listinfo/samba-technical