[CentOS] Single sign-on for CentOS-6

Wed Jan 29 14:51:04 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

On Wed, January 29, 2014 01:44, James A. Peltier wrote:
> ----- Original Message -----
> | Does anyone here use a Samba4 setup for single sign-on for MS_Win
> | workstations and CentOS-6 boxes?   Does anyone here use it for imap
> | and/or smtp authentication?   We are experimenting with replacing our
> | existing Microsoft domain controllers with Samba4 based controllers and
> | are contemplating moving all authentication for all our systems,
> | Microsoft and CentOS based, over to Samba when, or if, this replacement
> | successfully completes.
> |
. . .
>
> I would have to ask why you're doing such a thing in the first place?  You
> have a perfectly good working Active Directory setup, that people are already
> familiar with, I suspect with existing MS clients which integrate fully (and
> "properly") and you want to replace it with a Samba based setup.  Unless you
> have a relatively simple setup, I would say don't change.  However, if you are
> looking to move to something else, then do that.  Why fix to Samba?  Why not
> go with a full on Kerberos/LDAP environment?
>
> FWIW, we use CentOS 6 with Active Directory Authorization.  Things have worked
> fine for us for about 1 year.  It took a VERY long time to get setup and
> working, but it is now.

The main reason is the age of the equipment and software.  The current domain
controller host is from c.2004 and the software is Microsoft Advanced Server
2000.  The Windows 7 workstations work with this AD but there are a few
quirks.

As the equipment is well past its best before date we need to replace it. We
have virtualised just about everything else saving only the desktop
workstations and this is another candidate for virtualisation.

As a company we are moving everything we can to FOSS and away from proprietary
interests.  Therefore the combination of moving from MS-AS2000 and a dedicated
host to Samba4 running on a virtualised guest seems an attractive option,
provided that it works.  Thus my question.

The research I have done seems quite promising.  It is now possible to promote
a Samba4 server to an AD domain controller and to transfer all the Flexible
Single Master Operations (FSMO) roles to it.  It should then be possible to
promote a second virtualised Samba4 server running on a different virtualised
guest running on a second hardware host as a domain controller.  Once done,
the original AD host can be demoted and shut down.  Providing Samba4 works
as described, of course, which is why I am asking if anyone else has done it.

There remains an issue with SysVol replication (there is not any), but this
can be worked around via rsync and cron.  However, this means that all
directory maintenance has to be performed on just one of the DCs, which
effectively returns us to the days of Primary/Secondary DCs.  Since in our
case we are down to just one AD as it is, this is not a hardship.

Do you have a writeup of what you had to do to get CentOS to authenticate
against AD?


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3