[CentOS] Single sign-on for CentOS-6

Wed Jan 29 17:47:40 UTC 2014
James A. Peltier <jpeltier at sfu.ca>

----- Original Message -----
| 
| On Wed, January 29, 2014 01:44, James A. Peltier wrote:
| > ----- Original Message -----
| > | Does anyone here use a Samba4 setup for single sign-on for MS_Win
| > | workstations and CentOS-6 boxes?   Does anyone here use it for imap
| > | and/or smtp authentication?   We are experimenting with replacing our
| > | existing Microsoft domain controllers with Samba4 based controllers
| > | and are contemplating moving all authentication for all our systems,
| > | Microsoft and CentOS based, over to Samba when, or if, this
| > | replacement successfully completes.
| > |
| . . .
| >
| > I would have to ask why you're doing such a thing in the first place?
| > You have a perfectly good working Active Directory setup, that people
| > are already familiar with, I suspect with existing MS clients which
| > integrate fully (and "properly") and you want to replace it with a
| > Samba based setup.  Unless you have a relatively simple setup, I would
| > say don't change.  However, if you are looking to move to something
| > else, then do that.  Why fix to Samba?  Why not go with a full on
| > Kerberos/LDAP environment?
| >
| > FWIW, we use CentOS 6 with Active Directory Authorization.  Things
| > have worked fine for us for about 1 year.  It took a VERY long time to
| > get set up and working, but it is now.
| 
| The main reason is the age of the equipment and software.  The current
| domain controller host is from c.2004 and the software is Microsoft
| Advanced Server 2000.  The Windows 7 workstations work with this AD but
| there are a few quirks.
| 
| As the equipment is well past its best before date we need to replace
| it.  We have virtualised just about everything else saving only the
| desktop workstations and this is another candidate for virtualisation.
| 
| As a company we are moving everything we can to FOSS and away from
| proprietary interests.  Therefore the combination of moving from
| MS-AS2000 and a dedicated host to Samba4 running on a virtualised guest
| seems an attractive option, provided that it works.  Thus my question.
| 
| The research I have done seems quite promising.  It is now possible to
| promote a Samba4 server to an AD domain controller and to transfer all
| the Flexible Single Master Operations (FSMO) roles to it.  It should
| then be possible to promote a second virtualised Samba4 server running
| on a different virtualised guest running on a second hardware host as a
| domain controller.  Once done then the original AD host can be demoted
| and shut down.  Providing Samba4 works as described of course, which is
| why I am asking if anyone else has done it.
| 
| There remains an issue with the SysVol replication, there is not any,
| but this can be worked around via rsync and cron.  However, this means
| that all directory maintenance has to be performed on just one of the
| DCs, which effectively returns us to the days of Primary/Secondary DCs.
| Since in our case we are down to just one AD as it is, this is not a
| hardship.
| 
| Do you have a writeup of what you had to do to get CentOS to
| authenticate against AD?
| 
| 
| --
| ***          E-Mail is NOT a SECURE channel          ***
| James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
| Harte & Lyne Limited          http://www.harte-lyne.ca
| 9 Brockley Drive              vox: +1 905 561 1241
| Hamilton, Ontario             fax: +1 905 561 0757
| Canada  L8E 3C3
| 
| _______________________________________________
| CentOS mailing list
| CentOS at centos.org
| http://lists.centos.org/mailman/listinfo/centos
| 

I have to sanitize it.  The project started 3 years ago with SSSD and there were a lot of workarounds/patches that made it into RHEL/CentOS.  I'll clean it up and post it somewhere for you to have a look at.

-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices

"I want to inspire people.  I want someone to say "because of you I didn't give up". - Chanda Kaushik
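The rsync-and-cron SysVol workaround mentioned in the quoted message, written out as an added example that is not part of this thread: a pull script for the second Samba4 DC, which copies the share from the one DC where all directory maintenance is done and refuses to run on that DC. The hostname dc1.example.internal, the sysvol and lock paths, and the ssh-as-root transport are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pull the SysVol share from the one DC
# where all directory maintenance is done onto a second Samba4 DC, run from
# cron on the second DC. Hostnames, paths and the ssh-as-root transport are
# assumptions; adjust them to your site.
set -u

PRIMARY_DC="${PRIMARY_DC:-dc1.example.internal}"  # assumed name of the edited DC
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"         # Samba's default sysvol path
LOCK="${LOCK:-/run/sysvol-sync.lock}"             # mkdir-based lock directory
DRY_RUN="${DRY_RUN:-0}"                           # 1 = print commands, run nothing

# -A/-X carry the POSIX ACLs and xattrs in which Samba stores the NT security
# descriptors of Group Policy files; --delete-after makes the copy an exact
# mirror; --safe-links drops symlinks that point outside the tree.
sysvol_rsync_cmd() {
    printf 'rsync -aAXz --delete-after --safe-links root@%s:%s/ %s/' \
        "$PRIMARY_DC" "$SYSVOL" "$SYSVOL"
}

# Only the edited DC may be the source; pulling onto it would overwrite the
# master copy with a stale one.
is_primary_host() { [ "$1" = "$PRIMARY_DC" ]; }

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else eval "$*"; fi
}

sysvol_sync() {
    if is_primary_host "$(hostname -f)"; then
        echo "refusing to run on the primary DC $PRIMARY_DC" >&2; return 2
    fi
    # mkdir is atomic, so two overlapping cron runs cannot both take the lock
    mkdir "$LOCK" 2>/dev/null || { echo "another sync is running" >&2; return 1; }
    trap 'rmdir "$LOCK"' EXIT
    run_cmd "$(sysvol_rsync_cmd)" || return 1
    # Rebuild the NT ACLs on the received tree so GPOs are readable by clients
    run_cmd "samba-tool ntacl sysvolreset"
}

# Cron entry on the secondary DC (every 15 minutes):
#   */15 * * * * root /usr/local/sbin/sysvol-sync.sh run
case "${1:-}" in run) sysvol_sync ;; esac
```

Run with DRY_RUN=1 first to see the exact rsync invocation before letting cron execute it.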