Experimenting with Samba 4 AD DC
Hi,
I'm currently experimenting with Samba 4, to use it for central authentication. I'm using the following documentation: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
According to that page, Samba has its own LDAP and Kerberos implementation. Here's what I got so far on a sandbox Slackware server.
Interactively provision a new domain:
[root@amandine:~] # samba-tool domain provision --use-rfc2307 --interactive
[root@amandine:~] # samba
[root@amandine:~] # smbclient -L localhost -U%
[root@amandine:~] # smbclient //localhost/netlogon -UAdministrator -c 'ls'
[root@amandine:~] # ls -l /etc/krb5.conf
[root@amandine:~] # which kinit
Side note: I've been using Samba 3.x in more or less simple setups for quite some time. But the new functionalities of Samba 4 like integrated LDAP and Kerberos are completely new to me, and I discover this while I try to make sense of the documentation.
Cheers, Niki |
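Before the kinit step, it is worth verifying the two things that most often break a first ticket request against a freshly provisioned DC: the krb5.conf copied from the provision and the clock offset between client and DC. The script below is an added example, not code from the thread or from the Samba project; the realm SAMDOM.EXAMPLE.COM and the sample krb5.conf it writes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run on the DC right after
# "samba-tool domain provision" and before trying kinit. The realm name is a
# placeholder; the krb5.conf path is a parameter so the check can be run
# against a constructed file as well as the real /etc/krb5.conf.

# check_krb5_conf FILE REALM: succeed when FILE sets default_realm to REALM
# and dns_lookup_kdc = true (the settings provision writes, which let kinit
# find the KDC through the DC's own DNS); otherwise report why it fails.
check_krb5_conf() {
    file=$1; realm=$2
    [ -r "$file" ] || { echo "krb5.conf: cannot read $file" >&2; return 1; }
    got_realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$file" | head -n 1)
    got_dns=$(sed -n 's/^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$file" | head -n 1)
    if [ "$got_realm" != "$realm" ]; then
        echo "krb5.conf: default_realm is '$got_realm', expected '$realm'" >&2
        return 1
    fi
    case "$got_dns" in
        [Tt][Rr][Uu][Ee]|[Yy][Ee][Ss]) return 0 ;;
        *) echo "krb5.conf: dns_lookup_kdc must be true, got '$got_dns'" >&2; return 1 ;;
    esac
}

# check_clock_skew CLIENT_EPOCH SERVER_EPOCH [MAX]: Kerberos rejects requests
# when clocks differ by more than the clockskew limit (300 s by default), so
# compare client and DC time before blaming kinit. Pure arithmetic, so it can
# be fed "$(date +%s)" from each side or fixed values in a test.
check_clock_skew() {
    diff=$(( $1 - $2 )); max=${3:-300}
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - $diff )); fi
    if [ "$diff" -gt "$max" ]; then
        echo "clock skew ${diff}s exceeds ${max}s; fix NTP before Kerberos" >&2
        return 1
    fi
    return 0
}

# Constructed krb5.conf in the shape samba-tool provision generates (the
# realm SAMDOM.EXAMPLE.COM is a placeholder, not a real domain).
SAMPLE_KRB5=/tmp/krb5.conf.sample.$$
printf '[libdefaults]\n\tdefault_realm = SAMDOM.EXAMPLE.COM\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' > "$SAMPLE_KRB5"

if check_krb5_conf "$SAMPLE_KRB5" SAMDOM.EXAMPLE.COM; then echo "krb5.conf OK"; fi
check_clock_skew "$(date +%s)" "$(date +%s)" && echo "clock skew OK"
```

On a real DC, run `check_krb5_conf /etc/krb5.conf YOUR.REALM` and feed `check_clock_skew` the epoch seconds from a client and from the DC.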
kinit is in the krb5 package from SBo (/usr/kerberos/bin/kinit) but that's the end of my knowledge :(
|
I think you don't strictly need a local Kerberos client: you can also join the domain with a Windows machine (or any Linux machine like, for example, Debian/Ubuntu with the Kerberos stuff installed) and try to obtain a Kerberos ticket from there.
But if you want to build one you can do it: look at krb5 or Heimdal (the Samba 4 Kerberos implementation is based on the latter). P.S. Oops, David beat me! ;) P.P.S. For best results, be sure the time of the server is in sync with the clients. |
Ok Matteo, but quality takes more time, and I might need this stuff soon, so thanks to you and Niki for the discussion -- heimdal looks good.
|
I haven't tried this myself, but would this help?
https://www.archlinux.org/packages/extra/i686/kinit/ You can access the sources and build your own packages for either x86 or x86_64. |
As far as I can tell, the next logical step would be to do a bit of RTFM on Kerberos, since I know nothing at all about this subject. Any good docs to recommend? Caveats?
|
http://www.h5l.org/manual/heimdal-1-.../info/heimdal/
Also, suggested on the Heimdal homepage: http://shop.oreilly.com/product/9780596004033.do |
The Samba 4 documentation is a bit of a treasure hunt. There's a fairly incomplete wiki on the official Samba site, and then some bits of information scattered all over the Internet. Right now I guess I have two more general questions.
1. At the moment I'm using the NFS/NIS couple for setting up central authentication and roaming user profiles in networks with a Slackware server and 100 % Slackware client desktops. I've been using this solution since around 2010 in several networks here. It's robust and never gives me any trouble, though it's not exactly "industrial grade". Can I do the same thing with Samba 4?
2. The main reason I'm investigating Samba 4 is the possibility of setting up central authentication and roaming user profiles for mixed networks, e.g. networks composed of Slackware desktop clients and Windows 7 clients. Again, I wonder if this is possible (without jumping through burning loops).
Are there any good books (paper) on this subject? I wonder how it is that such a central piece of software is so poorly documented. |
From the Samba Wiki!
Quote:
Enjoy |
Quote:
The problem you may face, as you probably already know, is that Slackware as provided with its full install is not ready for joining Active Directory domains: you need some stuff that just isn't in it (PAM, LDAP, Kerberos, etc.) and maintaining it outside of the tree can be done but may also be painful. IMHO, either you've got a lot of time to dedicate to it (but from what I read in some of your previous posts, you don't), or the only viable solution is to switch to another kind of Linux client to use with AD. Quote:
|
Quote:
You can't expect an OS that hasn't changed since about 1994 to simply work in a modern environment. I admire your enthusiasm in deploying Slackware commercially, but something tells me that once you have to set up an industrial grade network with several hundred users on several locations you'll face a tough choice: abandon Slackware or fork it. The Slackware upstream doesn't seem to care about your use case anyway. Cheers |
Quote:
I like the definition the Slackware maintainer himself gives of his distribution, in another thread in this forum: "Slackware is [...] intended to be Linux for anyone that appreciates the traditional UNIX-like ways of doing things, isn't afraid of the command line, wants the supplied packages to be as unmodified as possible, and likes to be able to expand the system through source code without tossing a wrench into the package manager." As far as I'm concerned, there's only one thing dearly missing: PAM. Currently I'm burying my nose in the LFS/BLFS documentation to learn about this animal. All the other things (Postfix, Dovecot, ...) I can easily add. So yes, Slackware is some sort of lesser evil to me, which I've actually grown quite fond of, even if some things make me want to pull my hair out.
Edit: let's take a short look at the alternatives.
1. CentOS. Starting with 7.0 it only comes in 64-bit, which is a showstopper, since I have to deal with a lot of existing 32-bit hardware. I loved CentOS 5.x though and used it almost exclusively for a few years.
2. Debian. This would be my second choice, and I know it very well. What I don't like about Debian is its support cycle (too short) and its Taliban-like community here in France.
3. openSUSE. I actually like openSUSE on the desktop. Unfortunately they cut down the support cycle to 18 months, and I don't know what to think of the Evergreen project. Plus, it's not very good on old hardware.
4. Ubuntu. The LTS releases are OK as far as support time is concerned, but I've recently been bitten by Ubuntu. Too many bugs under the hood, too many unexplainable weird dysfunctions. No sense for the fine details.
5. Gentoo. I like Gentoo, I even used it for some time back in 2002 when it was an adventure. But you can only really use it on powerful hardware, otherwise you go insane.
6. FreeBSD. I'd love to use it, but it supports less hardware than Linux, which is a showstopper for me.
Conclusion: Slackware it is. |
Light up the loops :D
Cheers |
Quote:
Slackware is a company. The distribution is not community driven. Cheers |