02-05-2010, 11:39 AM
"Joseph L. Casale"

CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

>Just wondering if any of you have been able to setup CentOS 5.4 to authenticate
>against AD on a Server 2008r2 Domain Controller. I am trying to complete this
>particular setup however I have run into some difficulties such as not being able
>to lookup domain users via getent passwd.

W2k8r2 introduced some changes over w2k3 that make the need for a newer Samba a must
iirc when I did this. Otherwise you can lower the security requirements on the w2k8r2
server.

FWIW, I don't like Samba and would suggest using ldap
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
02-07-2010, 02:20 PM
Jeff

CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

On Fri, Feb 5, 2010 at 6:25 PM, Joseph L. Casale
<jcasale@activenetwerx.com> wrote:
>> Wbinfo -u & wbinfo -g do indeed work for me; however, getent passwd or getent
>> group returns no AD users or groups. I have winbind entries in nsswitch for
>> both the passwd & group entries. Joseph, I will try a newer RPM from a
>> different repository and see if that resolves my issues. Did my smb.conf look ok?
>
> getent doesn't need to return data for this to work, just wbinfo.
> It's likely the issue I spoke of, aside from the winbind entries
> in smb.conf that allow local logon.
>
> Take my advice:
> yum erase samba == uber happiness
>
> Get ldap working, no interop issues with the old samba version in rhel and
> newer ms servers. Plus you will be using something forward compatible that
> a txt edit could likely fix in the event something drastic changed in the
> schema and search filters for example had to change.

+1

We've been using nss_ldap against AD for years. It's never a problem.

Jeff
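The symptom in the exchange above, wbinfo -u and wbinfo -g listing accounts while getent passwd and getent group show none, has a configuration side that can be checked mechanically: wbinfo talks to winbindd directly, whereas getent goes through libnss_winbind, which only runs if nsswitch.conf names it for that database. The block below is an added example, not code from the thread or from Samba. It parses nsswitch(5)-style text and reports the passwd/group entries that would keep winbind out of the lookup path, or would put it ahead of local files. Both nsswitch.conf samples inside it are constructed.

```python
"""Check nsswitch.conf for the winbind entries getent needs.

Added example, not code from the thread. Parses nsswitch(5)-style text and
reports anything that would stop `getent passwd` / `getent group` from
listing AD accounts even though `wbinfo -u` / `wbinfo -g` work. The two
sample files below are constructed for the example.
"""

# Constructed: passwd and group consult files first, then winbind.
GOOD_NSSWITCH = """\
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
"""

# Constructed: winbind missing from passwd, and ahead of files for group.
BAD_NSSWITCH = """\
passwd:     files
shadow:     files
group:      winbind files
hosts:      files dns
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}; comments and [ACTION] tokens are dropped."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        dbs[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def winbind_problems(text, databases=("passwd", "group")):
    """List reasons getent would not return AD users/groups; [] means none found."""
    dbs = parse_nsswitch(text)
    problems = []
    for db in databases:
        sources = dbs.get(db, [])
        if "winbind" not in sources:
            problems.append("%s: winbind not listed, getent %s skips AD accounts" % (db, db))
            continue
        if "files" not in sources:
            problems.append("%s: files missing, local accounts depend on winbindd" % db)
        elif sources.index("winbind") < sources.index("files"):
            # Local accounts (root included) should resolve without asking AD.
            problems.append("%s: winbind listed before files" % db)
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_NSSWITCH), ("bad", BAD_NSSWITCH)):
        print(label, winbind_problems(text) or "ok")
```

A clean result from this check only rules out the nsswitch half of the problem; the winbind library still has to be installed and winbindd running, and, as the thread goes on to show, an older Samba can fail against a 2008 R2 domain controller regardless of how nsswitch.conf is written.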
 
02-09-2010, 06:19 PM
Ross Walker

CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

On Sun, Feb 7, 2010 at 8:29 PM, Christopher Chan
<christopher.chan@bradbury.edu.hk> wrote:
>
>>> Take my advice:
>>> yum erase samba == uber happiness
>>>
>>> Get ldap working, no interop issues with the old samba version in rhel and
>>> newer ms servers. Plus you will be using something forward compatible that
>>> a txt edit could likely fix in the event something drastic changed in the
>>> schema and search filters for example had to change.
>>
>> +1
>>
>> We've been using nss_ldap against AD for years. It's never a problem.
>>
>>
>> Version 3.4.5 of Samba did end up resolving the issue I was having and now AD
>> users can log in to the box. I am however interested in going the LDAP route,
>> mainly for the forward compatibility reason stated by Jeff. Is there anything
>> special I need to do on the DC for the LDAP authentication to work?
>>
>
> Do we lose kerberos security if one switches from samba + winbind to ldap?

No, but you'll have to generate UIDs and GIDs for all AD users and groups....

That is the one thing that has stopped me from using AD LDAP for
user/group management.

You could use winbind to create a NIS map (sans passwords) and have
Linux/Mac clients authenticate with NIS+Kerberos.

That RID map feature of samba is great.

-Ross
 
02-09-2010, 09:08 PM
Ross Walker

CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

On Tue, Feb 9, 2010 at 3:23 PM, Joseph L. Casale
<jcasale@activenetwerx.com> wrote:
>>That RID map feature of samba is great.
>
> Forgot about that, AFAIK, you can do that w/ SFU & pam mods.
>
> I have two Samba servers left that I want to get rid of

You can do it with SFU, but SFU doesn't create UID/GIDs for existing
users, you have to do those manually.

Then there is the whole issue of maintaining those IDs over a long
period of time.

Also with RID mapping I can map different domains into different ID ranges.

100000 - 199999 first domain
200000 - 299999 second domain

And so on.

You know you don't need the full Samba install to setup a winbind->NIS
server, just the Samba client will do.

Then have your Linux boxes using NIS+Kerberos and only 1-2 boxes need to
have an smb.conf and winbind running.

NIS is only as secure as the network it runs on. If it bumps against
public networks (unsecured wifi and so on) use 802.11 authentication.

-Ross
 
02-10-2010, 12:09 AM
Ross Walker

CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

On Feb 9, 2010, at 6:27 PM, Dan Burkland <dburklan@NMDP.ORG> wrote:

> [Ross Walker's message of 02-09-2010, 09:08 PM quoted in full; snipped, see above]
> For anybody wanting to know how to go the LDAP Route I found an
> interesting article in the linux.com archives
> http://www.linux.com/archive/feed/40983
>
> Thanks again guys for your input.

If it works for you great.

If you have hundreds or thousands of users and hundreds of groups,
well good luck. It is extremely hard to automate assigning these
uids/gids and making sure they don't collide with each other or other
unix systems and doing it by hand is a torture reserved for the ninth
circle of hell.

If only nss_ldap had a SID->UID/GID mapping like samba has.

-Ross

 
02-10-2010, 01:50 PM
Ross Walker

CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

On Feb 10, 2010, at 8:11 AM, Chan Chung Hang Christopher <christopher.chan@bradbury.edu.hk> wrote:

>
>> If you have hundreds or thousands of users and hundreds of groups,
>> well good luck. It is extremely hard to automate assigning these
>> uids/gids and making sure they don't collide with each other or other
>> unix systems and doing it by hand is a torture reserved for the ninth
>> circle of hell.
>>
>> If only nss_ldap had a SID->UID/GID mapping like samba has.
>>
>
> How about winbind with a ldap backend? winbind creates the uids/gids
> and the rest just run nss_ldap?
>
> I currently use an ldap directory to store the rids but I don't
> remember if they have been translated to uids/gids or whether the
> winbind modules do that...

I don't know either, but if they do, that would work.

Can samba update uid/gidNumbers of existing LDAP directory CNs?

I still like the RID mapping, but if samba can write back uidNumbers
based on RID map generated uids that would solve the problem.

-Ross

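The RID arithmetic Ross describes earlier in the thread (one ID range per domain, 100000-199999 for the first domain and 200000-299999 for the second) and the write-back he asks about here (setting uidNumber/gidNumber on the directory objects so nss_ldap can read them) fit together in one small tool. The block below is an added example, not code from the thread, from Samba, or from any of the posters. It reproduces the idmap_rid arithmetic id = range_low + RID, refuses RIDs that would overflow their domain's range, refuses configurations whose ranges overlap, checks each result against IDs already used by a host's local accounts (the cross-system collision Ross worries about), and emits LDIF modify entries for uidNumber or gidNumber. The domain SIDs, DNs, account names and the passwd sample are all constructed for the example; applying the LDIF (for instance with ldapmodify against a DC whose schema carries the SFU/RFC2307 attributes) is left to the reader.

```python
"""idmap_rid-style SID -> UID/GID mapping with per-domain ranges and LDIF write-back.

Added example (not from the thread, not Samba's code). id = range_low + RID,
as Samba's idmap_rid backend computes it, for the two ranges described in
the thread; RIDs that overflow a range and IDs already used locally are
reported instead of written. Domain SIDs, DNs and the passwd sample below
are constructed for the example.
"""
import re

DOMAIN_RANGES = {  # constructed domain SIDs -> (low, high); ranges as in the thread
    "S-1-5-21-1111111111-2222222222-3333333333": (100000, 199999),  # first domain
    "S-1-5-21-4444444444-5555555555-6666666666": (200000, 299999),  # second domain
}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    return m.group(1), int(m.group(2))


def sid_to_id(sid, ranges=DOMAIN_RANGES):
    """idmap_rid arithmetic: id = low + RID; anything above high is refused."""
    domain, rid = split_sid(sid)
    if domain not in ranges:
        raise KeyError("no ID range configured for domain %s" % domain)
    low, high = ranges[domain]
    if low + rid > high:
        raise ValueError("RID %d overflows range %d-%d" % (rid, low, high))
    return low + rid


def id_to_sid(num, ranges=DOMAIN_RANGES):
    """Reverse mapping: find the range containing num and recover the SID."""
    for domain, (low, high) in ranges.items():
        if low <= num <= high:
            return "%s-%d" % (domain, num - low)
    raise KeyError("%d is outside every configured range" % num)


def check_ranges(ranges=DOMAIN_RANGES):
    """Refuse configurations whose domain ranges overlap."""
    spans = sorted(ranges.values())
    for (l1, h1), (l2, h2) in zip(spans, spans[1:]):
        if l2 <= h1:
            raise ValueError("ranges %d-%d and %d-%d overlap" % (l1, h1, l2, h2))
    return True


def local_ids(passwd_text):
    """Collect numeric uids from passwd(5)-format text (e.g. a host's /etc/passwd)."""
    ids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids.add(int(fields[2]))
    return ids


def plan_ldif(accounts, used_ids, ranges=DOMAIN_RANGES):
    """Return (ldif_text, problems) for (dn, objectSid, 'user'|'group') tuples.

    Collisions and unmappable SIDs are reported in `problems`, never written.
    """
    check_ranges(ranges)
    entries, problems, seen = [], [], {}
    for dn, sid, kind in accounts:
        try:
            num = sid_to_id(sid, ranges)
        except (KeyError, ValueError) as exc:
            problems.append("%s: %s" % (dn, exc))
            continue
        if num in used_ids:
            problems.append("%s: id %d already used by a local account" % (dn, num))
            continue
        if num in seen:  # RIDs are unique per domain, so this means duplicate input
            problems.append("%s: id %d already planned for %s" % (dn, num, seen[num]))
            continue
        seen[num] = dn
        attr = "uidNumber" if kind == "user" else "gidNumber"
        entries.append("dn: %s\nchangetype: modify\nreplace: %s\n%s: %d\n" % (dn, attr, attr, num))
    return "\n".join(entries), problems


# Constructed sample input: a local account that happens to sit on 100513
# (first domain + RID 513, Domain Users), and one RID too large for its range.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\njdoe:x:100513:100513:J Doe:/home/jdoe:/bin/bash\n"
SAMPLE_ACCOUNTS = [
    ("CN=Domain Users,CN=Users,DC=first,DC=example", "S-1-5-21-1111111111-2222222222-3333333333-513", "group"),
    ("CN=Alice,CN=Users,DC=first,DC=example", "S-1-5-21-1111111111-2222222222-3333333333-1105", "user"),
    ("CN=Bob,CN=Users,DC=second,DC=example", "S-1-5-21-4444444444-5555555555-6666666666-1105", "user"),
    ("CN=Huge,CN=Users,DC=second,DC=example", "S-1-5-21-4444444444-5555555555-6666666666-150000", "user"),
]

if __name__ == "__main__":
    ldif, problems = plan_ldif(SAMPLE_ACCOUNTS, local_ids(SAMPLE_PASSWD))
    print(ldif)
    for p in problems:
        print("SKIPPED", p)
```

Users and groups draw from the same RID space within a domain, which is what makes the mapping stable and collision-free inside one range without any stored state; the only bookkeeping left is the one the thread keeps returning to, namely making sure the chosen ranges do not overlap each other or the ID ranges already in use on existing Unix hosts, which is why the planner refuses to write a number that a local passwd entry already holds.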
 
