Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
Craig White wrote: > On Wed, 2010-02-10 at 09:50 -0500, Ross Walker wrote: >> On Feb 10, 2010, at 8:11 AM, Chan Chung Hang Christopher >> > > wrote: >> If you have hundreds or thousands of users and hundreds of groups, well good luck. It is extremely hard to automate assigning these uids/ gids and making sure they don't collide with each other or other unix systems and doing it by hand is a torture reserved for the ninth circle of hell. If only nss_ldap had a SID->UID/GID mapping like samba has. >>> How about winbind with a ldap backend? winbind creates the uids/gids >>> and >>> the rest just run nss_ldap? >>> >>> I currently use an ldap directory to store the rids but I don't >>> remember >>> if they have been translated to uids/gids or whether the winbind >>> modules >>> do that... >> I don't know either, but if they do, that would work. >> >> Can samba update uid/gidNumbers of existing LDAP directory CNs? >> >> I still like the RID mapping, but if samba can write back uidNumbers >> based on RID map generated uids that would solve the problem. > > In essence, samba knows nothing about writing anything to LDAP but > normally people would install smbldap-tools (not part of samba) to > provide a toolset to write to LDAP. Impossible. winbind certainly knows all about writing to LDAP otherwise it won't be a backend database for rid maps and especially for maintaining the same rids across boxes (okay, this got solved at a higher level and thus an ldap backend is not needed for maintaining identical rids across boxes) and I cannot imagine how that would be accomplished without knowing anything about writing to ldap. > > If smbldap-tools doesn't do what you want, modify it. > ??? What's that? ??? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Wed, 2010-02-10 at 09:50 -0500, Ross Walker wrote: > On Feb 10, 2010, at 8:11 AM, Chan Chung Hang Christopher > > wrote: > > > > >> If you have hundreds or thousands of users and hundreds of groups, > >> well good luck. It is extremely hard to automate assigning these > >> uids/ > >> gids and making sure they don't collide with each other or other unix > >> systems and doing it by hand is a torture reserved for the ninth > >> circle of hell. > >> > >> If only nss_ldap had a SID->UID/GID mapping like samba has. > >> > > > > How about winbind with a ldap backend? winbind creates the uids/gids > > and > > the rest just run nss_ldap? > > > > I currently use an ldap directory to store the rids but I don't > > remember > > if they have been translated to uids/gids or whether the winbind > > modules > > do that... > > I don't know either, but if they do, that would work. > > Can samba update uid/gidNumbers of existing LDAP directory CNs? > > I still like the RID mapping, but if samba can write back uidNumbers > based on RID map generated uids that would solve the problem. In essence, samba knows nothing about writing anything to LDAP but normally people would install smbldap-tools (not part of samba) to provide a toolset to write to LDAP. If smbldap-tools doesn't do what you want, modify it. Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Feb 10, 2010, at 8:11 AM, Chan Chung Hang Christopher wrote: > >> If you have hundreds or thousands of users and hundreds of groups, >> well good luck. It is extremely hard to automate assigning these >> uids/ >> gids and making sure they don't collide with each other or other unix >> systems and doing it by hand is a torture reserved for the ninth >> circle of hell. >> >> If only nss_ldap had a SID->UID/GID mapping like samba has. >> > > How about winbind with a ldap backend? winbind creates the uids/gids > and > the rest just run nss_ldap? > > I currently use an ldap directory to store the rids but I don't > remember > if they have been translated to uids/gids or whether the winbind > modules > do that... I don't know either, but if they do, that would work. Can samba update uid/gidNumbers of existing LDAP directory CNs? I still like the RID mapping, but if samba can write back uidNumbers based on RID map generated uids that would solve the problem. -Ross ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
> If you have hundreds or thousands of users and hundreds of groups, > well good luck. It is extremely hard to automate assigning these uids/ > gids and making sure they don't collide with each other or other unix > systems and doing it by hand is a torture reserved for the ninth > circle of hell. > > If only nss_ldap had a SID->UID/GID mapping like samba has. > How about winbind with a ldap backend? winbind creates the uids/gids and the rest just run nss_ldap? I currently use an ldap directory to store the rids but I don't remember if they have been translated to uids/gids or whether the winbind modules do that... ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Feb 9, 2010, at 6:27 PM, Dan Burkland wrote: > From: centos-boun...@centos.org [centos-boun...@centos.org] On > Behalf Of Ross Walker [rswwal...@gmail.com] > Sent: Tuesday, February 09, 2010 4:08 PM > To: CentOS mailing list > Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD > (Server 2008r2) > > On Tue, Feb 9, 2010 at 3:23 PM, Joseph L. Casale > wrote: >>> That RID map feature of samba is great. >> >> Forgot about that, AFAIK, you can do that w/ SFU & pam mods. >> >> I have two Samba servers left that I want to get rid of:) > > You can do it with SFU, but SFU doesn't create UID/GIDs for existing > users, you have to do those manually. > > Then there is the whole issue of maintaining those IDs over a long > period of time. > > Also with RID mapping I can map different domains into different ID > ranges. > > 10 - 19 first domain > 20 - 29 second domain > > And so on. > > You know you don't need the full Samba install to setup a winbind->NIS > server, just the Samba client will do. > > Then have your Linux boxes using NIS+Kerberos and only 1-2 boxes needs > have a smb.conf and winbind running. > > NIS is only as secure as the network it runs on. If it bumps against > public networks (unsecure wifi so on) use 802.11 authentication. > > -Ross > ___ > > For anybody wanting to know how to go the LDAP Route I found an > interesting article in the linux.com archives > http://www.linux.com/archive/feed/40983 > > Thanks again guys for your input. If it works for you great. If you have hundreds or thousands of users and hundreds of groups, well good luck. It is extremely hard to automate assigning these uids/ gids and making sure they don't collide with each other or other unix systems and doing it by hand is a torture reserved for the ninth circle of hell. If only nss_ldap had a SID->UID/GID mapping like samba has. -Ross ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
From: centos-boun...@centos.org [centos-boun...@centos.org] On Behalf Of Ross Walker [rswwal...@gmail.com] Sent: Tuesday, February 09, 2010 4:08 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2) On Tue, Feb 9, 2010 at 3:23 PM, Joseph L. Casale wrote: >>That RID map feature of samba is great. > > Forgot about that, AFAIK, you can do that w/ SFU & pam mods. > > I have two Samba servers left that I want to get rid of:) You can do it with SFU, but SFU doesn't create UID/GIDs for existing users, you have to do those manually. Then there is the whole issue of maintaining those IDs over a long period of time. Also with RID mapping I can map different domains into different ID ranges. 10 - 19 first domain 20 - 29 second domain And so on. You know you don't need the full Samba install to setup a winbind->NIS server, just the Samba client will do. Then have your Linux boxes using NIS+Kerberos and only 1-2 boxes needs have a smb.conf and winbind running. NIS is only as secure as the network it runs on. If it bumps against public networks (unsecure wifi so on) use 802.11 authentication. -Ross ___ For anybody wanting to know how to go the LDAP Route I found an interesting article in the linux.com archives http://www.linux.com/archive/feed/40983 Thanks again guys for your input. Dan ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Tue, Feb 9, 2010 at 3:23 PM, Joseph L. Casale wrote: >>That RID map feature of samba is great. > > Forgot about that, AFAIK, you can do that w/ SFU & pam mods. > > I have two Samba servers left that I want to get rid of:) You can do it with SFU, but SFU doesn't create UID/GIDs for existing users, you have to do those manually. Then there is the whole issue of maintaining those IDs over a long period of time. Also with RID mapping I can map different domains into different ID ranges. 10 - 19 first domain 20 - 29 second domain And so on. You know you don't need the full Samba install to setup a winbind->NIS server, just the Samba client will do. Then have your Linux boxes using NIS+Kerberos and only 1-2 boxes needs have a smb.conf and winbind running. NIS is only as secure as the network it runs on. If it bumps against public networks (unsecure wifi so on) use 802.11 authentication. -Ross ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
>That RID map feature of samba is great. Forgot about that, AFAIK, you can do that w/ SFU & pam mods. I have two Samba servers left that I want to get rid of:) ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Sun, Feb 7, 2010 at 8:29 PM, Christopher Chan wrote: > >>> Take my advice: >>> yum erase samba == uber happiness >>> >>> Get ldap working, no interop issues with the old samba version in rhel and >>> newer ms servers. Plus you will be using something forward compatible that >>> a txt edit could likely fix in the event something drastic changed in the >>> schema and search filters for example had to change. >> >> +1 >> >> We've been using nss_ldap against AD for years. It's never a problem. >> >> >> Version 3.4.5 of Samba did end up resolving the issue I was having and now >> AD users can login to the box. I am however interested in going the LDAP >> route mainly for the forward compatability reason stated by Jeff. Is there >> anything special I need to do on the DC for the LDAP authentication to work? >> > > Do we lose kerberos security if one switches from samba + winbind to ldap? No, but you'll have to generate UIDs and GIDs for all AD users and groups That is the one thing that has stopped me from using AD LDAP for user/group management. You could use winbind to create a NIS map (sans passwords) and have Linux/Mac clients authenticate with NIS+Kerberos. That RID map feature of samba is great. -Ross ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
>> Take my advice: >> yum erase samba == uber happiness >> >> Get ldap working, no interop issues with the old samba version in rhel and >> newer ms servers. Plus you will be using something forward compatible that >> a txt edit could likely fix in the event something drastic changed in the >> schema and search filters for example had to change. > > +1 > > We've been using nss_ldap against AD for years. It's never a problem. > > Jeff > ___ > > Version 3.4.5 of Samba did end up resolving the issue I was having and now AD > users can login to the box. I am however interested in going the LDAP route > mainly for the forward compatability reason stated by Jeff. Is there anything > special I need to do on the DC for the LDAP authentication to work? > Do we lose kerberos security if one switches from samba + winbind to ldap? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
From: centos-boun...@centos.org [centos-boun...@centos.org] On Behalf Of Jeff [jlar...@gmail.com] Sent: Sunday, February 07, 2010 9:20 AM To: CentOS mailing list Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2) On Fri, Feb 5, 2010 at 6:25 PM, Joseph L. Casale wrote: >>Wbinfo -u & wbinfo -g do indeed work for me however getent passwd or getent >>group returns no AD users or groups. I have winbind entries in nsswitch for >>both the passwd & >group entries. Josepeh, I will try a newer RPM from a >>different repository and see if that resolves my issues. Did my smb.conf look >>ok? > > getent doesn't need to return data for this to work, just wbinfo. > It's likely the issue I spoke of, aside from the winbind entries > in smb.conf that allow local logon. > > Take my advice: > yum erase samba == uber happiness > > Get ldap working, no interop issues with the old samba version in rhel and > newer ms servers. Plus you will be using something forward compatible that > a txt edit could likely fix in the event something drastic changed in the > schema and search filters for example had to change. +1 We've been using nss_ldap against AD for years. It's never a problem. Jeff ___ Version 3.4.5 of Samba did end up resolving the issue I was having and now AD users can login to the box. I am however interested in going the LDAP route mainly for the forward compatability reason stated by Jeff. Is there anything special I need to do on the DC for the LDAP authentication to work? Thanks, Dan ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Fri, Feb 5, 2010 at 6:25 PM, Joseph L. Casale wrote: >>Wbinfo -u & wbinfo -g do indeed work for me however getent passwd or getent >>group returns no AD users or groups. I have winbind entries in nsswitch for >>both the passwd & >group entries. Josepeh, I will try a newer RPM from a >>different repository and see if that resolves my issues. Did my smb.conf look >>ok? > > getent doesn't need to return data for this to work, just wbinfo. > It's likely the issue I spoke of, aside from the winbind entries > in smb.conf that allow local logon. > > Take my advice: > yum erase samba == uber happiness > > Get ldap working, no interop issues with the old samba version in rhel and > newer ms servers. Plus you will be using something forward compatible that > a txt edit could likely fix in the event something drastic changed in the > schema and search filters for example had to change. +1 We've been using nss_ldap against AD for years. It's never a problem. Jeff ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
Am Freitag, den 05.02.2010, 14:38 +0100 schrieb Dan Burkland: > > Wbinfo -u & wbinfo -g do indeed work for me however getent passwd or > getent group returns no AD users or groups. I have winbind entries in > nsswitch for both the passwd & group entries. Josepeh, I will try a > newer RPM from a different repository and see if that resolves my > issues. Did my smb.conf look ok? > > Thanks again guys, > > Dan Why don't you try the way i proposed it automatically sets up smb.conf, krb5.conf, pam and nss correctly. And its the way the upstream vendor itended to use. Chris financial.com AG Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany Management board/Vorstand: Dr. Steffen Boehnert | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender) Register court/Handelsregister: Munich – HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
>Wbinfo -u & wbinfo -g do indeed work for me however getent passwd or getent >group returns no AD users or groups. I have winbind entries in nsswitch for >both the passwd & >group entries. Josepeh, I will try a newer RPM from a >different repository and see if that resolves my issues. Did my smb.conf look >ok? getent doesn't need to return data for this to work, just wbinfo. It's likely the issue I spoke of, aside from the winbind entries in smb.conf that allow local logon. Take my advice: yum erase samba == uber happiness Get ldap working, no interop issues with the old samba version in rhel and newer ms servers. Plus you will be using something forward compatible that a txt edit could likely fix in the event something drastic changed in the schema and search filters for example had to change. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
> Wbinfo -u & wbinfo -g do indeed work for me however getent passwd or getent > group returns no AD users or groups. I have winbind entries in nsswitch for > both the passwd & group entries. Josepeh, I will try a newer RPM from a > different repository and see if that resolves my issues. Did my smb.conf look > ok? > It did...which is why I asked whether wbinfo -u/g worked... ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
> -Original Message- > From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On > Behalf Of Christopher Chan > Sent: Thursday, February 04, 2010 10:59 PM > To: centos@centos.org > Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server > 2008r2) > > > On Friday, February 05, 2010 12:45 PM, Dan Burkland wrote: > > I am indeed using winbind. While I am not new to CentOS I am a greenhorn > when it comes to Winbind. What log is considered the main Winbind log? > (perhaps /var/log/samba/winbind.log?) Also. I have posted my smb.conf on > pastebin: http://centos.pastebin.com/f5b4406a7 > > > > Does either 'wbinfo -u' or 'wbinfo -g' work for you? > > If they do, do you have entries in nsswitch.conf for winbind? > > >> Hey All, > >> > >> Just wondering if any of you have been able to setup CentOS 5.4 to > authenticate against AD on a Server 2008r2 Domain Controller. I am trying > to complete this particular setup however I have run into some > difficulties such as not being able to lookup domain users via getent > passwd. > >> > > > > > > Are you using winbind? What do the logs for winbind say? > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos Wbinfo -u & wbinfo -g do indeed work for me however getent passwd or getent group returns no AD users or groups. I have winbind entries in nsswitch for both the passwd & group entries. Josepeh, I will try a newer RPM from a different repository and see if that resolves my issues. Did my smb.conf look ok? Thanks again guys, Dan ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
>Just wondering if any of you have been able to setup CentOS 5.4 to authenticate >against AD on a Server 2008r2 Domain Controller. I am trying to complete this >particular setup however I have run into some difficulties such as not being >able >to lookup domain users via getent passwd. W2k8r2 introduced some changes over w2k3 that make the need for a newer Samba a must iirc when I did this. Otherwise you can lower the security requirements on the w2k8r2 server. FWIW, I don't like Samba and would suggest using ldap:) ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
Am Freitag, den 05.02.2010, 05:20 +0100 schrieb Dan Burkland: > Hey All, > > Just wondering if any of you have been able to setup CentOS 5.4 to > authenticate against AD on a Server 2008r2 Domain Controller. I am trying to > complete this particular setup however I have run into some difficulties such > as not being able to lookup domain users via getent passwd. > > Thanks for your input, > > Dan You can find a documentation how to do that here: http://wiki.centos.org/TipsAndTricks/WinbindADS Chris financial.com AG Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany Management board/Vorstand: Dr. Steffen Boehnert | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender) Register court/Handelsregister: Munich – HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Friday, February 05, 2010 12:45 PM, Dan Burkland wrote: > I am indeed using winbind. While I am not new to CentOS I am a greenhorn when > it comes to Winbind. What log is considered the main Winbind log? (perhaps > /var/log/samba/winbind.log?) Also. I have posted my smb.conf on pastebin: > http://centos.pastebin.com/f5b4406a7 > Does either 'wbinfo -u' or 'wbinfo -g' work for you? If they do, do you have entries in nsswitch.conf for winbind? >> Hey All, >> >> Just wondering if any of you have been able to setup CentOS 5.4 to >> authenticate against AD on a Server 2008r2 Domain Controller. I am trying to >> complete this particular setup however I have run into some difficulties >> such as not being able to lookup domain users via getent passwd. >> > > > Are you using winbind? What do the logs for winbind say? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
I am indeed using winbind. While I am not new to CentOS I am a greenhorn when it comes to Winbind. What log is considered the main Winbind log? (perhaps /var/log/samba/winbind.log?) Also. I have posted my smb.conf on pastebin: http://centos.pastebin.com/f5b4406a7 Thanks again for your help, Dan From: centos-boun...@centos.org [centos-boun...@centos.org] On Behalf Of Christopher Chan [christopher.c...@bradbury.edu.hk] Sent: Thursday, February 04, 2010 10:30 PM To: centos@centos.org Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2) On Friday, February 05, 2010 12:20 PM, Dan Burkland wrote: > Hey All, > > Just wondering if any of you have been able to setup CentOS 5.4 to > authenticate against AD on a Server 2008r2 Domain Controller. I am trying to > complete this particular setup however I have run into some difficulties such > as not being able to lookup domain users via getent passwd. > Are you using winbind? What do the logs for winbind say? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Friday, February 05, 2010 12:20 PM, Dan Burkland wrote: > Hey All, > > Just wondering if any of you have been able to setup CentOS 5.4 to > authenticate against AD on a Server 2008r2 Domain Controller. I am trying to > complete this particular setup however I have run into some difficulties such > as not being able to lookup domain users via getent passwd. > Are you using winbind? What do the logs for winbind say? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
Hey All, Just wondering if any of you have been able to setup CentOS 5.4 to authenticate against AD on a Server 2008r2 Domain Controller. I am trying to complete this particular setup however I have run into some difficulties such as not being able to lookup domain users via getent passwd. Thanks for your input, Dan ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
