Re: [Samba] Linux SSO with samba4?

2012-07-19 Thread steve

On 19/07/12 10:58, Quinn Plattel wrote:

> Hi Steve,
>
> No, I haven't given up yet but right now I am trying the Ubuntu
> SingleSignOn way without samba4.  I know it doesn't apply to samba4 but
> you should be able to use the client setup parts against samba4.
> I took a break from samba4 yesterday to clear my head.  I'll get back to
> samba4 when I finished playing with the Ubuntu SSO howto.


Hi Quinn

Yeah, I know the feeling.

Whilst windows clients work out of the box, it's a pity that it is such 
a struggle to join a Linux client. Having said that, with the right 
scripts it can be made into a point and click affair a la m$.


Cheers and good luck with the Ubuntu notes,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Linux SSO with samba4?

2012-07-19 Thread Quinn Plattel
Hi Steve,

No, I haven't given up yet but right now I am trying the Ubuntu
SingleSignOn way without samba4.  I know it doesn't apply to samba4 but you
should be able to use the client setup parts against samba4.
I took a break from samba4 yesterday to clear my head.  I'll get back to
samba4 when I finished playing with the Ubuntu SSO howto.

br,
Quinn

On Wed, Jul 18, 2012 at 2:59 PM, steve  wrote:

> On 12/07/12 13:22, Quinn Plattel wrote:
>
>> https://help.ubuntu.com/community/SingleSignOn
>
> I'm afraid it doesn't apply to S4. I don't think you can have S4 LDAP and
> openldap going at the same time unless during the brief time you are doing
> a domain upgrade from NT.
>
> Maybe others know a way. . .
>
> C'mon. Do it:)
> Cheers,
> Steve



-- 
Best regards/Med venlig hilsen,
Quinn Plattel


Re: [Samba] Linux SSO with samba4?

2012-07-18 Thread Sven Geggus
Quinn Plattel  wrote:

> I think it is great that samba4 has a single sign on solution for Windows
> platforms and it seems to work well too, but I am wondering is it possible
> to do the same for a Linux environment?

I have a working single sign on solution running using Active
Directory, nslcd and pam-krb5, I don't see a reason why this should
not work using samba4 as well.

> On a windows client, you can login as a user through active directory even
> though that user is not defined locally on the client.  Can you do the same
> in a Linux environment?

Yepp. pam_ccreds and pam_mkhomedir are your friends.

http://wiki.debian.org/LDAP/PAM

Sven

-- 
"Every time you use Google, you're using a Linux machine"
 (Chris DiBona, a programs manager for Google)

/me is giggls@ircnet, http://sven.gegg.us/ on the Web


Re: [Samba] Linux SSO with samba4?

2012-07-18 Thread steve

On 12/07/12 13:22, Quinn Plattel wrote:


> https://help.ubuntu.com/community/SingleSignOn


I'm afraid it doesn't apply to S4. I don't think you can have S4 LDAP 
and openldap going at the same time unless during the brief time you are 
doing a domain upgrade from NT.


Maybe others know a way. . .

C'mon. Do it:)
Cheers,
Steve


Re: [Samba] Linux SSO with samba4?

2012-07-18 Thread mourik jan c heupink



http://linuxcostablanca.blogspot.com.es/p/samba-4.html

Interesting reading. Thanks.


Re: [Samba] Linux SSO with samba4?

2012-07-18 Thread steve

On 17/07/12 23:49, mourik jan heupink wrote:

> What blog would that be..?
>
> On 07/17/2012 08:20 PM, steve wrote:
>
>> Offlist or via our blog if you like.

http://linuxcostablanca.blogspot.com.es/p/samba-4.html


Re: [Samba] Linux SSO with samba4?

2012-07-17 Thread mourik jan heupink
What blog would that be..?

On 07/17/2012 08:20 PM, steve wrote:
> Offlist or via our blog if you like.



Re: [Samba] Linux SSO with samba4?

2012-07-17 Thread Bernd Markgraf
Hi Quinn,

here's a short summary of what I did to make Linux use S4's LDAP/Kerberos.
I'm running Oracle Enterprise Linux on our boxes, so I'm not sure how
different that is from Ubuntu. I tried Suse before but that was quite a
pain. 
OEL asks where user accounts come from when the setup runs after
installation. I entered all information about the LDAP bits there as
well as the Kerberos server, realm and so forth.
At this point this setup does not yet work. I then used the samba3 bits
from OEL to join the client to the S4 domain. This creates the service
principals for the client on the DC. Once the client has joined the
domain I used 'net ads keytab create' to dump the client's keytab from
the DC into a file. This keytab enables the use of kerberized
authentication. Last thing to do is to set passwd, group and shadow to
use ldap in /etc/nsswitch.conf.
After that everything is in place and ready for use. I had no need to
utilize anything not provided by OEL. Packages of interest are nss_ldap,
openldap and openldap-clients (names most likely differ on Ubuntu).

Prerequisite for this setup is the proper LDAP schema (rfc2307) to
include all the Unix related information. I don't think I had to modify
the default mapping on the clients. 

Again - I don't know much about Ubuntu. But I would guess as an end
user/desktop oriented distribution things might be a little harder. 
I could provide the config files with the LDAP/Kerberos client settings.

Hope that helps,
  Bernd
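
As an added example (not from Bernd's post or from the Samba project): a small shell check for the last two steps he describes, confirming that passwd, group and shadow list ldap in nsswitch.conf and that the dumped keytab is not readable by group or other. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-setup checks for an LDAP/Kerberos client.
# Paths are arguments so the checks can be run against copies of the files.

# Print each of passwd/group/shadow whose nsswitch.conf line lacks "ldap".
nss_missing_ldap() {
    conf=$1
    for db in passwd group shadow; do
        # Strip comments, then look for the exact source name "ldap".
        awk -v db="$db" '
            { sub(/#.*/, "") }
            $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
            END { exit (found ? 0 : 1) }
        ' "$conf" || printf '%s\n' "$db"
    done
}

# Return 0 only if the keytab exists and grants nothing to group or other.
# The keytab holds the host's long-term Kerberos keys.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$kt" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Demonstration on constructed sample files (not taken from the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:  files ldap
group:   files ldap   # central groups
shadow:  files
hosts:   files dns
EOF
    : > "$tmp/krb5.keytab"
    chmod 644 "$tmp/krb5.keytab"
    echo "databases without ldap: $(nss_missing_ldap "$tmp/nsswitch.conf" | tr '\n' ' ')"
    keytab_is_private "$tmp/krb5.keytab" || echo "keytab is readable by group or other"
    rm -rf "$tmp"
}
demo
```

On a real client the functions would be pointed at /etc/nsswitch.conf and at wherever the keytab was written; /etc/krb5.keytab is the usual default location and is an assumption here, since the post does not name the file.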



Re: [Samba] Linux SSO with samba4?

2012-07-17 Thread steve

On 17/07/12 15:04, Quinn Plattel wrote:

> Hi all,
>
> I'm about to give up on this Ubuntu SSO setup - I haven't been able to get any
> solution to work so far.  I have looked through Bernd's notes, Steve's
> notes, and the Ubuntu Community SSO.  I think it is because most of the
> howto's are old and may not work with a Ubuntu 12.04/samba4 + Ubuntu 12.04
> client setup.


Hi Quinn

The Samba doco describes SSO as the holy grail for admins (sic)

S4 caters for Windows out of the box. To get it to talk to Linux clients 
on the same terms takes a little longer. We have a 12.4-SSO 
Ubuntu-xp-7-setup working. I know how you feel. It took us the best part 
of 6 months to get it going with s4. When you do, you can set up an 
Ubuntu client in a matter of minutes and wonder what all the fuss was 
about. So don't give up, you are almost there. You are making all the 
right noises, especially with nslcd/nss-ldapd. We work with limited 
resources but are more than willing to help those go down the same road. 
Offlist or via our blog if you like.


Cheers,
Steve


Re: [Samba] Linux SSO with samba4?

2012-07-17 Thread Quinn Plattel
Hi all,

I'm about to give up on this Ubuntu SSO setup - I haven't been able to get any
solution to work so far.  I have looked through Bernd's notes, Steve's
notes, and the Ubuntu Community SSO.  I think it is because most of the
howto's are old and may not work with a Ubuntu 12.04/samba4 + Ubuntu 12.04
client setup.  I can only get the windows SSO to work with samba4 which is
quite easy compared to getting a Linux SSO to work at all.  I feel I am so
close to getting it to work after understanding how kerberos works.  I
think I'll try a dns/kerberos server/openldap sso setup via Ubuntu
Community SSO without samba4 and see if I can get that to work.

Thanks for all the help so far.

br,
Quinn


On Thu, Jul 12, 2012 at 1:22 PM, Quinn Plattel  wrote:

> Hi,
>
> I think it is great that samba4 has a single sign on solution for Windows
> platforms and it seems to work well too, but I am wondering is it possible
> to do the same for a Linux environment?  I have been studying how to
> implement single sign on using the Ubuntu way through this document:
> https://help.ubuntu.com/community/SingleSignOn and I am wondering if I
> can do the same with samba4 where the samba4 just replaces openldap and the
> kerberos server components.
>
> On a windows client, you can login as a user through active directory even
> though that user is not defined locally on the client.  Can you do the same
> in a Linux environment?  I have done some testing and the results so far
> look as if it is not quite there yet.  For example, if I ssh to a machine
> using kerberos credentials, I cannot ssh to it without having a local account
> defined on that machine.  Does a kerberos/ldap solution solve that kind of
> problem?
>
> br,
> Quinn
>



-- 
Best regards/Med venlig hilsen,
Quinn Plattel


Re: [Samba] Linux SSO with samba4?

2012-07-13 Thread Andrew Bartlett
On Thu, 2012-07-12 at 13:22 +0200, Quinn Plattel wrote:
> Hi,
> 
> I think it is great that samba4 has a single sign on solution for Windows
> platforms and it seems to work well too, but I am wondering is it possible
> to do the same for a Linux environment?  I have been studying how to
> implement single sign on using the Ubuntu way through this document:
> https://help.ubuntu.com/community/SingleSignOn and I am wondering if I can
> do the same with samba4 where the samba4 just replaces openldap and the
> kerberos server components.
> 
> On a windows client, you can login as a user through active directory even
> though that user is not defined locally on the client.  Can you do the same
> in a Linux environment?  I have done some testing and the results so far
> look as if it is not quite there yet.  For example, if I ssh to a machine
> using kerberos credentials, I cannot ssh to it without having a local account
> defined on that machine.  Does a kerberos/ldap solution solve that kind of
> problem?

We recommend and support joining Samba as a domain member to Samba4 for
these situations.

This will handle doing a login with kerberos, including a local kerberos
ticket etc, providing the account via nss and everything else.  The
server can be Samba4 or Microsoft's AD.

You may be interested in idmap_ad as an IDMAP module on the clients. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Linux SSO with samba4?

2012-07-13 Thread steve

On 13/07/12 14:20, Quinn Plattel wrote:

> Does this mean that nslcd must be configured for kerberos on both
> the client and the server side?



Yes. nss-ldapd/nslcd must be running at both client and server ends.

To save time, we made a usb memory stick with a script to copy the 
keytab, nslcd.conf and nsswitch.conf for new Linux clients.


Cheers,
Steve


Re: [Samba] Linux SSO with samba4?

2012-07-13 Thread Bernd Markgraf
On Fri, 2012-07-13 at 14:40 +0200, Quinn Plattel wrote:
> Hi Bernd,
> 
> I looked through your solaris sso setup and I noticed that you use
> autofs for auto-mounting /home.  Will this not give problems with
> mobile platforms when they don't have access to their home
> directories?
It sure would, but since there are no mobile devices running a Unix
flavour around here, I'm ok with that. For the Windows notebooks - they
keep a cached copy of the profile (unfortunately). All data are to be
kept on site, at least that's the plan ;-)

 Bernd



Re: [Samba] Linux SSO with samba4?

2012-07-13 Thread Quinn Plattel
Hi Bernd,

I looked through your solaris sso setup and I noticed that you use autofs
for auto-mounting /home.  Will this not give problems with mobile platforms
when they don't have access to their home directories?
There is some interesting info on SSO and cached credentials here:
https://help.ubuntu.com/community/SingleSignOn

br,
Quinn

On Thu, Jul 12, 2012 at 1:46 PM, Bernd Markgraf
wrote:

> Hi,
>
> I am running such a setup for over 2 years now. Samba4 acting as AD for
> the Windows Clients and LDAP/Kerberos for Linux and Solaris clients. All
> users are stored centrally and no local users on the clients.
> I'd have to dig for more information on the setup though, as it's been a
> while since I implemented it.
>
> http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401
> has my notes on setting up the Solaris clients. Linux was mostly similar
> enough with further information on several other sites.
>
> HTH,
>   Bernd
>
>


Re: [Samba] Linux SSO with samba4?

2012-07-13 Thread Quinn Plattel
Hi Steve,

I have looked through your Ubuntu SSO howto and there seems to be a bit of
confusion when it comes to the nslcd service.  According to Ubuntu's
official SSO howto at https://help.ubuntu.com/community/SingleSignOn , one
configures nslcd for kerberos on the client side, but according to your
howto, nslcd is configured on the kerberos server side.  Also, you
mentioned how to configure nslcd on the client side on this mailing list.
Does this mean that nslcd must be configured for kerberos on both the
client and the server side?

br,
Quinn

On Thu, Jul 12, 2012 at 5:33 PM, steve  wrote:

> On 12/07/12 17:07, Quinn Plattel wrote:
>
>> yes, i found your windows/linux setup via google earlier, but the setup
>> was based on OpenSuse which made it a little difficult in some areas
>> when it comes to Ubuntu - particularly the nfs server setup section.
>>
>> But thanks for the info! :-)
>>
>
> There's an Ubuntu howto on the same site which includes the NFS.
> http://linuxcostablanca.blogspot.com.es/2012/01/samba-4-ubuntu.html
> Cheers,
> Steve
>



-- 
Best regards/Med venlig hilsen,
Quinn Plattel


Re: [Samba] Linux SSO with samba4?

2012-07-12 Thread steve

On 12/07/12 17:07, Quinn Plattel wrote:

> yes, i found your windows/linux setup via google earlier, but the setup
> was based on OpenSuse which made it a little difficult in some areas
> when it comes to Ubuntu - particularly the nfs server setup section.
>
> But thanks for the info! :-)


There's an Ubuntu howto on the same site which includes the NFS.
http://linuxcostablanca.blogspot.com.es/2012/01/samba-4-ubuntu.html
Cheers,
Steve


Re: [Samba] Linux SSO with samba4?

2012-07-12 Thread Quinn Plattel
yes, i found your windows/linux setup via google earlier, but the setup was
based on OpenSuse which made it a little difficult in some areas when it
comes to Ubuntu - particularly the nfs server setup section.

But thanks for the info! :-)

br,
Quinn

On Thu, Jul 12, 2012 at 2:23 PM, steve  wrote:

> On 12/07/12 14:05, Quinn Plattel wrote:
>
>>> while since I implemented it.
>>>
>>> http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401
>>> has my notes on setting up the Solaris clients. Linux was mostly similar
>>> enough with further information on several other sites.
>>>
>>> HTH,
>>>   Bernd
>>>
>
> Hi Quinn, Bernd, everyone
>
> We converted that same method into Linux.
>
> A Linux-windows SSO solution using S4. We called it s4bind. The details
> are here:
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
> HTH
> Steve



-- 
Best regards/Med venlig hilsen,
Quinn Plattel


Re: [Samba] Linux SSO with samba4?

2012-07-12 Thread steve

On 12/07/12 14:05, Quinn Plattel wrote:


>> while since I implemented it.
>>
>> http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401
>> has my notes on setting up the Solaris clients. Linux was mostly similar
>> enough with further information on several other sites.
>>
>> HTH,
>>    Bernd




Hi Quinn, Bernd, everyone

We converted that same method into Linux.

A Linux-windows SSO solution using S4. We called it s4bind. The details 
are here:

http://linuxcostablanca.blogspot.com.es/p/s4bind.html
HTH
Steve


Re: [Samba] Linux SSO with samba4?

2012-07-12 Thread Quinn Plattel
That sounds great!  I think the Ubuntu SSO will work too but I am still
trying to implement it - I have run into some hiccups such as nslcd
complaining about "Client not found in Kerberos database" but I think it is
because samba4 is running in a multi-homed environment and someone on the
Kerberos mailing list said that KDC's don't like multi-homed environments -
I don't know if that is also the case with samba4 kerberos but I am testing
that theory by running a new samba4 machine with only one netcard in it.

I look forward to your Linux implementation notes.

br,
Quinn

On Thu, Jul 12, 2012 at 1:46 PM, Bernd Markgraf
wrote:

> Hi,
>
> I am running such a setup for over 2 years now. Samba4 acting as AD for
> the Windows Clients and LDAP/Kerberos for Linux and Solaris clients. All
> users are stored centrally and no local users on the clients.
> I'd have to dig for more information on the setup though, as it's been a
> while since I implemented it.
>
> http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401
> has my notes on setting up the Solaris clients. Linux was mostly similar
> enough with further information on several other sites.
>
> HTH,
>   Bernd
>
>


Re: [Samba] Linux SSO with samba4?

2012-07-12 Thread Bernd Markgraf
Hi,

I am running such a setup for over 2 years now. Samba4 acting as AD for
the Windows Clients and LDAP/Kerberos for Linux and Solaris clients. All
users are stored centrally and no local users on the clients.
I'd have to dig for more information on the setup though, as it's been a
while since I implemented it.
http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401
has my notes on setting up the Solaris clients. Linux was mostly similar
enough with further information on several other sites.

HTH,
  Bernd



[Samba] Linux SSO with samba4?

2012-07-12 Thread Quinn Plattel
Hi,

I think it is great that samba4 has a single sign on solution for Windows
platforms and it seems to work well too, but I am wondering is it possible
to do the same for a Linux environment?  I have been studying how to
implement single sign on using the Ubuntu way through this document:
https://help.ubuntu.com/community/SingleSignOn and I am wondering if I can
do the same with samba4 where the samba4 just replaces openldap and the
kerberos server components.

On a windows client, you can login as a user through active directory even
though that user is not defined locally on the client.  Can you do the same
in a Linux environment?  I have done some testing and the results so far
look as if it is not quite there yet.  For example, if I ssh to a machine
using kerberos credentials, I cannot ssh to it without having a local account
defined on that machine.  Does a kerberos/ldap solution solve that kind of
problem?

br,
Quinn