[Klug-general] Samba....

David Halliday david.halliday at gmail.com
Fri Apr 29 19:02:34 UTC 2011


Using my method you get pam to point to AD and let it manage everything for
you. This results in the box acting like any other client machine on an AD
network but still providing all the functionality (services and
applications) of a Linux box.

Unless you need more domain servers to handle authentication requests, I
wouldn't worry about implementing that part of Samba.

Some interesting reading for heterogeneous networking is this book
(published by O'Reilly), Linux in a Windows World:
Book page: http://oreilly.com/catalog/9780596007584
Commons (Free Online Reading):
http://commons.oreilly.com/wiki/index.php/Linux_in_a_Windows_World

This
book was a big launchpad for me in the Linux/MS world. Some of it is out of
date (but some reading of documentation can bring you back up to speed) but
it gives a good overview of things. I do have a print copy somewhere but I
can't seem to find it in my shelf at this moment in time. If you
or anyone else is interested in (and will use) this book then I can have a
hunt for it. Since it is only gathering dust I'm happy to give it to a good
home.

On 29 April 2011 19:42, Peter Childs <PChilds at bcs.org.uk> wrote:

> On 29 April 2011 18:52, David Halliday <david.halliday at gmail.com> wrote:
> > I did (a few years ago when still in Rochester) spend quite some time
> > working with samba and authentication.
> > I wanted to achieve a number of goals:
> >
> > Users access a FTP, SSH and other services on a Linux server using AD
> > usernames/passwords.
> > Users authenticate to Linux workstations using their AD credentials.
> >
> > Since I wanted to provide a number (and provide many more) services to users
> > I found that the solution was to configure pam (which is one of the main
> > central authentication engines) to allow authentication against the AD
> > server. This might be overkill or it might prove to be the simple solution
> > to all your problems, but once you get one service working through pam, you
> > can have any other authenticating against the same method.
> > My notes are here: http://david-halliday.co.uk/?Linux:AD_Authentication
> > They are a little old but reference a more in depth guide. I recently helped
> > implement a similar configuration (within the past 6 months on a
> > CentOS installation) at work and little had changed.
> > The most important thing to check (and maintain) is that the Linux box and
> > the Microsoft server that it is authenticating against have the same time.
> > Where possible make them sync against the same server regularly (or
> > one against the other) as the time being out (and it doesn't have to be
> > much) can be a confusing hurdle.
> >
> > For anyone who is interested in playing with authentication pam is
> > interesting as it is modular and you can fairly quickly build and implement
> > your own methods including authentication against something like a MySQL
> > server database if you particularly wanted.
> >
> > I have not used any of the purpose built NAS on a CD distros (but many look
> > good).
> > We use CentOS at work and they seem good, I have used CentOS in other
> > places too.  CentOS looked good a few years ago as Red Hat (from which it's
> > derived) was the "solid business choice" and many proprietary applications
> > that were targeted at businesses were predominantly tested (and supported)
> > on Red Hat, so having a Red Hat based distribution makes life easier there.
> > I have wanted to use Debian in production servers but have always been
> > outvoted by people who have a Red Hat background.
> > With the rise of Ubuntu and now Ubuntu Server... Things could shift in
> > support/consensus.
> >
> >
> > On 28 April 2011 12:38, Peter Childs <pchilds at bcs.org> wrote:
> >>
> >> Samba need good book, any ideas.....
> >>
> >> Peter.
> >>
> >> On 26 April 2011 20:07, Laurence Southon <laurence at southon.uk.net> wrote:
> >> > On 26/04/11 18:27, Peter Childs wrote:
> >> >> I've been asked to set up a File Server for a network of windows based
> >> >> machines, So I'm guessing Samba here..... I guess I need to set up
> >> >> Samba to run as a Windows PDC to sort out security and get all the
> >> >> Windows XP Pro (I think that's what they have) to join the "Network"
> >> >> Unless I can get the Samba server look like AD, but I'm not sure how
> >> >> to go about this... They want passwords and some "Security" over the
> >> >> files on the file server.....
> >> >>
> >> > You can have username:passwd security without a PDC, and unless the
> >> > workstations definitely are XP Pro they won't be able to join a domain.
> >> >
> >> > It's a lot of work to set up the domain and then join each machine to
> >> > it. Personally I would avoid it, and another downside is that by default
> >> > Samba will use roaming profiles which will likely lead to trouble in the
> >> > long run. You can disable that but it's yet another setting to get dead
> >> > right.
> >> >
> >> >> While doing a bit of reading up on doing this I worked out it should
> >> >> be possible to use Samba to do shared home directories on Linux and it
> >> >> should work *better* than NFS.
> >> >
> >> > Yes, homes are easy to set up in Samba. Be careful where you place them,
> >> > and consider user quotas to stop disc usage getting out of control.
> >> >>
> >> >> Also can I join the Wins bit of the SMB to my DNS and not have so much
> >> >> duplication of service.
> >> > Samba will become a WINS server, just put 'wins support = yes' in the
> >> > [global] part of smb.conf. Job done.
> >> >
> >> > Samba is a leviathan, there are literally hundreds of possible settings,
> >> > any of which can trip you up. Good place to start is the official
> >> > documentation:
> >> >
> >> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/
> >> >
> >> > Feel free to fire questions, but a couple of tips on things that are
> >> > guaranteed to drive you up the wall at some point:
> >> >
> >> > You can grant whatever permissions you like in Samba, but if the
> >> > appropriate Unix permissions are not in place, then they won't work, and
> >> > you won't know why.
> >> >
> >> > Some config changes in Samba take effect straightaway, others require a
> >> > Windows logon/logoff or even reboot to take effect, so always worth
> >> > trying that before giving up.
> >> >
>
>
> Interesting. I'll have to do some playing, and see what I can get working.
>
> I've used most of the building blocks before but not together....
>
> From what I can see so far,
>
> Samba can be used with LDAP and Kerberos to emulate an AD but you can't
> mix it with Windows AD servers.
>
> I can't stand LDAP I've always found it a beast and can't find a good
> tool to administrate it correctly.
>
> You still need to keep multiple databases in sync ie Kerberos, LDAP and
> I guess your file permissions too.
>
> Peter.
>
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/kent
>
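
The tip quoted above, that permissions granted in Samba do nothing unless the Unix permissions underneath also allow the access, shown as an added example that is not part of the original thread. The share name `projects`, the user `alice`, the uid/gid values and the simplified smb.conf parsing with `configparser` are all assumptions made for illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed smb.conf fragment for illustration; {path} is filled in by demo().
SMB_CONF = """
[global]
wins support = yes

[projects]
path = {path}
read only = no
valid users = alice bob
"""

def samba_allows_write(conf_text, share, user):
    """Share-level check only: looks at 'valid users' and 'read only'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[share]
    users = sec.get("valid users", "").split()
    writable = sec.get("read only", "yes").strip().lower() in ("no", "false", "0")
    return writable and (not users or user in users)

def unix_allows_write(path, uid, gids):
    """Classic owner/group/other check for creating files in a directory.
    Ignores root, POSIX ACLs and Samba options such as 'force user'."""
    st = os.stat(path)
    if uid == st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need

def demo():
    """Returns (samba_ok, effective_before, effective_after) for 'alice'."""
    with tempfile.TemporaryDirectory() as d:
        conf = SMB_CONF.format(path=d)
        st = os.stat(d)
        uid = st.st_uid + 1                  # hypothetical alice: not the owner
        os.chmod(d, 0o755)                   # others may read, not write
        samba_ok = samba_allows_write(conf, "projects", "alice")
        before = samba_ok and unix_allows_write(d, uid, [st.st_gid + 1])
        os.chmod(d, 0o775)                   # group write, alice added to group
        after = samba_ok and unix_allows_write(d, uid, [st.st_gid])
        return samba_ok, before, after
```

With the directory at mode 755 the share looks writable in smb.conf but the effective answer is no; only once the group bits and group membership line up does the write go through.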