[Klug-general] Samba....

Peter Childs pchilds at bcs.org
Fri Apr 29 19:18:46 UTC 2011


On 29 April 2011 19:52, David Halliday <david.halliday at gmail.com> wrote:
> Using my method you get pam to point to AD and let it manage everything for
> you. This results in the box acting like any other client machine on an AD
> network but still providing all the functionality (services and
> applications) of a Linux box.
> Unless you need more domain servers to handle authentication requests then I
> wouldn't worry to implement that part of Samba.

I don't disagree. The only reason for getting Samba to do the
authentication is if you don't have an AD but loads of Windows clients
who would like one.

Peter

> Some interesting reading for heterogeneous networking is this book
> (published by O'Reilly) Linux in a Windows World:
> Book page: http://oreilly.com/catalog/9780596007584
> Commons (Free Online
> Reading): http://commons.oreilly.com/wiki/index.php/Linux_in_a_Windows_World
> This book was a big launchpad for me in the Linux/MS world. Some of it is
> out of date (but some reading of documentation can bring you back up to
> speed) but it gives a good overview of things. I do have a print copy
> somewhere but I can't seem to find it in my shelf at this moment in time. If
> you or anyone else is interested in (and will use) this book then I can have
> a hunt for it. Since it is only gathering dust I'm happy to give it to a
> good home.
>
> On 29 April 2011 19:42, Peter Childs <PChilds at bcs.org.uk> wrote:
>>
>> On 29 April 2011 18:52, David Halliday <david.halliday at gmail.com> wrote:
>> > I did (a few years ago when still in Rochester) spend quite some time
>> > working with samba and authentication.
>> > I wanted to achieve a number of goals:
>> >
>> > Users access an FTP, SSH and other services on a Linux server using AD
>> > usernames/passwords.
>> > Users authenticate to Linux workstations using their AD credentials.
>> >
>> > Since I wanted to provide a number (and provide many more) services to
>> > users I found that the solution was to configure pam (which is one of
>> > the main central authentication engines) to allow authentication against
>> > the AD server. This might be overkill or it might prove to be the simple
>> > solution to all your problems, but once you get one service working
>> > through pam, you can have any other authenticating against the same
>> > method.
>> > My notes are here: http://david-halliday.co.uk/?Linux:AD_Authentication
>> > They are a little old but reference a more in-depth guide. I recently
>> > helped implement a similar configuration (within the past 6 months on a
>> > CentOS installation) at work and little had changed.
>> > The most important thing to check (and maintain) is that the Linux box
>> > and the Microsoft server that it is authenticating against have the same
>> > time. Where possible make them sync against the same server regularly
>> > (or one against the other) as the time being out (and it doesn't have to
>> > be much) can be a confusing hurdle.
>> >
>> > For anyone who is interested in playing with authentication, pam is
>> > interesting as it is modular and you can fairly quickly build and
>> > implement your own methods including authentication against something
>> > like a MySQL server database if you particularly wanted.
>> >
>> > I have not used any of the purpose built NAS on a CD distros (but many
>> > look good).
>> > We use CentOS at work and they seem good, I have used CentOS in other
>> > places too. CentOS looked good a few years ago as Red Hat (from which
>> > it's derived) was the "solid business choice" and many proprietary
>> > applications that were targeted at businesses were predominantly tested
>> > (and supported) on Red Hat, so having a Red Hat based distribution makes
>> > life easier there.
>> > I have wanted to use Debian in production servers but have always been
>> > outvoted by people who have a Red Hat background.
>> > With the rise of Ubuntu and now Ubuntu Server... Things could shift in
>> > support/consensus.
>> >
>> >
>> > On 28 April 2011 12:38, Peter Childs <pchilds at bcs.org> wrote:
>> >>
>> >> Samba need good book, any ideas.....
>> >>
>> >> Peter.
>> >>
>> >> On 26 April 2011 20:07, Laurence Southon <laurence at southon.uk.net> wrote:
>> >> > On 26/04/11 18:27, Peter Childs wrote:
>> >> >> I've been asked to set up a File Server for a network of Windows
>> >> >> based machines, so I'm guessing Samba here..... I guess I need to
>> >> >> set up Samba to run as a Windows PDC to sort out security and get
>> >> >> all the Windows XP Pro (I think that's what they have) to join the
>> >> >> "Network" unless I can get the Samba server to look like AD, but
>> >> >> I'm not sure how to go about this... They want passwords and some
>> >> >> "Security" over the files on the file server.....
>> >> >>
>> >> > You can have username:passwd security without a PDC, and unless the
>> >> > workstations definitely are XP Pro they won't be able to join a
>> >> > domain.
>> >> >
>> >> > It's a lot of work to set up the domain and then join each machine to
>> >> > it. Personally I would avoid it, and another downside is that by
>> >> > default Samba will use roaming profiles which will likely lead to
>> >> > trouble in the long run. You can disable that but it's yet another
>> >> > setting to get dead right.
>> >> >
>> >> >> While doing a bit of reading up on doing this I worked out it should
>> >> >> be possible to use Samba to do shared home directories on Linux and
>> >> >> it should work *better* than NFS.
>> >> >
>> >> > Yes, homes are easy to set up in Samba. Be careful where you place
>> >> > them, and consider user quotas to stop disc usage getting out of
>> >> > control.
>> >> >>
>> >> >> Also can I join the WINS bit of the SMB to my DNS and not have so
>> >> >> much duplication of service.
>> >> > Samba will become a WINS server, just put 'wins support = yes' in the
>> >> > [global] part of smb.conf. Job done.
>> >> >
>> >> > Samba is a leviathan, there are literally hundreds of possible
>> >> > settings, any of which can trip you up. Good place to start is the
>> >> > official documentation:
>> >> >
>> >> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/
>> >> >
>> >> > Feel free to fire questions, but a couple of tips on things that are
>> >> > guaranteed to drive you up the wall at some point:
>> >> >
>> >> > You can grant whatever permissions you like in Samba, but if the
>> >> > appropriate Unix permissions are not in place, then they won't work,
>> >> > and you won't know why.
>> >> >
>> >> > Some config changes in Samba take effect straightaway, others require
>> >> > a Windows logon/logoff or even reboot to take effect, so always worth
>> >> > trying that before giving up.
>> >> >
>> >> >
>>
>>
>> Interesting. I'll have to do some playing, and see what I can get working.
>>
>> I've used most of the building blocks before but not together....
>>
>> From what I can see so far,
>>
>> Samba can be used with LDAP and Kerberos to emulate an AD but you can't
>> mix it with Windows AD servers.
>>
>> I can't stand LDAP, I've always found it a beast and can't find a good
>> tool to administrate it correctly.
>>
>> You still need to keep multiple databases in sync, i.e. Kerberos, LDAP and
>> I guess your file permissions too.
>>
>> Peter.
>>
>> _______________________________________________
>> Kent mailing list
>> Kent at mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/kent
>
>
>
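
Added example, not part of the original thread: the tip quoted above, that permissions granted in Samba silently fail when the Unix permissions underneath do not allow the access, can be checked by evaluating the mode bits along the share path for a given uid and group list. The directory layout, the uids and the `unix_access` helper are constructed for illustration; POSIX ACLs, root and Samba's `force user` are not modelled.

```python
import os
import stat
import tempfile

BITS = {"r": 4, "w": 2, "x": 1}

def mode_allows(st, uid, gids, want):
    """Classic owner/group/other check; `want` is a subset of 'rwx'."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    need = sum(BITS[c] for c in set(want))
    return (st.st_mode >> shift) & need == need

def unix_access(base, relpath, uid, gids, want):
    """Walk base/relpath; return (allowed, first_blocking_path).
    Each directory on the way needs 'x'; the target needs `want`
    (plus 'x' when the target is itself a directory)."""
    parts = [p for p in relpath.split("/") if p]
    current = base
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.stat(current)
        if i < len(parts) - 1:
            need = "x"
        else:
            need = want + ("x" if stat.S_ISDIR(st.st_mode) else "")
        if not mode_allows(st, uid, gids, need):
            return False, current
    return True, None

def demo():
    """Constructed layout: share/ is 0750, share/report.txt is 0664."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "share")
    os.mkdir(share)
    doc = os.path.join(share, "report.txt")
    open(doc, "w").close()
    os.chmod(doc, 0o664)
    os.chmod(share, 0o750)
    st = os.stat(share)
    owner, group, other = st.st_uid, st.st_gid, st.st_uid + 1  # `other` is a hypothetical uid
    return {
        "owner edits file": unix_access(base, "share/report.txt", owner, [group], "w"),
        "group member edits file": unix_access(base, "share/report.txt", other, [group], "w"),
        "group member creates file": unix_access(base, "share", other, [group], "w"),
        "outsider reads file": unix_access(base, "share/report.txt", other, [group + 1], "r"),
    }, share

if __name__ == "__main__":
    for name, (ok, blocker) in demo()[0].items():
        print(f"{name}: {'allowed' if ok else 'denied at ' + blocker}")
```

The "group member creates file" case is the one that usually surprises: the share can be marked writable in smb.conf, yet a 0750 directory still refuses new files from anyone but its owner.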


