
Re: [Samba] RHEL7/CentOS7 with Samba AD

Pretty much the same (CentOS7), including using sssd to join linux domain
members, as I don't have many and it was easier for me to understand (and
find documentation for) than winbind at the time.

As noted, the key to it is either building Samba4 from sources, or finding
somebody to do it for us (Thanks to the Tranquil.IT team) -- in both cases,
using Heimdal instead of MIT Kerberos.

And lastly, the Wing repo is down permanently.  I found a note from the
site maintainer that he was discontinuing it a while back (it's in Japanese
and the link is in the archives somewhere).

Kris Lou
klou@xxxxxxxxxxxxxxxx

On Thu, Dec 6, 2018 at 11:35 AM Vincent S. Cojot via samba <
samba@xxxxxxxxxxxxxxx> wrote:

>
> Hi All,
>
> I know RHEL has bad press here but I'd like to share a different opinion
> (works for me) and maybe share some of my settings.
> BTW, those views are my own, not those of my employer.
>
> I run a small AD at home. The setup is as follows:
> - two AD DCs (RHEL7.6 KVM virtual machines + Samba 4.8.7 rpms based on
> SPECs from TranquilIT/Fedora).
> - several Win10 laptops joined to the domain.
> - several RHEL7.6 clients/Machines running 'realmd' and joined to the
> domain. The AD users can log into those machines and their Linux account
> gets mapped appropriately.
>
> I set policies from a Win10 VM using RSAT and since there is a lot of
> literature on the excellent Samba wiki and on the net, this wasn't too
> difficult for the Win* noob in me.
>
> It's been running great so far but because I'm rebuilding the rpms myself
> and actually using 'realmd' I feel a little like I am in uncharted
> territory. At least, the RHEL7 part is familiar to me. :)
>
> First, I needed to make a few changes to the client Linux systems:
> a slightly modified krb5 client config and a custom sssd config once they
> were joined ('realm join ...') to the AD domain.
>
> The most important part was that the RHEL7 hosts wouldn't be heavily
> modified, except for the two AD DCs which run a custom build of Samba, of
> course.
>
> For sssd, I used the following (customized file):
> ------------------------------------------------------
> [sssd]
> domains = ad.lasthome.solace.krynn
> config_file_version = 2
> services = nss, pam, pac
>
> [domain/ad.lasthome.solace.krynn]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> ad_gpo_access_control = disabled
> override_gid = 100
>
> ad_domain = ad.lasthome.solace.krynn
> krb5_realm = AD.LASTHOME.SOLACE.KRYNN
> realmd_tags = manages-system joined-with-samba
>
> #
> cache_credentials = True
> krb5_store_password_if_offline = True
> ldap_id_mapping = False
> use_fully_qualified_names = False
> default_shell = /bin/bash
> fallback_homedir = /export/home/%u@%d
> ldap_referrals = False
> ignore_group_members = True
>
> [nss]
>
> [pam]
> ------------------------------------------------------
>
> For realmd, it was only a matter of following the documentation, which
> resulted in
> # realm join --automatic-id-mapping=no ad.lasthome.solace.krynn -U
> administrator
> [...]
> # realm list
> ad.lasthome.solace.krynn
>    type: kerberos
>    realm-name: AD.LASTHOME.SOLACE.KRYNN
>    domain-name: ad.lasthome.solace.krynn
>    configured: kerberos-member
>    server-software: active-directory
>    client-software: sssd
>    required-package: oddjob
>    required-package: oddjob-mkhomedir
>    required-package: sssd
>    required-package: adcli
>    required-package: samba-common-tools
>    login-formats: %U
>    login-policy: allow-realm-logins
>
> So, IMHO RHEL7/CentOS7 does just fine in a Samba AD/DC setup either as
> clients or DCs. I still have a few details to work out (how to move the
> Samba servers from local auth to AD auth, etc. mostly because it's not
> my area of expertise) but it's been working fine for me so far.
>
> The only area of concern on el7 is to find a -reliable- Samba RPM builder
> for el7. So far, I've tried:
>
> - TranquilIT - https://dev.tranquil.it/wiki/Samba4
> Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
> source rpms unless you complain a lot.
>
> - http://azzurro.ezplanet.net : Seems pretty much out of updates
>
> - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> pull down rpms from them for months.
>
> Any non-inflammatory comments are welcome! :)
>
> Vincent
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
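An added check, not from either poster, that audits an sssd.conf like the one quoted above for the settings that affect who can log in and what is cached on the host; the input is a constructed copy of that config, and the audit_sssd_conf function name is my own.

```python
import configparser
from io import StringIO

# Constructed sample mirroring the quoted sssd.conf; not a real file.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ad.lasthome.solace.krynn
config_file_version = 2
services = nss, pam, pac

[domain/ad.lasthome.solace.krynn]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_gpo_access_control = disabled
cache_credentials = True
krb5_store_password_if_offline = True
ldap_id_mapping = False
fallback_homedir = /export/home/%u@%d
"""

def audit_sssd_conf(text):
    """Return {domain: [finding, ...]} for each domain listed in [sssd]."""
    # interpolation=None: sssd values such as %u@%d are not Python templates
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(StringIO(text))
    report = {}
    for dom in cfg.get("sssd", "domains", fallback="").split(","):
        dom, sect = dom.strip(), "domain/" + dom.strip()
        if not dom or not cfg.has_section(sect):
            continue
        opt = lambda k, d="": cfg.get(sect, k, fallback=d).strip().lower()
        notes = []
        # sssd's default access_provider is "permit": anyone AD resolves may log in
        if opt("access_provider", "permit") != "ad":
            notes.append("access_provider is not 'ad': AD cannot restrict who may log in")
        elif opt("ad_gpo_access_control") == "disabled":
            notes.append("ad_gpo_access_control=disabled: GPO logon rights are not enforced")
        if opt("cache_credentials") == "true":
            notes.append("cache_credentials=True: password hashes kept on disk for offline login")
        if opt("krb5_store_password_if_offline") == "true":
            notes.append("krb5_store_password_if_offline=True: sssd holds the password in memory while offline")
        if opt("ldap_id_mapping") == "false":
            notes.append("ldap_id_mapping=False: users without uidNumber/gidNumber in AD will not resolve")
        report[dom] = notes
    return report

if __name__ == "__main__":
    for dom, notes in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(dom)
        for n in notes:
            print("  -", n)
```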