[opensuse] Samba4 doubt

older
[opensuse] Don't totally rely on...

Amaury Viera Hernández

14 May 2015 14 May '15

18:54

Good afternoon: I work at the University of Computer Sciences in Cuba and I am currently doing an application for adding my computer to an Active Directory Domain Controller using realmd and sssd. This works fine for me. Besides, I need to share file and folders for specific users in the Active Directory Domain Controller of my organization. This could be accomplished using samba4. Could you help me to setup samba4 to share files and folders for specific users in the Active Directory Domain Controller of my organization. Thanks in advance. Best Regards, Amaury. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Show replies by date

buhorojo

15 May 15 May

12:39

...

Good afternoon: I work at the University of Computer Sciences in Cuba and I am currently doing an application for adding my computer to an Active Directory Domain Controller using realmd and sssd. This works fine for me. Besides, I need to share file and folders for specific users in the Active Directory Domain Controller of my organization. This could be accomplished using samba4. Could you help me to setup samba4 to share files and folders for specific users in the Active Directory Domain Controller of my organization. Thanks in advance. Best Regards, Amaury. Hi That's what we used to do at school but you'll get no help from opensuse as they don't understand Kerberos (who does!) or have blocked it or something. Ubuntu have a package but here, you have to compile it and

On 14/05/15 20:54, Amaury Viera Hernández wrote: the latest version has regressions so it's not worth the hassle. Not my words. My teacher set it up. She still gets loadsa hits. http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html If you want something that just works, use google. If you're a school (or university I think) you get unlimited storage, they help you set it up and it's a great argument to get faster Internet for your school:) HTH -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Andrei Borzenkov

12:47

On Fri, May 15, 2015 at 3:39 PM, buhorojo wrote:

...

...
That's what we used to do at school but you'll get no help from opensuse as they don't understand Kerberos

I wonder who are "they" you are talking about. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

buhorojo

17:30

On 15/05/15 14:47, Andrei Borzenkov wrote:

...

On Fri, May 15, 2015 at 3:39 PM, buhorojo wrote:

...
...
That's what we used to do at school but you'll get no help from opensuse as they don't understand Kerberos I wonder who are "they" you are talking about. suse I think. They'll never have an ad dc. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Adam Tauno Williams

17 May 17 May

12:47

On Fri, 2015-05-15 at 19:30 +0200, buhorojo wrote:

...

On 15/05/15 14:47, Andrei Borzenkov wrote:

...
On Fri, May 15, 2015 at 3:39 PM, buhorojo wrote:

...
...
That's what we used to do at school but you'll get no help from opensuse as they don't understand Kerberos I wonder who are "they" you are talking about. suse I think. They'll never have an ad dc.

You just install a Samba 4 package and configure it as a DC. That's it. How to do that is distribution agnostic. -- Adam Tauno Williams mailto:awilliam@whitemice.org GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

13:46

New subject: [opensuse] Samba4 and AD [Was: Samba4 doubt]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-05-17 14:47, Adam Tauno Williams wrote:

...

On Fri, 2015-05-15 at 19:30 +0200, buhorojo wrote:

...
On 15/05/15 14:47, Andrei Borzenkov wrote:

...
On Fri, May 15, 2015 at 3:39 PM, buhorojo <> wrote:

...

...
...
...
...
That's what we used to do at school but you'll get no help from opensuse as they don't understand Kerberos I wonder who are "they" you are talking about. suse I think. They'll never have an ad dc.

You just install a Samba 4 package and configure it as a DC. That's it. How to do that is distribution agnostic.

The issue has been commented several times on the lists. For instance: +++—-—-—-—-—-—-—- Date: Tue, 21 Jan 2014 08:30:33 +0100 Subject: [opensuse] AD replacement However, in 13.1 and sp3 i see that samba4 is included, but on the changes-file, it says that full AD-functionality is not possible, because you can not replace the kerberos-component. (afaicr, the samba-team is using Heimdal, instead of MIT-kerberos) —-—-—-—-—-—-—-++- And indeed, at https://www.suse.com/releasenotes/i386/openSUSE/13.1/RELEASE-NOTES.en.html#i... it says +++—-—-—-—-—-—-—- 5.3. Samba Version 4.1 Samba version 4.1 shipped with openSUSE 13.1 does not include support to operate as an Active Directory style domain controller. This functionality is currently disabled, as it lacks integration with system-wide MIT Kerberos. —-—-—-—-—-—-—-++- If the situation has changed in 13.2, I don't know. Ask Lynn ;-) +++—-—-—-—-—-—-—- Date: Mon, 29 Sep 2014 19:09:50 +0200 Subject: Re: [opensuse] Getting rid of systemd and putting sysv back Thanks. No. It's nothing to do with that. That statement is the usual lack of understanding we have come to expect of anything to do with AD, samba and SLES/openSUSE. The Samba4 Heimdal implementation integrates perfectly with Samba4 KDC under the 13.1 MIT packages. What does not integrate is systemd with Kerberos or the SLES developer responsible for it. Hence, Samba4 as an AD package on eithet SLES or openSUSE is never going to happen in even the mid future. —-—-—-—-—-—-—-++- - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlVYm8gACgkQja8UbcUWM1z12AD8CeXmPc7uwAfGKKuvxao4mOaz eN/enJXGkfo+RAzS03gA/0GstRkrSKzReseAG3jIpaBfmUMzZFPkXaySCbAEYjqJ =eUQU -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Anton Aylward

14:15

New subject: [opensuse] Samba4 and AD [Was: Samba4 doubt]

On 05/17/2015 09:46 AM, Carlos E. R. wrote:

...

Ask Lynn ;-)

: Sorry, I couldn't find any host named steve-ss.com. (#5.1.2) # dig steve-ss.com ; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> steve-ss.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30037 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;steve-ss.com. IN A ;; AUTHORITY SECTION: com. 897 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1431872058 1800 900 604800 86400 ;; Query time: 113 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun May 17 10:14:31 EDT 2015 ;; MSG SIZE rcvd: 114 Similar for "-t mx" Any more recent address? -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

14:41

New subject: [opensuse] Samba4 and AD [Was: Samba4 doubt]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-05-17 16:15, Anton Aylward wrote:

...

On 05/17/2015 09:46 AM, Carlos E. R. wrote:

...
Ask Lynn ;-)

...

Any more recent address?

The last post was made January. :-? Something happened. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlVYqK8ACgkQja8UbcUWM1xlogD+OtuMYyq+YDLZtyebYTi0D+wY ZVSUhCQiCnUKLNiUea4A/jvjgBZFx/ehWotjAhaDpVvmpRBZoMvQ1AolGUAfRP1o =41m2 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

14:49

New subject: [opensuse] Samba4 and AD [Was: Samba4 doubt]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-05-17 16:15, Anton Aylward wrote:

...

Sorry, I couldn't find any host named steve-ss.com. (#5.1.2)

# dig steve-ss.com

Look here: http://whois.domaintools.com/steve-ss.com The domain expired by the end of March, and was renewed this month, on the 6th, if I read it correctly. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlVYqoQACgkQja8UbcUWM1wujAD/V5hlrayTRGa8VlPeZFF0SlOX poj2ow5ZF3poviZYMEsBAIJ0KGYCMpXw+gjoDphwMHJ27h2rQlqfvsLaFDpCKeq2 =TTz9 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

buhorojo

19:25

On 17/05/15 14:47, Adam Tauno Williams wrote:

...

On Fri, 2015-05-15 at 19:30 +0200, buhorojo wrote:

...
On 15/05/15 14:47, Andrei Borzenkov wrote:

...
On Fri, May 15, 2015 at 3:39 PM, buhorojo wrote:

...
...
That's what we used to do at school but you'll get no help from opensuse as they don't understand Kerberos I wonder who are "they" you are talking about. suse I think. They'll never have an ad dc. You just install a Samba 4 package What samba 4 package? The OP wants AD. opensuse does not have AD. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Lew Wolfgang

19:37

On 05/17/2015 12:25 PM, buhorojo wrote:

...

On 17/05/15 14:47, Adam Tauno Williams wrote:

...
On Fri, 2015-05-15 at 19:30 +0200, buhorojo wrote:

...
On 15/05/15 14:47, Andrei Borzenkov wrote:

...
On Fri, May 15, 2015 at 3:39 PM, buhorojo wrote:

...
...
That's what we used to do at school but you'll get no help from opensuse as they don't understand Kerberos I wonder who are "they" you are talking about. suse I think. They'll never have an ad dc. You just install a Samba 4 package What samba 4 package? The OP wants AD. opensuse does not have AD.

Doesn't Samba 4 have a Domain Controller that is compatiable with Microsoft's Active Directory? Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

James Knott

19:48

On 05/17/2015 03:37 PM, Lew Wolfgang wrote:

...

Doesn't Samba 4 have a Domain Controller that is compatiable with Microsoft's Active Directory?

I thought it was just compatible with the old domain controller. IIRC, Active Directory is proprietary. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

buhorojo

20:41

On 17/05/15 21:48, James Knott wrote:

...

On 05/17/2015 03:37 PM, Lew Wolfgang wrote:

...
Doesn't Samba 4 have a Domain Controller that is compatiable with Microsoft's Active Directory? I thought it was just compatible with the old domain controller. IIRC, Active Directory is proprietary.

No, it does a subset of active directory too these days. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Adam Tauno Williams

23:11

On Sun, 2015-05-17 at 15:48 -0400, James Knott wrote:

...

On 05/17/2015 03:37 PM, Lew Wolfgang wrote:

...
Doesn't Samba 4 have a Domain Controller that is compatiable with Microsoft's Active Directory? I thought it was just compatible with the old domain controller. IIRC, Active Directory is proprietary.

Samba 3.x [discontinued and obsolete] can function as an NT4.0 domain controller, aka a PDC. Samba 4.x can function as an Active Directory domain controller. I have four Samba 4 domain controllers in production serving both LINUX and Windows clients. They are not on openSUSE, as we do not use openSUSE as a server in the shop [we use it as a desktop OS], but the functionality is a feature of Samba 4 and is essentially distribution agnostic. SerNET provides current Samba 4 packages for CentOS/RHEL - the most widely used corporate server platform by far. As a domain controller should be just a domain controller and nothing else I would generally recommend someone just create a CentOS VM, subscribe to the SerNET repository - FOLLOW THE DOCUMENTATION IN THE SAMBA WIKI [and ***NOT*** whatever trash you find via some search engine(*1)] - and be on your way. it will 'just work'. (*1) Google is NOT your friend, it is a gateway to blind alleys, incorrect answers, and obsolete BLOG posts. Whatever package you are using go *FIRST* to the package's documentation; that is why it is there. And do not run other services on your domain controller, just let it be a domain controller. -- Adam Tauno Williams mailto:awilliam@whitemice.org GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

buhorojo

20:08

On 17/05/15 21:37, Lew Wolfgang wrote:

...

On 05/17/2015 12:25 PM, buhorojo wrote:

...
On 17/05/15 14:47, Adam Tauno Williams wrote:

...
On Fri, 2015-05-15 at 19:30 +0200, buhorojo wrote:

...
On 15/05/15 14:47, Andrei Borzenkov wrote:

...
On Fri, May 15, 2015 at 3:39 PM, buhorojo wrote:

...
> That's what we used to do at school but you'll get no help > from opensuse as they don't understand Kerberos I wonder who are "they" you are talking about. suse I think. They'll never have an ad dc. You just install a Samba 4 package What samba 4 package? The OP wants AD. opensuse does not have AD.

...

Doesn't Samba 4 have a Domain Controller that is compatiable with Microsoft's Active Directory?

Regards, Lew

Samba 4, yes. opensuse, no. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Anton Aylward

20:31

On 05/17/2015 03:37 PM, Lew Wolfgang wrote:

...

Doesn't Samba 4 have a Domain Controller that is compatiable with Microsoft's Active Directory?

When I google for "opensuse samba4 active directory" the very first item that comes up tells me <quote src="https://susestudio.com/a/veav1Y/excellent-samba4-appliance"> Excellent Samba4 Appliance 1.1.11 based on SLES 11 SP3 64 bit with Samba4 Stable 4.1.11. Samba4 is a massive reworking of the Samba 3 implementation, with a goal of providing full Active Directory, domain controller and file server support for all current Windows clients. </quote> Since it is bases on SLES 11/SP3 those who say "not opensuse" are, strictly speaking, correct. However you can download the VMImage and run that under openSuse. Also relevant https://conradjonesit.wordpress.com/2013/06/24/building-a-samba4-domain-cont... What some people might be picking up on is that <quote src="https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO"> We do not recommend using the Domain Controller as a file Server. This is due to issues with the winbind internal to the Domain Controller. The recommendation is to run separate file or Member Servers. Whilst the Domain Controller seems capable of running as a full file server, it is suggested that organisations run a distinct file server to allow upgrades of each without disrupting the other. It is also suggested that medium-sized sites should run more than one DC. It also makes sense to have the DC's distinct from any file servers that may use the Domain Controllers. Also using distinct file Servers avoids the many issues with the winbind internal to the Active Directory Domain Controller. </quote> -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

22:15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-05-17 22:31, Anton Aylward wrote:

...

Since it is bases on SLES 11/SP3 those who say "not opensuse" are, strictly speaking, correct.

It is on the release notes of that and 13.1, so the statement is absolutely correct. Maybe 13.2 can act as an AD server, I don't know. 13.1 out of the box can not, unless you jump through certain loops. I think that in some repos there is support for it. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlVZExcACgkQja8UbcUWM1zUQAD+KRWJZfAv6nLnhVLYd1Xkv1Ct Ki6mTydkHTNECDfvCpMA/2q1FrsYZXtUlyQHhZ3vKP3DEV6ZqtH2RJnvxrtFyG07 =iqyI -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Adam Tauno Williams

23:42

On Sun, 2015-05-17 at 16:31 -0400, Anton Aylward wrote:

...

On 05/17/2015 03:37 PM, Lew Wolfgang wrote: What some people might be picking up on is that <quote src="https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO">; We do not recommend using the Domain Controller as a file Server. This is due to issues with the winbind internal to the Domain Controller. The recommendation is to run separate file or Member Servers.

UPDATE: this is true up until Samba 4.2. In Samba 4.0 and Samba 4.1 the operation of winbind on DCs and on member servers was distinct. This is no longer true on Samba 4.2. Samba 4.2 makes changes to identity management - users should read the release notes.

...

Whilst the Domain Controller seems capable of running as a full file server, it is suggested that organisations run a distinct file server t

The distinction between domain controllers and file servers should be preserved for many reasons - even if you are using only Windows servers. -- Adam Tauno Williams mailto:awilliam@whitemice.org GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Adam Tauno Williams

12:46

On Fri, 2015-05-15 at 14:39 +0200, buhorojo wrote:

...

On 14/05/15 20:54, Amaury Viera Hernández wrote:

...
Good afternoon: I work at the University of Computer Sciences in Cuba and I am currently doing an application for adding my computer to an Active Directory Domain Controller using realmd and sssd. This works fine for me. Besides, I need to share file and folders for specific users in the Active Directory Domain Controller of my organization. This could be accomplished using samba4. Could you help me to setup samba4 to share files and folders for specific users in the Active Directory Domain Controller of my organization. Thanks in advance. Best Regards, Amaury. That's what we used to do at school but you'll get no help from opensuse as they don't understand Kerberos (who does!)

Who understands Kerberos? Anyone who has bothered to read the documentation. Kerberos is not that complicated, and with or without Active Directory, it is a rather straight forward service to configure and use. There is essentially nothing distributions specific about Kerberos.

...

or have blocked it or something.

What on earth does this statement mean? I use Kerberos on numerous openSUSE hosts, have for years, every day. -- Adam Tauno Williams mailto:awilliam@whitemice.org GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

3269

Age (days ago)

3272

Last active (days ago)

List overview

Download

18 comments

8 participants

participants (8)

Adam Tauno Williams
Amaury Viera Hernández
Andrei Borzenkov
Anton Aylward
buhorojo
Carlos E. R.
James Knott
Lew Wolfgang