Re: Authenticating users against AD *without* joining the domain?

2013-02-12 Thread Ben Scott
On Tue, Feb 12, 2013 at 8:55 PM, Ken D'Ambrosio wrote:
> I'd be just plain happy if I could use an AD server to let
> users authenticate against LDAP, and then log in.

  Can you explain what you're after in a little more detail, please?

  E.g., are you wanting users to be able to SSH in, type a username
and password for an AD account, and have those checked against a
Domain Controller?

  Or... what?  :)

-- Ben
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: Authenticating users against AD *without* joining the domain?

2013-02-13 Thread Ken D'Ambrosio
Ben said:
>   Can you explain what you're after in a little more detail, please?
>
>   E.g., are you wanting users to be able to SSH in, type a username
> and password for an AD account, and have those checked against a
> Domain Controller?

*sigh*  Yeah, I realized (much) later that I wasn't descriptive enough. 
That's *exactly* what I'm looking to do -- basically, I see it like 
this: if they can bind to the AD server with the credentials (via LDAP, 
which is woo feasible), then I want to let them in.  And, yes, all via 
ssh.

-Ken

>
>   Or... what?  :)
>
> -- Ben






RE: Authenticating users against AD *without* joining the domain?

2013-02-13 Thread Rudolph, Frank
I have struggled with this problem for years.

We came to a solution a long time ago that works 100% of the time but keeps the 
Linux servers somewhat on the sidelines.
The solution is very simple, really.
We have all our Linux boxes (we have about 50 of them connected together under 
the umbrella of a MS Exchange Server) using a really stripped down Samba 
(excUUUse me, I mean CIFS) configuration.

I have attached the smb.conf file. It provides a completely open share. We rely 
on the firewall of the Exchange Server and have the Linux firewall turned 
completely off. Put the smb.conf file in /etc/samba and do this: 
'service smb restart' or whatever your distro requires equivalent to that.

Here was the most important piece: We DO NOT REFER TO THE LINUX SERVERS BY 
THEIR NETWORK NAMES.
For some reason, using the workgroup name and the Linux netbios name causes 
Active Directory to get really constipated.
It works but sometime it just doesn't and other times it takes minutes or hours 
to resolve the Linux netbios names.

Instead, we simply refer to the Linux CIFS server by its Ethernet address and 
it always works and works very efficiently with no complaints from the Windows 
domain server.

It works in both directions. We can access file shares through Windows 
explorers and we can mount Windows shares on our Linux boxes.

Let's say I want to get at /var/log/messages on Linux Server XYZ1 at IP address 
192.168.101.195

I simply refer to it as \\192.168.101.195\sysroot\var\log\messages from Windows 
and all is well
(sysroot is the name of the Linux share that gives me access to "/")

We use the "porta putty" SSH client and simply use the IP address to login to 
Linux and the whole package is rather seamless.

On the rare occasions we need to get at the Xwindows desktop, we use VNC and it 
simply works and we have no issues as long as we do not make the mistake of 
trying to access a Linux box as, e.g., \\XYZ1\sysroot\var\ instead 
of \\192.168.101.195\sysroot\var\

Later - Frank


-Original Message-
From: gnhlug-discuss-boun...@mail.gnhlug.org 
[mailto:gnhlug-discuss-boun...@mail.gnhlug.org] On Behalf Of Ken D'Ambrosio
Sent: Tuesday, February 12, 2013 8:55 PM
To: GNHLUG
Subject: Authenticating users against AD *without* joining the domain?

Hey, all.  At my new employer, it basically takes an act of God to get a Linux 
box to join the domain.  I'd be just plain happy if I could use an AD server to 
let users authenticate against LDAP, and then log in.

Any idea how to make that happen?  Worst-case, I'm thinking of doing some sort 
of Apache/LDAP thing, but if anyone's got any bright ideas, I'm all ears.

Thanks,

-Ken







Re: Authenticating users against AD *without* joining the domain?

2013-02-13 Thread Ben Scott
On Wed, Feb 13, 2013 at 11:03 AM, Rudolph, Frank wrote:
> We have all our Linux boxes (we have about 50 of them connected
> together under the umbrella of a MS Exchange Server)

  Uh... just FYI, Exchange has nothing to do with
SMB/CIFS/NetBIOS/etc.  That might be your problem right there.  :-)

> We rely on the firewall of the Exchange Server ...

  Nor is Exchange a firewall.  Exchange is a mail server.  :-)

> Here was the most important piece: We DO NOT REFER TO
> THE LINUX SERVERS BY THEIR NETWORK NAMES.

  You have no name resolution configured in the provided Samba config
file; I suspect that's part of your problem.  The defaults use
broadcasts, which are unreliable at best, and often don't work at all.

  If you're in a good-sized Microsoft shop, and there is a need or
desire to support NetBIOS (very common), the Windows admins are very
likely using WINS (NBNS), and you're going to need to configure that.
The Windows people may also have disabled broadcast name resolution
entirely.

  Alternatively, the Windows admins may have gone entirely to using
DNS names, and you're going to need to configure Samba to know that.

-- Ben


RE: Authenticating users against AD *without* joining the domain?

2013-02-13 Thread Rudolph, Frank
Sorry, you are correct. Not being a Windows expert, I tend to oversimplify.
I keep referring to our Windows Server as an Exchange server. I realize that is 
incorrect.
We are an engineering house with negligible IT support and I touch Windows only 
when I have to.
Let me clarify... We have a Windows Server (2008 or 2010, not sure which).
On that server, we have all our umbrella of security running for the entire 
domain, firewalls included.
On that server we have an Exchange server running to support email.

We also have Active Directory running there and the entire enterprise uses that 
as our in-house support. 
Our IT manager is quite knowledgeable about Windows ONLY and knows nothing about 
Linux.

I, on the other hand, try to stay entirely in the Linux world and use Windows 
only as a way to edit documents, send email, etc.

What I discovered is this: since we have limited support for the interface 
between Windows and Linux and no time at all to figure out why, I learned from 
another Linux user back in 2005 that if I just used the stripped-down smb.conf 
file, all the issues I was having with Windows constantly barfing every time I 
tried to do anything that involved talking to Linux would go away. 
So I did that and the problem immediately ceased to be a problem.

We have a software staff of 1, an IT staff of 1 and we use a few contractors to 
help out. For us this has been a completely sufficient, cheap, easy, long-term 
solution for an undermanned staff and I just passed it on.

But thanks for your corrections.

- Frank



Re: Authenticating users against AD *without* joining the domain?

2013-02-13 Thread Ben Scott
On Wed, Feb 13, 2013 at 9:28 AM, Ken D'Ambrosio wrote:
> *sigh*  Yeah, I realized (much) later that I wasn't descriptive enough.
> That's *exactly* what I'm looking to do -- basically, I see it like
> this: if they can bind to the AD server with the credentials (via LDAP,
> which is woo feasible), then I want to let them in.  And, yes, all via
> ssh.

  Okay, there are two ways to approach this.

  One is to have Linux speak LDAP to Windows, and do the auth via
LDAP.  It should basically be a pure LDAP scenario, with no knowledge
of Windows-ese stuff involved.  I don't know much about LDAP auth, but
we do have people here who do.

  The other way is to have Linux speak Windows-ese to Windows, and do
the auth via Windows-ese.  This I know (far too much) about.

  There are two ways to have Samba do Windows-ese authentication.  One
is to have Samba join the domain.  The other is to have Samba do
pass-along server authentication against a Domain Controller server.

  Joining the domain is the preferred method.  Is the situation truly
hopeless?  If you have a valid set of domain credentials, by default
that will have permission to join up to 10 members to the domain, so
we could try that and you could plead ignorance later.  OTOH, that may
be politically bad (i.e., a Career Limiting Move).  On the third hand,
can you have a dialog with the Windows admin team?  If they're letting
a Linux box on your network in the first place, one hopes they'd want
it to be subject to corporate security and all that.  (Or are you
firewalled?)

  The other method is to configure Samba with "security = server".
This basically passes credentials (username/password/hash) unprocessed
to a named Windows server, and gets the auth that way.  The problem
here is that, AFAIK, this excludes winbind, which is the mechanism
Samba uses to provide an NSS/PAM-compatible interface to the host OS.

  I guess this prolly doesn't help you much.  Sorry.

-- Ben
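Ben's first option (have Linux speak plain LDAP to the Domain Controller and accept the user if their bind succeeds) is what sssd's LDAP provider does, with no domain join and no machine account. The sssd.conf below is an added example written for this thread, not something any poster supplied; the hostnames, search base, service account and group name are placeholders for your own environment. It assumes AD's default refusal of anonymous reads, which is why a low-privilege lookup account is configured alongside the user's own bind.

```ini
# Added example: /etc/sssd/sssd.conf for LDAP-bind authentication against AD
# without joining the domain. All names below are placeholders.
# The file holds a service-account password, so it must be mode 0600, owned by root.
[sssd]
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
# Tell sssd to use AD attribute names (sAMAccountName, objectSid, ...).
ldap_schema = ad
# LDAPS only: a simple bind sends the user's password to the DC, so the
# transport must be encrypted and the server certificate must verify.
ldap_uri = ldaps://dc01.corp.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/corp-root-ca.pem
ldap_search_base = DC=corp,DC=example,DC=com
# AD rejects anonymous searches, so user/group lookups (not the login check)
# use a read-only account with no rights beyond directory read.
ldap_default_bind_dn = CN=svc_ldap_ro,OU=Service Accounts,DC=corp,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = CHANGE_ME_PLACEHOLDER
# Most AD users have no uidNumber/gidNumber; derive stable POSIX IDs from
# the objectSid instead of requiring the Windows team to populate them.
ldap_id_mapping = True
# Referral chasing against AD's partitions is slow and unnecessary here.
ldap_referrals = False
# A successful bind is not enough: restrict shell access to one AD group,
# so every AD account is not implicitly an SSH account on this host.
access_provider = ldap
ldap_access_filter = (memberOf=CN=linux-ssh-users,OU=Groups,DC=corp,DC=example,DC=com)
# Do not keep password hashes on the box; the DC is the single source of truth.
cache_credentials = False
```

Enable the sssd PAM and NSS modules with your distribution's tooling (e.g. authconfig or pam-auth-update) and confirm with `getent passwd <aduser>` before trusting the login path; sshd then authenticates through PAM exactly as it would for a local account.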