[Novalug] Samba book

Stephen Cicirelli scicirelli at gmail.com
Thu Mar 1 17:48:52 EST 2012


Kerberos is the default authentication protocol for Windows since
2000.  It wasn't until 2003 that they "fixed it" to be fully compliant
with the MIT Kerberos standards and behavior - you know: embrace and
extend.  Windows will fall back on NTLM and LM if you let it (default
config 2003 and earlier) and just NTLM (default for 2008 and later).

SAMBA 3.x and later should all be NTLMv2 compliant but I would suggest
using Kerberos wherever possible.  In my experience the Samba 3.x and
later Kerberos config has been easy and robust.

I won't comment on permissions.

I believe it is also the default for Novell eDir but I might be wrong
about that now.

Stephen

On Wed, Feb 29, 2012 at 11:12 PM, Dan Lavu <dan at lavu.net> wrote:
> Nick,
>
> Kerberos is an authentication protocol, fun fact, it's named after Cerberus
> the three headed dog that guarded the Greek underworld. Anyways it's a
> ticket based authentication protocol, for example;
>
> I installed FreeIPA on my home network which uses Kerberos, for each service
> I install or computer I add, I issue a ticket through the server, then
> install ticket on the service or computer, with a pre-issued  passphrase
> validating the client, now the client can connect to the server without
> using a password.
>
> I'm not much of a windows guy either but from what I read, NT4 uses Kerberos
> to validate clients on the domain, I think it's legacy on 2k3 domains.
>
> So when you join a computer to a windows domain, it will take *.domain.com,
> whatever is configured in AD, because you're joining that domain. If you
> have two computers with the same name they will conflict, names should be
> unique.
>
> Issuing the 'net join -U blah' command joins the Linux server (this doesn't
> require samba, but winbind) and creates an entry in Windows AD for the
> computer. So if you ran this command already and the join was successful you
> should see a new entry in AD.
>
> Netbios is an older networking protocol which Windows uses for discovery
> and resolution; names should be unique. So when changing the name and having
> it work, I assume that the server is using netbios for name resolution.
>
> In regards to groups, you should be able to use wbinfo -g (-u for users) to
> view the proper name, but you must have unix attributes enabled for these
> users to log into your linux system, creating a uid and gid. I'm not sure if
> that's the case for permissions as well. You should be able to see the
> windows groups in the linux file permissions; like so
>
> drwxrwxrwx 15 DOMAIN\user           DOMAIN\group     4096 Dec 27 08:27 Tmp
>
> I hope this helps, I'd read up on winbind and nsswitch.
>
> Dan
>
> -----Original Message-----
> From: Nick Danger [mailto:nick at hackermonkey.com]
> Sent: Wednesday, February 29, 2012 8:27 PM
> To: Dan Lavu; NOVALUG
> Subject: Re: [Novalug] Samba book
>
> I am fairly sure I do not understand Kerberos and how it ties to windows AD
> and authentication. I am really not a windows administrator so I am guessing
> in some places.
>
> I.e.: The machine name is "www01". It is fully "www01.test.domain.com".
> Well if I join to AD, it goes in as "www01." Which means when I join
> "www01.production.domain.com" I have a problem, two machines with the same
> name in the AD. ... so I fudged the "netbios name" in smb.conf to be
> something else. And that worked. But it was a bit of a guess, as I didn't
> find clear instructions, just things like "run net join -U admin at domain". No
> one said "This will join the machine to the domain using the hostname". Only
> one document I found talked about setting netbios name option. and now I
> find there is even an option I can pass on net join to give it a netbios
> name.
>
> In the end I was trying to allow two AD groups to map a share on a linux box
> and have read/write access. It's done, and working, but only after I tried
> about a million different formats of @"DOMAIN+group" and @"group"
> and @Domain+"group". I think the first one finally worked but I swear I had
> tried that 4 times previously. But who knows. I think I used commas to
> separate groups at one try, which was wrong.
>
> It's working now, I just want to rip apart what I did and know exactly WHY
> it's working. I am sure I will have to repeat this again and I am not so keen
> on the old "copy that config, it works!". I was hoping a manual/book might
> help explain the theory, and then the man pages will explain the
> particulars.
>
> Nick
>
>
> On 02/29/2012 07:22 PM, Dan Lavu wrote:
>> Nick,
>>
>> I always found the Samba documentation to be sufficient and I've been
>> trying to sync FreeIPA and Samba but the documentation is very limited
>> when doing this. I'd love to know what you are trying to do and how
>> it's configured and maybe we can shed some light on how it works?
>>
>> To my understanding ADS is old for NT4/2000 domains which used
>> Kerberos, or if you want to use Kerberos. Domain security mode builds
>> a trust based upon machine accounts on the domain, you must join and
>> should be able to view all users using wbinfo.
>>
>> Either way I always found the O'Reilly books to be enlightening.
>>
>>
>> Dan
>>
>> -----Original Message-----
>> From: novalug-bounces at calypso.tux.org
>> [mailto:novalug-bounces at calypso.tux.org] On Behalf Of Nick Danger
>> Sent: Wednesday, February 29, 2012 6:03 PM
>> To: NOVALUG
>> Subject: [Novalug] Samba book
>>
>> I have been battling samba most of the day. Mostly because the
>> examples I am finding aren't what it was I need to do. And then they
>> only explain the options they use, if I am lucky. I finally figured it
>> out, by combining several different web pages and some documentation from
>> samba.org itself.
>> Oddly I am still using DOMAIN and not ADS for authentication option
>> because I couldn't get ADS to do crap, no matter what page said otherwise.
>>
>> So, I am checking for a good samba manual. And most seem to be a
>> little older. Is that because Samba really hasn't changed much? I
>> don't want to get some out of date manual, so if anyone has
>> recommendations I would appreciate it.
>>
>> I want to understand what I did and not just go "well I made it work
>> but beats me as to which trick did it."
>>
>> Nick
>> _______________________________________________
>> Novalug mailing list
>> Novalug at calypso.tux.org
>> http://calypso.tux.org/mailman/listinfo/novalug
>>
>
>

