
[Samba] Samba / AD integration

Post #1 - 08-05-2008 - Brian Foddy
Subject: [Samba] Samba / AD integration

I have a quick question on hooking Samba to a large AD domain.
Following the excellent recipe at:

http://wiki.samba.org/index.php/Samb...tive_Directory

I see it states about half way down to join the machine to AD

"Now to join your machine to the active directory. You will need the
user-name and password to a Domain Administrator account to do this. The
command you need to join the domain is net ads join -U sadwrn. This
should then ask you for a password, and print a domain join notice."

Is it required to use a Domain Administrator account, or can any
normal user AD account be used? I know AD doesn't allow anonymous
browsing, but can a normal non-admin account be used? As I read through
it, I don't see any other special admin access required other than the root
on the Linux machine.


My goal is this... We have a very large AD system, 80.000+ users, and
we want to activate Samba on two servers for a very small user group
(maybe 12 users) but validate userid/passwords against AD. If Samba can
be set up with little or no AD changes, or involvement from the AD
administrators, but with some simple config from the UNIX admins, then
we have a much better chance of getting this approved. But if it
requires a lot of heavy involvement of the AD support group, ongoing
maintenance, etc., then the odds are slim. Largely political, the UNIX
admins are much more open to open source solutions than the Windows side
of the fence. So if this can be sold as "just another AD client app"
not requiring any special AD domain permissions, we have a chance.

Thanks for any help/advice.
Brian

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Post #2 - 08-05-2008 - Jeremy Allison
Subject: Re: [Samba] Samba / AD integration

On Tue, Aug 05, 2008 at 10:50:21AM -0500, Brian Foddy wrote:
> I have a quick question on hooking Samba to a large AD domain.
> Following the excellent recipe at:
>
> http://wiki.samba.org/index.php/Samb...tive_Directory
>
> I see it states about half way down to join the machine to AD
>
> "Now to join your machine to the active directory. You will need the
> user-name and password to a Domain Administrator account to do this. The
> command you need to join the domain is net ads join -U sadwrn. This
> should then ask you for a password, and print a domain join notice."
>
> Is it required to use a Domain Administrator account, or can any
> normal user AD account be used? I know AD doesn't allow anonymous
> browsing, but can a normal non-admin account be used? As I read through
> it, I don't see any other special admin access required other than the root
> on the Linux machine.


Any account with the ability to join a machine to a domain can
be used. You only need this for the join operation, in daily
use no extra permission is needed (it acts the same way as a
Windows box in the domain).

Jeremy.

Post #3 - 08-05-2008 - Eric Roseme
Subject: Re: [Samba] Samba / AD integration

Check out this paper:

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

I wrote it about 3 years ago, so the Samba version was 3.0.7. Things
may have changed. It refers to HP-UX CIFS Server but at the time held
true for Opensource too.

Eric Roseme

Brian Foddy wrote:
> I have a quick question on hooking Samba to a large AD domain.
> Following the excellent recipe at:
>
> http://wiki.samba.org/index.php/Samb...tive_Directory
>
> I see it states about half way down to join the machine to AD
>
> "Now to join your machine to the active directory. You will need the
> user-name and password to a Domain Administrator account to do this. The
> command you need to join the domain is net ads join -U sadwrn. This
> should then ask you for a password, and print a domain join notice."
>
> Is it required to use a Domain Administrator account, or can any
> normal user AD account be used? I know AD doesn't allow anonymous
> browsing, but can a normal non-admin account be used? As I read through
> it, I don't see any other special admin access required other than the root
> on the Linux machine.
>
>
> My goal is this... We have a very large AD system, 80.000+ users, and
> we want to activate Samba on two servers for a very small user group
> (maybe 12 users) but validate userid/passwords against AD. If Samba can
> be set up with little or no AD changes, or involvement from the AD
> administrators, but with some simple config from the UNIX admins, then
> we have a much better chance of getting this approved. But if it
> requires a lot of heavy involvement of the AD support group, ongoing
> maintenance, etc, then the odds are slim. Largely political, the UNIX
> admins are much more open to open source solutions than the Windows side
> of the fence. So if this can be sold as "just another AD client app"
> not requiring any special AD domain permissions, we have a chance.
>
> Thanks for any help/advice.
> Brian
>


Post #4 - 08-05-2008 - Gerald
Subject: Re: [Samba] Samba / AD integration


Hey Eric,

> Check out this paper:
>
> http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf
>
> I wrote it about 3 years ago, so the Samba version was 3.0.7. Things
> may have changed. It refers to HP-UX CIFS Server but at the time held
> true for Opensource too.
>


It has changed. I rewrote the join a long time ago to make the
Windows XP network signature.


commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b
Author: Gerald Carter <jerry@samba.org>
Date: Fri May 12 15:17:35 2006 +0000

r15543: New implementation of 'net ads join' to be
more like Windows XP.

This was first included in Samba 3.0.23.




cheers, jerry
--
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian

Post #5 - 08-05-2008 - Brian Foddy
Subject: Re: [Samba] Samba / AD integration

Gerald (Jerry) Carter wrote:

>Hey Eric,
>
>>Check out this paper:
>>
>>http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf
>>
>>I wrote it about 3 years ago, so the Samba version was 3.0.7. Things
>>may have changed. It refers to HP-UX CIFS Server but at the time held
>>true for Opensource too.
>>
>>
>>

>
>It has changed. I rewrote the join a long time ago to make the
>Windows XP network signature.
>
>
> commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b
> Author: Gerald Carter <jerry@samba.org>
> Date: Fri May 12 15:17:35 2006 +0000
>
> r15543: New implementation of 'net ads join' to be
> more like Windows XP.
>
>This was first included in Samba 3.0.23.
>
>cheers, jerry
>--
>=====================================================================
>Samba ------- http://www.samba.org
>Likewise Software --------- http://www.likewisesoftware.com
>"What man is a man who does not make the world better?" --Balian


Jerry,
Are you saying the pdf document is not correct and usable anymore, or a
couple minor points need modifications? In general, it describes almost
exactly the situation I'm in.

Thanks,
Brian


Post #6 - 08-05-2008 - Brian Foddy
Subject: Re: [Samba] Samba / AD integration

Eric Roseme wrote:

> Check out this paper:
>
> http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf
>
> I wrote it about 3 years ago, so the Samba version was 3.0.7. Things
> may have changed. It refers to HP-UX CIFS Server but at the time held
> true for Opensource too.
>
> Eric Roseme
>
> Brian Foddy wrote:
>
>> I have a quick question on hooking Samba to a large AD domain.
>> Following the excellent recipe at:
>>
>> http://wiki.samba.org/index.php/Samb...tive_Directory
>>
>> I see it states about half way down to join the machine to AD
>>
>> "Now to join your machine to the active directory. You will need the
>> user-name and password to a Domain Administrator account to do this.
>> The command you need to join the domain is net ads join -U sadwrn.
>> This should then ask you for a password, and print a domain join
>> notice."
>>
>> Is it required to use a Domain Administrator account, or can any
>> normal user AD account be used? I know AD doesn't allow anonymous
>> browsing, but can a normal non-admin account be used? As I read
>> through it, I don't see any other special admin access required other
>> than the root on the Linux machine.
>>
>>
>> My goal is this... We have a very large AD system, 80.000+ users,
>> and we want to activate Samba on two servers for a very small user
>> group (maybe 12 users) but validate userid/passwords against AD. If
>> Samba can be set up with little or no AD changes, or involvement from
>> the AD administrators, but with some simple config from the UNIX
>> admins, then we have a much better chance of getting this approved.
>> But if it requires a lot of heavy involvement of the AD support
>> group, ongoing maintenance, etc, then the odds are slim. Largely
>> political, the UNIX admins are much more open to open source
>> solutions than the Windows side of the fence. So if this can be sold
>> as "just another AD client app" not requiring any special AD domain
>> permissions, we have a chance.
>>
>> Thanks for any help/advice.
>> Brian
>>

>


Thanks for the good responses so far. I was talking with a more "open
minded" company AD administrator and he mentioned that a product called
Centrify is in the currently "blessed" state and deployed to numerous
high security PCI Unix servers in the company. If Centrify was installed
on the RHEL Linux servers we hope to run Samba on, does this change the
mix of steps or significantly alter prospects?

Brian


Post #7 - 08-05-2008 - Gerald
Subject: Re: [Samba] Samba / AD integration


Hey Brian,

> Are you saying the pdf document is not correct and usable anymore, or a
> couple minor points need modifications? In general, it describes almost
> exactly the situation I'm in.


I'm saying that the domain join process was rewritten in Samba
3.0.23. So any documented permissions for prior versions are
out of date. The current process technically should require
only the same permissions as joining a Windows XP host.

What exactly is failing?





cheers, jerry
--
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
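As an added illustration (not code from the thread, the Samba wiki, or the Samba project), the following POSIX shell script performs the join Jeremy and Jerry describe using a delegated account that only holds the right to join machines, and then runs the checks that need no extra AD privilege day to day. The `net ads join`, `net ads testjoin` and `wbinfo -t` commands are real Samba tools; the "Joined '<host>'" success wording and the default log path are assumptions.

```shell
#!/bin/sh
# Join a Samba member server to AD with a delegated account that only holds
# the right to join machines (no Domain Admin), then verify it. Added example,
# not from the thread; assumes Samba's net/wbinfo tools are installed and
# realm/workgroup are already set in smb.conf.

# `net` prompts for the password itself, so it never lands on the command
# line, in shell history, or in the log captured below.
ad_join() {
    net ads join -U "$1"
}

# True when the output carries the "domain join notice" the wiki recipe
# mentions; the "Joined '<host>'" wording is assumed from Samba 3 output.
join_succeeded() {
    case "$1" in
        *"Joined '"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Day-to-day health checks that need no extra AD privilege at all:
# 1 = join record missing (net ads testjoin), 2 = machine account secret
# invalid (wbinfo -t), 0 = both pass.
ad_verify() {
    if ! net ads testjoin >/dev/null 2>&1; then
        echo "net ads testjoin failed: host is not (or no longer) joined" >&2
        return 1
    fi
    if ! wbinfo -t >/dev/null 2>&1; then
        echo "wbinfo -t failed: machine account secret is invalid" >&2
        return 2
    fi
    return 0
}

# Full workflow: join as the delegated account, keep the join transcript
# (no secrets in it), confirm the success notice, then run the checks.
ad_join_and_verify() {
    log="${2:-/tmp/net-ads-join.log}"   # assumed default log path
    ad_join "$1" 2>&1 | tee "$log"
    if ! join_succeeded "$(cat "$log")"; then
        echo "join did not report success; see $log" >&2
        return 1
    fi
    ad_verify
}
```

Run `ad_join_and_verify svc-joiner` once with the delegated account, and `ad_verify` alone from cron afterwards to catch a lost machine account before users notice.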

Post #8 - 08-06-2008 - Brian Foddy
Subject: Re: [Samba] Samba / AD integration

Gerald (Jerry) Carter wrote:

>Hey Brian,
>
>>Are you saying the pdf document is not correct and usable anymore, or a
>>couple minor points need modifications? In general, it describes almost
>>exactly the situation I'm in.
>>
>>

>
>I'm saying that the domain join process was rewritten in Samba
>3.0.23. So any documented permissions for prior versions are
>out of date. The current process technically should require
>only the same permissions as joining a Windows XP host.
>
>What exactly is failing?
>
>
>
>


Nothing is failing, I'm purely in the research mode so far and haven't
tried anything yet.

Thanks for the info.
Brian
