I would like to ask for some advice. The scenario is the following.
We have a department server with Opensuse (now 15.4 although I have to upgrade asap to 15.5).
Desktop machines have Windows 10 and they are using samba to authenticate against the server (users are created in the server as linux users and added to the samba database with smbpasswd) and mount their home as a Z: disk; they also use roaming profiles. The user homes are accessible from ssh in the server. Samba in the server is configured as a PDC and the windows WS join the domain (it worked fine with WXP and W7 but is producing headaches with W10).
We are in the process of changing all the desktop computers and I’m evaluating the new configuration. First of all I’m evaluating whether to drop the use of roaming profiles (they worked well on Windows XP, not so good on W7 and even worse on W10), but in any case keeping the mount of Z: from the server.
And I want to be able to access (authenticate and file mounting home directory) from linux machines, Ubuntu and Opensuse.
I’m thinking maybe it is time to review all the system and I’m not sure what can be the correct approach.
In the past I used NIS+NFS to use authentication+file system sharing on linux machines to the server, and I’m currently using samba for the windows WS. But I’m not sure if NFS+Kerberos and samba+Kerberos could be a better approach or if there are other better approaches.
first: identify yourself to open a session in the computer as a user of the server. I have done it with NIS in linux and with samba in windows. The question is: is it the best way, or are there better ones?
second: mount the remote filesystem
It must be done automatically.
-In windows it can be done (it is not really done in Windows but in the server) with samba within the [general] section
logon drive = Z:
Is there a better way?
-In linux I have done it with NIS+automount
Is there a better way?
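The two halves of the "mount the home automatically" step above, written out as an added example (this is not configuration from the thread): the NT4-PDC `[global]` lines that make Windows map Z: to the user's share (with the option of switching roaming profiles off by leaving `logon path` empty), and the NIS-style autofs maps that mount a Linux user's home on first access, over NFSv4 with or without Kerberos, or over CIFS. The server name `fileserver`, the export `/home` and the output directory are assumed values; the script writes to a scratch directory so the fragments can be reviewed before anything is copied into /etc.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. It writes the two
# fragments behind the "mount the home automatically" step into OUTDIR so
# they can be reviewed (and run through testparm) before touching /etc:
#   smb-logon.conf        : NT4-PDC [global] lines that map Z: to \\server\user
#                           and, if asked, switch roaming profiles off
#   auto.master/auto.home : autofs maps that mount a Linux user's home on
#                           first access, over NFSv4 (Kerberos optional) or CIFS
# Server name "fileserver" and export "/home" below are assumed values.

# render_samba_logon OUTDIR DISABLE_PROFILES(yes|no)
# The lines belong in the [global] section of the PDC's smb.conf.
render_samba_logon() {
    outdir=$1
    noprofiles=$2
    {
        printf '%s\n' '   ; the share \\SERVER\username becomes drive Z: at logon'
        printf '%s\n' '   logon drive = Z:'
        printf '%s\n' '   logon home = \\%L\%U'
        if [ "$noprofiles" = yes ]; then
            # an empty "logon path" tells Windows not to use roaming profiles
            printf '%s\n' '   logon path ='
        else
            printf '%s\n' '   logon path = \\%L\profiles\%U'
        fi
    } > "$outdir/smb-logon.conf"
}

# render_autofs_home OUTDIR SERVER FSTYPE(nfs4|cifs) KERBEROS(yes|no)
# autofs replaces "&" with the map key, i.e. the user name being looked up,
# so one wildcard line serves every account.
render_autofs_home() {
    outdir=$1
    server=$2
    fstype=$3
    krb=$4
    case "$fstype" in
        nfs4)
            opts='-fstype=nfs4,rw,soft'
            # sec=krb5p: Kerberos authentication plus integrity and privacy
            [ "$krb" = yes ] && opts="$opts,sec=krb5p"
            location="$server:/home/&"
            ;;
        cifs)
            # multiuser: each accessing user's own Kerberos ticket is used;
            # without Kerberos a credentials= file would be needed (not shown)
            opts='-fstype=cifs,rw'
            [ "$krb" = yes ] && opts="$opts,sec=krb5,multiuser"
            location="://$server/&"
            ;;
        *)
            echo "unsupported fstype: $fstype" >&2
            return 1
            ;;
    esac
    # auto.master: mount point plus the indirect map that serves it
    printf '%s\n' '/home /etc/auto.home --timeout=300' > "$outdir/auto.master"
    # auto.home: one wildcard entry, "&" expands to the user name
    printf '%s\t%s\t%s\n' '*' "$opts" "$location" > "$outdir/auto.home"
}

# Demo: render everything into a temporary directory and show the result.
OUTDIR=${OUTDIR:-$(mktemp -d)}
render_samba_logon "$OUTDIR" yes
render_autofs_home "$OUTDIR" fileserver nfs4 yes
for f in smb-logon.conf auto.master auto.home; do
    echo "== $OUTDIR/$f"
    cat "$OUTDIR/$f"
done
```

The Kerberos flavours (`sec=krb5p` for NFS, `sec=krb5,multiuser` for CIFS) only work once the server and the clients share a realm and have host keytabs, which is exactly the Kerberos question raised in the opening post; the plain NFSv4 map is the NIS+automount setup the poster already runs.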
I don’t understand why; I’m talking of configuring the server (linux) and the linux clients… and also the windows clients, but in this case it is absolutely transparent to them, the windows clients must think they are connecting to a windows server, so we are talking again about linux server configuration.
I understand, this is an alternative to samba as filesystem sharing, instead of using
net use x: \\host\username
using samba in the server.
Have you ever compared performance of samba vs sshfs?
Anyway, if I need samba (maybe there is another way) in the server to authenticate the users, I don’t know if there is any advantage in using sshfs to mount x:
I mean (I’m not sure if I explained it well) I want the server to authenticate the login in the windows machines (user/pass to open a session in Windows10 with the credentials of the linux server)
If you truly want it to be completely transparent to the Windows clients you need to use a windows domain. An actual Windows Server acting as a domain controller is the easiest way to do this on Windows, but Samba 4 can act like a Domain Controller.
That’s the point. I’m actually using a windows domain with samba as PDC, just samba. but is there a better way to do it? for instance samba + kerberos or any other way
I have seen that doc. It seems a good approach although it does not seem easy. It looks like Kerberos is then mandatory, so maybe then I could use Kerberos+Samba for the windows domain and Kerberos+NFS or Kerberos+sshfs for linux authentication+mounts.
Which triggers two questions:
Why do you say I will need at least 2 domain controllers?
While I configure and test it the users must continue using the “old samba”, so it will be possible to configure a second server with the new configuration of samba and then from this new server share the home directories from the “old” server?
Once you have centralized accounts, the absolute last thing you want is for that to become a single point of failure. Again, to do this completely transparently on the Windows hosts, you’ll be joining them to the AD domain so local auth really won’t exist anymore.
You can also simply use smb on the linux hosts as well. Using NFS and SMB against the same volume can create permissions issues.
It’s easy to continue using the existing PDC as long as you are not naming the new AD domain the same as the existing NT domain. As for sharing from the existing file server, if it’s sharing out from locally attached storage it’ll be easier to migrate users’ home directories as you move them to the new infrastructure. If the existing storage is a NAS/SAN device, you could share it from the new servers by mounting the existing storage, but you’ll probably run into permissions issues. You probably want to treat this like a migration: move them to the new infrastructure and decommission the old when you’re done.
And yes, Samba 4 as an AD controller is more involved than as a PDC, and it really is a whole lot easier to use an actual Windows Server install. Simply promoting a Windows Server will create the LDAP server, the KDC, and DNS entries, all which you need to do manually if you go the Samba route.
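What the reply above calls the manual part of the Samba route, as an added example rather than commands from the thread: one `samba-tool` provisioning line, followed by a check that each of the three pieces a Windows client depends on (the DNS SRV records, the Kerberos KDC and the LDAP directory) actually answers. The realm `AD.EXAMPLE.INTERNAL`, the NetBIOS domain `DOM1` and the packaged database path `/var/lib/samba/private/sam.ldb` are assumed values.

```shell
#!/bin/sh
# Added example, not commands from the thread. It spells out the part of the
# Samba AD route that a Windows Server promotion does for you: provisioning
# the DC and then proving that the LDAP directory, the Kerberos KDC and the
# DNS records all exist. Realm AD.EXAMPLE.INTERNAL, NetBIOS domain DOM1 and
# the package's database path /var/lib/samba/private/sam.ldb are assumed.

# build_provision_cmd REALM NETBIOS_DOMAIN
# Prints the samba-tool line to run as root on the new DC. The administrator
# password is deliberately not passed with --adminpass: samba-tool prompts
# for it, so it never lands in shell history or in the process list.
# --use-rfc2307 stores POSIX uid/gid attributes in AD, which the Linux
# domain members can later use for consistent ids.
build_provision_cmd() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    domain=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'samba-tool domain provision --use-rfc2307 --realm=%s --domain=%s --server-role=dc --dns-backend=SAMBA_INTERNAL\n' \
        "$realm" "$domain"
}

# verify_dc REALM
# Returns 0 only when all three services a Windows client relies on answer.
verify_dc() {
    realm=$1
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    # DNS: the SRV records clients use to locate the KDC and the LDAP server.
    host -t SRV "_kerberos._udp.$lower" || return 1
    host -t SRV "_ldap._tcp.$lower" || return 1
    # KDC: obtain a ticket for the domain administrator (prompts for password).
    kinit "administrator@$realm" || return 1
    klist || return 1
    # LDAP: read the domain object straight from the DC's directory database.
    ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=domainDNS)' dn || return 1
    # Shares: netlogon and sysvol must be exported for group policy to work.
    smbclient -L localhost -U% || return 1
}

echo "Provision with:"
build_provision_cmd ad.example.internal dom1
echo "Then, on the DC, run: verify_dc AD.EXAMPLE.INTERNAL"
```

`verify_dc` is meant to be run on the freshly provisioned DC; if the SRV lookups fail, the clients' resolver is not pointing at the DC's internal DNS, which is the most common reason a join "succeeds" and logins then fail.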
I didn’t think about using smbfs also from the linux clients. Do you suggest using also smb for authentication or NIS+smbfs?
As for the home directories, they are in the server, not in external storage, and the server is also a mail server and we use it from outside to access it using sshfs, so I’m thinking of a way to migrate samba. If I could do it on the same server but with different domains, configuring samba in my server as AD controller with the new domain while I keep “the old samba” running, it would be the best option, but if it is not possible, I would like to try to configure it in a different server and share the home directories between them both in the meantime.
The benefit to using the same network file system is that permissions are always handled the same way. SMB performs well on Linux so it’s not like you have to choose a poor alternative just to prevent headaches. Unless there is a strong technical reason you must have NFS, there’s no reason not to use SMB everywhere.
You are really not going to be able to run the Samba PDC and a Samba Domain Controller without some funky configurations on the same host so I wouldn’t recommend trying. With that many services on the same box, you really want to treat this as a migration from the old to the new. It will work out better in the long run.
For the period of the migration you might be able to export the file system from the old host to the new host and have it expose them from there, but speaking from experience that’s often more trouble than it’s worth and a clean migration does work better.
I’m working on it. Up to now I have installed the samba AD, joined W10 computers to it, installed remote admin tools (RSAT) in the domain clients. I’m documenting it all and I will post it here once I have finished.
I am now working on setting linux domain members.
I am working on two different clients, Kubuntu 22.04 and Opensuse Leap 15.5. I want the clients to authenticate against the AD and mount the directories.
I’m using Setting up Samba as a Domain Member as a guide to configure the Kubuntu. Up to now authentication works (using rid backend) but mounting remote directories doesn’t… I think (although not sure if it is the best option) I have to use ssid. … working on it.
But with Opensuse I thought it was going to be very easy, and it seemed so. In yast
and it asked me for authentication as Administrator of the domain and said I was successfully joined to the domain … but then it didn’t work. I can log in the computer with any of the users of the domain
This is the system log when trying to log in with a domain user
It was a network misconfiguration.
It works. It is as simple as it seemed. Yast is a wonderful tool.
I have disabled the “offline authentication” checkbox because I read it works with roaming profiles, which I’m currently not configuring in the AD, and “single sign-on for ssh”.
I can log in the linux machine with the users; the only thing is I have to specify the domain when logging in, so I have a “testuser” in the AD and I have to log in as user DOM1\testuser in the linux machine.