Single Sign-on For CentOS-6


Does anyone here use a Samba4 setup for single sign-on for MS_Win workstations and CentOS-6 boxes? Does anyone here use it for imap and/or SMTP authentication? We are experimenting with replacing our existing Microsoft domain controllers with Samba4 based controllers and are contemplating moving all authentication for all our systems, Microsoft and CentOS based, over to Samba when, or if, this replacement successfully completes.

Does anyone have any references for using CentOS with Samba domain controllers that they can recommend? I have found some but the few I have found tend to be Samba3 specific.

11 thoughts on - Single Sign-on For CentOS-6

  • That is so cool!

    Could you keep us updated on your progress on this?
    Thanks.

    FWIW, while I dabbled with Samba3 I never could get it to work properly with our AD. Turns out, the AD was set to a security model Samba3 couldn’t handle.

    Has this been resolved with Samba4?

  • . . .

    The main reason is the age of the equipment and software. The current domain controller host is from c.2004 and the software is Microsoft Advanced Server 2000. The Windows 7 workstations work with this AD but there are a few quirks.

    As the equipment is well past its best before date we need to replace it. We have virtualised just about everything else saving only the desktop workstations and this is another candidate for virtualisation.

    As a company we are moving everything we can to FOSS and away from proprietary interests. Therefore the combination of moving from MS-AS2000 and a dedicated host to Samba4 running on a virtualised guest seems an attractive option, provided that it works. Thus my question.

    The research I have done seems quite promising. It is now possible to promote a Samba4 server to an AD domain controller and to transfer all the Flexible Single Master Operations (FSMO) roles to it. It should then be possible to promote a second virtualised Samba4 server running on a different virtualised guest running on a second hardware host as a domain controller. Once done then the original AD host can be demoted and shutdown. Providing Samba4 works as described of course, which is why I am asking if anyone else has done it.

    There remains an issue with the SysVol replication, there is not any, but this can be worked around via rsync and cron. However, this means that all directory maintenance has to be performed on just one of the DCs, which effectively returns us to the days of Primary/Secondary DCs. Since in our case we are down to just one AD as it is this is not a hardship.

    Do you have a writeup of what you had to do to get CentOS to authenticate against AD?

  • As a CentOS/Linux shop serving clients who are primarily Windows-based, this is also attractive to us. However, initial research indicates that while it probably can work, it’s by no means trivial.

    EG: http://news.idg.no/cw/art.cfm?idB0DED3-A627-9A9A-C05097D23C5FD44F

    Our intentions (round tuit, etc) at this point are probably to work with Windows Live in more of a “client” role for SSO, though we haven’t started, it’s a second-level priority at this point. Personally, I’d love to see a website/project put together to document the needs and solutions of corporate/enterprise level Samba4 users, but I’m not aware of such already existing.

    Ben

  • Yes to all of these, using sssd on CentOS, for about 18 months now. It works very well. We have two DC’s on CentOS, no Windows DC’s. No winbind. I can post the sssd.conf if anyone is interested.

    Steve

  • I'm working in PHYSICAL RESEARCH LABORATORY as an engineer trainee and want to install netcdf file and ncview but it gives some OS error

  • I love .conf files. Can you include Shockwave with it? There are some that may not understand it…

    j/h

  • OK, here it is. Note that we’re using service discovery to locate the DC’s, which avoids having to hard-code the DC host names. This particular sssd.conf was from a machine called nebula, and europa.icse.cornell.edu is the domain (and realm) name.

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = LOCAL, EUROPA

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3

    [pam]
    reconnection_retries = 3
    pam_pwd_expiration_warning = 7

    [domain/LOCAL]
    description = Local Users domain
    id_provider = local
    enumerate = false
    min_id = 400
    max_id = 499

    [domain/EUROPA]
    description = EUROPA Environment
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    enumerate = false
    min_id = 1000
    max_id = 59999
    dns_discovery_domain = europa.icse.cornell.edu

    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = HOST/nebula.icse.cornell.edu@EUROPA.ICSE.CORNELL.EDU

    ldap_search_base = DC=europa,DC=icse,DC=cornell,DC
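An added check, written for this thread and not taken from Steve's post or from the sssd project: it parses an sssd.conf with Python's configparser and flags the settings that matter most when a Linux box trusts a Samba4/AD directory for SSO: LDAP lookups without GSSAPI or TLS, password binds instead of Kerberos, directory enumeration, domains listed but not defined, and overlapping id ranges between domains. The embedded config is constructed, modelled on the one posted above, with an extra deliberately weak domain (WEAK) so the audit has something to catch.

```python
import configparser

# Constructed sample modelled on the posted sssd.conf; WEAK is an invented bad domain.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = EUROPA, WEAK
[domain/EUROPA]
id_provider = ldap
auth_provider = krb5
min_id = 1000
max_id = 59999
ldap_sasl_mech = GSSAPI
[domain/WEAK]
id_provider = ldap
enumerate = true
min_id = 50000
max_id = 70000
"""

def audit_sssd(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings, ranges = [], {}
    domains = [x.strip() for x in cp.get("sssd", "domains", fallback="").split(",") if x.strip()]
    for dom in domains:
        sect = "domain/" + dom
        if not cp.has_section(sect):
            findings.append(f"{dom}: listed in [sssd] domains but has no [{sect}] section")
            continue
        d = cp[sect]
        if d.get("enumerate", "false").lower() == "true":
            findings.append(f"{dom}: enumerate = true exposes the whole directory to any local user")
        if d.get("id_provider") == "ldap":
            # GSSAPI-bound or TLS-wrapped connections keep identity data off the wire in clear
            encrypted = (d.get("ldap_sasl_mech", "").upper() == "GSSAPI"
                         or d.get("ldap_id_use_start_tls", "false").lower() == "true"
                         or d.get("ldap_uri", "").startswith("ldaps://"))
            if not encrypted:
                findings.append(f"{dom}: LDAP lookups without GSSAPI or TLS travel in clear text")
            if d.get("auth_provider", "ldap") == "ldap":  # sssd defaults auth to the id provider
                findings.append(f"{dom}: auth_provider = ldap means password binds; prefer krb5")
        ranges[dom] = (int(d.get("min_id", 1)), int(d.get("max_id", 2**31 - 1)))
    names = list(ranges)
    for i, a in enumerate(names):  # any overlap lets one domain shadow the other's uids
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a}/{b}: overlapping id ranges let one domain shadow the other")
    return findings
```

Run it against the real /etc/sssd/sssd.conf by passing the file contents to audit_sssd; an empty list means none of these checks fired.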