<p dir="ltr">Keep your eye on freeipa for user authentication. <a href="http://www.freeipa.org/page/Windows_authentication_against_FreeIPA">www.freeipa.org/page/Windows_authentication_against_FreeIPA</a></p>
<div class="gmail_quote">On Nov 15, 2014 10:54 AM, "Edward Holcroft" <<a href="mailto:eholcroft@mkainc.com">eholcroft@mkainc.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-size:small">Update: on Samba and distro change</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">This is all working now with much thanks to the initial advice gleaned on this list.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I was bashing my head against some inexplicable issues and in desperation I decided to try my Samba recipe on CentOS 7. As a result, I've decided that this will be my platform of choice for this particular deployment. I'm no guru and don't want to knock Ubuntu (which I run on all my Amazon servers and many in-house servers), but it just seems like the Ubuntu folks have made some little adjustments to things like certain file locations, which, unless you really, really know what to look for, means things break and cannot be fixed by a lesser mortal like me. I never managed to resolve the "getent" issue on Ubuntu that I asked about previously. That was the deciding factor in the switch to CentOS.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Not trying to start a flame war, just sharing my experience that if anyone else tries this, they may get better mileage on CentOS, unless they're an expert, unlike me. Actually it was great to learn a little bit about a different distro, since Ubuntu had become my default go-to until this Samba experience, given it has "just worked" for me in the past. 
It's kinda interesting that I switched my desktop to Debian about 18 months back 'cos Ubuntu (GUI desktop) broke so often I could hardly get my work done - seemed like there was a regression in every second darn update. Is there a pattern here? OK, maybe I am trying to start a flame war.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The only issue that really messed me around on CentOS was firewalld. Took me a day to realize that's what was stopping me from adding Windows ACLs to my shares. I was a little surprised to find a firewall running that I had not installed or activated. Oh well, I guess it's just part of a minimal CentOS installation. Stopped firewalld and never looked back. Oh yes, there was one other issue: CentOS struggled to install on our old HP ML350 servers due to the RAID card - had to add a kernel parameter to load the older drivers.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Anyway, now that my shares are working with Windows ACLs, my next step is backup. I've opted for a simple crontab with rsync to USB HDDs, along with autofs to mount the drives appropriately when the office manager replaces them each day. I still need to build a nice, elegant script for this: for now, it's ugly but it works.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">And then, as a nice to have, I believe there's a way to get an equivalent of Windows shadow copy on Linux. I'll be taking a look at that at some point in the future.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">This Samba setup, now that it appears to be viable, serves to remove Windows Server 2003 from our 18 regional offices! 
I will feel a LOT more comfortable knowing that we have Linux under the hood out there.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">And one day ... one day ... I hope to have Linux replace our Active Directory in its entirety. I cannot wait for our next Micro$haft audit so that I can rub their noses in why we suddenly have such a steep reduction in Windows servers. bwaahaahaa ...</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">cheers and thanks again for all the help.</div><div class="gmail_default" style="font-size:small">ed</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 3, 2014 at 2:41 PM, Edward Holcroft <span dir="ltr"><<a href="mailto:eholcroft@mkainc.com" target="_blank">eholcroft@mkainc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-size:small">OK, so here's where this thing stands right now.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I have Ubuntu 14.04 running Samba 4.1 as a member server on my AD domain. 
I can access Windows shares, including home shares, from my Windows clients using Windows ACLs as if accessing a Windows server.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The Samba wiki, starting here, was very helpful: <a href="https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server" target="_blank">https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server</a></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Now, I've encountered a glitch that I hope someone can help me with:</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">If I do a getent passwd, I am able to see all the users from my AD, EXCEPT the ones that I have created since joining this server to the domain. Is there a command I need to run to update the user list on the Ubuntu box? I don't recall doing anything special before. Just installed libnss-winbind and libpam-winbind and bang, getent passwd just worked, fully populated with AD users.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">What is interesting is that getent group shows these newly created users as added to the appropriate groups, which makes it all the more perplexing to me. <br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">If I do a wbinfo -u I get a list of all domain users, including the newly created ones.</div><div class="gmail_default" style="font-size:small"><div class="gmail_default"><br></div></div><div class="gmail_default" style="font-size:small">If I do id smbtest1, I get "no such user". Other users (all those created before today) work fine, e.g. 
id eholcroft</div><div class="gmail_default">uid=10019(eholcroft) gid=10004(domain users) groups=10004(domain users),10057(atlanta),10067(accessusers),10047(mkastaff),10078(it),10162,10001(BUILTIN\users)</div><div><br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">This seems to be the only issue standing between me and getting my shares fully functional. All users can access shares as expected, EXCEPT those that do not show up in getent passwd - for these users, the Windows client gets stuck on the username and password prompt when trying to access a share (providing the credentials does not help).</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">cheers</div><div class="gmail_default" style="font-size:small">ed</div><div class="gmail_default" style="font-size:small"><br></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 10, 2014 at 3:53 PM, Edward Holcroft <span dir="ltr"><<a href="mailto:eholcroft@mkainc.com" target="_blank">eholcroft@mkainc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-size:small">All,</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The time has finally come to ditch our Micro$haft file servers as another increment towards weaning ourselves off our Windows habit. For now, I have to keep Active Directory in the picture, although I have managed to reduce the AD server footprint from 18 servers down to 4. Corporate mindset issues demand small steps.</div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Question: Is it better to go with an "appliance solution" such as FreeNAS vs. distro+Samba? </div><div class="gmail_default" style="font-size:small">
<br></div><div class="gmail_default" style="font-size:small">I played around with FreeNAS a bit and while it has great automation of things like AD integration (which I will need to do for now) and a great web interface, it seems less flexible when it comes to e.g. backup options. It seems a simple Ubuntu/Samba box gives me many options on how to handle our daily backups to USB, while FreeNAS can potentially close doors to me, or at least make things harder. That's just one example that I ran into.</div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">So, I'd like to hear from you about experiences/pros-cons of appliance-type options vs the manual way. I've tried both at a simple test level. They both seem viable and I really want to like FreeNAS, but just cannot seem to get comfortable with it - little glitches seem to pop up that have the potential to be major sticking points. So right now I'm leaning towards distro+Samba.</div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Feel free to suggest other options besides the two mentioned here. Whatever solution I deploy I have to be able to use Windows ACLs on the shares ... for now.</div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">cheers</div><div class="gmail_default" style="font-size:small">ed</div><span><font color="#888888"><div><br></div>-- <br><div dir="ltr">Edward Holcroft | Madsen Kneppers & Associates Inc.<br>
11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097<br>O <a href="tel:%28770%29%20446-9606" value="+17704469606" target="_blank">(770) 446-9606</a> | M <a href="tel:%28770%29%20630-0949" value="+17706300949" target="_blank">(770) 630-0949</a></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Edward Holcroft | Madsen Kneppers & Associates Inc.<br>11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097<br>O <a href="tel:%28770%29%20446-9606" value="+17704469606" target="_blank">(770) 446-9606</a> | M <a href="tel:%28770%29%20630-0949" value="+17706300949" target="_blank">(770) 630-0949</a></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr">Edward Holcroft | Madsen Kneppers & Associates Inc.<br>11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097<br>O <a href="tel:%28770%29%20446-9606" value="+17704469606" target="_blank">(770) 446-9606</a> | M <a href="tel:%28770%29%20630-0949" value="+17706300949" target="_blank">(770) 630-0949</a></div></div>
</div>
<br>
<span style="font-family:arial"><font>MADSEN, KNEPPERS & ASSOCIATES USA, MKA Canada Inc. WARNING/CONFIDENTIALITY NOTICE: This message may be confidential and/or privileged. If you are not the intended recipient, please notify the sender immediately then delete it - you should not copy or use it for any purpose or disclose its content to any other person. Internet communications are not secure. You should scan this message and any attachments for viruses. Any unauthorized use or interception of this e-mail is illegal.</font></span><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div>
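<p dir="ltr">The symptom in the Oct 3 message (a user that <code>wbinfo -u</code> lists but <code>getent passwd</code> and <code>id</code> cannot resolve) is a winbind ID-mapping problem rather than an AD problem: <code>wbinfo -u</code> only enumerates names over RPC, while NSS needs winbind to hand out a uid for the user's SID. The script below is an added example and not code from the thread or from Samba; it predicts what the <code>rid</code> idmap backend would assign using the formula documented in idmap_rid(8) (uid = RID - base_rid + range_low, anything outside the range is unmapped) and flags overlapping ranges between domains, which winbind also refuses. The smb.conf fragment, domain name and SIDs are constructed for illustration and are not the poster's real configuration; whether this was Ed's actual cause is not known from the thread.</p>

```python
"""Check winbind idmap configuration for a user that shows up in `wbinfo -u`
but not in `getent passwd` / `id`.

Added example, not from the thread.  Assumption: the Samba `rid` backend
formula from idmap_rid(8), uid = RID - base_rid + range_low, with RIDs
outside the range left unmapped.  The tdb/autorid backends instead allocate
ids on first lookup, so for those the live `wbinfo -S` check is the only
reliable answer.
"""
import re

# Constructed smb.conf fragment (assumption: not a real deployment).
SMB_CONF = """
[global]
   workgroup = MKA
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MKA : backend = rid
   idmap config MKA : range = 10000-10999
   idmap config MKA : base_rid = 0
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.MULTILINE,
)


def parse_idmap(conf):
    """Return {DOMAIN: {"backend", "low", "high", "base_rid"}} from smb.conf text."""
    out = {}
    for m in IDMAP_RE.finditer(conf):
        d = out.setdefault(m["dom"].upper(), {"backend": "tdb", "base_rid": 0})
        key, val = m["key"], m["val"]
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            d["low"], d["high"] = low, high
        elif key == "backend":
            d["backend"] = val.split(":")[0]  # "rid", "tdb", "ad", "autorid"
        elif key == "base_rid":
            d["base_rid"] = int(val)
    return out


def sid_to_uid(sid, domain, idmap):
    """Predict the uid the rid backend assigns to `sid` in `domain`.

    Returns None when the RID falls outside the configured range: that user
    will still appear in `wbinfo -u` but never in `getent passwd`.
    """
    cfg = idmap[domain.upper()]
    if cfg["backend"] != "rid":
        raise ValueError(
            f"{domain}: backend '{cfg['backend']}' allocates ids on demand; "
            "run `wbinfo -S <SID>` on the member server instead of predicting"
        )
    rid = int(sid.rsplit("-", 1)[1])
    uid = rid - cfg["base_rid"] + cfg["low"]
    return uid if cfg["low"] <= uid <= cfg["high"] else None


def overlapping_ranges(idmap):
    """Return [(domA, domB)] whose uid ranges overlap; winbind needs them disjoint."""
    doms = sorted(d for d in idmap if "low" in idmap[d])
    bad = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            ra, rb = idmap[a], idmap[b]
            if ra["low"] <= rb["high"] and rb["low"] <= ra["high"]:
                bad.append((a, b))
    return bad


def report(idmap, domain, users):
    """Map {name: SID} to {name: uid-or-None} for a quick 'who is unmapped' view."""
    return {name: sid_to_uid(sid, domain, idmap) for name, sid in users.items()}


if __name__ == "__main__":
    idmap = parse_idmap(SMB_CONF)
    # Constructed SIDs: RID 513 is the well-known Domain Users RID; 1104 is a
    # typical RID for an account created some time after the domain was built.
    users = {
        "domain users": "S-1-5-21-1111-2222-3333-513",
        "smbtest1": "S-1-5-21-1111-2222-3333-1104",
    }
    print("overlapping ranges:", overlapping_ranges(idmap))
    for name, uid in report(idmap, "MKA", users).items():
        print(f"{name}: {'uid ' + str(uid) if uid else 'UNMAPPED (outside idmap range)'}")
    # Live equivalents on the member server (real winbind/net commands):
    #   wbinfo -n 'MKA\\smbtest1'   # name -> SID
    #   wbinfo -S <SID>             # SID -> uid; errors when unmapped
    #   getent passwd 'MKA\\smbtest1'
    #   net cache flush             # after changing idmap settings
```

<p dir="ltr">With the constructed ranges above, Domain Users (RID 513) maps to uid 10513 while an account with RID 1104 lands past the top of the 10000-10999 range and stays unmapped, which reproduces the "visible to <code>wbinfo -u</code>, absent from <code>getent passwd</code>" split. Widening <code>idmap config DOMAIN : range</code> (keeping it disjoint from the <code>*</code> default range) and running <code>net cache flush</code> is the usual fix for the rid backend; note that the uids in the thread's own <code>id</code> output (10001, 10004, 10019) look sequentially allocated rather than RID-derived, which is what the tdb backend produces, and a tdb range that has simply run out of free ids gives the same symptom for newly created users.</p>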