{"id":3376,"date":"2014-12-20T15:15:21","date_gmt":"2014-12-20T15:15:21","guid":{"rendered":"http:\/\/blog.bachi.net\/?p=3376"},"modified":"2017-03-11T17:15:39","modified_gmt":"2017-03-11T17:15:39","slug":"samba-mit-primary-domain-controller-pdc","status":"publish","type":"post","link":"https:\/\/blog.bachi.net\/?p=3376","title":{"rendered":"Single Sign On (SSO) for Linux and Windows"},"content":{"rendered":"

SingleSignOn<\/a>
\nKerberos<\/a>
\nOpenLDAPServer<\/a>
\nSamba\/Kerberos<\/a><\/p>\n

Abk\u00fcrzungen \/ Abbreviations<\/h3>\n

Active Directory (AD)
\nDomain Controller (DC)
\nPrimary Domain Controller (PDC)
\nGroup Policy Object (GPO)<\/a>, Gruppenrichtlinienobjekt f\u00fcr eine Windows Active-Directory-Domain<\/p>\n

Linux Logon\/Logoff Scripts<\/h3>\n

AppNote: How to Implement Login Scripts into a Pure Linux Environment<\/a><\/p>\n

Name Service Switch (NSS)<\/h3>\n

Background on Name Service Switch<\/a><\/p>\n

Pluggable Authentication Modules (PAM)<\/h3>\n

Understand PAM and NSS<\/a>
\nPAM\/NSS<\/a><\/p>\n

How PAM works<\/a>
\nUnderstanding PAM<\/a>
\nNetBSD: Pluggable Authentication Modules (PAM)<\/a>
\nFreeBSD: Pluggable Authentication Modules<\/a>
\nWikipedia: Pluggable Authentication Modules<\/a>
\nRedHat: Using Pluggable Authentication Modules (PAM)<\/a>
\nUser Authentication HOWTO – PAM (Pluggable Authentication Modules)<\/a><\/p>\n

Samba Shared Folders<\/h3>\n

Samba Server<\/a>
\nSamba Server: smb.conf<\/a>
\nsamba question: share = user<\/a>
\nubuntu server and samba<\/a><\/p>\n

\r\n$ chown nobody:sambashare \/raid\/share\r\n<\/pre>\n
\r\n# smbpasswd -a bachi\r\nNew SMB password:\r\nRetype new SMB password:\r\ntdbsam_open: Converting version 0.0 database to version 4.0.\r\nWARNING: database '\/var\/db\/samba4\/private\/passdb.tdb.tmp' does not end in .[n]tdb: treating it as a TDB file!\r\ntdbsam_convert_backup: updated \/var\/db\/samba4\/private\/passdb.tdb file.\r\ntdb(\/var\/db\/samba4\/winbindd_idmap.tdb): tdb_open_ex: could not open file \/var\/db\/samba4\/winbindd_idmap.tdb: No such file or directory\r\ntdb(\/var\/db\/samba4\/account_policy.tdb): tdb_open_ex: could not open file \/var\/db\/samba4\/account_policy.tdb: No such file or directory\r\naccount_policy_get: tdb_fetch_uint32 failed for type 1 (min password length), returning 0\r\naccount_policy_get: tdb_fetch_uint32 failed for type 2 (password history), returning 0\r\naccount_policy_get: tdb_fetch_uint32 failed for type 3 (user must logon to change password), returning 0\r\naccount_policy_get: tdb_fetch_uint32 failed for type 4 (maximum password age), returning 0\r\naccount_policy_get: tdb_fetch_uint32 failed for type 5 (minimum password age), returning 0\r\naccount_policy_get: tdb_fetch_uint32 failed for type 6 (lockout duration), returning 0\r\naccount_policy_get: tdb_fetch_uint32 failed for type 7 (reset count minutes), returning 0\r\naccount_policy_get: tdb_fetch_uint32 failed for type 8 (bad lockout attempt), returning 0\r\naccount_policy_get: tdb_fetch_uint32 failed for type 9 (disconnect time), returning 0\r\naccount_policy_get: tdb_fetch_uint32 failed for type 10 (refuse machine password change), returning 0\r\nAdded user bachi.\r\n\r\n# pkg remove samba41 ntdb tdb\r\n# pkg install samba41 ntdb tdb\r\n\r\n# smbpasswd -a bachi\r\nNew SMB password:\r\nRetype new SMB password:\r\n\r\n# ls -la \/var\/db\/samba4\/\r\ntotal 480\r\ndrwxr-xr-x   3 root  wheel     512 Feb 18 11:07 .\r\ndrwxr-xr-x  12 root  wheel     512 Feb 18 11:00 ..\r\n-rw-------   1 root  wheel  421888 Feb 18 11:03 account_policy.tdb\r\n-rw-r--r--   1 root  wheel     237 Feb 18 11:07 browse.dat\r\n-rw-r--r--   1 root  wheel     696 Feb 18 11:03 gencache.tdb\r\n-rw-r--r--   1 root  wheel     696 Feb 18 11:07 gencache_notrans.tdb\r\n-rw-------   1 root  wheel     696 Feb 18 11:03 group_mapping.tdb\r\n-rw-------   1 root  wheel     696 Feb 18 11:03 mutex.tdb\r\ndrwxr-xr-x   2 root  wheel     512 Feb 11 10:16 private\r\n\r\n\r\n# pdbedit -L  -v\r\n---------------\r\nUnix username:        bachi\r\nNT username:\r\nAccount Flags:        [U          ]\r\nUser SID:             S-1-5-21-565438450-2596499718-1061971255-1000\r\nPrimary Group SID:    S-1-5-21-565438450-2596499718-1061971255-513\r\nFull Name:            Andreas Bachmann\r\nHome Directory:       \\\\bsd\\bachi\r\nHomeDir Drive:\r\nLogon Script:\r\nProfile Path:         \\\\bsd\\bachi\\profile\r\nDomain:               BSD\r\nAccount desc:\r\nWorkstations:\r\nMunged dial:\r\nLogon time:           0\r\nLogoff time:          Sun, 04 Dec 219250468 16:30:07 CET\r\nKickoff time:         Sun, 04 Dec 219250468 16:30:07 CET\r\nPassword last set:    Wed, 18 Feb 2015 11:07:24 CET\r\nPassword can change:  Wed, 18 Feb 2015 11:07:24 CET\r\nPassword must change: never\r\nLast bad password   : 0\r\nBad password count  : 0\r\nLogon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\r\n\r\n# testparm\r\nLoad smb config files from \/usr\/local\/etc\/smb4.conf\r\nProcessing section "[homes]"\r\nLoaded services file OK.\r\nWARNING: 'workgroup' and 'netbios name' must differ.\r\nServer role: ROLE_STANDALONE\r\nPress enter to see a dump of your service definitions\r\n\r\n[global]\r\n        workgroup = BSD\r\n        idmap config * : backend = tdb\r\n\r\n[homes]\r\n        comment = Home Directories\r\n        valid users = %S\r\n        read only = No\r\n        create mask = 0600\r\n        directory mask = 0700\r\n        browseable = No\r\n<\/pre>\n
Samba mit Primary Domain Controller (PDC)<\/h3>\n
Samba-3 by Example: Chapter 11. Active Directory, Kerberos, and Security<\/a>
\nMicrosoft: You incorrectly receive an error message when you join a computer that is running Windows 7 to a Samba 3-based domain<\/a>
\nSamba AD DC HOWTO<\/a>
\nSamba Server PDC<\/a>
\nAufbau und Konfiguration eines Dom\u00e4nencontrollers mit Samba<\/a>
\nSamba domain controller<\/a>
\nSamba 4 Active Directory Domain Controller<\/a>
\nSamba4 AD DC on Ubuntu 14.04<\/a>
\nThe Samba AD DNS Back Ends<\/a><\/p>\n
FreeBSD<\/h4>\n
How to integrate Active Directory with FreeBSD 10.0 using security\/sssd?<\/a>
\nFreeBSD 10: SAMBA 4 as a domain controller running on a public IP (OpenVPN, BIND, pf)<\/a>
\nSamba 4.1 Active Directory Domain Controller on FreeBSD 10.1<\/a>
\nHow to set up FreeBSD 10.1 as a Domain Controller<\/a> (Video)
\nSamba4 dc in FreeBSD 10<\/a>
\nHowto setup Samba Domain Controller on FreeBSD<\/a><\/p>\n
LDAP \/ OpenLDAP<\/h3>\n
zytrax.com Open Source Guides – LDAP for Rocket Scientists<\/h4>\n
2. LDAP Concepts & Overview<\/a>
\nChapter 6. LDAP Configuration<\/a>
\nChapter 8. LDAP LDIF and DSML<\/a><\/p>\n
Useful tutorials<\/h4>\n
Example: Shared Address Book (LDAP)<\/a>
\nOpenLDAP Server on Ubuntu 14.04<\/a>
\nUbuntu Server Guide: OpenLDAP Server<\/a>
\nHow To Install and Configure OpenLDAP and phpLDAPadmin on an Ubuntu 14.04 Server<\/a>
\nHow To Install and Configure a Basic LDAP Server on an Ubuntu 12.04 VPS<\/a>
\nGetting error for setting password feild when creating generic user account phpldapadmin<\/a><\/p>\n
\r\nLine 2469:\r\n$default = $this->getServer()->getValue('appearance','password_hash');\r\nor\r\n$default = $this->getServer()->getValue('appearance','password_hash_custom');\r\n<\/pre>\n
\r\n$ ldapsearch -X u:admin -b dc=auth,dc=intra,dc=fablabwinti,dc=ch\r\nSASL\/DIGEST-MD5 authentication started\r\nPlease enter your password: \r\nldap_sasl_interactive_bind_s: Invalid credentials (49)\r\n\tadditional info: SASL(-13): user not found: no secret in database\r\n\r\n$ ldapsearch -x -LLL -b dc=auth,dc=intra,dc=fablabwinti,dc=ch \r\ndn: dc=auth,dc=intra,dc=fablabwinti,dc=ch\r\nobjectClass: top\r\nobjectClass: dcObject\r\nobjectClass: organization\r\no: fablabwinti\r\ndc: auth\r\n\r\ndn: cn=admin,dc=auth,dc=intra,dc=fablabwinti,dc=ch\r\nobjectClass: simpleSecurityObject\r\nobjectClass: organizationalRole\r\ncn: admin\r\ndescription: LDAP administrator\r\n\r\n$ ldapsearch -x -LLL -b dc=auth,dc=intra,dc=fablabwinti,dc=ch dn\r\ndn: dc=auth,dc=intra,dc=fablabwinti,dc=ch\r\ndn: cn=admin,dc=auth,dc=intra,dc=fablabwinti,dc=ch\r\n\r\n$ ldapsearch -LLL -x -H ldap:\/\/\/ -b dc=auth,dc=intra,dc=fablabwinti,dc=ch dn\r\ndn: dc=auth,dc=intra,dc=fablabwinti,dc=ch\r\ndn: cn=admin,dc=auth,dc=intra,dc=fablabwinti,dc=ch\r\n\r\n-X \r\n<\/pre>\n
RADIUS<\/h3>\n
FreeRADIUS<\/a>
\nCentralized Logins Using LDAP and RADIUS<\/a>
\nPrimer: Authentication – RADIUS, Kerberos, and LDAP<\/a>
\nHow to integrate RADIUS with Kerberos?<\/a>
\nRADIUS and Kerberos and LDAP!!! Oh my!!!<\/a><\/p>\n
Samba und OpenLDAP<\/h3>\n
The Linux Samba-OpenLDAP Howto<\/a>
\nSetting up Samba as a Domain Controller with OpenLDAP<\/a>
\nSamba and LDAP<\/a>
\nSetup Samba Domain Controller with LDAP Backend in Ubuntu 13.04<\/a>
\nLinux-PDC mit Samba und OpenLDAP – Zentrale Anmeldung<\/a><\/p>\n
MIT Kerberos 5<\/h3>\n
Setting up an Active Directory Domain Controller using Samba 4 on Ubuntu 14.04<\/a>
\nUbuntu 14.04 kerberos krb5 installation+removing messed up login<\/a>
\nDebian GNU and Ubuntu: Setting up MIT Kerberos 5<\/a>
\nUnable to setup Kerberos on Ubuntu 14.04 – krb5kdc: No such file or directory – while initializing database for realm myrealm<\/a>
\nKerberos – Community Help Wiki<\/a>
\nKerberos<\/a>
\nKerberos und LDAP<\/a>
\nKerberos with LDAP Backend on Ubuntu 12.04 – Part One<\/a>
\nKerberos with LDAP Backend on Ubuntu 12.04 – Part Two<\/a>
\nKerberos with LDAP Backend on Ubuntu 12.04 – Part Three<\/a>
\nKerberos with LDAP Backend on Ubuntu 12.04 – Part Four<\/a>
\nMIT Kerberos Documentation: Kerberos with LDAP backend on Ubuntu 10.4<\/a>
\nMIT Kerberos Documentation: Configuring Kerberos with OpenLDAP back-end<\/a>
\nUbuntu 14.04 LTS : Samba Server : Samba AD DC : Server Settings<\/a>
\nUbuntu 14.04 LTS : WEB Server : Use Kerberos Auth<\/a><\/p>\n
LightDM<\/h4>\n
Lightdm Login & Kerberos: Ticket nicht gekommen<\/a>
\nTesting Kerberos in Ubuntu<\/a>
\nHow do I enable the \u201cOther\u201d user for login with Active Directory?<\/a>
\nUbuntu Linux and Active Directory<\/a><\/p>\n
Abh\u00e4ndigheiten \/ Dependencies<\/h4>\n
ISC-DHCPD<\/a>
\nBIND DNS-Server<\/a><\/p>\n
\r\n$ sudo apt-get install bind9\r\n$ sudo service bind9 stop\r\n<\/pre>\n
DNS<\/h3>\n
\r\n$ ls -la \/etc\/bind\r\n[...]\r\n-rw-r--r--   1 bind bind   493 Dez 26 19:41 named.conf\r\n-rw-r--r--   1 root bind   307 Dez 29 18:50 named.conf.local\r\n[...]\r\n\r\n$ ls -la \/var\/lib\/bind\r\n[...]\r\n-rw-r--r--  1 bind bind   572 Feb  6 18:49 db.192.168.1\r\n[...]\r\n\r\n$ cat \/etc\/apparmor.d\/usr.sbin.named\r\n\/usr\/sbin\/named {\r\n  [...]\r\n \r\n  # \/etc\/bind should be read-only for bind\r\n  # \/var\/lib\/bind is for dynamically updated zone (and journal) files.\r\n  # \/var\/cache\/bind is for slave\/stub data, since we're not the origin of it.\r\n  # See \/usr\/share\/doc\/bind9\/README.Debian.gz\r\n  \/etc\/bind\/** r,\r\n  \/var\/lib\/bind\/** rw,\r\n  \/var\/lib\/bind\/ rw,\r\n  \/var\/cache\/bind\/** lrw,\r\n  \/var\/cache\/bind\/ rw,\r\n \r\n  [...]\r\n}\r\n<\/pre>\n
NTP<\/h3>\n
HOWTO: Set Up an NTP Server <\/a>
\nTime Synchronisation with NTP<\/a>
\nPostponing ntpd<\/a>
\nhow do I disable ntpd?<\/a>
\nThe NTP FAQ and HOWTO – Understanding and using the Network Time Protocol<\/a><\/p>\n
Apache<\/h3>\n
\r\n$ echo "ServerName localhost" | sudo tee \/etc\/apache2\/conf-available\/fqdn.conf\r\n$ sudo a2enconf fqdn\r\n<\/pre>\n
Bugs<\/h4>\n
Bug #1125726: boot-time race between \/etc\/network\/if-up.d\/ntpdate and “\/etc\/init.d\/ntp start” <\/a>
\nBug #777879: removing ntpdate removes ubuntu-minimal<\/a> (duplicate! use Bug #61619)
\nBug #61619: ntpdate in -minimal should have an alternative<\/a>
\nBug #556372: Please remove the plymouth dependency from mountall \/ cryptsetup<\/a> (Create a simple package)<\/p>\n","protected":false},"excerpt":{"rendered":"
SingleSignOn Kerberos OpenLDAPServer Samba\/Kerberos Abk\u00fcrzungen \/ Abbreviations Active Directory (AD) Domain Controller (DC) Primary Domain Controller (PDC) Group Policy Object (GPO), Gruppenrichtlinienobjekt f\u00fcr eine Windows Active-Directory-Domain Linux Logon\/Logoff Scripts AppNote: How to Implement Login Scripts into a Pure Linux Environment Name Service Switch (NSS) Background on Name Service Switch Pluggable Authentication Modules (PAM) Understand PAM […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3376","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/3376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3376"}],"version-history":[{"count":46,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/3376\/revisions"}],"predecessor-version":[{"id":5991,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/3376\/revisions\/5991"}],"wp:attachment":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}