AD DC+SAMBA share+Windows Clients works, now how to work with Linux clients?

Hi All,

I’ve got NethServer as a user authentication and file sharing server for my network full of Windows 10 computers. All works great.

Now I have a growing number of outdated Chromebooks which (after conversion) are happily working under Manjaro Linux. I don’t want to play with home directories (yet) nor micromanage those clients… but it would be nice to authenticate on them with the AD user credentials (for a starter).

I found (clicking Local Active Directory Details in Users & Groups section) all my LDAP settings :astonished: although there is nothing about LDAP in the list of services! Wow.
So, the question really is: should I try to authenticate my Linux clients against LDAP, or start working on joining them to AD?

I really like the idea of LDAP authentication since AD is very unnatural to Linux clients, but found no good guide on how to do it. I’ve tried with one Linux computer and got stuck on authentication not getting through (there was no complaint about the user name… probably encryption of the password wasn’t set up properly).

So, what would be the least intrusive to my current NethServer path (don’t touch what’s not broken) to authenticate my Linux clients with it?

Sincerely,
Sasha

Study what the distro says? I mean…
Several forum members have shared their experience with AD integration for their Linux environments. But joining AD might (or might not) be a goal of the distro. The Samba container as AD Domain Controller is built for… Windows.

So.
If all you need is access to a shared folder with granular permissions… mount the SMB share (please, avoid SMBv1!) and save the password. But the NethServer password won’t be the local Linux user password. (It can be the same, but changes will happen separately.)
If you’d love to use centralized authentication… study the distro you’re using and/or other options to achieve what you’re looking for.

(All written above is my personal opinion. I have no connection with the project and/or development team)
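The "mount the SMB share, avoid SMBv1, save the password" route above, written out as a shell script. This is an added example, not code from the post or from NethServer; the server name `nethserver.ad.example.org`, the share `lab`, the mount point `/mnt/lab`, the local user `lab` and the password are placeholders. It pins the dialect to SMB3 so SMBv1 can never be negotiated, keeps the AD password in a root-only credentials file, and refuses to mount if that file is readable by anyone else.

```sh
#!/bin/sh
# Added example (not from the original post): mount a NethServer SMB share on
# a Linux client with a stored credential, allowing SMB3 only. The server name,
# share, mount point and the "lab" user are assumptions for illustration.
set -u

# Write a mount.cifs credentials file that is 0600 from the moment it exists,
# so the password never sits in a world-readable file, even briefly.
# Usage: write_cifs_credentials FILE USER PASSWORD DOMAIN
write_cifs_credentials() {
    old_umask=$(umask)
    umask 077
    printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1"
    umask "$old_umask"
}

# Refuse to use a credentials file that anyone but its owner can read.
# Usage: check_creds_file FILE   (returns 0 when mode is 0600 or 0400)
check_creds_file() {
    perms=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$perms" in
        600|400) return 0 ;;
        *) printf 'refusing %s: mode %s, expected 0600\n' "$1" "$perms" >&2; return 1 ;;
    esac
}

# Build the mount options. vers=3.0 is a floor: the client never negotiates
# SMB1 or SMB2 even if the server offers them. seal asks for SMB3 encryption
# on the wire. sec=ntlmssp is the password mechanism a Samba AD DC accepts;
# switch to sec=krb5 once the client is joined to the domain.
# Usage: cifs_mount_opts CREDS_FILE UID GID
cifs_mount_opts() {
    printf 'vers=3.0,seal,sec=ntlmssp,credentials=%s,uid=%s,gid=%s,file_mode=0660,dir_mode=0770,_netdev,nofail' \
        "$1" "$2" "$3"
}

# Matching /etc/fstab line for a persistent mount.
# Usage: fstab_line //SERVER/SHARE MOUNTPOINT OPTIONS
fstab_line() {
    printf '%s %s cifs %s 0 0\n' "$1" "$2" "$3"
}

# Mount SHARE at MOUNTPOINT, files owned by local user OWNER.
# Usage: mount_share //SERVER/SHARE MOUNTPOINT CREDS_FILE OWNER
mount_share() {
    check_creds_file "$3" || return 1
    owner_uid=$(id -u "$4") || return 1
    owner_gid=$(id -g "$4") || return 1
    mkdir -p "$2"
    mount -t cifs "$1" "$2" -o "$(cifs_mount_opts "$3" "$owner_uid" "$owner_gid")"
}

# Only acts when invoked as: sh cifs-mount.sh mount
# (hostnames and the password are placeholders)
case "${1:-}" in
    mount)
        write_cifs_credentials /root/.smb-lab lab 'change-me' AD
        mount_share //nethserver.ad.example.org/lab /mnt/lab /root/.smb-lab lab
        fstab_line //nethserver.ad.example.org/lab /mnt/lab \
            "$(cifs_mount_opts /root/.smb-lab "$(id -u lab)" "$(id -g lab)")"
        ;;
esac
```

The credentials file holds the AD password, which is managed on NethServer and, as the post says, changes independently of the local Linux account; that is why it is created under umask 077 and checked before every mount. `seal` requires the server to allow SMB3 encryption (Samba's `smb encrypt` setting); drop it if the mount fails with that option, but keep `vers=3.0`.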

Thanks.

But what about LDAP? First, is it there or am I dreaming (it’s not on the list of services)? Second, if it is in the system’s foundation for user authentication, will it have the list of users and can I simply authenticate Linux against it with my current NethServer setup?

Sincerely,
Sasha

PS I also have Nextcloud installed and working. Maybe that is why there is LDAP somewhere?

AFAIK
sssd acts like a bridge for centralized authentication of several services/modules of NethServer.
So all services rely on sssd, and you feed sssd with user data via the AD/NSDC container or the OpenLDAP server (the choice of account provider). sssd acts as the client.

So you cannot use LDAP from clients to sssd? Never personally tried, IDK
So you cannot use LDAP from clients to NSDC? Never personally tried, IDK
But it’s only my knowledge currently, not the “best in class deep knowledge of every use possible” :wink:

Oh. OK. Thanks!

Is there a guide on how to set up LDAP authentication for a Linux client, using the information given under “Users & Groups” Local Active Directory Details?

Sincerely,
Sasha

Hi @sashaluda

Have a look at this here, it works well:

Good feedback here on the forum…

My 2 cents
Andy


Thanks a lot. I really didn’t want to join the AD domain and was hoping for simple LDAP authentication… moreover, I was hoping to slowly kiss Windows 10 goodbye and move completely to Linux-based computers in our lab. That is possible with pGINA…

Sincerely,
Sasha

Hi @sashaluda

I think you’re completely missing the point with this statement:

LDAP will not allow ANY user or group based shares!!!
That alone is the reason to evade using LDAP on NethServer, even though it works well.

AD use on NethServer (Or any other server platform for that matter) is NOT about using Windows!

From a security point of view, that’s not usable even for a home server!
“Public” Shares, based on a “per-share” Password is an absolute No-Go in 2023!
You don’t want your kids overwriting their pocket money allowance on the home budget spreadsheet! :slight_smile:

Side Note: Spreadsheet does NOT mean MS Excel - or the now dormant Lotus 1-2-3. There are LibreOffice and other variants of Office suites including Spreadsheets and all. The same as AD use does not imply a MS-Usage or Environment! It makes plenty of sense to use AD even in a complete Mac or Linux environment!

My 2 cents
Andy


Hi @Andy_Wismer,

Wait a minute! Are you saying that Linux (apart from AD and Samba) is not capable of creating a single-sign-on authentication with user-group regulated shares?

I thought it is accomplished with LDAP+NFS. Right? I thought one could have a lab of users and network shares without Samba and AD authentication…

NethServer, out of the box, is not capable of using LDAP / NFS to create shares…
NFS does not really support any user or group authentication; NFS only supports host- or IP-based authentication.

→ This is valid at least up to NFSv3; I don’t touch NFSv4, as it’s not supported by a lot of systems and it’s unstable / unreliable.

There is an add-on (module) by Stephdl which allows you to create NFS shares, but only per IP/host…

Most current OSes have moved from using native file sharing (e.g. NFS for UN*X/Linux, AFP for Apple) to using CIFS (Samba, also known as Windows file sharing).

No, as it seems even die-hard Linux users will often choose AD/Samba, even without a single Windows box. It just works with all NAS, printers, workstations and others.

Note:

All the above is specifically for NethServer. As NethServer is based on CentOS 7, itself a copy of RHEL7, the real issue is that RedHat didn’t include AD-capable components. The Samba released by RedHat can’t be AD, due to RedHat compiling “standard” Samba, not Samba4AD, which requires Heimdal Kerberos, not the standard Kerberos used by RedHat. RHEL7-compatible systems can be AD members, but not run AD themselves. (A long story cut short…).

My 2 cents
Andy

Oh… That’s a complete worldview change! I thought that UNIX pre-existed Samba by decades… and that UNIX was for most of its existence a multi-user environment. The only thing that was added over time is good encryption (especially the asymmetric kind, followed by certificates, certificate authorities…) instead of just sending things over the network unencrypted.
So, the entire hierarchy of user directories… I understand that it was driven by a “Terminal Server” design.

But even in a “non-terminal server” scenario, for authentication – just create a link to the proper files from one computer on the network to the other, and a client will use the remote files in /etc for authentication rather than local ones… Although this sounds like a stone age solution.
… Never mind that… just thinking out-loud in astonishment…

So, there was never in the history of Linux/UNIX a network share solution with user and group access rights?

Anyway, I found this: FreeIPA. Of course the project had its first version only in 2007… but this is a completely Linux solution that is supposed to be able to replace AD. Or am I wrong in this case also?

Keep increasing your knowledge of the world of IT and systems.
Take a run here…

What Microsoft put in place (and arm-twisted 4 to 5 times) as paradigm was not the only one for network connected systems.
So centralized management and SSO are one way to design a system, not the only one. SSO has some nice pros but also some fearful cons.

Oh… So, what is a way to avoid assigning each user in a lab a particular computer (with credentials saved locally), but to allow users to change workstations and log in on whichever computer is available? Is it to sync accounts and files across the network? Or to have the /etc files responsible for authentication stored on the network?

I believe that Microsoft way of development of their tech was and is a most painful way of slow upgrades with keeping old tech under the hood. They, so to speak, slowly upgraded a bicycle to a jeep. You can still find old parts in some places, but it is a Frankenstein’s monster.

On the other hand the philosophy of UNIX that everything is a file (and many other fundamental ideas) prepared it for a future upgrade of hardware and software capabilities.

So, I think that there must be the “UNIX” way (or a Linux way) that a lab or a business should be able to successfully operate in the world of PCs (and not the mainframes). Or is it an inherited problem of UNIX-based systems to be by their nature mainframe-based systems (a terminal server)?

Sincerely,
Sasha

Thanks for explaining and exposing your personal beliefs about that. Now that you’ve done it, you might want to look for whether there is any translation of that into the real world.
And don’t forget that there are more mobile phones and tablets than computers in the world…

:smiley: That is exactly my point: Android and iOS are based on UNIX concepts (FreeBSD and Linux) and not Microsoft technologies. So, there must be a way. :wink:

Yes, I understand that FAT32 is the most popular freely supported file system in all devices – because there are no legal limitations, and that (just like Samba) Microsoft popularized it.

Yet, I hope to find the right way to do my lab. … So, have you heard of FreeIPA? Moreover, (returning to the subject of discussion) I looked around the NethServer file system and found this:
# find / -type f -name "ldap.conf"
/etc/openldap/ldap.conf
/etc/e-smith/events/nethserver-sssd-save/templates2expand/etc/openldap/ldap.conf
/etc/e-smith/events/nethserver-sssd-update/templates2expand/etc/openldap/ldap.conf
/var/lib/machines/nsdc/etc/openldap/ldap.conf

But looking at the settings of ldap.conf saved in each copy – they are all default:

# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer’s guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
#
# 10default
#

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

#
# 20tls
#
TLS_REQCERT never

So, the question is, where are the settings shown in “Users&Groups–Local Active Directory Details” stored, and how do I use them?

Yes. That (a long story cut short…) is the history of development of protocols injured by legal issues. So, have you heard of FreeIPA? The project is based on Fedora, but there are compiled versions for CentOS and Debian.

Yes, I have… Unfortunately, I heard the Big Bad Blue news first, then the early discontinuation of Centos…

I don’t really think I can trust anything from either Big Blue or Red…

Besides which: FreeIPA uses MIT Kerberos, so will most likely NEVER support any Windows.
My clients have 1 Linux workstation for every 30-50 Windows workstations. Even Macs outnumber Linux 4:1… I use (also) a Linux workstation, but reality in workplaces is still Windoze…

At the moment, version 4 of FreeIPA allows FreeIPA as a client of Windows AD…
Any decent Linux Desktop can join ActiveDirectory as is - without any need to put FreeIPA in between.
Why add on software with no additional functionality? Bloatware?

I do not see any realistic reason to support FreeIPA at all!

My 2 cents
Andy


Oh… Well… FreeIPA has LDAP in its bases, and AFAIK LDAP is more widely supported and used by modern tech than AD (online services…). There is a project pGina which allows Windows workstations authenticate against LDAP. I really want to try it.

Why I’m looking for another way than AD… mostly because I see that the “Workstation way” is dying as much as the “Mainframe way”. I installed Nextcloud on NethServer and can make a script that would connect the Nextcloud “user home folder” to Windows or Linux via WebDAV at login. This is all thanks to LDAP, not AD. Although WebDAV felt slower than Samba access, this might be due to the setup or hardware I used to test it (I might be wrong and WebDAV might be the outdated thing altogether). I am also able to quickly access WebDAV resources on my cellphone and tablet, none of which is thanks to AD or Samba.

There are more and more solutions online to manage devices: this is what AD allows for PCs… And those services support all devices (PCs, phones, tablets…) I know, this sounds like the “one ring to rule them all”, but I don’t see much future for a desktop if it is stuck with AD and Samba instead of learning how to integrate with clouds (not the MS way – like a slap on ad-on OneDrive or Google drive app, but as a system service – the way it’s done in Linux when you mount whatever file-system via whatever connection).

But that’s all the impression I have from my limited experience with tech I have.

So, speaking of integration into AD of a Linux computer:
I was so surprised to start seeing (probably from 20.04) an option in Ubuntu during installation: “Add this computer to a domain”. I was really excited to have it done the official way (unlike manual or scripted solutions). So, I jumped at the opportunity and quickly installed Ubuntu, trying to add it to my NethServer AD domain during its installation… But failed miserably multiple times. There must be a glitch or disconnect between what Ubuntu expects from an AD domain and what NethServer offers – there is no love :slight_smile:
(Just think about how wrong it sounds to join Ubuntu into CentOS’s implementation of a Microsoft-developed domain controller – another reason I’m looking around for another, more natural solution.)

Can anybody test and see if you can join your NethServer AD with a new installation of Ubuntu? Maybe there is a problem with my settings. I tried to debug… but this will probably have to do with debugging Kerberos handshakes… which might be difficult.

Thank you,
Sasha
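For anyone trying the join from the Linux side rather than from the installer, here is the procedure as a script, with the two checks that account for most failed joins and broken Kerberos handshakes done first: DNS SRV records and clock skew. This is an added example, not code from the thread, from NethServer or from Ubuntu; the domain `ad.example.org` and the `Administrator` account are assumptions, and the tooling (realmd, sssd, adcli, ldap-utils, dig) is the same on Ubuntu, Debian and Fedora/RHEL.

```sh
#!/bin/sh
# Added example (not from the original post): join a Linux client to an AD
# domain such as NethServer's NSDC with realmd/sssd, after checking the two
# things that most often break the join and the Kerberos handshake: DNS SRV
# records and clock skew. Domain name and admin account are assumptions.
set -u

KRB_MAX_SKEW=300   # Kerberos rejects authenticators more than 5 minutes off

# SRV records an AD client must be able to resolve; one per line.
# Usage: ad_srv_records DOMAIN
ad_srv_records() {
    printf '_ldap._tcp.dc._msdcs.%s\n_kerberos._tcp.dc._msdcs.%s\n_kerberos._udp.%s\n_kpasswd._tcp.%s\n' \
        "$1" "$1" "$1" "$1"
}

# AD publishes its clock in the rootDSE currentTime attribute as generalized
# time, e.g. 20230615120000.0Z; convert that to a Unix epoch (UTC).
# Usage: ad_time_to_epoch GENERALIZED_TIME
ad_time_to_epoch() {
    stamp=${1%%.*}
    stamp=$(printf '%s' "$stamp" | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6/')
    date -u -d "$stamp" +%s
}

# 0 when two epoch timestamps are within Kerberos clock-skew tolerance.
# Usage: clock_skew_ok CLIENT_EPOCH DC_EPOCH
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le "$KRB_MAX_SKEW" ]
}

# The Kerberos realm is the DNS domain in upper case.
# Usage: realm_of DOMAIN
realm_of() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Online part; only runs when invoked as:
#   sh ad-join.sh ad.example.org Administrator
case "${1:-}" in
    "") ;;   # no arguments: define the helpers only
    *)
        domain=$1
        admin=${2:-Administrator}
        for rec in $(ad_srv_records "$domain"); do
            dig +short SRV "$rec" | grep -q . \
                || { echo "missing SRV record $rec: point resolv.conf at the DC first" >&2; exit 1; }
        done
        dc=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | awk '{print $4}' | head -n 1)
        dc=${dc%.}
        # rootDSE is readable anonymously on AD and Samba AD, so the DC clock
        # can be compared before any Kerberos ticket exists.
        dc_time=$(ldapsearch -x -LLL -H "ldap://$dc" -s base -b '' currentTime | sed -n 's/^currentTime: //p')
        clock_skew_ok "$(date -u +%s)" "$(ad_time_to_epoch "$dc_time")" \
            || { echo "clock skew over ${KRB_MAX_SKEW}s against $dc: fix NTP before joining" >&2; exit 1; }
        realm discover "$domain"
        realm join -v -U "$admin" "$domain"
        # Verify: identity lookup through sssd, then a real Kerberos exchange.
        id "$admin@$domain"
        kinit "$admin@$(realm_of "$domain")" && klist
        ;;
esac
```

Run without arguments the script only defines its helpers; with a domain and an admin account it performs the checks, the join and the verification. If `kinit` still fails after a clean join, `KRB5_TRACE=/dev/stderr kinit user@REALM` prints every step of the handshake (which KDC was contacted, which encryption types were offered, why a reply was rejected), which is a much faster way to see what the DC objects to than reading sssd logs.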

Hi @sashaluda

Globally, there are way more hosts authenticating with AD than with pure LDAP.

You’re writing as though LDAP and AD are complete different animals!

You do know that AD is based on LDAP (with proprietary changes by MS)?
It’s almost completely compatible with one another, so much so that almost anything capable of using LDAP could also use AD.

Both are essentially Enterprise Directory Systems - for large and the largest organizations. It has nothing to do with the Workstation or Mainframe “way”, and all of this also has nothing to do with Clouds or “Online services”. Both LDAP / AD predate the first clouds by at least 20-30 years. LDAP and AD are both actually modelled after Novell’s NDS / eDirectory, which was around before AD - and supported / tested with over a million users!

RedHat never supported AD, therefore also never implemented an “AD” as server. As you know, Centos was always RHEL, one to one compiled from source - so also never supported an AD as server.
→ This is well known!

WebDAV is way slower than any form of drive connection, be it NFS, AFP, CIFS or whatever, and it also has much more security “gotchas”! This is well known!

Ubuntu / Canonical have moved away from Open Source. The snap installer isn’t completely open source - especially the “shop” part is not available at all as code. No, Ubuntu is no longer the open source it maybe once was…

Many people think the cloud is simply the mainframe “way” in a new dress. It’s not far off, both are centralized, powerful systems, controlled from a single point.


I’m not criticising you personally, @sashaluda, please don’t take this as personal criticism. It is, however, a major debunking of certain myths, like thinking AD and LDAP are two completely different things.

Almost all online (“cloud”) apps can use AD in place of LDAP. They all do require use of a proper Internet domain (LDAP on the Internet also can’t work with .local!) and both need valid SSL certs to be used safely. Both actually need a well-encrypted connection between authenticator and client (or a completely private connection); SSL alone is actually not enough!

And: there are, and have been, Linux distributions out there that could join any AD for at least 10 years, just like any Mac has been able to join MS-AD (and NethServer’s AD) just as easily. It’s just that Ubuntu isn’t one of them!

And: personally I moved away from MS more than ten years ago. As Desktop, I use Macs and Debian with Mate. As I do need to deal with Windows professionally, I only have virtual Windows for testing / learning and a now 11 year old PC with Win10 installed. I use this to test and perfect distribution and other stuff like FOG-Project. None of my clients run an AD on Microsoft OS, all use AD on NethServer.

→ When running AD, at least on NethServer, please make sure your AD uses a valid ssl cert, like LetsEncrypt, and not a self generated one like it does out of the box. All it takes is a valid ssl cert pointing to your NethServer with your ADs name as alias, and about 5 lines of code, less than 5 minutes work! PHP and JAVA apps are both VERY fussy about the ssl cert being valid!

I see this text as an exercise in “debunking”.
Most are facts, very little above is my opinion.

My 2 cents
Andy


PS: Simple question / Test:

Can you name the one major difference between any relational Database (RDBMS) like MS-SQL, MariaDB, Oracle, PostgreSQL and LDAP (Seeing AD as compatible)?

Any response to a query to any RDBMS will result in a field with exactly a single value.

The same response from any LDAP-compatible directory can result in a field containing multiple values - like an array in programming; as an example, think e-mail.

An RDBMS often has fields like email, email2, email3, as each field can contain exactly one response.
LDAP doesn’t need this “crutch”.

Another major difference (in general, not as specific as above) is that RDBMS are more or less optimized for read/write operations to have equal priority / speed, whereas LDAP is optimized for fast reads (how often do users change their home address or password?)…
