Samba Server version, AD Authentication and Kerberos


Samba - samba-technical mailing list
Hi,

I am looking for some help with Samba in our organization. Below are the currently installed Samba versions and the operating systems, which are almost out of support. We are planning to patch our AD servers with MS security patches, and it is noted that those security patches might affect Samba AD and Kerberos authentication.

I would need some help understanding whether we can update/upgrade the current Samba from 3.x to 4.x on the below OSes (RHEL, AIX, HP, SUN OS, Debian, etc.), and, if we need to integrate them with AD/Kerberos authentication, what the steps are.

OS           | Samba Version  | Total | Comments/Recommendations
-------------|----------------|-------|----------------------------
RHEL 5       | 3.6.23; 4.6.2  | 9     | Can 4.x samba be installed?
RHEL 6       | 3.6.23         | 9     | Can 4.x samba be installed?
AIX 5.3      | 3.5.8          | 1     | Can 4.x samba be installed?
AIX 6.x      | 3.2.x; 3.5.8   | 2     |
AIX 7.x      | 3.5.11; 3.5.8  | 2     |
HP UX 11.11  | 2.0.6; 3.0.2   | 3     |
Sun OS 5.8   | 3.4.2          | 1     |
Debian       | 3.0.2          | 1     |
Total        |                | 28    |

Your help is greatly appreciated.

Thank you,
Madhav Singh,
Infrastructure Solution, Design & Delivery
Honeywell Enterprise IT
Plot 115, Nanakramguda,
Hyderabad-500019
Office  : +91-40-66543570  x 61154
Mobile: +91-9000203423
Email:[hidden email]

From: Singh, Madhav
Sent: Thursday, December 14, 2017 04:13 PM
To: [hidden email]
Subject: Samba Server version, AD Authentication and Kerberos

Hi Abartlet,

I need some help with Samba having AD and Kerberos authentication. Below are the current Samba versions and OS versions we have in our infrastructure.

My questions are:

* Can we upgrade/install Samba 4.x on the below OS versions, without upgrading the OS itself?

* From which Samba version were AD and Kerberos authentication added?


OS           | Samba Version  | Total | Comments/Recommendations
-------------|----------------|-------|----------------------------
RHEL 5       | 3.6.23; 4.6.2  | 9     | Can 4.x samba be installed?
RHEL 6       | 3.6.23         | 9     | Can 4.x samba be installed?
AIX 5.3      | 3.5.8          | 1     | Can 4.x samba be installed?
AIX 6.x      | 3.2.x; 3.5.8   | 2     |
AIX 7.x      | 3.5.11; 3.5.8  | 2     |
HP UX 11.11  | 2.0.6; 3.0.2   | 3     |
Sun OS 5.8   | 3.4.2          | 1     |
Debian       | 3.0.2          | 1     |
Total        |                | 28    |

Your help is greatly appreciated.

Thank you,
Madhav Singh

From: Feller, Loras
Sent: Tuesday, December 12, 2017 03:59 AM
To: Mcguire, Dennis <[hidden email]>; Nelson, Scott <[hidden email]>; Shah, Baiju (Enterprise IT) <[hidden email]>; Singh, Madhav <[hidden email]>; Van Ryswyk, Jason <[hidden email]>
Cc: Hogan, Bill <[hidden email]>; Yarbrough, David <[hidden email]>
Subject: RE: Samba Server and AD Authentication

Honeywell Internal

Dennis,
I see (5)Linux for Kerberos update.  And (3)AIX that can be updated to Kerberos, since they are AIX6 & AIX7 with Samba v3.5.
  ...for a total of (8)Kerberos, and (0)switch-to-local needs. There are 19 already on local authentication use.

The oltengsvc1 Samba must not be used, since it is Samba v3.4, and smb.conf still identifies as binding to Global.

Thanks, Loras


From: Nelson, Scott
Sent: Monday, December 11, 2017 12:12 PM
To: Mcguire, Dennis <[hidden email]>; Shah, Baiju (Enterprise IT) <[hidden email]>; Singh, Madhav <[hidden email]>; Van Ryswyk, Jason <[hidden email]>; Feller, Loras <[hidden email]>
Cc: Hogan, Bill <[hidden email]>; Yarbrough, David <[hidden email]>
Subject: RE: Samba Server and AD Authentication

Adding Loras

From: McGuire, Dennis W [mailto:[hidden email]]
Sent: Monday, December 11, 2017 10:11 AM
To: Shah, Baiju (Enterprise IT) <[hidden email]>; Singh, Madhav <[hidden email]>; Nelson, Scott <[hidden email]>; Van Ryswyk, Jason <[hidden email]>
Cc: Hogan, Bill <[hidden email]>; Yarbrough, David <[hidden email]>
Subject: RE: Samba Server and AD Authentication

Samba Server list, affected servers.
Those that do not bind to global (green) do not require any modifications.
Those that do (red, yellow and orange) will need modifications.
Those in yellow currently have an AD upgrade path.
Those in orange, we're working on an upgrade path, or a path is possible.
Those in red have no upgrade path.

Dennis McGuire
Senior Consultant - UNIX Clusters SME
Capgemini NA
(505) 907-6432

-----Original Appointment-----
From: Shah, Baiju (Enterprise IT) [mailto:[hidden email]]
Sent: Wednesday, December 6, 2017 1:18 PM
To: Shah, Baiju (Enterprise IT); McGuire, Dennis W; Singh, Madhav; Nelson, Scott; Van Ryswyk, Jason
Subject: Samba Server and AD Authentication
When: Monday, December 11, 2017 8:00 AM-8:30 AM (UTC-07:00) Arizona.
Where: Skype Meeting


Re: Samba Server version, AD Authentication and Kerberos

On Fri, Dec 15, 2017 at 2:59 AM, Singh, Madhav via samba-technical
<[hidden email]> wrote:

> Hi,
>
> I am looking for some help with Samba in our organization. Below are the currently installed Samba versions and the operating systems, which are almost out of support. We are planning to patch our AD servers with MS security patches, and it is noted that those security patches might affect Samba AD and Kerberos authentication.
>
> I would need some help understanding whether we can update/upgrade the current Samba from 3.x to 4.x on the below OSes (RHEL, AIX, HP, SUN OS, Debian, etc.), and, if we need to integrate them with AD/Kerberos authentication, what the steps are.
>
> OS | Samba Version | Total | Comments/Recommendations
> RHEL 5 | 3.6.23; 4.6.2

Hold it *right* there. RHEL 5 is deprecated. Do *not* expect to run
Samba 4.x on it as a server, especially if you want or need full
Active Directory replacement support. You are going to *seriously*
hurt yourself if you try to backport Samba 4.x to RHEL 5, yourself.
I'd urge you to update to RHEL 7 as a matter of basic security
updates, and decide if you can use the default Samba 4.2.x.

Kerberos is authentication; AD, or Samba with full account management,
use LDAP for the account management. Keep these *separate* in your
head.

You can get recent versions of Samba for almost any operating system
that is not this obsolete. You can get versions with full Active
Directory compatible domain controller capabilities, but they're extra
work to compile the most recent versions of Samba with these features.
Sernet publishes them pre-built, but the most recent versions of
"gnutls" needed for Samba 4.7 or other recent releases are extra work to
update and manage.

Note that you *do not need* a full Samba installation to activate LDAP
and Kerberos account management and authentication for a designated,
local, upstream Samba server. For simple CIFS based file system
mounting, or printer access, or even Kerberos managed authentication
for local accounts to support "single sign on" configurations, you do
not need a local Samba server on client machines. On many systems,
these are already built into tools like "nsswitch" and "cifs-utils"
and "krb5", and do not actually require a local copy of Samba at all.
Samba needs to be on the designated *servers* for your local
environment.
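
An added illustration of the last point above (not part of the original post and not Samba project code): a client mounting a share with its Kerberos ticket using only krb5 and cifs-utils, with no local smbd. The realm EXAMPLE.COM, server fs01.example.com, share "projects" and mount point /mnt/projects are placeholders.

```shell
#!/bin/sh
# Added example: Kerberos-authenticated CIFS mount from a client with no smbd.
# Placeholders (assumptions): EXAMPLE.COM, fs01.example.com, "projects",
# /mnt/projects (must already exist).

# Emit a minimal krb5.conf that locates the AD KDCs through DNS SRV records.
krb5_conf() {  # $1 = AD domain / realm, any case
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Build mount.cifs options: sec=krb5 authenticates with the ticket cache
# owned by uid $1, so no password is typed or stored for the mount.
cifs_krb5_opts() {  # $1 = uid that ran kinit
    printf 'sec=krb5,cruid=%s,uid=%s' "$1" "$1"
}

# List which of the named client-side tools are missing from PATH.
missing_tools() {
    missing=""
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    printf '%s' "${missing# }"
}

# Usage: sh this-script --mount <ad-username>
if [ "${1:-}" = "--mount" ]; then
    PATH=$PATH:/sbin:/usr/sbin
    need=$(missing_tools kinit klist mount.cifs)   # krb5 client + cifs-utils
    [ -z "$need" ] || { echo "missing: $need" >&2; exit 1; }
    krb5_conf EXAMPLE.COM > /tmp/krb5.conf.example  # review, install as /etc/krb5.conf
    kinit "$2@EXAMPLE.COM"                          # obtain a TGT from AD
    sudo mount -t cifs //fs01.example.com/projects /mnt/projects \
        -o "$(cifs_krb5_opts "$(id -u)")"
fi
```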


RE: Samba Server version, AD Authentication and Kerberos

Thank you so much for your reply.

We have a group of users who use old Samba. When specific Microsoft patches were rolled out on our domain controller, their Samba connectivity was broken. This is why we are taking some extra care and trying to find out what would be the best approach so that we can install the MS security patch on our AD and connectivity to Samba is not lost. I am assuming that the security patch is blocking the port/service for Samba; I may be wrong too.

We need connectivity and authentication via AD and Kerberos which we would not want to break.


I explored the possibilities and found on some blogs/forums that Samba 3.6.x is compatible with RHEL 5, 6, 7 and AIX 5.3, 6.1, 7.1, but I am not sure if it is compatible with HP UX 11.11, Sun OS 5.8 and Debian 3. Am I headed in the right direction? Please advise.

Second, can we leverage our AD with Kerberos for authentication on the above OS versions with Samba 3.6.x?

Is there a possibility I can call and seek advice?



Thank you,
Madhav Singh,