SLES 11 SP4 SLES 11 samba windows domain and authentication help



ron7000
10-Nov-2015, 05:23
I am using SLES 11.4 x86-64 on a network having Microsoft Windows Server 2008.
On this network I have a Synology network attached storage (NAS) device.
The synology nas has no problem joining the windows domain and pulling the usernames and passwords to itself to then apply to the data stored on it.
I have already applied {Windows} file permissions to all my data on the synology nas, and all people who access anything sit at a desktop pc running windows 7 professional which is a client and authenticates to the windows server.
They then can either map a network drive or go \\synology\data in a window to access data if they have permissions to.
I have all usernames and group names set up on the windows server 2008 machine.

So now I have some other servers (more than one) all running SLES 11.4 x86-64 {to do real work}.
I want my SLES servers to

1) first and foremost mount the synology:/data folder properly, including user and group permissions that have already been done on the windows server 2008 machine. When a user is logged in to SLES by ssh or a remote client such as vnc, I want them to be able to "cd /data/blablabla" to access data on the synology nas. What's the best way to do this? I believe {going from memory} the synology:/data share is SMB... it's in windows world. The synology does allow for NFS export and I have done that, but not a complete success since permissions get messed up; I've only been able to nfs mount it having 777 permissions for everything. At this point I think I'm supposed to authenticate SLES with Windows Server 2008 for permissions, but then how do I mount synology:/data? Will NFS mount work or should SLES be doing a smb or cifs mount?

2) not have to use a local /etc/passwd file where I have to manually re-create those user accounts which exist on the windows server 2008 machine. I've read the sles pdf files on samba and ldap... and understand you might not want every windows domain user able to log into linux but that's ok for now, I just want to get things working.

Do I need to use LDAP?
Or do I need to NOT do anything with LDAP and CA {certificate authority} and can it all be done with samba?

Now we have the "Administrator" account renamed and disabled (locked out) on windows server 2008 so only admins having a valid account can log in being a "Domain Administrator". Is this a problem? The SLES pdf file for setting this up makes reference to the "Administrator" account but it's a little unclear if you must have SLES join the domain under the "Administrator" account.

Last question, I have successfully joined the domain in one area that I was doing it as a test.
The windows server 2008 for example had a domain name of lab.mycompany.com.
The "Administrator" account on it was renamed, but I have my own domain admin account: for instance my regular domain_users account is just "ron" and I have a domain_admins account of "ron_adm".
So in SLES I went to YAST - network services - Join Windows Domain, and successfully connected to lab.mycompany.com under "ron_adm" with my password.... but that was it and I saw no other effect. Can someone explain where I go from here in order to accomplish my goals in #1 and #2 above?
thanks.

forgot to mention, I have already set windows server 2008 to be an NTP server, and my SLES 11 systems and my synology nas recognize it and everything is time sync'd.

jmozdzen
11-Nov-2015, 11:36
Hi ron7000,

the setup requirements you describe are multi-fold and need some more detailed discussion.

Login: See https://www.suse.com/documentation/sles11/book_sle_deployment/data/cha_y2_userman_authent.html, you'll probably want to activate Samba-based authentication.

File access: It all boils down to Linux users. IOW, even when logging on with a "Windows account", mapping takes place to set up an effective Linux user account (id mapping). One of the issues with multiple concurrent Linux servers (SLES servers, but iirc the Synology as well) is to provide a consistent mapping across all servers. You'll have to read up on ID mapping and making that available to all these servers, i.e. via LDAP.

Once you've created the consistent ID mapping, you'll be able to even NFS mount the file systems across all servers and have the users access the files. Having set up PAM properly, you'll be able to have users log in via AD accounts and can of course use the standard mechanisms to restrict logins to specific groups (or lists) of people.

There's an initial learning curve to this, but once you've recognized that it's about mapping, you can focus on making each component act upon that as required.

Regards,
Jens
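
The consistency requirement described in the reply above can be checked before any share is NFS-mounted. The following is an added example, not part of the original thread: it compares `getent passwd` output collected from each server and reports accounts whose UID/GID differ between hosts, and UIDs that resolve to different accounts. The host names, account names and ID values are constructed for illustration.

```python
"""Audit passwd maps from several hosts for inconsistent AD-to-Unix ID mapping."""
from collections import defaultdict

# Constructed sample: `getent passwd` output for domain users on two hosts.
# Host names, account names and IDs are made up for illustration.
SAMPLE = {
    "sles1": """\
LAB\\ron:*:10000:10000:Ron:/home/LAB/ron:/bin/bash
LAB\\ron_adm:*:10001:10000:Ron (admin):/home/LAB/ron_adm:/bin/bash
LAB\\alice:*:10002:10000:Alice:/home/LAB/alice:/bin/bash
""",
    "sles2": """\
LAB\\alice:*:10000:10000:Alice:/home/LAB/alice:/bin/bash
LAB\\ron:*:10001:10000:Ron:/home/LAB/ron:/bin/bash
LAB\\ron_adm:*:10002:10000:Ron (admin):/home/LAB/ron_adm:/bin/bash
""",
}

def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # skip comments and malformed lines
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def audit(host_maps):
    """Return (drift, collisions).

    drift: {name: {host: (uid, gid)}} for names whose IDs differ between hosts.
    collisions: {uid: sorted names} for UIDs that resolve to different names.
    """
    by_name = defaultdict(dict)
    by_uid = defaultdict(set)
    for host, text in host_maps.items():
        for name, ids in parse_passwd(text).items():
            by_name[name][host] = ids
            by_uid[ids[0]].add(name)
    drift = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    collisions = {u: sorted(n) for u, n in by_uid.items() if len(n) > 1}
    return drift, collisions

if __name__ == "__main__":
    drift, collisions = audit(SAMPLE)
    for name, hosts in sorted(drift.items()):
        print("DRIFT", name, hosts)
    for uid, names in sorted(collisions.items()):
        print("COLLISION uid", uid, "->", names)
```

A collision is the case that matters for file access: files written as UID 10000 from one server would appear to belong to a different account on the other.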