[Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.
Gémes Géza
geza at kzsdabas.hu
Thu Aug 15 23:12:48 MDT 2013
On 2013-08-15 18:45, Andres Tello Abrego wrote:
> I'm lost in documentation.
>
> I set up a samba4 AD, and configured winbind so I can have local
> authentication using pam, I can now login to AD users via ssh.
>
> I want to achieve the Holy Grail of 1 source of users and password, for
> both, linux and windows machines, but I'm lost in documentation.
> So far I know:
> samba4 can't use openldap as backend.
> samba4 ldap isn't really a full ldap.
> samba4 provides uid/gid mapping using winbind or nslcd
>
> So far, I'm using winbind and I can see the samba ad users added to the
> password database executing:
> getent passwd
>
> But, after that, I'm lost.
> Can I implement "remote winbind" at remote linux client machines?
> Do I need to setup an openldap proxy?
> If I setup an openldap proxy, should I use winbind or nslcd?
> openldap now uses automatic configuration, any clue to implement the
> openldap proxy with this type?
>
> Thanks...
We use winbind from samba 3.6.x on the non-DC linux boxes for this.
Winbind from samba 4.0.x is under testing.
Our config (the relevant part):

/etc/krb5.conf:
[libdefaults]
    default_realm = YOURREALM

/etc/samba/smb.conf:
[global]
    workgroup = YOURDOMAIN
    realm = YOURREALM
    kerberos method = system keytab
    security = ads
    winbind enum groups = yes
    winbind enum users = yes
    idmap config *:backend = tdb
    idmap config *:range = 1000000001-3000000000
    idmap config YOURDOMAIN:default = yes
    idmap config YOURDOMAIN:backend = ad
    idmap config YOURDOMAIN:range = 0-1000000000
    idmap config YOURDOMAIN:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 5
    winbind nested groups = yes
    winbind use default domain = yes

Of course the ranges depend on the uids/gids you've allocated.
Regards
Geza Gemes
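
Added example, not part of the original message or of Samba: a small Python check of the "idmap config" ranges in an smb.conf like the one above. It reports ranges that overlap between domains and ranges that start below a floor, so directory-assigned IDs cannot coincide with local system accounts such as root. The function names, the sample text and the min_id floor of 1000 are assumptions made for this example.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf quoted in the message.
SAMPLE_SMB_CONF = """\
[global]
security = ads
idmap config *:backend = tdb
idmap config *:range = 1000000001-3000000000
idmap config YOURDOMAIN:backend = ad
idmap config YOURDOMAIN:range = 0-1000000000
idmap config YOURDOMAIN:schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines start with # or ; and never match
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def check_ranges(text, min_id=1000):
    """Return findings as strings; min_id is an assumed floor for mapped IDs."""
    findings, ranges = [], []
    for dom, opts in parse_idmap(text).items():
        if "range" not in opts:
            findings.append(f"{dom}: no range set")
            continue
        low, high = (int(x) for x in opts["range"].split("-"))
        if low > high:
            findings.append(f"{dom}: range {low}-{high} is inverted")
        if low < min_id:
            findings.append(f"{dom}: range starts at {low}, below {min_id}")
        ranges.append((low, high, dom))
    for (l1, h1, d1), (l2, h2, d2) in combinations(ranges, 2):
        if l1 <= h2 and l2 <= h1:  # closed intervals share at least one ID
            findings.append(f"{d1} and {d2}: ranges overlap")
    return findings

if __name__ == "__main__":
    for finding in check_ranges(SAMPLE_SMB_CONF):
        print(finding)
```

On the sample, the only finding is that the YOURDOMAIN range starts at 0; the two ranges themselves do not overlap.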