[Samba] OpenSSH auth in SAMBA4 LDAP

Marc Muehlfeld samba at marc-muehlfeld.de
Mon Aug 26 16:24:12 MDT 2013


Hello Luca,

On 27.08.2013 00:11, Luca Olivetti wrote:
> The problem is, how do I get the posix information into samba4? With
> samba 3 I could manage users and groups with ldap account manager and
> they got both samba and posix attributes.

I have a Windows workstation at work. There I use ADUC. Everything I 
need to administrate users/groups, etc. And if you delegate permissions 
(https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Add.2Fchange.2Fdelete_accounts.2Fgroups.27-permissions), 
you don't have to work with a domain administrator account the whole day.

ADUC has for me some advantages:
- I can administrate all accounts in a nice clear GUI (I know that Linux 
admins shouldn't say that :-))
- I don't have to track the last UID/GID I give, because it's stored in 
AD and ADUC automatically increments.
- I can delegate permissions down to attribute level to other 
departments (like human resources for changing phone numbers, etc.)
- and some more





> Another nice thing is that I
> could script the creation of home directory, mailbox, etc.
> I thought that samba 4 allowed me to do the same, but with Windows
> administrative client (ADUC?)

Maybe this can be a solution for you:
https://lists.samba.org/archive/samba/2013-July/174252.html





>> If you don't want to manage them in AD, you can use winbind or sssd. But
>> there you have other requirements (machine joined to domain, kerberos,
>> ...).
>
> I'd like to avoid winbind if at all possible

In Samba 4 you don't need to have the users local. You can completely 
skip ldap/winbind/whatever. Permission changing can be done from Windows 
on directories/shares.

Only if you don't want to see only UIDs/GIDs on the filesystem or other 
services require them, you need a way to get the users/groups mapped.




Regards,
Marc

