[Samba] Manage unix users from AD
Sven Schwedas
sven.schwedas at tao.at
Tue Jan 28 05:54:11 MST 2014
On 2014-01-28 12:22, Márcio Merlone wrote:
> Hi,
>
> Starting a fresh new thread, the ones about sssd x winbind are getting
> boring, biased and personal. :) I'd like to bring this to an admin
> point-of-view to be more useful for other Samba users (aka admins).
>
> Consider a network with about 200+ employees, most of them windows user.
> Happens that one need to provide other non-windows services like e-mail,
> proxy and many others to them, running on other linux servers. So, for
> many of those users (not all) rfc2307 windows services for unix (SFU)
> attributes are needed, to make postfix, dovecot, apache, squid and
> others aware of them too.
>
> As far as I know there are 4 possible solutions:
>
> * Internal samba winbind
> * Winbind daemon
> * sssd
> * nss_ldap
>
> Which of each would bring my rfc2307 users with all their attributes
> defined on SFU, *and only those users*, to my linux system? If I create
> a user _without_ rc2307 means I don't want linux to know about him. If I
> define a user with /bin/false as shell on SFU, bring that to linux.
> That's it. As an admin, I don't care about idmapping, I already defined
> an uidNumber (or wathever AD attribute is used to store it) to the user,
> just use it.
Then you can safely ignore winbindd, as it doesn't honour shell settings.
Food for thought: Is offline login (/resilience against domain
controller outages) needed? nss_ldap afaik does not provide this
natively, e.g., and needs external caching by pam_ccreds (which makes
for a more complicated setup).
> Also, to ease the discussion about those solutions, how about someone
> with knowledge of their internal mechanics sketch a feature matrix
> comparing those, listing advantages and drawbacks?
That would indeed be appreciated.
> I understand Samba
> team will always recommend winbind over others, but get the difference:
>
> a - Samba team does not recommend other solutions.
> b - Samba team recommend not using other solutions.
>
> I believe (a) is true, which does not disregard others.
>
> Best regards.
>
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20140128/6bd71bd7/attachment.pgp>
More information about the samba
mailing list