[Samba] nslcd samba 4.1 and FreeBSD 10
Rowland Penny
rowlandpenny at googlemail.com
Tue Oct 14 13:57:59 MDT 2014
On 14/10/14 20:20, Doug Sampson wrote:
> Hello list-
>
> As a FreeBSD shop we've used Samba 3.x quite well for a couple years. With version 3.6 due to expire in due time, we've been experimenting with version 4.1 using winbindd with very limited success.
Hi, yes, you are right: 3.6 will reach EOL very soon. It is supposed to
be when 4.2 is released, which could be tomorrow ;-) but then again it
could be another RC. But you should be able to do anything with 4.1 that
you did with 3.6; it is based on the same code.
> We find that if we use the TDB backend instead of either RID or AD, we are able to enumerate our AD users via getent. I cannot enumerate AD users via either the AD or the RID backends. This doesn't strike me as a method I want to use, especially when the numerical user/group mappings differ between servers.
You should be able to enumerate users with any backend, but if you use
the ad backend, your users would need a uidNumber at least.
>
> I saw a posting where it was recommended that FreeBSD sysadmins use either nslcd or sssd in order to enumerate AD users. After a period of experimentation, I can enumerate AD users successfully via nslcd (using bindpw) using the getent command. I can ssh into a FreeBSD box with my AD user credentials! The nslcd mappings are as follows:
>
> # Alternative mappings for Active Directory
> # (replace the SIDs in the objectSid mappings with the value for your domain)
> pagesize 1000
> referrals off
> #idle_timelimit 800
> filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
You could use (&(objectClass=user)(!(objectClass=computer))) or
(&(objectClass=person)(!(objectClass=computer))); both would work, it's
the "not being a computer" part that is important.
> #map passwd uid cn
> map passwd uid sAMAccountName
> map passwd uidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> map passwd gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> map passwd homeDirectory "/home/$cn"
> map passwd gecos displayName
> map passwd loginShell "/bin/csh"
> #filter group (|(objectClass=group)(objectClass=person))
> filter group (objectClass=group)
> map group gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
>
> The next question is how to authenticate AD users using samba 4.1. What is the recommended method for authenticating AD users via samba 4.1 and nslcd? Should I use the smbpasswd auth method, i.e. using the migrate keyword to migrate auth info from the passwd/group files to the smbpasswd database? Or should I use ldap using the same mappings that nslcd uses?
If you need to authenticate AD users, then the easiest way will probably
be to run samba 4.1 as a DC.
Rowland
>
> If it is suggested that smbpasswd be used, which PAM policy should I use for Samba user authentication? The default FreeBSD implementation does not offer a policy for the Samba service. Here are the default policies:
>
> root@cache:/home# ll /etc/pam.d/
> total 64
> -r--r--r-- 1 root wheel 2911 Jan 16 2014 README
> -rw-r--r-- 1 root wheel 322 Jan 16 2014 atrun
> -rw-r--r-- 1 root wheel 199 Jan 16 2014 cron
> -rw-r--r-- 2 root wheel 531 Jan 16 2014 ftp
> -rw-r--r-- 2 root wheel 531 Jan 16 2014 ftpd
> -rw-r--r-- 1 root wheel 365 Jan 16 2014 imap
> -rw-r--r-- 1 root wheel 588 Oct 10 12:16 login
> -rw-r--r-- 1 root wheel 907 Oct 10 11:12 other
> -rw-r--r-- 1 root wheel 318 Jan 16 2014 passwd
> -rw-r--r-- 1 root wheel 365 Jan 16 2014 pop3
> -rw-r--r-- 1 root wheel 328 Jan 16 2014 rsh
> -rw-r--r-- 1 root wheel 884 Oct 10 13:46 sshd
> -rw-r--r-- 1 root wheel 384 Jan 16 2014 su
> -rw-r--r-- 1 root wheel 714 Jan 16 2014 system
> -rw-r--r-- 1 root wheel 764 Jan 16 2014 telnetd
> -rw-r--r-- 1 root wheel 529 Jan 16 2014 xdm
> root@cache:/home#
>
> Which one of these policies should be used for Samba?
>
> If it is suggested to use LDAP, I am finding that this link:
>
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607186
>
> may be outdated. The use of 'ldap backend' appears to be outdated. Where can I find the current version of how to connect Samba using LDAP?
>
> Obviously I remain unclear as to what the best way to accomplish authentication via Samba 4.1 is. Any pointers/clarifications would be greatly appreciated! This is on a FreeBSD 10.0 machine.
>
> ~Doug
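As an added illustration (not part of the thread and not nslcd's own code), the following Python shows what a mapping like `map passwd uidNumber objectSid:S-1-5-21-...` amounts to: decode the binary objectSid that AD stores, require that it sits under the configured domain prefix, and take the trailing RID as the numeric id. Because the id comes from AD rather than from a per-server tdb allocation, every server configured with the same prefix derives the same uidNumber. The domain SID below is a constructed placeholder standing in for the XXXXXXXXXX prefix in the quoted config.

```python
import struct

# Constructed placeholder domain SID (stands in for the XXXXXXXXXX prefix in the config).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def sid_bytes_to_str(raw: bytes) -> str:
    """Decode a binary objectSid as stored in AD into its S-1-5-... string form."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)  # 32-bit, little-endian each
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_str_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_str; used here only to build constructed sample input."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def map_objectsid(raw: bytes, domain_sid: str = DOMAIN_SID):
    """Derive uidNumber/gidNumber the way 'map ... objectSid:<prefix>' does:
    the SID must sit directly under the configured domain prefix, and the
    trailing RID becomes the numeric id. Anything else (well-known SIDs,
    trusted-domain SIDs) yields None, i.e. no passwd/group entry."""
    prefix, _, rid = sid_bytes_to_str(raw).rpartition("-")
    if prefix != domain_sid:
        return None
    return int(rid)


if __name__ == "__main__":
    # Constructed sample: a normal domain user (RID 1104) and the Local System SID.
    user_sid = sid_str_to_bytes(DOMAIN_SID + "-1104")
    print(map_objectsid(user_sid))                        # 1104 on every server using this prefix
    print(map_objectsid(sid_str_to_bytes("S-1-5-18")))    # None
```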