[Samba] LDAP + Samba4(AD) + SSH

Guilherme Boing kolt+samba at frag.com.br
Mon Aug 24 15:39:02 UTC 2015


I didn't want to compile samba on all our servers and join them into the
domain.
All I wanted was the servers to be able to read the users and groups so
they could authenticate.

On Mon, Aug 24, 2015 at 11:26 AM, Rowland Penny <
rowlandpenny241155 at gmail.com> wrote:

> On 24/08/15 15:09, Guilherme Boing wrote:
>
>> Hey,
>>
>> By "through LDAP" I meant that our linux servers would look for the users
>> using pam_ldap.
>>
>> Anyway, I was able to "fix" this by mapping gidNumber to gidNumber
>> instead of primaryGroupID on nslcd.conf.
>>
>> $ id
>> uid=10000(Guilherme) gid=10001(it) grupos=10001(it)
>>
>>
>> On Fri, Aug 21, 2015 at 4:28 PM, Rowland Penny <
>> rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at gmail.com>>
>> wrote:
>>
>>     On 21/08/15 20:08, Guilherme Boing wrote:
>>
>>         Hello,
>>
>>         I want my domain users to be able to connect to our linux servers
>>         using their AD username through LDAP.
>>
>>
>>     What do you mean 'through LDAP' ?
>>
>>
>>         I am using nslcd and pam_ldap to do so, but I am having a hard
>>         time trying to figure out why the GID is not working properly.
>>
>>         # getent passwd Guilherme
>>         Guilherme:*:10000:*513*:Guilherme:/home/Guilherme:/bin/bash
>>
>>         # getent group|grep 513
>>
>>         # id Guilherme
>>         uid=10000(Guilherme) gid=513 grupos=513,10001(it),10000(Domain Users)
>>
>>         /etc/nslcd.conf: (bind not included)
>>         filter  passwd  (objectClass=user)
>>         filter  group   (objectClass=group)
>>
>>         map     passwd  uid                sAMAccountName
>>         map     passwd  homeDirectory      unixHomeDirectory
>>         map     passwd  gecos              displayName
>>         map     passwd  gidNumber          primaryGroupID
>>         map     group   uniqueMember       member
>>
>>         I know that 513 should mean "Domain Users" from ADUC. However,
>>         "Domain
>>         Users" has the "UNIX Attributes" configuration of GID=10000.
>>
>>
>>     How do you 'know' 513 should mean "Domain Users" ?
>>     513 is the RID of "Domain Users" and by your own admission "Domain
>>     Users" has the gidNumber of 10000
>>     RID does not necessarily equal gidNumber
>>
>>
>>         # getent group|grep 10000
>>         Domain Users:*:10000:
>>
>>         Should I change the UNIX Attributes ID of Domain Users to 513 ?
>>         What am I doing wrong ?
>>
>>         Thanks
>>
>>
>>     You can if you so wish, but you will need to 'chgrp' anything
>>     stored on Unix owned by the "Domain Users" group.
>>
>>     Rowland
>>
>>     --
>>     To unsubscribe from this list go to the following URL and read the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> You don't need to use any external packages such as nslcd; you can get
> exactly the same result using winbind (and yes, I know about sssd as well).
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
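As an added illustration of the RID-versus-gidNumber point raised in the thread (example code written for this page, not code from the thread, from nslcd or from Samba; the domain SID, the RID of the "it" group and the directory entries are constructed to mirror the values quoted above), this simulates what nslcd reports under each `map passwd gidNumber` choice, and goes one step further by showing how a primaryGroupID RID has to be resolved through the group's objectSid, which is the SID-aware lookup a tool like winbind performs:

```python
# Constructed AD-style entries mirroring the thread: "Domain Users" has RID 513
# but gidNumber 10000; the user's UNIX primary group is "it" (gidNumber 10001).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # placeholder domain SID (constructed)

USERS = {
    "Guilherme": {"uidNumber": 10000, "primaryGroupID": 513, "gidNumber": 10001},
}
GROUPS = [
    {"cn": "Domain Users", "objectSid": f"{DOMAIN_SID}-513", "gidNumber": 10000},
    {"cn": "it", "objectSid": f"{DOMAIN_SID}-1105", "gidNumber": 10001},  # RID constructed
]


def passwd_gid(user, mapped_attr):
    """Value nslcd places in the passwd gid field for 'map passwd gidNumber <attr>'.
    With mapped_attr='primaryGroupID' this is a RID, not a UNIX gid."""
    return USERS[user][mapped_attr]


def group_by_gid(gid):
    """Emulates 'getent group <gid>': nslcd only matches a group on its gidNumber,
    so a RID such as 513 finds nothing unless some group happens to use it as gid."""
    for group in GROUPS:
        if group["gidNumber"] == gid:
            return group["cn"]
    return None


def resolve_primary_group_via_sid(user):
    """AD-correct resolution: primaryGroupID is the RID of the primary group, whose
    objectSid is '<domain SID>-<RID>'. Returns (cn, gidNumber) of that group."""
    rid = USERS[user]["primaryGroupID"]
    target_sid = f"{DOMAIN_SID}-{rid}"
    for group in GROUPS:
        if group["objectSid"] == target_sid:
            return group["cn"], group["gidNumber"]
    return None


if __name__ == "__main__":
    for attr in ("primaryGroupID", "gidNumber"):
        gid = passwd_gid("Guilherme", attr)
        print(f"map passwd gidNumber {attr:<15} -> gid={gid} group={group_by_gid(gid)}")
    print("SID-based primary group:", resolve_primary_group_via_sid("Guilherme"))
```

Mapping gidNumber to primaryGroupID yields 513, which no group's gidNumber matches (the empty `getent group|grep 513` in the thread); mapping it to gidNumber yields 10001 ("it"), while a SID-aware lookup would have reported "Domain Users" with gid 10000.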
