[Samba] LDAP + Samba4(AD) + SSH
Guilherme Boing
kolt+samba at frag.com.br
Mon Aug 24 15:39:02 UTC 2015
I didn't want to compile samba on all our servers and join them into the
domain.
All I wanted was the servers to be able to read the users and groups so
they could authenticate.
On Mon, Aug 24, 2015 at 11:26 AM, Rowland Penny <
rowlandpenny241155 at gmail.com> wrote:
> On 24/08/15 15:09, Guilherme Boing wrote:
>
>> Hey,
>>
>> By "through LDAP" I meant that our linux servers would look for the users
>> using pam_ldap.
>>
>> Anyway, I was able to "fix" this by mapping gidNumber to gidNumber
>> instead of primaryGroupID on nslcd.conf.
>>
>> $ id
>> uid=10000(Guilherme) gid=10001(it) grupos=10001(it)
>>
>>
>> On Fri, Aug 21, 2015 at 4:28 PM, Rowland Penny <
>> rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at gmail.com>>
>> wrote:
>>
>> On 21/08/15 20:08, Guilherme Boing wrote:
>>
>> Hello,
>>
>> I want my domain users to be able to connect to our linux
>> servers using
>> their AD username through LDAP.
>>
>>
>> What do you mean 'through LDAP' ?
>>
>>
>> I am using nslcd and pam_ldap to do so, but I am having some
>> hard time
>> trying to figure out why the GID is not working properly.
>>
>> # getent passwd Guilherme
>> Guilherme:*:10000:*513*:Guilherme:/home/Guilherme:/bin/bash
>>
>> # getent group|grep 513
>>
>> # id Guilherme
>> uid=10000(Guilherme) gid=513 grupos=513,10001(it),10000(Domain
>> Users)
>>
>> /etc/nslcd.conf: (bind not included)
>> filter passwd (objectClass=user)
>> filter group (objectClass=group)
>>
>> map passwd uid sAMAccountName
>> map passwd homeDirectory unixHomeDirectory
>> map passwd gecos displayName
>> map passwd gidNumber primaryGroupID
>> map group uniqueMember member
>>
>> I know that 513 should mean "Domain Users" from ADUC. However,
>> "Domain
>> Users" has the "UNIX Attributes" configuration of GID=10000.
>>
>>
>> How do you 'know' 513 should mean "Domain Users" ?
>> 513 is the RID of "Domain Users" and by your own admission "Domain
>> Users" has the gidNumber of 10000
>> RID does not necessarily equal gidNumber
>>
>>
>> # getent group|grep 10000
>> Domain Users:*:10000:
>>
>> Should I change the UNIX Attributes ID of Domain Users to 513 ?
>> What am I doing wrong ?
>>
>> Thanks
>>
>>
>> You can if you so wish, but you will need to 'chgrp' anything
>> stored on Unix owned by the "Domain Users" group.
>>
>> Rowland
>>
>> -- To unsubscribe from this list go to the following URL and read
>> the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> You don't need to use any external packages such as nslcd, you can get
> exactly the same result using winbind (and yes I know about sssd as well)
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list