Winbind - functionality extension needed
Ondrej Valousek
webserv at s3group.cz
Wed Jul 8 14:38:52 GMT 2009
Hi all,
I would like to ask if it would be possible to extend the functionality
of the winbind and nss_winbind.so to cover other system databases (not
only passwd and group).
The trick is, that as of Windows server 2003 R2 or 2008, AD schema
already contains all necessary rfc2307 attributes needed to store unix
system databases in AD - so the obvious question would be, if we can use
winbind & nsswitch.conf and store all databases in Active Directory.
The immediate answer is, that nss_ldap (from PADL software) does this -
but unfortunately not effectively. Why?
1. nss_ldap does no caching (no daemon running)
2. By default, you need to authenticate to AD in order to access it via
LDAP. That leaves us 2 options:
a) Allows anonymous access to AD
b) configure something like "proxy" user to access AD
I do not like neither of those options - the most elegant solution would
be to use machine Kerberos credentials to access AD - the same way
winbind does.
So hence my question - would it be possible to extend the functionality
of winbind or am I completely wrong /bad idea here?
Many thanks for any feedback.
Ondrej
More information about the samba-technical
mailing list