Samba4 idmap using uidNumber/gidNumber
steve
steve at steve-ss.com
Tue Jun 19 15:25:59 MDT 2012
On 19/06/12 20:53, Greg Dickie wrote:
> Hi Steve,
>
> You are using LDAP to pull these attributes correct?
Hi Greg.
Yes.
> How did you get
> authenticated binds working in nss?
We use sasl binds under nss-pam-ldapd, and k5start to get and maintain
the ticket cache for us. Here is our /etc/nslcd.conf:
uid nslcd-user
gid nslcd-user
uri ldap://hh1.hh3.site
base dc=hh3,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
map group uniqueMember member
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt
The latest version includes looking in the dn for the member attributes
so you can lose the group mapping, making it even faster.
>
> Also note that windows server ADs will require the msSFU30NIS objects
> in the directory before they will "recognize" the other attributes (ie:
> let you access them). You need to install the Identity Management for
> UNIX stuff to get that working. Silly windows ;-)
No. Not needed, for S4 at least. The schema as it is allows for all the
rfc2307 attributes and objectClasses that are needed for Linux
integration. A script to write new users/groups to the directory and
away you go.
I was wrong when I said we don't touch idmap. We do, but only for
uidNumber and gidNumber. I believe that this is due to change soon or at
least be made an option, after which we will be able to read these from
the directory too. In any case, it's easy enough to do just by using
wbinfo commands.
Looking better day by day for the Linux client side :-)
>
>
> Greg
HTH
Cheers,
Steve
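As an added example (not part of the thread or of nss-pam-ldapd itself), a small linter that parses an nslcd.conf like the one above and flags the bind-security settings that matter for this setup: a cleartext `bindpw` instead of `sasl_mech GSSAPI`, a GSSAPI bind with no `krb5_ccname` pointing at the k5start-maintained cache, and nslcd running as root. The simple-bind configuration it checks is a constructed counter-example.

```python
from typing import Dict, List

# Constructed sample inputs: the nslcd.conf quoted in the post, and a
# hypothetical simple-bind variant to show what the checks flag.
GSSAPI_CONF = """\
uid nslcd-user
gid nslcd-user
uri ldap://hh1.hh3.site
base dc=hh3,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
map group uniqueMember member
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt
"""
SIMPLE_BIND_CONF = """\
uri ldap://hh1.hh3.site
base dc=hh3,dc=site
binddn cn=nslcd,cn=Users,dc=hh3,dc=site
bindpw hunter2
"""

def parse_nslcd_conf(text: str) -> Dict[str, List[str]]:
    """Keyword -> list of values; repeated keywords (e.g. 'map') keep every line."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key, []).append(value.strip())
    return opts

def lint_bind_security(opts: Dict[str, List[str]]) -> List[str]:
    """Return findings for settings that weaken the bind described in the post."""
    findings: List[str] = []
    if "bindpw" in opts:
        findings.append("bindpw: cleartext bind password in nslcd.conf; use sasl_mech GSSAPI")
    if opts.get("sasl_mech", [""])[0].upper() != "GSSAPI":
        findings.append("sasl_mech GSSAPI missing: bind is not Kerberos-authenticated")
    elif "krb5_ccname" not in opts:
        findings.append("krb5_ccname missing: nslcd will not find the k5start-maintained cache")
    if opts.get("uid", [""])[0] in ("", "root"):
        findings.append("uid missing or root: nslcd should run as a dedicated unprivileged user")
    return findings

if __name__ == "__main__":
    for name, conf in (("gssapi", GSSAPI_CONF), ("simple", SIMPLE_BIND_CONF)):
        print(name, lint_bind_security(parse_nslcd_conf(conf)) or ["ok"])
```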