use of a DNS cache in front of samba4 internal DNS
samba at dm.cobite.com
Wed Feb 13 13:25:46 MST 2013
On 02/13/2013 01:53 PM, Marc Muehlfeld wrote:
> Am 13.02.2013 17:58, schrieb David Mansfield:
>> In particular I'd like postfix to auth. my users, and as I understand it
>> I have two options, one is to join the machine to the domain
>> (pam_winbind) and then postfix will authenticate that way (via pam), and
>> the other would be to use postfix with SASL and in turn have sasl use
>> kerberos5 or ldap.
>> In case anyone has read this far and has suggestions, I'd love to hear
>> them, and also w.r.t using sasl and kerberos5, how do I set up a keytab
>> and SPN using samba4? I've googled and googled and cannot seem to get
>> it straight.
> This is, how I had solved this:
> Here I have in my internal network my samba4 DC and in the DMZ my
> On my mailserver I have installed openLDAP in proxy mode against AD:
> Then I made the AD users available on my mailserver by nslcd over the
> openLDAP proxy:
> And finally I had configured, that the users where authenticated against
> AD (through the openLDAP proxy):
This is great info. I may do the exact same thing as you have
described. I have a few followup questions: do you know if this
configuration can coexist with GSSAPI authentication? I'd like for users
on the network to be able to single-sign-on (and outside users still
require password), although given the cleanliness of your approach it
may be worth sacrificing. I especially like that there are no DNS
changes, no winbind etc.
Second question, when you have a "connect account" (e.g.
cn=nslcd-connect,cn=Users,...), how should such an account be
provisioned so that the privileges are as low as possible?
More information about the samba-technical