[Samba] winbind idmap using active directory as ldap backend

Roman Sommer roman.sommer at gmail.com
Wed Jan 18 12:59:21 GMT 2006


I need to continue where this HOWTO ends:
I worked with krb+ldap authentication/authorization against Windows 2003
Servers (SP1 with SFU3.5 and R2) before, so I am familiar with the mappings
needed, but I don't really understand how winbind is of any use if
/etc/nsswitch.conf points to "files ldap". If it pointed to winbind, OK...
There are some links to ldap in smb.conf, but I can't see anything like it
the other way round. No evidence of samba/winbind whatsoever in ldap.conf.
Having either one of these schema extensions (R2 or SFU3.5), I don't need to
further extend the schema, right? SID is already there and I could probably
use the msSFU30UidNumber (R2: uidNumber) attribute to do the mapping... so AD
looks like a good choice :)

I like the winbind approach (in contrast to ldap) because it automatically
creates unix attributes for existing domain users, which saves a lot of work.
In a second step I would like to kerberize the ldap query so as not to send a
plain-text password over the network (I wonder if it is a good idea to use the
existing domain computer account).

I would appreciate any feedback regarding this approach (e.g. reliability
etc.).

best regards

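As an added illustration (not part of the original message or of any reply on the list), here is the shape of a winbind configuration that does what the post describes: winbind, rather than nss_ldap, answers the passwd/group lookups, and the idmap_ad backend reads the uidNumber/gidNumber (RFC 2307, Windows 2003 R2) or msSFU30UidNumber (SFU 3.5) attributes directly from AD instead of allocating IDs locally. The realm EXAMPLE.COM, the NetBIOS domain EXAMPLE and the ID ranges are placeholders; the option names are the per-domain `idmap config` syntax of Samba 3.6 and later, not the older `idmap backend = ad` form that was current when this mail was written.

```ini
# /etc/samba/smb.conf (fragment) -- added example, not from the original post.
# Placeholders: EXAMPLE / EXAMPLE.COM and the ID ranges; adjust to your domain.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # Let winbind use the machine-account keytab for its own Kerberos tickets
    kerberos method = secrets and keytab

    # Catch-all map for SIDs from domains without their own block (e.g. BUILTIN).
    # These IDs are allocated locally in a tdb and never written back to AD.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The domain itself: read uidNumber/gidNumber from AD (RFC 2307, Windows 2003 R2).
    # For a Windows 2003 SP1 + SFU 3.5 schema (msSFU30UidNumber etc.) use
    #   schema_mode = sfu
    # Accounts whose uidNumber lies outside "range" are deliberately invisible.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

    # Take login shell and home directory from the same RFC 2307 attributes
    # (use "sfu" here as well for an SFU 3.5 schema)
    winbind nss info = rfc2307
    winbind use default domain = yes
    # Enumeration walks the whole directory; keep it off on large domains
    winbind enum users = no
    winbind enum groups = no
```

With this in place, /etc/nsswitch.conf carries `passwd: files winbind` and `group: files winbind` (no `ldap` entry and no ldap.conf is needed for name resolution), and after `net ads join` a lookup can be checked with `wbinfo -i username` and `getent passwd username`. This also answers the plain-text concern in the post: winbind talks to the AD LDAP service with the domain computer account created at join time, authenticating over SASL/Kerberos, so no separate bind DN and password have to be stored or sent. A user who has no uidNumber in AD, or one outside the configured range, is simply not resolved, which is the intended behaviour of the ad backend and the first thing to check when `getent` returns nothing.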