[Samba] Link AD to pre-existing UNIX accounts
ansarm at gmail.com
Tue Apr 24 14:33:42 GMT 2007
You can use a rules-based editor to manage the user accounts in AD or
OpenLDAP like http://www.ldapeditor.com
On 4/24/07, Jonathan C. Detert <Jonathan.Detert at msoe.edu> wrote:
> On Mon, 2007-04-23 at 14:17 +0000, CG wrote:
> > I'm trying to use winbindd to enumerate and link AD users to their
> > existing UNIX accounts. Right now, winbindd creates new "users" for
> > UNIX based
> > on windows username and groups.
> You seem to have 2 separate criteria:
> > What I can't figure out is how to explicitly map the AD users to their
> > existing UNIX accounts. I'd like the users to be able to access their
> That's one criterium: mapping AD users to the existing Unix accounts.
> From this, I assume you mean that after the mapping, you want the
> 'getent passwd' info to be the same: i.e. the same uid, gid, homedir,
> shell, gecos. Call this criterium 1.
> > accounts with their UNIX authentication information /and/ their AD
> > authentication information. I had hung my hat on the "username map"
> That's another criterium: ability to authenticate as a given user via
> either the existing unix password (e.g. the /etc/shadow password), or
> the MsAD password. Call this criterium 2.
> > directive, but I find now that it doesn't apply to winbindd.
> > Has anyone worked out a strategy for this scenario?
> I think so:
> Criterium 1:
> extend the MsAD schema to include posix attributes. I think Ms calls
> this 'Ms Services For Unix'. Doing so will add uid, gid, homedir, and
> login-shell attributes. They have their own ms-hopped-up names, but
> that's what they're for.
> Populate the MsAD schema w. the values you already have in your unix
> system. You could do this manually, but you could also write scripts to
> do it. The script(s) would use LDAP to update MsAD.
> I did this 2 years ago. It's some work, but you only do it once, and
> then you're set ever after.
> Criterium 2:
> Use pam to allow authentication via either the existing unix password,
> or via winbind. I am not a pam expert, but here's the general kind of
> approach I've used for situations like this:
> auth sufficient pam_winbind.so
> auth required pam_unix.so
> In summary, I believe that what you want is achievable.
> Good luck,
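A worked example of the "criterium 1" scripting step described above: take the existing Unix passwd entries and emit LDIF that sets the RFC2307 posix attributes on the matching AD user objects, so that winbind returns the same uid, gid, home directory and shell. This is added example code, not from the thread or from Samba; the passwd lines and the CN=Users,DC=example,DC=com container are constructed, and it assumes each AD object's CN equals the Unix login name (in practice you would look the DN up by sAMAccountName). The attribute names are the Windows 2003 R2+ RFC2307 ones; Services for Unix 3.x uses the msSFU30-prefixed equivalents instead.

```python
"""Emit LDIF that copies Unix passwd attributes onto AD user objects."""
from typing import Dict, List

# Constructed sample passwd content; not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cg:x:1001:100:C. G.:/home/cg:/bin/bash
jdetert:x:1002:100:Jonathan Detert:/home/jdetert:/bin/tcsh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""

USERS_BASE = "CN=Users,DC=example,DC=com"  # assumed container
MIN_UID = 1000  # system accounts (root, daemon, ...) must not be mapped into AD

# RFC2307 attribute -> index of the passwd field that feeds it.
ATTR_MAP = {"uidNumber": 2, "gidNumber": 3, "gecos": 4,
            "unixHomeDirectory": 5, "loginShell": 6}


def parse_passwd(text: str) -> Dict[str, List[str]]:
    """Return {login: passwd fields} for accounts with uid >= MIN_UID."""
    users: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        if int(fields[2]) >= MIN_UID:
            users[fields[0]] = fields
    return users


def check_unique_uids(users: Dict[str, List[str]]) -> None:
    """Two AD users sharing one uidNumber would collapse into one Unix identity."""
    seen: Dict[str, str] = {}
    for name, fields in users.items():
        if fields[2] in seen:
            raise ValueError(f"duplicate uidNumber {fields[2]}: {seen[fields[2]]}, {name}")
        seen[fields[2]] = name


def to_ldif(users: Dict[str, List[str]], base: str = USERS_BASE) -> str:
    """One 'changetype: modify' record per user; 'replace' keeps re-runs idempotent."""
    check_unique_uids(users)
    records = []
    for name, fields in sorted(users.items()):
        lines = [f"dn: CN={name},{base}", "changetype: modify"]
        for attr, idx in ATTR_MAP.items():  # plain ASCII values; base64 otherwise
            lines += [f"replace: {attr}", f"{attr}: {fields[idx]}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(parse_passwd(SAMPLE_PASSWD)))
```

Feed the output to ldapmodify against a domain controller, then confirm with `getent passwd` on a winbind client that the uid and gid match the original Unix entries before retiring the local accounts.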