[Samba] Link AD to pre-existing UNIX accounts

Ansar Mohammed ansarm at gmail.com
Tue Apr 24 14:33:42 GMT 2007


You can use a rules-based editor to manage the user accounts in AD or
OpenLDAP like http://www.ldapeditor.com




On 4/24/07, Jonathan C. Detert <Jonathan.Detert at msoe.edu> wrote:
>
>
> On Mon, 2007-04-23 at 14:17 +0000, CG wrote:
> > I'm trying to use winbindd to enumerate and link AD users to their
> > pre-existing UNIX accounts. Right now, winbindd creates new "users" for
> > UNIX based on windows username and groups.
> >
>
> You seem to have 2 separate criteria:
>
> > What I can't figure out is how to explicitly map the AD users to their
> > pre-existing UNIX accounts. I'd like the users to be able to access
> > their UNIX
>
> That's one criterion: mapping AD users to the existing Unix accounts.
> From this, I assume you mean that after the mapping, you want the
> 'getent passwd' info to be the same: i.e. the same uid, gid, homedir,
> shell, gecos.  Call this criterion 1.
>
> > accounts with their UNIX authentication information /and/ their AD
> > authentication information. I had hung my hat on the "username map"
> > smb.conf
>
> That's another criterion: ability to authenticate as a given user via
> either the existing unix password (e.g. the /etc/shadow password), or
> the MsAD password.  Call this criterion 2.
>
> > directive, but I find now that it doesn't apply to winbindd.
> >
> > Has anyone worked out a strategy for this scenario?
>
> I think so:
>
> Criterion 1:
> -------------
>
> Extend the MsAD schema to include posix attributes.  I think Ms calls
> this 'Ms Services For Unix'.  Doing so will add uid, gid, homedir, and
> login-shell attributes.  They have their own ms-hopped-up names, but
> that's what they're for.
>
> Populate the MsAD schema with the values you already have in your unix
> system.  You could do this manually, but you could also write scripts to
> do it.  The script(s) would use LDAP to update MsAD.
>
> I did this 2 years ago.  It's some work, but you only do it once, and
> then you're set ever after.
>
> Criterion 2:
> -------------
>
> Use pam to allow authentication via either the existing unix password,
> or via winbind.  I am not a pam expert, but here's the general kind of
> approach I've used for situations like this:
>
> auth sufficient pam_winbind.so
> auth required   pam_unix.so
>
> In summary, I believe that what you want is achievable.
>
> Good luck,
>
> Jon
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
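The scripted population of the posix attributes that Jon describes under
criterion 1, as an added example that is not part of either poster's mail
or of Samba itself. It takes /etc/passwd-style lines plus a mapping from
UNIX login name to AD user DN (both constructed here; the example.com
domain and the OU are hypothetical) and emits an LDIF modify record per
user that an LDAP client such as ldapmodify can replay against AD. It
assumes the RFC 2307 attribute names (uidNumber, gidNumber,
unixHomeDirectory, loginShell, gecos) that Microsoft's Services for Unix /
Identity Management for UNIX extension adds; the older SFU 3.x names
(msSFU30UidNumber and friends) would need the attribute tuple changed.
System accounts below uid 1000 and users without an AD object are skipped
and reported rather than silently written.

```python
"""Generate LDIF that copies existing UNIX account attributes into AD users.

Example code added to this thread, not from the original posters or from
Samba.  Assumes the AD schema already carries the RFC 2307 attributes and
that a login-name -> DN mapping is available out of band.
"""
import base64

# Constructed sample of /etc/passwd lines; not real accounts.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
cg:x:1001:1001:C G,,,:/home/cg:/bin/bash
jdetert:x:1002:1001:Jonathan C. Detert:/home/jdetert:/bin/zsh
svc-backup:x:1003:1003:Backup service:/var/backups:/usr/sbin/nologin
"""

# Constructed mapping of UNIX login -> AD user DN (hypothetical domain).
AD_DN_BY_LOGIN = {
    "cg": "CN=CG,OU=Staff,DC=example,DC=com",
    "jdetert": "CN=Jonathan C. Detert,OU=Staff,DC=example,DC=com",
}

SYSTEM_UID_MAX = 999  # accounts at or below this uid are left alone


def parse_passwd(text):
    """Return one dict per well-formed passwd line; malformed lines are dropped."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def ldif_attr(name, value):
    """Encode one attribute line per RFC 2849: base64 when not a SAFE-STRING."""
    value = str(value)
    safe = (value.isascii()
            and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def user_to_ldif(user, dn):
    """One 'changetype: modify' record replacing the RFC 2307 attributes."""
    attrs = [("uidNumber", user["uid"]),
             ("gidNumber", user["gid"]),
             ("unixHomeDirectory", user["home"]),
             ("loginShell", user["shell"]),
             ("gecos", user["gecos"])]
    lines = [f"dn: {dn}", "changetype: modify"]
    for name, value in attrs:
        lines.append(f"replace: {name}")
        lines.append(ldif_attr(name, value))
        lines.append("-")  # terminates each modify operation
    return "\n".join(lines) + "\n"


def build_ldif(passwd_text, dn_by_login, uid_min=SYSTEM_UID_MAX + 1):
    """Return (ldif_text, skipped) where skipped lists (login, reason) pairs."""
    records, skipped = [], []
    for user in parse_passwd(passwd_text):
        if user["uid"] < uid_min:
            skipped.append((user["name"], "system uid"))
            continue
        dn = dn_by_login.get(user["name"])
        if dn is None:
            skipped.append((user["name"], "no AD object"))
            continue
        records.append(user_to_ldif(user, dn))
    return "\n".join(records), skipped


if __name__ == "__main__":
    ldif, skipped = build_ldif(PASSWD_SAMPLE, AD_DN_BY_LOGIN)
    print(ldif)
    for login, reason in skipped:
        print(f"# skipped {login}: {reason}")
```

Review the skipped list before replaying the LDIF: a UNIX account with no
AD object is exactly the case where winbind would otherwise keep inventing
a fresh uid, and a service account you did not intend to expose to domain
logins should stay skipped.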

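For winbind to actually hand back those attributes instead of allocating
its own ids, smb.conf has to point the idmap backend at AD. The fragment
below is an added example, not configuration from either poster; it uses
the `idmap config` syntax of Samba 3.3 and later (the 2007-era 3.0.x
syntax was `idmap backend = ad` plus `winbind nss info = sfu`), and the
NetBIOS domain name EXAMPLE and the uid range are assumptions.

```ini
[global]
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE

    # Default backend for SIDs from trusted domains / BUILTIN.
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999

    # Our own domain: read uidNumber/gidNumber straight from AD.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    # Must cover every uid already in /etc/passwd; a uidNumber outside
    # this range is ignored and the user gets no mapping at all.
    idmap config EXAMPLE : range = 1000-9999

    # Take home directory and shell from AD rather than the templates.
    winbind nss info = rfc2307

    # Return "cg" rather than "EXAMPLE\cg" so names match /etc/passwd.
    winbind use default domain = yes
```

Two checks worth doing once this is in place. First, `getent passwd cg`
should return the same uid, gid, home and shell whether the entry comes
from files or from winbind; with `passwd: files winbind` in
nsswitch.conf the local entry wins, which is fine precisely because both
now agree. Second, with the PAM stack quoted above a wrong AD password
falls through `sufficient` to pam_unix.so, so both credentials remain
valid in parallel; the auth log is the only record of which module
admitted a given login, and is worth watching if the intent is to phase
the local passwords out.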