[Samba] Re: Linux with AD auth

Jonathan C. Detert Jonathan.Detert at msoe.edu
Tue Apr 24 18:24:59 GMT 2007

On Tue, 2007-04-24 at 13:45 -0400, Jean-Sebastien Pilon wrote:
> This is kind of a side question, 
> Have you missed anything in using MS Services for Unix over some
> opensource solution ? 

Possibly.  I used mssfu solely in order to extend the msad schema to
include attributes that unix accounts need, like homedir, loginshell,
uid, and gid.

Using mssfu also means that Ms.Windows admins can view/set the 'unix
attributes' of a user object via the Ms.Win 'Active Directory Users and
Groups' gui app, which they're already familiar with.

There may have been better ways.

As it turns out, I don't use the mssfu supplied attributes that were
intended to record:

	group membership
	group name

Instead, I use the canonical msad attributes for those info items.

I think there might exist non-microsoft software to extend an msad ldap
schema to include posix groups and logins.  That option might be more to
your liking.

If you don't care whether or not the unix uid and gid are the same for
the same user on different boxen,

	your unix user homedirs all have the same parent dir

	your unix user accounts all have the same login shell

you don't need to mess w. the a.d. schema at all.  Instead, you can use
winbind and smb.conf macros specific to winbind to configure the
homedir, login shell, and uid/gid mapping algorithm.

In my case, the unix homedir is a f() of the username and another
factor.  That precluded relying on the winbind template-home-dir macro.
So, I used mssfu in conjunction w. winbind.

Hope that helps.

> I am considering both solutions now and I need some input
> > 
> > Criterion 1:
> > -------------
> > 
> > extend the MsAD schema to include posix attributes.  I think Ms calls
> > this 'Ms Services For Unix'.  Doing so will add uid, gid, homedir, and
> > login-shell attributes.  They have their own ms-hopped-up names, but
> > that's what they're for.
> > 
> > Populate the MsAD schema w. the values you already have in your unix
> > system.  You could do this manually, but you could also write scripts
> > to do it.  The script(s) would use LDAP to update MsAD.
> > 
> > I did this 2 years ago.  It's some work, but you only do it once, and
> > then you're set ever after.
> > 
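The two approaches Jonathan contrasts above (winbind macros with no schema change versus winbind reading the MSSFU posix attributes) as an smb.conf fragment. This is an added example, not configuration from the thread or from either poster; it assumes the later "idmap config DOMAIN : ..." syntax of Samba 3.6+/4.x rather than the 3.0-era settings that would have been in use in 2007, and the domain name EXAMPLE, the realm, the id ranges and the paths are placeholders.

```ini
# Added example, not from the thread.  Assumes Samba 3.6+/4.x
# "idmap config" syntax; EXAMPLE, the realm, ranges and paths are
# placeholders to be replaced with site values.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads

    # --- Option A: no schema change at all ---
    # Homedir and shell come from winbind macros, not from AD.
    # %D expands to the domain, %U to the user name, so every user gets
    # the same parent dir and the same shell, which is exactly the case
    # Jonathan describes.  A homedir that depends on some other factor
    # cannot be expressed here, which is why he went to mssfu instead.
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind nss info = template

    # The '*' default domain (BUILTIN and other non-domain SIDs) needs
    # its own range, and it must not overlap the domain's range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Algorithmic mapping: uid = range base + RID.  Because the id is a
    # pure function of the SID, the same user gets the same uid/gid on
    # every host that uses this range.  'backend = tdb' for the domain
    # would instead allocate ids in first-seen order, so they would
    # differ from box to box (the "don't care" case in the post).
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # --- Option B: read the MSSFU attributes instead ---
    # Replace the EXAMPLE idmap lines and 'winbind nss info' above
    # with these.  uid/gid come from the SFU uidNumber/gidNumber
    # attributes; with nss info = sfu, homedir and shell come from the
    # SFU attributes too.
    #idmap config EXAMPLE : backend = ad
    #idmap config EXAMPLE : schema_mode = sfu
    #idmap config EXAMPLE : range = 10000-999999
    #winbind nss info = sfu
    # Caveat: with backend = ad, a user whose object lacks the posix
    # attributes gets no unix id at all and cannot log in.  That is the
    # population step the quoted "Criterion 1" text refers to.
```

After editing, run `testparm` to check the syntax, then (re)join with `net ads join` if needed, restart winbind, and confirm the mapping with `wbinfo -i 'EXAMPLE\someuser'` and `getent passwd 'EXAMPLE\someuser'`. With Option A, compare the uid from `wbinfo -i` on two hosts: it will match only if both use the rid backend with the same range. With Option B, a user who resolves on Windows but is missing from `getent passwd` almost always means the SFU attributes were never populated for that object.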
