[Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.
geza at kzsdabas.hu
Thu Aug 15 23:12:48 MDT 2013
On 2013-08-15 18:45, Andres Tello Abrego wrote:
> I'm lost in documentation.
> I set up a samba4 AD, and configured winbind so I can have local
> authentication using pam; I can now log in to AD users via ssh.
> I want to achieve the Holy Grail of 1 source of users and passwords, for
> both linux and windows machines, but I'm lost in documentation.
> So far I know:
> samba4 can't use openldap as backend.
> samba4 ldap isn't really a full ldap.
> samba4 provides uid/gid mapping using winbind or nslcd
> So far, I'm using winbind and I can see the samba ad users added to the
> password database by executing:
> getent passwd
> But, after that, I'm lost.
> Can I implement "remote winbind" at remote linux client machines?
> Do I need to setup a openldap proxy?
> If I setup an openldap proxy, should I use winbind or nslcd?
> openldap now uses automatic configuration, any clue to implement the
> openldap proxy with this type?
We use winbind from samba 3.6.x on the non-DC Linux boxes for this.
Winbind from samba 4.0.x is under testing.
Our config (the relevant part of it):
# /etc/krb5.conf, [libdefaults] section (this line is not an smb.conf option)
default_realm = YOURREALM

# /etc/samba/smb.conf, [global] section
workgroup = YOURDOMAIN
realm = YOURREALM
# use /etc/krb5.keytab written by "net ads join" for Kerberos auth
kerberos method = system keytab
# domain member of an AD domain; authentication goes through winbind
security = ads
# needed for "getent passwd"/"getent group" to list every AD account;
# costly on large domains, lookups by name work without it
winbind enum groups = yes
winbind enum users = yes
# fallback mapping for SIDs from other domains and well-known SIDs;
# tdb allocations are local to each host and differ between machines
idmap config *:backend = tdb
idmap config *:range = 1000000001-3000000000
# for the own domain read uidNumber/gidNumber from the rfc2307 attributes
# in AD, so the same user gets the same id on every joined box;
# accounts without these attributes are not mapped at all
idmap config YOURDOMAIN:default = yes
idmap config YOURDOMAIN:backend = ad
idmap config YOURDOMAIN:range = 0-1000000000
idmap config YOURDOMAIN:schema_mode = rfc2307
# home directory and shell also come from AD (unixHomeDirectory, loginShell)
winbind nss info = rfc2307
# depth of nested group expansion
winbind expand groups = 5
winbind nested groups = yes
# accept "user" instead of "YOURDOMAIN\user"
winbind use default domain = yes
Of course the ranges depend on the uids/gids you've allocated.
More information about the samba
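A small sanity check for the "idmap config ... : range" lines of such a configuration, added here as an example; it is not part of geza's post, nor a Samba tool. It needs only sh and awk, so it runs without Samba installed, and it goes slightly beyond the post: besides flagging a range that reaches into the local account space, it also reports overlapping ranges and ranges that exceed 32-bit uids. The caveat it encodes: with "backend = ad" the uidNumber/gidNumber values come straight from AD, so a domain range that includes 0 lets an AD object carrying uidNumber 0 resolve to uid 0 (root) on every joined box. The ceiling for local accounts (LOCAL_MAX, 999) and the two embedded smb.conf fragments are assumptions constructed for this example; the first fragment mirrors the ranges in the post, the second moves the domain range above the local accounts.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba: check the
# "idmap config DOMAIN:range = A-B" lines of an smb.conf fragment.
#
# Findings printed, one per line:
#   INVALID        low end above high end
#   EXCEEDS-UID32  high end above 4294967295 (uid_t/gid_t are 32-bit)
#   LOCAL-OVERLAP  range reaches into the local account space (<= LOCAL_MAX);
#                  with backend = ad this lets AD-supplied uidNumber 0 become root
#   RANGE-OVERLAP  two idmap ranges overlap (winbind needs disjoint ranges)

# Assumption: local system accounts stop at uid/gid 999 (Debian/RHEL default).
LOCAL_MAX=${LOCAL_MAX:-999}

# $1 = smb.conf text; prints findings, prints nothing when the ranges are clean.
check_idmap_ranges() {
    printf '%s\n' "$1" | awk -v max="$LOCAL_MAX" '
        /^[ \t]*idmap config [^:]*:[ \t]*range[ \t]*=/ {
            s = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", s)   # -> "DOM:range = A-B"
            d = s; sub(/[ \t]*:.*$/, "", d)           # domain name or "*"
            r = s; sub(/^.*=[ \t]*/, "", r)           # "A-B"
            sub(/[ \t]+$/, "", r)
            n++; dom[n] = d
            split(r, ab, "-"); lo[n] = ab[1]; hi[n] = ab[2]
        }
        END {
            for (i = 1; i <= n; i++) {
                if (lo[i] + 0 > hi[i] + 0)
                    printf "INVALID %s %s-%s\n", dom[i], lo[i], hi[i]
                if (hi[i] + 0 > 4294967295)
                    printf "EXCEEDS-UID32 %s %s-%s\n", dom[i], lo[i], hi[i]
                if (lo[i] + 0 <= max + 0)
                    printf "LOCAL-OVERLAP %s %s-%s\n", dom[i], lo[i], hi[i]
                for (j = i + 1; j <= n; j++)
                    if (lo[i] + 0 <= hi[j] + 0 && lo[j] + 0 <= hi[i] + 0)
                        printf "RANGE-OVERLAP %s %s\n", dom[i], dom[j]
            }
        }'
}

# Constructed sample mirroring the ranges in the post (domain range starts at 0).
WEAK_CONF='
idmap config *:backend = tdb
idmap config *:range = 1000000001-3000000000
idmap config YOURDOMAIN:backend = ad
idmap config YOURDOMAIN:range = 0-1000000000
idmap config YOURDOMAIN:schema_mode = rfc2307
'

# Same fragment with the domain range moved above the local accounts.
FIXED_CONF='
idmap config *:backend = tdb
idmap config *:range = 1000000001-3000000000
idmap config YOURDOMAIN:backend = ad
idmap config YOURDOMAIN:range = 10000-1000000000
idmap config YOURDOMAIN:schema_mode = rfc2307
'

echo "weak config:";  check_idmap_ranges "$WEAK_CONF"
echo "fixed config:"; check_idmap_ranges "$FIXED_CONF"
```

Run it against the real file with `check_idmap_ranges "$(cat /etc/samba/smb.conf)"` before restarting winbind; the weak fragment reports LOCAL-OVERLAP for YOURDOMAIN, the fixed one reports nothing. The check reads the ranges only, so it says nothing about whether the uidNumber attributes in AD actually fall inside them; `wbinfo -i user` after the join answers that.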