[Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.

Gémes Géza geza at kzsdabas.hu
Thu Aug 15 23:12:48 MDT 2013

On 2013-08-15 18:45, Andres Tello Abrego wrote:
> I'm lost in documentation.
> I set up a samba4 AD and configured winbind so I can have local
> authentication using PAM; I can now log in to AD users via ssh.
> I want to achieve the Holy Grail of 1 source of users and passwords, for
> both Linux and Windows machines, but I'm lost in documentation.
> So far I know:
> samba4 can't use openldap as backend.
> samba4 ldap isn't really a full ldap.
> samba4 provides uid/gid mapping using winbind or nslcd
> So far, I'm using winbind and I can see the samba AD users added to the
> password database by executing:
> getent passwd
> But, after that, I'm lost.
> Can I implement "remote winbind" at remote linux client machines?
> Do I need to set up an openldap proxy?
> If I set up an openldap proxy, should I use winbind or nslcd?
> openldap now uses automatic configuration, any clue to implement the
> openldap proxy with this type?
> Thanks...
We use winbind from samba 3.6.x on the non-DC Linux boxes for this.
Winbind from samba 4.0.x is under testing.

Our config (the relevant part of):

krb5.conf:

    [libdefaults]
         # Kerberos realm of the AD domain (upper case)
         default_realm = YOURREALM

smb.conf:

    [global]
    workgroup = YOURDOMAIN
    realm = YOURREALM
    # use the host keytab created by "net ads join"
    kerberos method = system keytab
    security = ads
    winbind enum groups = yes
    winbind enum users = yes
    # fallback mapping for SIDs from other/unknown domains: local tdb allocator
    idmap config *:backend = tdb
    idmap config *:range = 1000000001-3000000000
    # our own domain: read uidNumber/gidNumber from AD (RFC2307 attributes)
    idmap config YOURDOMAIN:default = yes
    idmap config YOURDOMAIN:backend = ad
    idmap config YOURDOMAIN:range = 0-1000000000
    idmap config YOURDOMAIN:schema_mode = rfc2307
    # home directory / shell also come from the RFC2307 attributes
    winbind nss info = rfc2307
    winbind expand groups = 5
    winbind nested groups = yes
    # let users log in as "user" instead of "YOURDOMAIN\user"
    winbind use default domain = yes

Of course the ranges depend on the uids/gids you've allocated.


Geza Gemes
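The idmap ranges in a config like the one above must not overlap, or winbind cannot tell which backend owns an id. The following script is an added example (not from this post or from the Samba project): it extracts every "idmap config <domain>:range" line from an smb.conf given on stdin or as a file argument and fails if two ranges overlap; the two sample configs inside it are constructed.

```bash
#!/bin/sh
# Added example: check that smb.conf idmap ranges are sane and disjoint.

# Print "domain low high" for each "idmap config <domain>:range = low-high".
extract_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]][[:space:]]*\([^:]*\):range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$@"
}

# Exit 0 if every range has low <= high and no two ranges overlap, else 1.
check_idmap_ranges() {
    extract_ranges "$@" | awk '
        $2 > $3 { printf "bad range for %s: %s-%s\n", $1, $2, $3; bad = 1 }
        { n++; dom[n] = $1; lo[n] = $2; hi[n] = $3 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%s-%s) vs %s (%s-%s)\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad ? 1 : 0
        }'
}

# Constructed sample mirroring the quoted config: ranges are disjoint.
good_conf() {
    cat <<'EOF'
[global]
    idmap config *:backend = tdb
    idmap config *:range = 1000000001-3000000000
    idmap config YOURDOMAIN:backend = ad
    idmap config YOURDOMAIN:range = 0-1000000000
EOF
}

# Constructed broken sample: the "*" range collides with the domain range.
bad_conf() {
    cat <<'EOF'
    idmap config *:range = 10000-3000000000
    idmap config YOURDOMAIN:range = 0-1000000000
EOF
}

# Usage on a real host: check_idmap_ranges /etc/samba/smb.conf
```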
