[Samba] OpenSSH auth in SAMBA4 LDAP
Marc Muehlfeld
samba at marc-muehlfeld.de
Mon Aug 26 02:43:06 MDT 2013
Hello Bruno,
On 25.08.2013 22:26, Bruno Vane wrote:
> Yes I read these sections, but I want something different. Users will
> join on AD domain (Samba 4) and will connect to an "entry" SSH server,
> and from this server they can access other SSH servers on the network.
> All SSH servers are configured with /etc/hosts.allow to allow SSH
> connections only from this "entry" SSH server. These Ubuntu servers
> running SSH will not join the AD domain, only users of the network.
> Is this possible?
I think this shouldn't matter. You can configure the "entry" host with
nslcd to retrieve the account information via LDAP from AD and pam_ldap
to authenticate against AD (without the necessity of joining the machine
to the domain).
Then you have the other hosts. These you can authenticate in the same
way if they are not joined to the domain, or you join them and the
authentication is done through winbind.
For nslcd you can use the following config (you must create a bind
account in your domain for that first):
# Mappings for Active Directory
pagesize 1000
referrals off
# Passwd
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
# Shadow
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
# Groups
filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
map group uniqueMember member
# Local account nslcd runs under
uid nslcd
gid ldap
# LDAP server settings
uri ldap://127.0.0.1:389/
base dc=SAMDOM,dc=example,dc=com
# Account in AD that is used by nslcd to bind to the directory
binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx
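The filter and map lines above decide which AD objects become Unix users and groups on the SSH hosts. The following is an added example, not part of Marc's mail or of nslcd itself: it parses those filter/map directives, evaluates the LDAP filters (the &, |, !, equality and presence forms used on the page) against constructed sample AD entries, and applies the attribute mappings, so you can check which objects would be exposed before pointing real hosts at the directory. The entries, names and values are constructed for illustration.

```python
# Added example: evaluate the nslcd 'filter' and 'map' directives from the
# config above against constructed AD entries (not code from the post or nslcd).

# The filter/map lines from the nslcd.conf above (server settings omitted).
NSLCD_CONF = """
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
map group uniqueMember member
"""

# Constructed sample directory entries (attribute -> list of values).
SAMPLE_ENTRIES = {
    "alice": {  # user with RFC2307 attributes: becomes a Unix account
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"],
        "uidNumber": ["10001"], "primaryGroupID": ["513"],
        "unixHomeDirectory": ["/home/alice"], "displayName": ["Alice Example"],
        "loginShell": ["/bin/bash"]},
    "bob": {  # plain AD user without uidNumber: filtered out
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"],
        "displayName": ["Bob Example"]},
    "srv01$": {  # computer account: excluded even though it has a uidNumber
        "objectClass": ["top", "person", "user", "computer"],
        "sAMAccountName": ["SRV01$"], "uidNumber": ["10002"]},
    "unixgrp": {  # posixGroup with gidNumber: becomes a Unix group
        "objectClass": ["top", "group", "posixGroup"], "cn": ["unixgrp"],
        "gidNumber": ["10000"],
        "member": ["CN=alice,CN=Users,DC=SAMDOM,DC=example,DC=com"]},
    "adgrp": {  # ordinary AD group without POSIX attributes: filtered out
        "objectClass": ["top", "group"], "cn": ["adgrp"],
        "member": ["CN=bob,CN=Users,DC=SAMDOM,DC=example,DC=com"]},
}

def parse_conf(text):
    """Return ({map_name: filter}, {map_name: {nslcd_field: ad_attribute}})."""
    filters, maps = {}, {}
    for line in text.splitlines():
        parts = line.strip().split(None, 3)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "filter" and len(parts) == 3:
            filters[parts[1]] = parts[2]
        elif parts[0] == "map" and len(parts) == 4:
            maps.setdefault(parts[1], {})[parts[2]] = parts[3]
    return filters, maps

def _parse_filter(s, i):
    """Recursive-descent parser for the RFC 4515 subset used in the config."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":  # AND / OR / NOT with nested sub-filters
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)  # simple item: attr=value or attr=* (presence)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1

def _eval(node, entry):
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def matches(ldap_filter, entry):
    """True if the entry satisfies the filter (case-insensitive comparison)."""
    node, end = _parse_filter(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing data in filter")
    return _eval(node, {k.lower(): v for k, v in entry.items()})

def _mapped(entry, attr_map, fields):
    """Build an nslcd record: each field comes from the mapped AD attribute,
    or from the attribute of the same name when no 'map' line exists."""
    rec = {}
    for f in fields:
        vals = entry.get(attr_map.get(f, f), [])
        rec[f] = vals if f == "uniqueMember" else (vals[0] if vals else None)
    return rec

def exposed_accounts(entries, conf_text=NSLCD_CONF):
    """Return (passwd_records, group_records) nslcd would expose."""
    filters, maps = parse_conf(conf_text)
    pw_fields = ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")
    users = [_mapped(e, maps.get("passwd", {}), pw_fields)
             for e in entries.values() if matches(filters["passwd"], e)]
    groups = [_mapped(e, maps.get("group", {}), ("cn", "gidNumber", "uniqueMember"))
              for e in entries.values() if matches(filters["group"], e)]
    return users, groups

if __name__ == "__main__":
    users, groups = exposed_accounts(SAMPLE_ENTRIES)
    print("passwd:", users)   # only alice: bob lacks uidNumber, SRV01$ is a computer
    print("group: ", groups)  # only unixgrp: adgrp is not a posixGroup
```

Running it shows that only the user carrying a uidNumber and only the posixGroup carrying a gidNumber survive the filters; the computer account is dropped by the (!(objectClass=computer)) clause even though it has a uidNumber. It also makes visible what "map passwd gidNumber primaryGroupID" does: alice's gidNumber becomes the value of primaryGroupID (513 in the sample, the RID of the primary group), so check that this matches the gidNumber of the corresponding group on your hosts.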
pam_ldap config you find here:
https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD
Regards,
Marc