[Samba] OpenSSH auth in SAMBA4 LDAP

Bruno Vane broonu at gmail.com
Mon Aug 26 06:10:46 MDT 2013


Thank you Marc,

I will try this configuration. For this to work, do I need an OpenLDAP proxy?


2013/8/26 Marc Muehlfeld <samba at marc-muehlfeld.de>

> Hello Bruno,
>
> Am 25.08.2013 22:26, schrieb Bruno Vane:
>
>> Yes, I read these sections, but I want something different. Users will
>> join the AD domain (Samba 4) and will connect to an "entry" SSH server,
>> and from this server they can access other SSH servers on the network.
>> All SSH servers are configured with /etc/hosts.allow to allow SSH
>> connections only from this "entry" SSH server. These Ubuntu servers
>> running SSH will not join the AD domain, only the users of the network.
>> Is this possible?
>>
>
> I think this shouldn't matter. You can configure the "entry" host with
> nslcd to retrieve the account information via LDAP from AD and pam_ldap to
> authenticate against AD (without needing to join the machine to the
> domain).
>
> Then you have the other hosts. These you can authenticate in the same way
> if they are not joined to the domain, or you join them and the
> authentication is done through winbind.
>
> For nslcd you can use the following config (you must create a bind
> account in your domain for that first):
>
>  # Mappings for Active Directory
>  pagesize 1000
>  referrals off
>
>  # Passwd
>  filter  passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
>  map     passwd  uid                     sAMAccountName
>  map     passwd  homeDirectory           unixHomeDirectory
>  map     passwd  gecos                   displayName
>  map     passwd  gidNumber               primaryGroupID
>
>  # Shadow
>  filter  shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
>  map     shadow  uid                     sAMAccountName
>  map     shadow  shadowLastChange        pwdLastSet
>
>  # Groups
>  filter  group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
>  map     group   uniqueMember            member
>
>  # Local account nslcd runs under
>  uid nslcd
>  gid ldap
>
>  # LDAP server settings
>  uri ldap://127.0.0.1:389/
>  base dc=SAMDOM,dc=example,dc=com
>
>  # Account in AD that nslcd uses to bind to the directory
>  binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
>  bindpw xxxxx
>
>
>
> You find the pam_ldap config here:
> https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD
>
> Regards,
> Marc
>



-- 

Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu

www.zamix.com.br | www.superonda.com.br
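To see which AD objects the passwd filter in Marc's nslcd config would expose as POSIX accounts, here is an added example (not from the thread and not nslcd's own code): a minimal LDAP filter evaluator run over constructed AD-like entries. The account names and attribute values are made up.

```python
# Added example: a minimal RFC 4515 filter evaluator, used to check which
# constructed AD-like objects the nslcd passwd filter would hand to nslcd.

def parse_filter(s, i=0):
    """Parse a filter supporting &, |, ! and attr=value / attr=* (presence).
    Returns (node, index_after_filter)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        assert s[i] == ")", f"expected ')' at offset {i}"
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    """entry maps lower-cased attribute names to lists of string values."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence test, e.g. (uidNumber=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

# The passwd filter from the nslcd config quoted in the thread.
PASSWD_FILTER = "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))"

# Constructed sample objects (names and values are made up): a user with a
# uidNumber, a user without one, and a machine account that also has one.
ENTRIES = {
    "alice":  {"objectclass": ["user"], "samaccountname": ["alice"], "uidnumber": ["10001"]},
    "bob":    {"objectclass": ["user"], "samaccountname": ["bob"]},
    "entry$": {"objectclass": ["user", "computer"], "samaccountname": ["ENTRY$"], "uidnumber": ["10050"]},
}

def visible_accounts(filter_str=PASSWD_FILTER, entries=ENTRIES):
    """Return the sorted names of the entries the filter would expose."""
    node, _ = parse_filter(filter_str)
    return sorted(name for name, e in entries.items() if matches(node, e))
```

Dropping the `(!(objectClass=computer))` clause makes the machine account show up as a POSIX user, which is why the filter carries it.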

