[Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)

Marc Muehlfeld samba at marc-muehlfeld.de
Mon Aug 26 17:39:26 MDT 2013

Hello Steve,

thanks for your suggestions.

On 27.08.2013 00:40, steve wrote:
> 1. Nested groups work fine with nslcd. Please use the latest version:
> man nslcd.conf(5)

I use the version Redhat ships. I haven't used that latest version and I 
think most will use the one shipped with their distribution, too. But of 
course I've changed the information in the HowTo.

> 2. We really should encourage users away from plain text passwords
> stored in files. nslcd works fine with sasl binds. The devs have worked
> hard to give us Kerberos out of the box. I think we should use it:
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html

I wanted to first create a very simple and basic HowTo, because during 
the last time we often had questions about nslcd, etc. on the list.

But you are right. Kerberos should be the preferred way. I'll have a 
look at that in the next days and switch the HowTo to Kerberos or add this 
as an additional way. But give me some time, because I validate 
everything I publish.

> 3. nslcd is already AD aware and this is not winbind so let's keep it
> simple. The following lines are not required/produce errors/ slow down
> lookups.
> filter  passwd
> (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
> map     passwd  gecos              displayName
> map     passwd  gidNumber          primaryGroupID
> filter  group   (&(objectClass=group)(gidNumber=*))
> map     group   uniqueMember       member

Can you please give me more details here? I don't get any errors on 
RHEL6 here.

As for the removal of these lines, I'm not sure why. I have added them 
deliberately for the following reasons:

If I remove the "filter passwd" line, then "getent passwd" returns 
no domain accounts any more.

If I remove the "map passwd gidNumber primaryGroupID", then "id 
username" doesn't return the primary group configured in the Unix tab in AD.

If I remove the "filter group" line, then "getent group" doesn't return 
domain groups any more.

If I remove the "map group uniqueMember member" line, then "id username" 
won't tell me, in which groups the user is.

Do you have different results on your system? Or why would you remove 
these lines?

> Again, it is important to use the latest version.

I think most users first try the version shipped with their 
distribution, like me. Because every self-compiled program is something 
you have to update manually (and on every server), while everything else 
can be done at once via yum/apt/whatever.

I think it's not important to use the latest version, unless it contains 
something I can't live without. But everybody has different opinions 
on that, I guess. ;-)

Thanks for your comments.

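An added nslcd.conf example (not part of the thread or of Marc's HowTo) that puts the two points of this exchange side by side: the plain-text bindpw that Steve's point 2 argues against, commented out, next to a SASL/GSSAPI bind using nslcd's own sasl_mech/krb5_ccname options, followed by the filter/map lines from point 3 exactly as posted. The host name dc1.example.com, the base DC=example,DC=com, the realm EXAMPLE.COM and the credential cache path are assumptions, and the example assumes the cache is kept valid by a separate job using the host keytab, which the thread does not cover.

```conf
# Added example, not from the thread: /etc/nslcd.conf for a Samba AD domain.
# Assumed names: dc1.example.com, DC=example,DC=com, realm EXAMPLE.COM.
uid nslcd
gid ldap
uri ldap://dc1.example.com/
base DC=example,DC=com

# Weak: a service-account password stored in clear text on every client.
# Anyone who can read this file can bind to the directory as that account.
# binddn CN=nslcd,CN=Users,DC=example,DC=com
# bindpw secret

# Preferred: SASL/GSSAPI bind with a Kerberos ticket from the host keytab.
# Assumes /var/run/nslcd/nslcd.tkt is obtained and renewed by an external
# job (e.g. k5start or a cron kinit) from the host keytab; nslcd does not
# run kinit itself.
sasl_mech GSSAPI
sasl_realm EXAMPLE.COM
krb5_ccname FILE:/var/run/nslcd/nslcd.tkt

# Filter and map lines from the thread, kept as posted; Marc reports that
# removing them breaks "getent passwd", "getent group" and "id username".
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map    passwd gecos        displayName
map    passwd gidNumber    primaryGroupID
filter group  (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember member
```

Whichever bind method is used, "getent passwd" and "id username" on the client are the checks that the filter and map lines are still doing their job.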
