[Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)
samba at marc-muehlfeld.de
Mon Aug 26 17:39:26 MDT 2013
thanks for your suggestions.
Am 27.08.2013 00:40, schrieb steve:
> 1. Nested groups work fine with nslcd. Please use the latest version:
> man nslcd.conf(5)
I use the version Redhat ships. I haven't used that latest version and I
think most will use the one shipped with their distribution, too. But of
course I've changed the information in the HowTo.
> 2. We really should encourage users away from plain text passwords
> stored in files. nslcd works fine with sasl binds. The devs have worked
> hard to give us Kerberos out of the box. I think we should use it:
I wanted to first create a very simple and basic HowTo, because during
the last time we often had questions about nslcd, etc. on the list.
But you are right. Kerberos should be the preferred way. I'll have a
look on that the next days and switch the HowTo to Kerberos or add this
as an additional way. But give me some time, because I validate
everything I publish.
> 3. nslcd is already AD aware and this is not winbind so let's keep it
> simple. The following lines are not required/produce errors/ slow down
> filter passwd
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
> filter group (&(objectClass=group)(gidNumber=*))
> map group uniqueMember member
Can you please give me more details here? I don't get any errors on
Because the removal of this line, I'm not sure, why. I have added them
deliberately out of the following reasons:
If I remove the "filter passwd" line, then "getent passwd" returns
nothing no domain accounts any more.
If I remove the "map passwd gidNumber primaryGroupID", then "id
username" doesn't return the in AD configured primary group in the unix tab.
If I remove the "filter group" line, then "getent group" doesn't return
domain groups any more.
If I remove the "map group uniqueMember member" line, then "id username"
won't tell me, in which groups the user is.
Do you have different results on your system? Or why would you remove
> Again, it is important to use the latest version.
I think most users first try the version shipped with their
distribution, like me. Because every self compiled program is something
you have to update manually (and on every server), while everything else
can be done at once via yum/apt/whatever.
I think it's not important to use the latest version, except it contains
something I can't live without it. But everybody has different opinions
on that, I guess. ;-)
Thanks for your comments.
More information about the samba