[Samba] nslcd / pam_ldap HowTo
Marc Muehlfeld
samba at marc-muehlfeld.de
Thu Aug 29 05:08:37 MDT 2013
On 29.08.2013 12:31, steve wrote:
> The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what
> we already have? How about this instead?
>
> 1. For a client joined to the domain, please skip to (3) below.
> 2. On the DC:
> Extract the machine key:
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$
> 3. Get tickets and create the cache:
> k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt
I had a look at my production site. I don't have a krb5.keytab on any of
my Samba 3 or 4 servers in my AD. After some reading, I found out that
I must have a "kerberos method" entry in my smb.conf file for that. I'm
not sure how many people are having this option.
As the HowTo should be usable for as many people as possible, I would
keep these short steps. They don't bring problems and work even if
there's already a keytab on the machine.
> - Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start
> nslcd.
Makes sense. Changed.
> It's unfortunate we still have to cater for the old versions too. The
> extra mappings slow things down considerably for large domains
> especially as enumeration is enabled.
I think most companies running Samba in production don't use the latest
versions of everything, because they run enterprise distributions like
RHEL, SLES, Debian, etc.
At work we only run self-compiled software when there's a requirement
for that, because everything that isn't updated through the package
manager is extra work (steady check for security updates, manual
patching on all servers, etc.). Also packages in the enterprise software
are more tested and stable. That's why I think it's worth taking care
of such situations and not only serving users running the latest versions
(of course not ancient versions).
But I already have some comments in the configuration examples about the
mappings. It's up to the admin to review what he/she uses in production
and fine-tune. :-)
Thanks for your comments.
Regards,
Marc
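The point above is that the keytab export step only works on hosts whose smb.conf sets a "kerberos method" that writes a keytab. The following is an added example, not from the thread or from Samba itself: a POSIX sh check that reads the `[global]` section of an smb.conf (path passed as the first argument) and reports whether the configured method maintains a keytab. The sample configs are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread or of Samba).
# Assumes: POSIX sh and awk; the smb.conf path is passed as $1.

# Print the "kerberos method" value from [global], or "default" when the
# parameter is absent (Samba's documented default, which keeps no keytab).
kerberos_method() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                                  # skip comments
        /^[ \t]*\[/   { in_global = ($0 ~ /^[ \t]*\[global\]/) } # track section
        in_global && $1 ~ /^[ \t]*kerberos[ \t]+method[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; found = 1
        }
        END { if (!found) print "default" }
    ' "$1"
}

# Return 0 when the configured method writes a keytab, i.e. when the
# "extract the machine key" step from the thread can actually work.
keytab_managed() {
    case "$(kerberos_method "$1")" in
        "system keytab"|"dedicated keytab"|"secrets and keytab") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs, one without and one with the parameter.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '[global]\n   workgroup = EXAMPLE\n' > "$tmp/plain.conf"
printf '[global]\n   workgroup = EXAMPLE\n   kerberos method = secrets and keytab\n' \
    > "$tmp/keytab.conf"

for f in "$tmp/plain.conf" "$tmp/keytab.conf"; do
    if keytab_managed "$f"; then
        echo "$f: method '$(kerberos_method "$f")' keeps a keytab"
    else
        echo "$f: method '$(kerberos_method "$f")' keeps no keytab; export step will fail"
    fi
done
```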