[Samba] nslcd / pam_ldap HowTo

Marc Muehlfeld samba at marc-muehlfeld.de
Thu Aug 29 05:08:37 MDT 2013

On 29.08.2013 12:31, steve wrote:
> The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what
> we already have? How about this instead?
> 1. For a client joined to the domain, please skip to (3) below.
> 2. On the DC:
> Extract the machine key:
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$
> 3. Get tickets and create the cache:
> k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt

I had a look at my production site. I don't have a krb5.keytab on any of
my Samba 3 or 4 servers in my AD. After some reading, I found out that
I must have a "kerberos method" entry in my smb.conf file for that. I'm
not sure how many people have this option.

As the HowTo should be usable for as many people as possible, I would
keep these short steps. They don't cause problems and work even if
there's already a keytab on the machine.

> - Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start
> nslcd.

Makes sense. Changed.

> It's unfortunate we still have to cater for the old versions too. The
> extra mappings slow things down considerably for large domains
> especially as enumeration is enabled.

I think most companies running Samba in production don't use the latest 
versions of everything, because they run enterprise distributions like 
RHEL, SLES, Debian, etc.

At work we only run self-compiled software when there's a requirement
for that, because everything that isn't updated through the package
manager is extra work (steadily checking for security updates, manual
patching on all servers, etc.). Also, packages in the enterprise software
are more tested and stable. That's why I think it's worth taking care
of such situations and not only serving users running the latest versions
(of course not ancient versions).

But I already have some comments in the configuration examples about the 
mappings. It's up to the admin to review what he/she uses in production 
and fine tune. :-)

Thanks for your comments.

