[Samba] Samba4 AD sssd or pam_krb

Rowland Penny rowlandpenny at googlemail.com
Sat Dec 28 09:30:44 MST 2013

On 28/12/13 14:38, Chan Min Wai wrote:
> Dear Michael,
> I'm on gentoo, as far as I know sssd required mit-krb5 and wouldn't compile
> heimdal...
> I do hope we can directly use shadow attribute from Samba AD and make it
> work like ldap...
The hint is in the name, Samba 4 is an implementation of Active 
Directory, it is not at this time LDAP. Having said that, it does have 
the 'User' objectClass which has the auxiliaryClasses, shadowAccount & 
posixAccount. The attributes of shadowAccount are:
   uid, userPassword, description, shadowLastChange,shadowMin, 
shadowMax, shadowWarning, shadowInactive, shadowExpire,shadowFlag

Are these of any use to you ?

Also if you cannot use sssd, then why not try winbind ?

> But it is missing the access to userpasswd or shadow* attribute...
> On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood <esiotrot at gmail.com> wrote:
>> Hi
>> On 24 December 2013 14:12, Chan Min Wai <dcmwai at gmail.com> wrote:
>>> Dear All,
>>> I was using Samba3 + LDAP central authentication for the pass 5 years.
>>> And since need to move to Samba4 AD was wonder if there is a way to do
>>> linux central authentication without sssd but using pam_krb
>>> I'm asking this because I've removed mit-krb5 on my testing machine as
>>> required by samba4 in my gentoo.
>> Samba 4 AD includes its own KDC (based on Heimdal), but you should be able
>> to install the MIT krb5 client libs which are what sssd or pam_krb would
>> require.  Otherwise, surely they would also work with the heimdal client
>> libs?
>> I don't know how gentoo packages Samba 4, so it might be more or less
>> tricky, but the main thing to do is avoid installing the MIT KDC.
>> So without mit-krb5 sssd don't compile.
>>> So was wonder if there any other solution and how hard it will be.
>>> I've 2 linux gentoo server will dependent on this central authentication
>>> (at lease the user Id and the GID have to be correct)
>>> without the proper UID and GID display, I can still see the number just
>>> very not convenient and hard to see what I'm doing...
>>> Thank You
>> --
>> Michael Wood <esiotrot at gmail.com>

More information about the samba mailing list