[Samba] Samba4 AD sssd or pam_krb

Chan Min Wai dcmwai at gmail.com
Sun Dec 29 12:02:38 MST 2013


Dear Rowland,

I think that it does have it if they are the same as what Windows AD has,
according to the link below.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx

Yes, these are the attributes that I use.

winbind might have a weakness on its home and also shell, as it was not from
AD but from smb.conf.
Also, without userPassword you will need to change the pam config to work with
winbind.

With shadow in AD, your changes on that part will only be in ldap.conf,
which is just uncommenting :)



On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 28/12/13 14:38, Chan Min Wai wrote:
>
>> Dear Michael,
>>
>> I'm on gentoo, as far as I know sssd required mit-krb5 and wouldn't compile
>> heimdal...
>>
>> I do hope we can directly use shadow attribute from Samba AD and make it
>> work like ldap...
>>
> The hint is in the name, Samba 4 is an implementation of Active Directory,
> it is not at this time LDAP. Having said that, it does have the 'User'
> objectClass which has the auxiliaryClasses, shadowAccount & posixAccount.
> The attributes of shadowAccount are:
>   uid, userPassword, description, shadowLastChange, shadowMin, shadowMax,
> shadowWarning, shadowInactive, shadowExpire, shadowFlag
>
> Are these of any use to you ?
>
> Also if you cannot use sssd, then why not try winbind ?
>
> Rowland
>
>  But it is missing the access to userpasswd or shadow* attribute...
>>
>>
>> On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood <esiotrot at gmail.com> wrote:
>>
>>  Hi
>>>
>>> On 24 December 2013 14:12, Chan Min Wai <dcmwai at gmail.com> wrote:
>>>
>>>  Dear All,
>>>>
>>>> I was using Samba3 + LDAP central authentication for the past 5 years.
>>>>
>>>> And since I need to move to Samba4 AD, I was wondering if there is a way to do
>>>> linux central authentication without sssd but using pam_krb.
>>>> I'm asking this because I've removed mit-krb5 on my testing machine as
>>>> required by samba4 in my gentoo.
>>>>
>>>>  Samba 4 AD includes its own KDC (based on Heimdal), but you should be
>>> able
>>> to install the MIT krb5 client libs which are what sssd or pam_krb would
>>> require.  Otherwise, surely they would also work with the heimdal client
>>> libs?
>>>
>>> I don't know how gentoo packages Samba 4, so it might be more or less
>>> tricky, but the main thing to do is avoid installing the MIT KDC.
>>>
>>> So without mit-krb5 sssd doesn't compile.
>>>
>>>> So I was wondering if there is any other solution and how hard it will be.
>>>>
>>>> I have 2 linux gentoo servers that will depend on this central authentication
>>>> (at least the user ID and the GID have to be correct)
>>>>
>>>> Without the proper UID and GID display, I can still see the number, it is just
>>>> very inconvenient and hard to see what I'm doing...
>>>>
>>>>
>>>> Thank You
>>>>
>>>
>>> --
>>> Michael Wood <esiotrot at gmail.com>
>>>
>>>
>

