[Samba] Samba4 AD sssd or pam_krb

Rowland Penny rowlandpenny at googlemail.com
Sun Dec 29 14:12:21 MST 2013


On 29/12/13 19:02, Chan Min Wai wrote:
> Dear Rowland,
>
> I think that it does have it if they are same as what windows AD have 
> according to the link below.

All samba4 AD attributes are the same as windows AD attributes, because 
they ARE windows AD attributes

>
> http://msdn.microsoft.com/en-us/library/windows/desktop/ms679787(v=vs.85).aspx
>
> Yes these are the attribute that I use.
>
> winbind might have a weakness on its home and also shell as it is not 
> from AD but from smb.conf.
> Also without userPassword you will need to change the pam config to work 
> with winbind.

I think that you are falling into the 'let's put everything on the AD 
server' trap, it would be better if you just use the S4 AD server for 
authentication and then set up another server as a fileserver.

You would also need to change the pam config if you used sssd, so I cannot 
see your problem here.

>
> With shadow in AD, your changes on that part will only be on ldap.conf 
> which is just uncomment :)

If you use S4 AD as it is meant to be used, you do not need the shadow 
attributes.

Rowland

>
>
>
> On Sun, Dec 29, 2013 at 12:30 AM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>     On 28/12/13 14:38, Chan Min Wai wrote:
>
>         Dear Michael,
>
>         I'm on gentoo, as far as I know sssd requires mit-krb5 and
>         wouldn't compile against
>         heimdal...
>
>         I do hope we can directly use shadow attribute from Samba AD
>         and make it
>         work like ldap...
>
>     The hint is in the name, Samba 4 is an implementation of Active
>     Directory, it is not at this time LDAP. Having said that, it does
>     have the 'User' objectClass which has the auxiliaryClasses,
>     shadowAccount & posixAccount. The attributes of shadowAccount are:
>       uid, userPassword, description, shadowLastChange,shadowMin,
>     shadowMax, shadowWarning, shadowInactive, shadowExpire,shadowFlag
>
>     Are these of any use to you ?
>
>     Also if you cannot use sssd, then why not try winbind ?
>
>     Rowland
>
>         But it is missing the access to userpasswd or shadow* attribute...
>
>
>         On Sat, Dec 28, 2013 at 4:54 PM, Michael Wood
>         <esiotrot at gmail.com> wrote:
>
>             Hi
>
>             On 24 December 2013 14:12, Chan Min Wai <dcmwai at gmail.com> wrote:
>
>                 Dear All,
>
>                 I was using Samba3 + LDAP central authentication for
>                 the past 5 years.
>
>                 And since I need to move to Samba4 AD, I was wondering if
>                 there is a way to do
>                 linux central authentication without sssd but using
>                 pam_krb.
>                 I'm asking this because I've removed mit-krb5 on my
>                 testing machine as
>                 required by samba4 in my gentoo.
>
>             Samba 4 AD includes its own KDC (based on Heimdal), but
>             you should be able
>             to install the MIT krb5 client libs which are what sssd or
>             pam_krb would
>             require.  Otherwise, surely they would also work with the
>             heimdal client
>             libs?
>
>             I don't know how gentoo packages Samba 4, so it might be
>             more or less
>             tricky, but the main thing to do is avoid installing the
>             MIT KDC.
>
>             So without mit-krb5 sssd doesn't compile.
>
>                 So I was wondering if there is any other solution and how hard
>                 it will be.
>
>                 I have 2 linux gentoo servers that will depend on this
>                 central authentication
>                 (at least the user ID and the GID have to be correct).
>
>                 Without the proper UID and GID display, I can still
>                 see the number, it is just
>                 not very convenient and hard to see what I'm doing...
>
>
>                 Thank You
>
>
>             --
>             Michael Wood <esiotrot at gmail.com>
>
>
>
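Rowland's replies above recommend winbind on a separate domain member rather than shadow attributes on the DC, and Chan's objection is that winbind takes the home directory and shell from smb.conf instead of from AD. The smb.conf below is an added example and is not from the thread or the Samba project's documentation; it shows the usual way round that objection on a Samba 4.x domain member: the `ad` idmap backend reads uidNumber and gidNumber from the posixAccount attributes Rowland lists, and `winbind nss info = rfc2307` makes winbind read unixHomeDirectory and loginShell from AD as well, so the `template` lines are only a fallback. The domain name SAMDOM, the realm SAMDOM.EXAMPLE.COM and the ID ranges are assumptions for the example.

```ini
# Added example smb.conf for a Samba 4.x domain member (not a DC).
# Assumed names: NetBIOS domain SAMDOM, realm SAMDOM.EXAMPLE.COM, ID ranges below.
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM

   # Resolve users without the DOMAIN\ prefix and keep tickets fresh for pam_winbind.
   winbind use default domain = yes
   winbind refresh tickets = yes

   # Take home directory and login shell from the AD posixAccount attributes
   # (unixHomeDirectory, loginShell) instead of from the template lines.
   winbind nss info = rfc2307

   # Default domain (BUILTIN etc.): allocate locally in tdb.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Our domain: use uidNumber / gidNumber stored in AD, so both member
   # servers show the same numeric IDs without any local allocation.
   # Caveat: a user or group without uidNumber/gidNumber inside this range
   # is not resolved at all by the ad backend, so every account must have them.
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999

   # Fallback only, used when the AD attributes above are missing.
   template shell = /bin/bash
   template homedir = /home/%U
```

With this in place the member is joined with `net ads join -U Administrator`, winbind is started, and `/etc/nsswitch.conf` gets `passwd: files winbind` and `group: files winbind`; `getent passwd someuser` should then print the uidNumber, gidNumber, unixHomeDirectory and loginShell held in AD. Rowland's point about pam stands: the member still needs pam_winbind (or pam_krb5) in its PAM stack, since nothing here reads userPassword or the shadow attributes.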
