[Samba] Question on approach to authenticate Linux against Samba4

Thu Jul 25 10:59:20 MDT 2013

This is in a test environment: Also, it is wordy, but I'm hoping it explains my scenario. 

I am migrating from a custom LDAP+Samba3 authentication solution to Samba4. I have used the classicupgrade option to pull off the data from the existing ldap server to populate the samba4 database. I've installed AD DS and Server for NIS tools on a Windows 2008 server that is connected to the Samba4 DC as a member server. All the information appears to be correct, including the Unix uid and group memberships, and the unixHomedirectory. 

Now I need to authenticate a Linux system against the Samba4 DC and I need to have the unixHomedirectory used. There is a lot of older information on the net on how to authenticate. I'd prefer to not be required to install samba4 on these other Linux systems which a lot of these approaches seem to require. These linux systems are running LTSP so I have 50+ users logged in at any given time. I currently NFS mount home directories for the linux systems from a central fileserver. Home directories are of the pattern /home/Graduation_year/username. 

I've tested the Windows logins. I have an issue with mapped drives to the fileservers but I expected this since the fileservers don't exist on the test network. I expect this issue to be resolved once the fileservers are upgraded to samba4 and joined as member servers. 

I found http://zachbethel.com/2013/04/10/linux-ldap-authentication-with-samba4/ which I think will work, The ldbsearch works but before embarking further on this approach, I have some concerns. 

1) will the unixHomedirectory be honored? 
2) will I be able to easily add users so that the unix settings will be properly configured? I currently use the IDEALX smbldap tools. Being able to script account creation is very important to me .. adding 200+ user accounts manually each year is not very appealing. ;) 

3) Will the scripting tools be able to automatically assign a unique uid for each unix account. Current approach uses NextFreeUnixID but this does not exist in the Samba4 database (the ldap entry is shown below ) 

dn: cn=NextFreeUnixId,dc=ncs,dc=k12,dc=de,dc=us 
objectClass: inetOrgPerson 
objectClass: sambaUnixIdPool 
cn: NextFreeUnixId 
sn: NextFreeUnixId 
structuralObjectClass: inetOrgPerson 
entryUUID: 4a73a856-83a5-1029-8294-b4ff885ef639 
creatorsName: cn=Manager,dc=ncs,dc=k12,dc=de,dc=us 
createTimestamp: 20050708023946Z 
gidNumber: 1002 
uidNumber: 3885 

I have read through the recent thread on winbind and honestly I am not sure that I want to pursue either winbind or sssd if it is possible to use nss_pam_ldap which seems closest to the current approach. 

Thank you for your patience and taking the time to read the above. 

Sincerely, 
Dave Hopkins 