[Samba] Question on approach to authenticate Linux against Samba4

Daniel Müller mueller at tropenklinik.de
Mon Jul 29 00:27:03 MDT 2013


So first of all, winbind is the fastest and easiest solution with Samba 4.
Just be sure winbind is loaded in your Samba4 smb.conf, so winbind can read
from Samba:
wbinfo -u
Administrator
Guest
krbtgt
dns-s4master
Then do a ldconfig -v | grep winbind
If the result is, e.g.:

ldconfig: /etc/ld.so.conf.d/kernel-2.6.32-358.11.1.el6.x86_64.conf:6:
duplicate hwcap 1 nosegneg
        libnss_winbind.so -> libnss_winbind.so.2

You have to link libnss_winbind this way, e.g.:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

In your nsswitch.conf:
passwd:     files winbind 
shadow:     files
group:      files winbind 

Now you get all your ADS members and groups with getent passwd and group.

Good luck
Daniel 


-----------------------------------------------
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of dahopkins at comcast.net
Sent: Thursday, 25 July 2013 18:59
To: samba at lists.samba.org
Subject: [Samba] Question on approach to authenticate Linux against Samba4

This is in a test environment. Also, it is wordy, but I'm hoping it explains
my scenario. 

I am migrating from a custom LDAP+Samba3 authentication solution to Samba4.
I have used the classicupgrade option to pull off the data from the existing
ldap server to populate the samba4 database. I've installed AD DS and Server
for NIS tools on a Windows 2008 server that is connected to the Samba4 DC as
a member server. All the information appears to be correct, including the
Unix uid and group memberships, and the unixHomedirectory. 

Now I need to authenticate a Linux system against the Samba4 DC and I need
to have the unixHomedirectory used. There is a lot of older information on
the net on how to authenticate. I'd prefer to not be required to install
samba4 on these other Linux systems which a lot of these approaches seem to
require. These Linux systems are running LTSP so I have 50+ users logged in
at any given time. I currently NFS mount home directories for the Linux
systems from a central fileserver. Home directories are of the pattern
/home/Graduation_year/username. 

I've tested the Windows logins. I have an issue with mapped drives to the
fileservers but I expected this since the fileservers don't exist on the
test network. I expect this issue to be resolved once the fileservers are
upgraded to samba4 and joined as member servers. 

I found
http://zachbethel.com/2013/04/10/linux-ldap-authentication-with-samba4/
which I think will work. The ldbsearch works, but before embarking further on
this approach, I have some concerns. 

1) Will the unixHomedirectory be honored? 
2) Will I be able to easily add users so that the unix settings will be
properly configured? I currently use the IDEALX smbldap tools. Being able to
script account creation is very important to me .. adding 200+ user accounts
manually each year is not very appealing. ;) 

3) Will the scripting tools be able to automatically assign a unique uid for
each unix account? Current approach uses NextFreeUnixID but this does not
exist in the Samba4 database (the ldap entry is shown below). 

dn: cn=NextFreeUnixId,dc=ncs,dc=k12,dc=de,dc=us 
objectClass: inetOrgPerson 
objectClass: sambaUnixIdPool 
cn: NextFreeUnixId 
sn: NextFreeUnixId 
structuralObjectClass: inetOrgPerson 
entryUUID: 4a73a856-83a5-1029-8294-b4ff885ef639 
creatorsName: cn=Manager,dc=ncs,dc=k12,dc=de,dc=us 
createTimestamp: 20050708023946Z 
gidNumber: 1002 
uidNumber: 3885 

I have read through the recent thread on winbind and honestly I am not sure
that I want to pursue either winbind or sssd if it is possible to use
nss_pam_ldap which seems closest to the current approach. 


Thank you for your patience and taking the time to read the above. 

Sincerely, 
Dave Hopkins 
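
The script below is an added example, not part of either message and not Samba code: it checks the two things the winbind reply sets up, the winbind source for passwd and group in nsswitch.conf and a libnss_winbind.so.2 that resolves instead of dangling. The function names and the constructed demo tree are assumptions of this example; on a real host the call would be check_winbind_nss /etc/nsswitch.conf /lib64.

```shell
# Added example; function names and the demo tree are assumptions.
# nss_sources FILE DB: print the sources configured for DB, single-spaced.
nss_sources() {
    sed 's/#.*//' "$1" | awk -F: -v db="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == db { sub(/^[^:]*:[ \t]*/, ""); gsub(/[ \t]+/, " ");
                    sub(/ $/, ""); print; exit }'
}

# nss_uses_winbind FILE DB: succeed if winbind is one of the sources for DB.
nss_uses_winbind() {
    case " $(nss_sources "$1" "$2") " in
        *" winbind "*) return 0 ;;
    esac
    return 1
}

# nss_module_ok DIR: succeed if DIR/libnss_winbind.so.2 (the file name glibc
# loads for the "winbind" source) exists and is not a dangling symlink.
nss_module_ok() { [ -e "$1/libnss_winbind.so.2" ]; }

# check_winbind_nss FILE DIR: report each check, non-zero return on any failure.
check_winbind_nss() {
    rc=0
    for db in passwd group; do
        if nss_uses_winbind "$1" "$db"; then
            echo "ok:   $db: $(nss_sources "$1" "$db")"
        else
            echo "FAIL: $db does not list winbind in $1"; rc=1
        fi
    done
    if nss_module_ok "$2"; then echo "ok:   $2/libnss_winbind.so.2 resolves"
    else echo "FAIL: $2/libnss_winbind.so.2 missing or dangling"; rc=1; fi
    return "$rc"
}

# demo: constructed tree mirroring the reply's nsswitch.conf lines and symlinks.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/samba" "$d/lib64"
    : > "$d/samba/libnss_winbind.so.2"          # empty stand-in for the module
    ln -s "$d/samba/libnss_winbind.so.2" "$d/lib64/libnss_winbind.so"
    ln -s "$d/lib64/libnss_winbind.so" "$d/lib64/libnss_winbind.so.2"
    printf 'passwd: files winbind\nshadow: files\ngroup: files winbind\n' \
        > "$d/nsswitch.conf"
    check_winbind_nss "$d/nsswitch.conf" "$d/lib64"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo
```

With files listed before winbind, a local account wins over a domain account of the same name, so local root and service accounts cannot be shadowed by a directory entry.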
