[Samba] Question on approach to authenticate Linux against Samba4

Daniel Müller mueller at tropenklinik.de
Mon Jul 29 00:27:03 MDT 2013

So first of all winbind is  the fastest and easiest solution with samba 4:
Just be sure winbind is loaded in your samba4 smb.conf. So winbind can read
from samba:
wbinfo -u
then do a ldconfig -v | grep winbind
If the result is ex:

ldconfig: /etc/ld.so.conf.d/kernel-2.6.32-358.11.1.el6.x86_64.conf:6:
duplicate hwcap 1 nosegneg
        libnss_winbind.so -> libnss_winbind.so.2

You have to link libnss_winbind this way ex.:

ln -s  /usr/local/samba/lib/libnss_winbind.so.2  /lib64/libnss_winbind.so
ln  -s /lib64/libnss_winbind.so  /lib64/libnss_winbind.so.2

In your nsswitch.conf:
passwd:     files winbind 
shadow:     files
group:      files winbind 

now you get all your ads members and groups with getent passwd and group.

Good luck

EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im
Auftrag von dahopkins at comcast.net
Gesendet: Donnerstag, 25. Juli 2013 18:59
An: samba at lists.samba.org
Betreff: [Samba] Question on approach to authenticate Linux against Samba4

This is in a test environment: Also, it is wordy, but I'm hoping it explains
my scenario. 

I am migrating from a custom LDAP+Samba3 authentication solution to Samba4.
I have used the classicupgrade option to pull off the data from the existing
ldap server to populate the samba4 database. I've installed AD DS and Server
for NIS tools on a Windows 2008 server that is connected to the Samba4 DC as
a member server. All the information appears to be correct, including the
Unix uid and group memberships, and the unixHomedirectory. 

Now I need to authenticate a Linux system against the Samba4 DC and I need
to have the unixHomedirectory used. There is a lot of older information on
the net on how to authenticate. I'd prefer to not be required to install
samba4 on these other Linux systems which a lot of these approaches seem to
require. These linux systems are running LTSP so I have 50+ users logged in
at any given time. I currently NFS mount home directories for the linux
systems from a central fileserver. Home directories are of the pattern

I've tested the Windows logins. I have an issue with mapped drives to the
fileservers but I expected this since the fileservers don't exist on the
test network. I expect this issue to be resolved once the fileservers are
upgraded to samba4 and joined as member servers. 

I found
which I think will work, The ldbsearch works but before embarking further on
this approach, I have some concerns. 

1) will the unixHomedirectory be honored? 
2) will I be able to easily add users so that the unix settings will be
properly configured? I currently use the IDEALX smbldap tools. Being able to
script account creation is very important to me .. adding 200+ user accounts
manually each year is not very appealing. ;) 

3) Will the scripting tools be able to automatically assign a unique uid for
each unix account. Current approach uses NextFreeUnixID but this does not
exist in the Samba4 database (the ldap entry is shown below ) 

dn: cn=NextFreeUnixId,dc=ncs,dc=k12,dc=de,dc=us 
objectClass: inetOrgPerson 
objectClass: sambaUnixIdPool 
cn: NextFreeUnixId 
sn: NextFreeUnixId 
structuralObjectClass: inetOrgPerson 
entryUUID: 4a73a856-83a5-1029-8294-b4ff885ef639 
creatorsName: cn=Manager,dc=ncs,dc=k12,dc=de,dc=us 
createTimestamp: 20050708023946Z 
gidNumber: 1002 
uidNumber: 3885 

I have read through the recent thread on winbind and honestly I am not sure
that I want to pursue either winbind or sssd if it is possible to use
nss_pam_ldap which seems closest to the current approach. 

Thank you for your patience and taking the time to read the above. 

Dave Hopkins 

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list