[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
mourik jan heupink
heupink at merit.unu.edu
Thu Jan 9 06:42:11 MST 2014
Hi Rowland, list,

That is _very_ interesting. :-)

I'm testing on wheezy and self-compiled samba, and find it much easier
than I initially expected. So I intend to stick with the self-compiled
packages, as is also often recommended here.

However, for building sssd I find far less info, plus it seems sssd is a
much 'deeper' system component. So it scares me a bit.

I guess now the easiest way to have sssd 1.11.3 plus samba 4.3.1, is to
start using ubuntu with the sssd ppa, and use self compiled samba as an
AD controller only?

Quite a change from our current only-debian servers... However, using
sssd as indicated in your post looks very interesting...!

MJ

On 01/09/2014 02:22 PM, Rowland Penny wrote:
> On 09/01/14 13:05, mourik jan heupink wrote:
>> Hi Rowland, list,
>>
>>> Yes, but you will have to be brave, stop using debian and the sernet
>>> packages, download the latest Ubuntu 14.04 iso and then install samba4 &
>>> sssd, this will work perfectly as a client.
>>
>> But I'm actually thinking about my AD controller, where I would like
>> to make my AD samba4 users available as linux users as well. (as we
>> use regular linux groups/users for access permissions)
>>
>> So, when using self-compiled samba4 (as I often see recommended here)
>> I should be fine with wheezy/stock sssd, right..?
>>
>> MJ
>
> Hi, the preferred practice, at the moment, would be to use the S4 AD
> server just for authentication and setup separate fileservers to store
> shares etc.
> Having said that, if you are going to use sssd, the higher the version
> the better. With the latest version (1.11.3) you only need this in
> sssd.conf:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = example.com
>
> [nss]
>
> [pam]
>
> [domain/example.com]
> #enumerate = true
> cache_credentials = true
> ldap_id_mapping = False
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> As you can see, no ranges to worry about or having to get the syntax
> correct, you do not even have to map anything, much easier than winbind
> etc ;-)
>
> Rowland
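
Added example (not part of either message, and not Samba or SSSD project code): a small Python lint for the sssd.conf quoted above. The function names are hypothetical and the sample is the quoted configuration. It reports listed domains that lack a section, an access_provider left at SSSD's default of permit, and ldap_id_mapping being off, and it checks the root-owned, mode 0600 file requirement stated in sssd.conf(5).

```python
import configparser
import os
import stat

# Constructed sample: the sssd.conf quoted in the message above.
SAMPLE = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com
[nss]
[pam]
[domain/example.com]
#enumerate = true
cache_credentials = true
ldap_id_mapping = False
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
"""

def lint_sssd_conf(text):
    """Return findings for an sssd.conf passed as a string (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = []
    domains = cp.get("sssd", "domains", fallback="")
    for dom in (d.strip() for d in domains.split(",") if d.strip()):
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            out.append(f"domain {dom} listed but [{sec}] is missing")
            continue
        # With no access_provider set, SSSD defaults to "permit": every user may log in.
        if cp.get(sec, "access_provider", fallback="permit") == "permit":
            out.append(f"[{sec}] access_provider is permit: no access control")
        # ID mapping off means SSSD reads uidNumber/gidNumber from the AD objects.
        if not cp.getboolean(sec, "ldap_id_mapping", fallback=True):
            out.append(f"[{sec}] ldap_id_mapping is off: users need uidNumber/gidNumber in AD")
    return out

def perm_findings(path):
    """sssd.conf(5): the file must be owned by root and readable/writable by root only."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    out = [f"mode is {mode:o}, expected 600"] if mode != 0o600 else []
    if st.st_uid != 0:
        out.append("owner is not root")
    return out
```

On a real host, call `perm_findings("/etc/sssd/sssd.conf")` as root and pass the file's contents to `lint_sssd_conf`.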