[Samba] Manage unix users from AD

Márcio Merlone marcio.merlone at a1.ind.br
Tue Jan 28 09:28:14 MST 2014

On 28-01-2014 11:10, Volker Lendecke wrote:
> On Tue, Jan 28, 2014 at 01:54:11PM +0100, Sven Schwedas wrote:
>>> Which of each would bring my rfc2307 users with all their attributes
>>> defined on SFU, *and only those users*, to my linux system? If I create
>>> a user _without_ rfc2307 means I don't want linux to know about him. If I
>>> define a user with /bin/false as shell on SFU, bring that to linux.
>>> That's it. As an admin, I don't care about idmapping, I already defined
>>> an uidNumber (or whatever AD attribute is used to store it) to the user,
>>> just use it.
>> Then you can safely ignore winbindd, as it doesn't honour shell settings.
> If you use "winbind nss info = sfu" it should do it.
Good to know, I'll play with that and see how it works. But looking for 
information and docs I found that on the smb.conf man page (1) it says 
something about "winbind nss info = sfu" - and no more than you have 
already said - while on the winbind page (2) there is no mention of 'sfu' 
nor 'nss' even though it seems to be the samba4 version of winbind - as 
per the url.

(1) http://www.samba.org/samba/docs/man/manpages/smb.conf.5.html#idp62681648
(2) http://www.samba.org/samba/docs/man/manpages/winbindd.8.html

Also, I am still not sure which winbind all the docs and information 
found on the net refer to: samba3, samba4, internal, daemon... For a 
non-samba expert/specialist, it is very confusing and frustrating.

>> Food for thought: Is offline login (/resilience against domain
>> controller outages) needed? nss_ldap afaik does not provide this
>> natively, e.g., and needs external caching by pam_ccreds (which makes
>> for a more complicated setup).
Resilience is always welcome; in my case just desired, not required.


*Marcio Merlone*
IT - Network Administrator

*A1 Engenharia - Corporate Unit*
Phone: 	+55 41 3616-3797
Mobile: 	+55 41 9689-0036

http://www.a1.ind.br/
