[Samba] Manage unix users from AD
Márcio Merlone
marcio.merlone at a1.ind.br
Tue Jan 28 09:36:45 MST 2014
On 28-01-2014 14:23, mourik jan heupink wrote:
>>>> Consider a network with about 200+ employees, most of them windows
>>>> users.
>>>> It happens that one needs to provide other non-windows services like
>>>> e-mail,
>>>> proxy and many others to them, running on other linux servers.
> We are running a network exactly like that. In the samba3 days (one
> PDC, openldap backend) we did not need winbind, never used it, no
> complaints.
> I am now testing samba4, and need (like we did in samba3/openldap) my
> users to be linux and windows. We have one realm/domain, all users
> have posix attributes.
I am still considering a dual auth-database and keeping an OpenLDAP tree
for unix-only users, like ftp and daemon accounts - bacula, munin,
dovecot, etc, etc, etc.
> I was planning to have two (DC only) DC's, both virtualised, and two
> fileservers.
Why two? Fail-over?
> It seems now (having read all discussion recently on sssd/winbind) in
> samba4 we DO need winbind?
Wait! Is there a chance not to? Please, tell me if you find.... :)
>>> A related but tangential question is whether there is a way to provision
>>> these services when a new user is created from the windows
>>> administration tool, i.e., whether there is a way for samba to run a script
>>> when a new user is created (or modified) from windows.
>>> If there isn't, would it be possible to add it as a new feature?
>
> [homes]
> root preexec = /usr/local/sbin/mkhomedir.sh %U
> comment=Home directory for %S
> read only = No
> browseable = No
>
> Each time a user logs on, this script is executed. First the script
> checks if it needs to run, and if yes, it does all sorts of things:
>
> - create homedirectory
> - fill it with default requirements
> - set correct permissions
> - set quota
> - create a DFS base for that particular user
> - create a network recycle bin (with vfs module recycle)
> - etc, etc
Works nicely, but that happens at first login time, not at provision time.
He was asking about the moment he - the admin - creates the user on AD,
which can be a month before the new employee effectively starts working.
Meanwhile he is already receiving mails, ahead of his start, for example.
Regards.
--
*Marcio Merlone*
IT - Network administrator
*A1 Engenharia - Unidade Corporativa*
Phone: +55 41 3616-3797
Mobile: +55 41 9689-0036
http://www.a1.ind.br/
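
Added example, not code from this thread or from the Samba project: a sketch of the kind of script the quoted `root preexec` line calls, covering only the "check if it needs to run", create, populate and permission steps. The paths, the `make_home` function name and the restriction to plain account names (no domain prefix) are assumptions.

```shell
#!/bin/sh
# Hypothetical mkhomedir.sh for "root preexec = /usr/local/sbin/mkhomedir.sh %U".
# HOME_BASE and SKEL_DIR are assumed paths; override them via the environment.
HOME_BASE="${HOME_BASE:-/home}"
SKEL_DIR="${SKEL_DIR:-/etc/skel}"

# Create the home if it is missing; return non-zero on rejected input.
make_home() {
    user="$1"
    # The script runs as root on a client-influenced name: accept only
    # plain account names so the value cannot escape HOME_BASE.
    case "$user" in
        ""|.*|-*|*[!A-Za-z0-9._-]*) echo "rejected user name" >&2; return 2 ;;
    esac
    home="$HOME_BASE/$user"
    # Refuse a symlink planted where the home would go.
    [ -L "$home" ] && { echo "refusing symlink: $home" >&2; return 3; }
    # "First the script checks if it needs to run": nothing to do if present.
    [ -d "$home" ] && return 0
    # Create with tight permissions first, then populate.
    ( umask 077 && mkdir -p "$home" ) || return 4
    if [ -d "$SKEL_DIR" ]; then
        cp -R "$SKEL_DIR/." "$home/" || return 5
    fi
    chmod 700 "$home"
    # Ownership is handed over only when running as root and the
    # account resolves (through winbind, sssd or nss_ldap).
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:" "$home"
    fi
    return 0
}

# Run only when a user name was passed, as Samba does via %U.
if [ "$#" -ge 1 ]; then
    make_home "$1"
fi
```

Quota, DFS and recycle-bin setup from the quoted list are site-specific and are left out here.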