[Samba] Winbind + SFU - was: Re: samba4 and sssd and user mapping
marcio.merlone at a1.ind.br
Thu Jan 30 05:51:43 MST 2014
On 29-01-2014 18:41, Björn JACKE wrote:
> On 2014-01-29 at 14:53 -0200 Márcio Merlone sent off:
>> server role = active directory domain controller
> remember the golden rule of thumb: a dc is a dc is a dc. no winbind needed and
> no user logins here.
I'm confused. You probably mean "no shell login for AD users here",
right? What if I want to use my AD user to ssh into the DC? Shall I
create a /etc/passwd user for that? Is there any tech limit or is this
just a best practice?
If I can bring my AD users to the unix floor by whatever means, I'd like
to select which ones are allowed by defining their shell as /bin/bash,
as opposed to mortals, which get /bin/false. That implies "winbind nss
info = sfu" (if going the winbind way) so I can define the login shell
on AD and have it available to nss. That did not work on the DC (disregard
my last post citing a member server).
I'm still figuring out the paradigms I'll have to break. On my
samba3+OpenLDAP env, I have a unix user database (OpenLDAP) that is
"converted" as a windows database by samba. On samba4 I have the other
way around, a windows user database (AD) that is read by a unix env. The
former is very mature and complete for the unix env, while the latter,
well, I'll have to get used to. :)
I think the question can be simplified to: on _the_ DC, what is the best
approach to bring my AD users down to the shell and home defined on
their SFU attributes?
A side question: if the DC is also the main file server for my windows
network, doesn't that also require winbind, as opposed to "no winbind needed"?
Thanks for your time, best regards.
IT - Network administrator
*A1 Engenharia - Unidade Corporativa*
Fone: +55 41 3616-3797
Cel: +55 41 9689-0036
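The shell-as-gate idea above (loginShell /bin/bash for admins, /bin/false for everyone else, exposed through "winbind nss info = sfu") is only as good as what NSS actually returns, so the check a practitioner wants is a reconciliation of the AD attributes against `getent passwd`. The script below is an added example, not code from the thread or from Samba; it assumes `winbind use default domain = yes` (names without a domain prefix) and uses constructed sample data standing in for an LDIF export of the RFC2307 attributes and for `getent passwd` output.

```shell
#!/bin/sh
# Added example: does the shell NSS hands out match the SFU/RFC2307
# loginShell stored in AD? A mismatch usually means winbind is still
# using "template shell" rather than the sfu attributes.

# Constructed sample of the AD side (what an LDIF export of the
# uidNumber/loginShell/unixHomeDirectory attributes would look like).
AD_SAMPLE='dn: CN=Marcio,CN=Users,DC=example,DC=test
sAMAccountName: marcio
uidNumber: 10001
loginShell: /bin/bash
unixHomeDirectory: /home/marcio

dn: CN=jdoe,CN=Users,DC=example,DC=test
sAMAccountName: jdoe
uidNumber: 10002
loginShell: /bin/false
unixHomeDirectory: /home/jdoe'

# Constructed sample of `getent passwd` on the same host; jdoe gets
# /bin/bash here although AD says /bin/false (the failure to detect).
NSS_SAMPLE='root:x:0:0:root:/root:/bin/bash
marcio:*:10001:10000:Marcio:/home/marcio:/bin/bash
jdoe:*:10002:10000:J Doe:/home/jdoe:/bin/bash'

# Reduce the LDIF dump to one "name shell home" line per user.
ad_unix_attrs() {
    printf '%s\n' "$1" | awk '
        /^sAMAccountName: /    { n = $2 }
        /^loginShell: /        { s = $2 }
        /^unixHomeDirectory: / { h = $2 }
        /^$/ && n != ""        { print n, s, h; n = s = h = "" }
        END { if (n != "") print n, s, h }'
}

# Compare AD loginShell with the NSS shell (field 7); print one line
# "name ad=<shell> nss=<shell>" per user whose shells differ. Accounts
# unknown to AD (local users such as root) are ignored.
shell_mismatches() {
    sm_map=$(ad_unix_attrs "$1")
    printf '%s\n' "$2" | awk -F: -v map="$sm_map" '
        BEGIN { n = split(map, lines, "\n")
                for (i = 1; i <= n; i++) { split(lines[i], f, " "); ad[f[1]] = f[2] } }
        ($1 in ad) && ad[$1] != $7 { printf "%s ad=%s nss=%s\n", $1, ad[$1], $7 }'
}

shell_mismatches "$AD_SAMPLE" "$NSS_SAMPLE"
```

On a real host, feed the script the output of `getent passwd` and an LDIF export of the users' RFC2307 attributes. A /bin/false shell only ends the interactive session; keep the ssh allow-list enforced in sshd_config (AllowUsers/AllowGroups) as well.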