[Samba] Winbind + SFU - was: Re: samba4 and sssd and user mapping

Márcio Merlone marcio.merlone at a1.ind.br
Thu Jan 30 05:51:43 MST 2014

On 29-01-2014 18:41, Björn JACKE wrote:
> On 2014-01-29 at 14:53 -0200 Márcio Merlone sent off:
>> server role = active directory domain controller
> remember the golden rule of thumb: a dc is a dc is a dc. no winbind needed and
> no user logins here.
I'm confused. You probably mean "no shell login for AD users here", 
right? What if I want to use my AD user to ssh into the DC? Shall I 
create a /etc/passwd user for that? Is there any tech limit or is this 
just a best practice?

If I can bring my AD users to the unix floor by whatever means, I'd like 
to select which ones are allowed by defining their shell as /bin/bash, 
as opposed to mortals, which get /bin/false. That implies "winbind nss 
info = sfu" (if going the winbind way) so I can define their login shell 
on AD and have it available to nss. That did not work on the DC (disregard 
my last post citing a member server).

I'm still figuring out the paradigms I'll have to break. On my 
samba3+OpenLDAP env, I have a unix user database (OpenLDAP) that is 
"converted" as a windows database by samba. On samba4 I have the other 
way around, a windows user database (AD) that is read by a unix env. The 
former is very mature and complete for the unix env, while the latter, 
well, I'll have to get used to. :)

I think the question can be simplified to: on _the_ DC, what is the best 
approach to bring my AD users down to the shell and home defined on 
their SFU attributes?
A side question: if the DC is also the main file server for my windows 
network, doesn't that also require winbind - as opposed to "no winbind needed"?

Thanks for your time, best regards.

*Marcio Merlone*
IT - Network administrator

*A1 Engenharia - Unidade Corporativa*
Phone: 	+55 41 3616-3797
Mobile: 	+55 41 9689-0036

http://www.a1.ind.br/
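For reference, this is what "the winbind way" mentioned in the post looks like on a domain *member* server, as an added example that is not from this thread or from Samba's own documentation for the DC case; the domain name EXAMPLE and the id ranges are placeholders. "winbind nss info = sfu" maps the older Services for Unix attributes, while "rfc2307" reads loginShell/unixHomeDirectory; the "template" values are what a user gets when the AD attribute is absent, so /bin/false keeps unlisted accounts off the shell.

```ini
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads

   # Default idmap backend for BUILTIN and any untrusted domain (placeholder range)
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Read uidNumber/gidNumber from AD instead of allocating them locally
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999

   # Take shell and home directory from the AD attributes ("sfu" for the
   # Services for Unix schema, "rfc2307" for loginShell/unixHomeDirectory)
   winbind nss info = rfc2307

   # Fallback when a user has no shell/home attribute: no interactive shell
   template shell = /bin/false
   template homedir = /home/%U
```

After restarting winbind, `getent passwd <aduser>` shows which shell the account actually gets, so you can confirm that only users with loginShell set to /bin/bash can log in.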
