[Samba] Winbind + SFU - was: Re: samba4 and sssd and user mapping

Björn JACKE bj at SerNet.DE
Fri Jan 31 02:40:32 MST 2014

Hi Márcio,
On 2014-01-30 at 10:51 -0200 Márcio Merlone sent off:
> I'm confused. You probably mean "no shell login for AD users here",
> right? What if I want to use my AD user to ssh into the DC? Shall I
> create a /etc/passwd user for that? Is there any tech limit or is
> this just a best practice?

If you follow the "DC is a DC is a DC" rule then your users don't log in via ssh,
so simple :-).  Only your DC admins log on via local accounts then.
This is the best practice actually. If you want to enable shell logins, do that
on a different machine. Of course you can also ignore the best practice rule
and enable winbind4. But you know about the limits.

> If I can bring my AD users to the unix floor by whatever mean, I'd
> like to select which ones are allowed by defining their shell as
> /bin/bash, opposed to mortals, which get /bin/false. That implies
> "winbind nss info = sfu" (if going the winbind way) so I can define
> its login shell on AD and have this available to nss. That did not
> work on DC (disregard my last post citing a member server).

have a look at the available options for that parameter in the smb.conf man
page. Remember this is for the "classic" winbind which is not yet merged with
the "AD winbind".

> I'm still figuring out the paradigms I'll have to break. On my
> samba3+OpenLDAP env, I have a unix user database (OpenLDAP) that is
> "converted" as a windows database by samba. On samba4 I have the
> other way around, a windows user database (AD) that is read by a
> unix env. The former is very mature and complete for the unix env,
> while the latter, well, I'll have to get used to. :)
> I think the question can be simplified to: on _the_ DC, what is the
> best approach to bring my AD users down to the shell and home
> defined on their SFU attributes?

See above.

> A side question: if the DC is also the main file server for my
> windows network doesn't that also require winbind - opposed to "no
> winbind needed"?

It is still not *required*. But it's much nicer for you to see which files
belong to which users on the shell. But again: you ignore all the advice if
you do this, so don't complain too much about the problems you have with a
DC-plus-fileserver-on-one-machine setup.

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
  ☎ +49-551-370000-0, ℻ +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
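As an added illustration (not code from the post or from Samba itself): a small Python model of what the "winbind nss info" parameter Márcio mentions does on a member server, namely which AD attributes feed the NSS home and shell fields, and how "template shell = /bin/false" leaves users without a loginShell attribute unable to log in interactively. The attribute names are the ones the rfc2307 and sfu backends read; the fallback to the template shell for a user lacking the attribute is an assumption of this model, to be checked against the smb.conf man page for the Samba version in use.

```python
from dataclasses import dataclass

# AD attributes each nss_info backend reads for the Unix home and shell
# (uid/gid come from the idmap backend and are not modelled here).
SCHEMA = {
    "rfc2307": {"home": "unixHomeDirectory", "shell": "loginShell"},
    "sfu": {"home": "msSFU30HomeDirectory", "shell": "msSFU30LoginShell"},
}

@dataclass
class PasswdEntry:
    name: str
    home: str
    shell: str

def nss_passwd(user, nss_info="template",
               template_homedir="/home/%U", template_shell="/bin/false"):
    """Passwd entry winbind would expose for one AD user (a dict of attributes).

    "template" ignores AD and always uses the template values; "sfu"/"rfc2307"
    read the per-user attributes. Assumption modelled here: a user lacking the
    shell attribute falls back to template shell, so an AD user who was never
    given a loginShell ends up with /bin/false.
    """
    name = user["sAMAccountName"]
    home = template_homedir.replace("%U", name)
    shell = template_shell
    if nss_info != "template":
        attrs = SCHEMA[nss_info]
        home = user.get(attrs["home"], home)
        shell = user.get(attrs["shell"], shell)
    return PasswdEntry(name, home, shell)

def interactive_users(users, nss_info):
    """Names of the users that end up with a real login shell."""
    denied = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
    return [e.name for e in (nss_passwd(u, nss_info) for u in users)
            if e.shell not in denied]

def smb_conf_fragment(nss_info, template_shell="/bin/false"):
    """The [global] lines that select this behaviour in smb.conf."""
    return "\n".join(["[global]", f"    winbind nss info = {nss_info}",
                      f"    template shell = {template_shell}"])

# Constructed sample: one admin with RFC2307 attributes set, one "mortal" without.
SAMPLE_USERS = [
    {"sAMAccountName": "dcadmin", "unixHomeDirectory": "/home/dcadmin",
     "loginShell": "/bin/bash"},
    {"sAMAccountName": "mortal"},
]
```

With the sample data, only dcadmin gets /bin/bash under rfc2307, and nobody does under template, which is the "select who is allowed" effect the thread describes.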
