[Samba] Cannot bind to AD using nslcd

Rob Mason rob.mason at acasta.co.uk
Wed Nov 19 10:10:24 MST 2014


On 19/11/2014 17:04, Rowland Penny wrote:
> On 19/11/14 16:58, Rob Mason wrote:
>> On 19/11/2014 16:51, Rowland Penny wrote:
>>> On 19/11/14 16:42, Rob Mason wrote:
>>>> <--snip-->
>>>>
>>>> OK, can you confirm that you are using samba 4.1.11 from backports,
>>>> you have created the user 'nslcd-connect' in AD and you are trying to
>>>> ssh into the AD DC.
>>>>
>>>> Rowland
>>>>
>>>> ------------------
>>>>
>>>> Thanks again!
>>>>
>>>> Yes - in this order:-
>>>>
>>>> # apt-get install -t wheezy-backports samba smbclient krb5-config krb5-user
>>>> # samba-tool domain provision --use-rfc2307 --interactive
>>>> # ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
>>>>
>>>> Tested OK using:
>>>>
>>>> # host -t SRV _ldap._tcp.acasta.intra.
>>>> # host -t SRV _kerberos._udp.acasta.intra.
>>>> # host -t A kepler.acasta.intra.
>>>> # kinit administrator@ACASTA.INTRA
>>>> # klist
>>>>
>>>> I am trying to ssh into my AD-DC box using a domain account (as a
>>>> starter!)
>>>>
>>>>
>>> OK, in which case why don't you just use winbind? It works for me,
>>> exactly the same configuration as you, or do you want to do something
>>> else and if so what?
>>>
>>> Rowland
>>>
>> Hi Rowland - it's probably my misunderstanding, but basically, I'm
>> aiming to authenticate all network services (smtp, imap, file and print)
>> to the AD in order to take advantage of a single domain account per
>> user. I achieved all of this under samba3 using 'unix password sync'.
>>
> I hope that you aren't thinking of using the AD DC to store all these;
> if so, then I would suggest that you set up a member server and use
> this instead:
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Rowland
>

Thanks.  I have three servers: the AD-DC, then a print/file server, and
finally an SMTP/IMAP server.  I have made an assumption that the other
two servers will require 'nslcd' to authenticate against the AD-DC
domain accounts.  I have no requirement for SMB service on that third
server.

My objective is for DoeJ@ACASTA.INTRA to log onto a domain account on a
Win7 workstation and access print, file and email services from the
network using that single domain account. I have little experience with
winbind - is that a better option than attempting LDAP integration???

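The member-server route Rowland points to, as an added example rather than anything from this thread or the Samba wiki: a minimal /etc/samba/smb.conf for the file/print server joined to ACASTA.INTRA, using winbind for user lookups and authentication instead of nslcd. The NetBIOS domain name ACASTA and the idmap ranges are assumptions; the two ranges must not overlap, and the member server never stores accounts itself.

```ini
[global]
    # Assumed NetBIOS name of the ACASTA.INTRA domain (check with: net ads info)
    workgroup = ACASTA
    realm = ACASTA.INTRA
    # Member server: authenticate against the AD DC over Kerberos, not a local passdb
    security = ADS

    # Default range for BUILTIN and any trusted domain not listed below
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Map ACASTA RIDs to uids/gids deterministically on every member server;
    # with the --use-rfc2307 provision, backend = ad would instead use the
    # uidNumber/gidNumber attributes, which then must be set on every account
    idmap config ACASTA : backend = rid
    idmap config ACASTA : range = 10000-999999

    # Let users log in as DoeJ rather than ACASTA\DoeJ
    winbind use default domain = yes
    winbind refresh tickets = yes

    # Defaults for domain accounts that have no Unix shell/home in AD
    template shell = /bin/bash
    template homedir = /home/%D/%U
```

After writing this, join with `net ads join -U administrator`, add `winbind` to the passwd and group lines of /etc/nsswitch.conf, and confirm the mapping with `wbinfo -u` and `getent passwd DoeJ`.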