[Samba] nslcd samba 4.1 and FreeBSD 10
Doug Sampson
dougs at dawnsign.com
Tue Oct 14 13:20:39 MDT 2014
Hello list-
As a FreeBSD shop we've used Samba 3.x quite well for a couple years. With version 3.6 due to expire in due time, we've been experimenting with version 4.1 using winbindd with very limited success. We find that if we use the TDB backend instead of either RID or AD, we are able to enumerate our AD users via getent. I cannot enumerate AD users via either the AD or the RID backends. This doesn't strike me as a method I want to use especially when the numerical users/groups mappings differ between servers.
I saw a posting where it was recommended that FreeBSD sysadmins use either nslcd or sssd in order to enumerate AD users. After a period of experimentation, I can enumerate AD users successfully via nslcd (using bindpw) using the getent command. I can ssh into a FreeBSD box with my AD user credentials! The nslcd mappings are as follows:
# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
pagesize 1000
referrals off
#idle_timelimit 800
filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
map passwd uid sAMAccountName
map passwd uidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
map passwd gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
map passwd homeDirectory "/home/$cn"
map passwd gecos displayName
map passwd loginShell "/bin/csh"
#filter group (|(objectClass=group)(objectClass=person))
filter group (objectClass=group)
map group gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
The next question is how to authenticate AD users using samba 4.1. What is the recommended method for authenticating AD users via samba 4.1 and nslcd? Should I use the smbpasswd auth method -i.e. using the migrate keyword to migrate auth info from the passwd/group files to the smbpasswd database? Or should I use ldap using the same mappings that nslcd uses?
If it is suggested that smbpasswd be used, which PAM policy should I use for Samba user authentication? The default FreeBSD implementation does not offer a policy for the Samba service. Here are the default policies:
root at cache:/home# ll /etc/pam.d/
total 64
-r--r--r-- 1 root wheel 2911 Jan 16 2014 README
-rw-r--r-- 1 root wheel 322 Jan 16 2014 atrun
-rw-r--r-- 1 root wheel 199 Jan 16 2014 cron
-rw-r--r-- 2 root wheel 531 Jan 16 2014 ftp
-rw-r--r-- 2 root wheel 531 Jan 16 2014 ftpd
-rw-r--r-- 1 root wheel 365 Jan 16 2014 imap
-rw-r--r-- 1 root wheel 588 Oct 10 12:16 login
-rw-r--r-- 1 root wheel 907 Oct 10 11:12 other
-rw-r--r-- 1 root wheel 318 Jan 16 2014 passwd
-rw-r--r-- 1 root wheel 365 Jan 16 2014 pop3
-rw-r--r-- 1 root wheel 328 Jan 16 2014 rsh
-rw-r--r-- 1 root wheel 884 Oct 10 13:46 sshd
-rw-r--r-- 1 root wheel 384 Jan 16 2014 su
-rw-r--r-- 1 root wheel 714 Jan 16 2014 system
-rw-r--r-- 1 root wheel 764 Jan 16 2014 telnetd
-rw-r--r-- 1 root wheel 529 Jan 16 2014 xdm
root at cache:/home#
Which one of these policies should be used for Samba?
If it is suggested to use LDAP, I am finding that this link:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607186
may be outdated. The use of 'ldap backend' appears to be outdated. Where can I find the current version of how to connect Samba using LDAP?
Obviously I remain unclear as to what the best way to accomplish authentication via Samba 4.1. Any pointers/clarifications would be greatly appreciated! This is on a FreeBSD 10.0 machine.
~Doug
More information about the samba
mailing list