[Samba] nslcd samba 4.1 and FreeBSD 10

Rowland Penny rowlandpenny at googlemail.com
Tue Oct 14 13:57:59 MDT 2014


On 14/10/14 20:20, Doug Sampson wrote:
> Hello list-
>
> As a FreeBSD shop we've used Samba 3.x quite well for a couple years. With version 3.6 due to expire in due time, we've been experimenting with version 4.1 using winbindd with very limited success.

Hi, yes you are right, 3.6 will reach EOL very soon; it is supposed to 
be when 4.2 is released, which could be tomorrow ;-) but then again it 
could be another RC. But you should be able to do anything with 4.1 that 
you did with 3.6; it is based on the same code.

> We find that if we use the TDB backend instead of either RID or AD, we are able to enumerate our AD users via getent. I cannot enumerate AD users via either the AD or the RID backends. This doesn't strike me as a method I want to use especially when the numerical users/groups mappings differ between servers.
You should be able to enumerate users with any backend, but if you use 
the ad backend, your users would need a uidNumber at least.

>
> I saw a posting where it was recommended that FreeBSD sysadmins use either nslcd or sssd in order to enumerate AD users. After a period of experimentation, I can enumerate AD users successfully via nslcd (using bindpw) using the getent command. I can ssh into a FreeBSD box with my AD user credentials! The nslcd mappings are as follows:
>
> # Alternative mappings for Active Directory
> # (replace the SIDs in the objectSid mappings with the value for your domain)
> pagesize 1000
> referrals off
> #idle_timelimit 800
> filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
You could use (&(objectClass=user)(!(objectClass=computer))) or 
(&(objectClass=person)(!(objectClass=computer))), both would work, it's 
the not being a computer part that is important.

> #map    passwd uid           cn
> map    passwd uid           sAMAccountName
> map    passwd uidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> map    passwd gidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> map    passwd homeDirectory "/home/$cn"
> map    passwd gecos         displayName
> map    passwd loginShell    "/bin/csh"
> #filter group (|(objectClass=group)(objectClass=person))
> filter group (objectClass=group)
> map    group gidNumber      objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
>
> The next question is how to authenticate AD users using samba 4.1. What is the recommended method for authenticating AD users via samba 4.1 and nslcd? Should I use the smbpasswd auth method (i.e. using the migrate keyword to migrate auth info from the passwd/group files to the smbpasswd database)? Or should I use ldap using the same mappings that nslcd uses?

If you need to authenticate AD users, then the easiest way will probably 
be to run samba 4.1 as a DC.

Rowland

>
> If it is suggested that smbpasswd be used, which PAM policy should I use for Samba user authentication? The default FreeBSD implementation does not offer a policy for the Samba service. Here are the default policies:
>
> root at cache:/home# ll /etc/pam.d/
> total 64
> -r--r--r--  1 root  wheel  2911 Jan 16  2014 README
> -rw-r--r--  1 root  wheel   322 Jan 16  2014 atrun
> -rw-r--r--  1 root  wheel   199 Jan 16  2014 cron
> -rw-r--r--  2 root  wheel   531 Jan 16  2014 ftp
> -rw-r--r--  2 root  wheel   531 Jan 16  2014 ftpd
> -rw-r--r--  1 root  wheel   365 Jan 16  2014 imap
> -rw-r--r--  1 root  wheel   588 Oct 10 12:16 login
> -rw-r--r--  1 root  wheel   907 Oct 10 11:12 other
> -rw-r--r--  1 root  wheel   318 Jan 16  2014 passwd
> -rw-r--r--  1 root  wheel   365 Jan 16  2014 pop3
> -rw-r--r--  1 root  wheel   328 Jan 16  2014 rsh
> -rw-r--r--  1 root  wheel   884 Oct 10 13:46 sshd
> -rw-r--r--  1 root  wheel   384 Jan 16  2014 su
> -rw-r--r--  1 root  wheel   714 Jan 16  2014 system
> -rw-r--r--  1 root  wheel   764 Jan 16  2014 telnetd
> -rw-r--r--  1 root  wheel   529 Jan 16  2014 xdm
> root at cache:/home#
>
> Which one of these policies should be used for Samba?
>
> If it is suggested to use LDAP, I am finding that this link:
>
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607186
>
> may be outdated. The use of 'ldap backend' appears to be outdated. Where can I find the current version of how to connect Samba using LDAP?
>
> Obviously I remain unclear as to what the best way to accomplish authentication via Samba 4.1 is. Any pointers/clarifications would be greatly appreciated! This is on a FreeBSD 10.0 machine.
>
> ~Doug
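The `map passwd uidNumber objectSid:S-1-5-21-...` lines in the quoted nslcd.conf derive the numeric id from the RID (the last sub-authority) of the user's binary objectSid, once its prefix matches the configured domain SID. The following is an added example, not code from this thread or from nslcd itself: it decodes the binary objectSid format AD stores, applies that domain-prefix check, and returns the RID, so you can see why this mapping yields the same uidNumber on every server that uses the same domain SID. The SID values are constructed for the example.

```python
import struct


def string_to_sid(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...) into the binary form AD stores."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    # identifier authority, then N little-endian 32-bit sub-authorities
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid into its textual S-1-5-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_id(raw: bytes, domain_sid: str):
    """Model the 'objectSid:<domain SID>' mapping: return the RID as the
    numeric id when the SID belongs to the configured domain, else None
    (an entry whose SID is from another domain, or a well-known SID such as
    BUILTIN, gets no id and is therefore not exposed via getent)."""
    sid = sid_to_string(raw)
    prefix = domain_sid.rstrip("-") + "-"
    if not sid.startswith(prefix):
        return None
    rid = sid[len(prefix):]
    if not rid.isdigit():          # more than one trailing sub-authority
        return None
    return int(rid)


# Constructed sample: a user with RID 1105 in a made-up domain.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
SAMPLE_USER_SID = string_to_sid(DOMAIN_SID + "-1105")

if __name__ == "__main__":
    print(sid_to_string(SAMPLE_USER_SID), "->", sid_to_id(SAMPLE_USER_SID, DOMAIN_SID))
```

Because `map passwd gidNumber objectSid:...` is applied to the user entry's own objectSid, the user's primary gid becomes the user's own RID rather than the RID of its primaryGroupID; check that this matches what you want before relying on group membership for access control.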
