[Samba] nslcd samba 4.1 and FreeBSD 10

Doug Sampson dougs at dawnsign.com
Tue Oct 14 15:49:05 MDT 2014


> > We find that if we use the TDB backend instead of either RID or AD, we
> > are able to enumerate our AD users via getent. I cannot enumerate AD users
> > via either the AD or the RID backends. This doesn't strike me as a method
> > I want to use especially when the numerical users/groups mappings differ
> > between servers.
> You should be able to enumerate users with any backend, but if you use
> the ad backend, your users would need a uidNumber at least.

Noted. How do you go about the business of creating these uidNumbers? Manually? Do you have a system for implementing these numbers?

> > #map    passwd uid           cn
> > map    passwd uid           sAMAccountName
> > map    passwd uidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> > map    passwd gidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> > map    passwd homeDirectory "/home/$cn"
> > map    passwd gecos         displayName
> > map    passwd loginShell    "/bin/csh"
> > #filter group (|(objectClass=group)(objectClass=person))
> > filter group (objectClass=group)
> > map    group gidNumber      objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> >
> > The next question is how to authenticate AD users using samba 4.1. What
> > is the recommended method for authenticating AD users via samba 4.1 and
> > nslcd? Should I use the smbpasswd auth method, i.e. using the migrate
> > keyword to migrate auth info from the passwd/group files to the smbpasswd
> > database? Or should I use ldap using the same mappings that nslcd uses?
> 
> If you need to authenticate AD users, then the easiest way will probably
> be to run samba 4.1 as a DC.

I neglected to mention that I'm authenticating against two domain controllers in a Microsoft 2008R2 Active Directory domain. Samba AD is a no-go. What is the next easiest way?

~Doug
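The nslcd mappings quoted above derive uidNumber and gidNumber from the RID part of each object's objectSid, relative to the domain SID written after the colon. The following is an added illustration of what that derivation involves; it is not code from the original post, from nslcd or from Samba. It parses the binary objectSid as Active Directory returns it over LDAP, renders it in S-1-5-21-... form, checks that the SID really belongs to the configured domain (SIDs from a trusted domain or a well-known SID like S-1-5-32-544 would otherwise produce colliding ids), and returns the RID. The sample SID bytes and the domain SID S-1-5-21-1000-2000-3000 are constructed for the example. The optional base offset is a design choice of this example only, to keep derived ids clear of local system accounts; it is not a claim about what nslcd does.

```python
import struct

# Constructed sample: the binary objectSid Active Directory would return for
# S-1-5-21-1000-2000-3000-1105 (assumed values, not from the original post).
SAMPLE_OBJECTSID = bytes.fromhex(
    "01"            # revision
    "05"            # number of sub-authorities
    "000000000005"  # identifier authority (5 = NT Authority), big-endian
    "15000000"      # sub-authority 21, little-endian
    "e8030000"      # 1000
    "d0070000"      # 2000
    "b80b0000"      # 3000
    "51040000"      # 1105 -> the RID
)

# Constructed domain SID, standing in for the S-1-5-21-XXXXXXXXXX-... in the config.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"


def sid_to_string(raw):
    """Convert a binary SID (LDAP objectSid) to its S-R-I-S-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short: %d bytes" % len(raw))
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length %d does not match %d sub-authorities"
                         % (len(raw), count))
    # Identifier authority is 6 bytes big-endian; sub-authorities are
    # 32-bit little-endian integers.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_for_domain(sid, domain_sid):
    """Return the RID of sid if it belongs to domain_sid, else None.

    The prefix check includes the trailing '-', so S-1-5-21-1000-2000-30001-5
    is not mistaken for a member of S-1-5-21-1000-2000-3000.
    """
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    rest = sid[len(prefix):]
    if not rest.isdigit():
        return None
    return int(rest)


def derive_id(raw_objectsid, domain_sid, base=0):
    """Derive a numeric uid/gid from an objectSid value.

    Mirrors the idea behind 'map passwd uidNumber objectSid:<domain SID>':
    the id is the RID. `base` is this example's own optional offset (assumed,
    not an nslcd feature) so that low RIDs such as 500 (Administrator) or
    512 (Domain Admins) do not land on ids used by local system accounts.
    Returns None for SIDs outside the configured domain.
    """
    rid = rid_for_domain(sid_to_string(raw_objectsid), domain_sid)
    if rid is None:
        return None
    return base + rid


if __name__ == "__main__":
    sid = sid_to_string(SAMPLE_OBJECTSID)
    print("objectSid  :", sid)
    print("uidNumber  :", derive_id(SAMPLE_OBJECTSID, DOMAIN_SID))
    print("with offset:", derive_id(SAMPLE_OBJECTSID, DOMAIN_SID, base=10000))
    print("foreign SID:", derive_id(SAMPLE_OBJECTSID, "S-1-5-21-9-9-9"))
```

Because the id is a pure function of the SID, two servers pointed at the same domain SID derive the same numbers without any per-host state, which is the property the TDB backend lacks. Whatever scheme is chosen, the domain-prefix check is the part worth keeping: without it, the same numeric id can be handed to objects from different SID namespaces.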


More information about the samba mailing list