[Samba] nslcd samba 4.1 and FreeBSD 10
dougs at dawnsign.com
Tue Oct 14 15:49:05 MDT 2014
> > We find that if we use the TDB backend instead of either RID or AD, we
> > are able to enumerate our AD users via getent. I cannot enumerate AD users
> > via either the AD or the RID backends. This doesn't strike me as a method
> > I want to use especially when the numerical users/groups mappings differ
> > between servers.
> You should be able to enumerate users with any backend, but if you use
> the ad backend, your users would need a uidNumber at least.
Noted. How do you go about the business of creating these uidNumbers? Manually? Do you have a system for implementing these numbers?
> > #map passwd uid cn
> > map passwd uid sAMAccountName
> > map passwd uidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-
> > map passwd gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-
> > map passwd homeDirectory "/home/$cn"
> > map passwd gecos displayName
> > map passwd loginShell "/bin/csh"
> > #filter group (|(objectClass=group)(objectClass=person))
> > filter group (objectClass=group)
> > map group gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-
> > The next question is how to authenticate AD users using samba 4.1. What
> > is the recommended method for authenticating AD users via samba 4.1 and
> > nslcd? Should I use the smbpasswd auth method - i.e. using the migrate
> > keyword to migrate auth info from the passwd/group files to the smbpasswd
> > database? Or should I use ldap using the same mappings that nslcd uses?
> If you need to authenticate AD users, then the easiest way will probably
> be to run samba 4.1 as a DC.
I neglected to mention that I'm authenticating against two domain controllers in a Microsoft 2008R2 Active Directory domain. Samba AD is a no go. What is the next easiest way?
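
The `objectSid:` mappings quoted above derive numeric ids from the account's SID, which is why they come out the same on every host that uses the same domain SID. The following is an added illustration, not part of the original message and not nslcd's own code: it decodes a binary `objectSid` and takes the last sub-authority (the RID) as the id, on the assumption that this is how the mapping behaves. The function names, the domain SID and the RID are constructed, since the post redacts its own SID.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid (as AD returns it over LDAP) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])  # 32-bit each, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def rid_for_domain(raw: bytes, domain_sid: str) -> int:
    """Return the RID only if the SID belongs to domain_sid.

    Refusing other prefixes matters: two domains (or the BUILTIN
    authority) can reuse the same RID, which would collide as one uid.
    """
    sid = parse_sid(raw)
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:
        raise ValueError("SID %s is not in domain %s" % (sid, domain_sid))
    return int(rid)

def build_sid(domain_sid: str, rid: int) -> bytes:
    """Helper for constructing sample input: encode domain SID + RID as binary."""
    parts = domain_sid.split("-")
    subs = [int(p) for p in parts[3:]] + [rid]
    return (bytes([int(parts[1]), len(subs)])
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed values, not taken from the thread.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = build_sid(DOMAIN, 1104)

if __name__ == "__main__":
    print(parse_sid(SAMPLE), "->", rid_for_domain(SAMPLE, DOMAIN))
```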