[Samba] nslcd samba 4.1 and FreeBSD 10

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 15 01:55:17 MDT 2014


On 14/10/14 22:49, Doug Sampson wrote:
>>> We find that if we use the TDB backend instead of either RID or AD, we
>>> are able to enumerate our AD users via getent. I cannot enumerate AD users
>>> via either the AD or the RID backends. This doesn't strike me as a method
>>> I want to use especially when the numerical users/groups mappings differ
>>> between servers.
>> You should be able to enumerate users with any backend, but if you use
>> the ad backend, your users would need a uidNumber at least.
> Noted. How do you go about the business of creating these uidNumbers? Manually? Do you have a system for implementing these numbers?

I personally have a bash script that I wrote myself to add the required
rfc2307 attributes, and the next uidNumber & gidNumber are stored in the
samba4 AD in the attributes that Microsoft provides.

>
>>> #map    passwd uid           cn
>>> map    passwd uid           sAMAccountName
>>> map    passwd uidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
>>> map    passwd gidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
>>> map    passwd homeDirectory "/home/$cn"
>>> map    passwd gecos         displayName
>>> map    passwd loginShell    "/bin/csh"
>>> #filter group (|(objectClass=group)(objectClass=person))
>>> filter group (objectClass=group)
>>> map    group gidNumber      objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
>>> The next question is how to authenticate AD users using samba 4.1. What
>>> is the recommended method for authenticating AD users via samba 4.1 and
>>> nslcd? Should I use the smbpasswd auth method - i.e. using the migrate
>>> keyword to migrate auth info from the passwd/group files to the smbpasswd
>>> database? Or should I use ldap using the same mappings that nslcd uses?
>>
>> If you need to authenticate AD users, then the easiest way will probably
>> be to run samba 4.1 as a DC.
> I neglected to mention that I'm authenticating against two domain controllers in a Microsoft 2008R2 Active Directory domain. Samba AD is a no go. What is the next easiest way?
>
> ~Doug

OK, if you cannot get your Windows admins to add 'service for NIS'
(sometimes known as SFU) then your options are limited. You can forget
nslcd & the winbind ad backend; they both rely on the rfc2307 attributes
that 'SFU' provides. You will need to use something like sssd or the
winbind rid backend; both can create uids & gids from the user/group
RID. You posted that you could not get the winbind rid backend to work;
any chance of posting the smb.conf you used?

Rowland
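
An added example, not part of the original message or of Samba's code: how a RID-based mapping such as the winbind rid backend derives a Unix ID from an AD objectSid, using the formula documented in idmap_rid(8). Because the result is computed rather than allocated, every server configured with the same range gets the same number. The domain SID, the RID 1105, the range 10000-999999 and the function names are constructed for illustration.

```python
import struct

# Constructed sample values (not from the thread): a made-up domain SID and a
# user with RID 1105, encoded the way AD returns objectSid over LDAP.
SAMPLE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_RAW = (b"\x01\x05" + (5).to_bytes(6, "big")
              + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1105))


def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def rid_to_unix_id(sid, domain_sid, low, high, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID."""
    domain, _, rid = sid.rpartition("-")
    if domain != domain_sid:
        raise ValueError("SID is not in the configured domain")
    unix_id = int(rid) - base_rid + low
    if not low <= unix_id <= high:
        # Assumption of this example: treat an out-of-range result as an error.
        raise ValueError("ID %d falls outside range %d-%d" % (unix_id, low, high))
    return unix_id


if __name__ == "__main__":
    sid = parse_sid(SAMPLE_RAW)
    # Range 10000-999999 is an assumed "idmap config DOMAIN : range" value.
    print(sid, "->", rid_to_unix_id(sid, SAMPLE_DOMAIN, 10000, 999999))
```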

