[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 20 11:29:57 MDT 2015


On 20/04/15 17:45, john wrote:
>
>
>
>     Is this wheezy ? if so, it might be an idea to use backports, this
>     will get you 4.1.17 which is still in development, 3.6 is now EOL
>

OK, I understand a bit better where your problems lie. I would still use 
backports, supported code is (hopefully) better code :-)

>
>
> I'd be willing to do that if it got me support for UPN names (see below)
>
>
>         I installed NSLCD to allow users in AD to authenticate against
>         my linux
>         server per
>         https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>
>
>     Why use nlscd ? why not use winbind, see:
>     https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
>
> My impression from this thread 
> https://lists.samba.org/archive/samba/2014-May/181372.html
>
>  is that Winbind doesn't support UPN names. This was my lame-brain 
> attempt to "work around" that issue.

I use winbind and using the UPN seems to work for smbclient:

smbclient \\\\xp.example.com\\shared -Urowland@example.com
Enter rowland@example.com's password:
Domain=[EXAMPLE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \>

Is this the way you mean ?

Rowland
>
>         getent passwd and getent group returns domain users with UID
>         mappings like:
>
>         tempuser@vanguard.mydomain.org:*:16043:16043:temp user:/home/VANGUARD/tempuser:/bin/bash
>
>
>     Well, that's wrong for a start, you seem to be getting the user's
>     principal name, it should look like:
>
>  I need to support UPN names for my scheme to work.
>
>
>
>         Those same users can log into the linux box with their domain
>         credentials
>         via ssh and create files owned by them
>
>         However I can't figure out how to configure Samba to allow
>         these same users
>         to access a samba file share via a windows 7 client. I thought
>         that Samba
>         would check /etc/nsswitch.conf like other services and use
>         ldap just like
>         ssh would.
>
>
>     No, this is down to whatever you are using for authentication. Can
>     you post your smb.conf ?
>
>
>
>
> Here is my non-working smb.conf file for reference.
>
> Thanks for your help.
>
> John
>
> [global]
>     workgroup = VANGUARD
>     server string = sserve
>     passdb backend = ldapsam:ldap://kram.vanguard.mydomain.org
>     username map = /etc/samba/smbusers
>     syslog = 0
>     log file = /var/log/samba/%m
>     smb ports = 139 445
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     name cache timeout = 3600
>     max stat cache size = 16384
>     domain logons = Yes
>     preferred master = Auto
>     domain master = No
>     wins support = Yes
>     ldap idmap suffix = ou=Idmap
>     idmap config * : range = 10000-200000
>     ldapsam:trusted = yes
>     idmap config * : backend = ldap:ldap://kram.vanguard.mydomain.org
>     map acl inherit = Yes
>
> [ALLSTUDENTS]
>     path = /home/ALLSTUDENTS
>     admin users = "@VANGUARD\domain admins"
>     read only = No
>     create mask = 0700
>     directory mask = 0700
>     delete readonly = Yes
>
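The [global] section John posted is the NT4-style ldapsam PDC layout (passdb backend = ldapsam, domain logons = Yes), not the AD member layout the wiki page Rowland linked describes (security = ADS, realm, per-domain idmap config). As an added check, not from the thread or the Samba project, here is a POSIX shell script that parses [global] and reports which way a file points; both sample configs are constructed, the first from John's posted values and the second with a made-up realm:

```shell
# Added example (not from the thread): tell an NT4-style ldapsam PDC smb.conf (passdb
# backend = ldapsam, domain logons = yes) from an AD member one (security = ADS, realm, idmap).
# global_param FILE KEY: KEY's value from [global]; key match ignores case and spaces around ':'
global_param() {
    awk -v key="$2" '
        function norm(s) {
            gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]*:[ \t]*/, ":", s)
            gsub(/[ \t]+/, " ", s); return tolower(s)
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (norm($0) == "[global]"); next }
        insec && /=/ {
            k = $0; sub(/=.*/, "", k); v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (norm(k) == norm(key)) { print v; exit }
        }' "$1"
}
# check_smbconf FILE: 0 if it looks like an AD member config, else 1 plus findings
check_smbconf() {
    f=$1; rc=0; wg=$(global_param "$f" workgroup)
    case "$(global_param "$f" "passdb backend")" in
        ldapsam*) echo "NT4-style: passdb backend = ldapsam (PDC, not AD member)"; rc=1 ;; esac
    case "$(global_param "$f" "domain logons" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo "NT4-style: domain logons = yes (this host acts as a PDC)"; rc=1 ;; esac
    [ "$(global_param "$f" security | tr 'A-Z' 'a-z')" = ads ] || { echo "MISSING: security = ADS"; rc=1; }
    [ -n "$(global_param "$f" realm)" ] || { echo "MISSING: realm = <AD DNS domain>"; rc=1; }
    [ -n "$(global_param "$f" "idmap config $wg : backend")" ] || { echo "MISSING: idmap config $wg : backend"; rc=1; }
    return $rc
}
# Constructed samples: the first mirrors the [global] John posted, the second has the
# shape of an AD member config (the wiki page Rowland linked); the realm value is made up.
NT4_CONF=$(mktemp); AD_CONF=$(mktemp)
cat >"$NT4_CONF" <<'EOF'
[global]
    workgroup = VANGUARD
    passdb backend = ldapsam:ldap://kram.vanguard.mydomain.org
    domain logons = Yes
    idmap config * : backend = ldap:ldap://kram.vanguard.mydomain.org
EOF
cat >"$AD_CONF" <<'EOF'
[global]
    workgroup = VANGUARD
    realm = VANGUARD.MYDOMAIN.ORG
    security = ADS
    idmap config VANGUARD:backend = rid
EOF
for c in "$NT4_CONF" "$AD_CONF"; do
    echo "== $c"; check_smbconf "$c" && echo "looks like an AD member config"
done
```

Point it at a real /etc/samba/smb.conf with `check_smbconf /etc/samba/smb.conf`; it only reads the file.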