[Samba] LDAP + Samba4(AD) + SSH

Rowland Penny rowlandpenny241155 at gmail.com
Mon Aug 24 14:26:59 UTC 2015


On 24/08/15 15:09, Guilherme Boing wrote:
> Hey,
>
> By "through LDAP" I meant that our linux servers would look for the 
> users using pam_ldap.
>
> Anyway, I was able to "fix" this by mapping gidNumber to gidNumber 
> instead of primaryGroupID on nslcd.conf.
>
> $ id
> uid=10000(Guilherme) gid=10001(it) grupos=10001(it)
>
>
> On Fri, Aug 21, 2015 at 4:28 PM, Rowland Penny 
> <rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at gmail.com>> 
> wrote:
>
>     On 21/08/15 20:08, Guilherme Boing wrote:
>
>         Hello,
>
>         I want my domain users to be able to connect to our linux
>         servers using
>         their AD username through LDAP.
>
>
>     What do you mean 'through LDAP' ?
>
>
>         I am using nslcd and pam_ldap to do so, but I am having a
>         hard time
>         trying to figure out why the GID is not working properly.
>
>         # getent passwd Guilherme
>         Guilherme:*:10000:*513*:Guilherme:/home/Guilherme:/bin/bash
>
>         # getent group|grep 513
>
>         # id Guilherme
>         uid=10000(Guilherme) gid=513 grupos=513,10001(it),10000(Domain
>         Users)
>
>         /etc/nslcd.conf: (bind not included)
>         filter  passwd  (objectClass=user)
>         filter  group   (objectClass=group)
>
>         map     passwd  uid                sAMAccountName
>         map     passwd  homeDirectory      unixHomeDirectory
>         map     passwd  gecos              displayName
>         map     passwd  gidNumber          primaryGroupID
>         map     group   uniqueMember       member
>
>         I know that 513 should mean "Domain Users" from ADUC. However,
>         "Domain
>         Users" has the "UNIX Attributes" configuration of GID=10000.
>
>
>     How do you 'know' 513 should mean "Domain Users" ?
>     513 is the RID of "Domain Users" and by your own admission "Domain
>     Users" has the gidNumber of 10000
>     RID does not necessarily equal gidNumber
>
>
>         # getent group|grep 10000
>         Domain Users:*:10000:
>
>         Should I change the UNIX Attributes ID of Domain Users to 513 ?
>         What am I doing wrong ?
>
>         Thanks
>
>
>     You can if you so wish, but you will need to 'chgrp' anything
>     stored on Unix owned by the "Domain Users" group.
>
>     Rowland
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>

You don't need to use any external packages such as nslcd; you can get 
exactly the same result using winbind (and yes, I know about sssd as well).

Rowland
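The symptom in the thread (a primary GID of 513, the RID of "Domain Users", that no group line resolves) is easy to check for across a whole host once nslcd or winbind is in place. The script below is an added example, not code from the thread or from the Samba project: it audits passwd data against group data and prints every user whose primary GID has no matching group. The sample entries are constructed to reproduce the thread's broken case (gidNumber mapped to primaryGroupID) next to a correct one (gidNumber mapped to gidNumber); on a live host you would feed it the output of `getent passwd` and `getent group` instead. Note that an unresolved GID is not the only risk of mapping primaryGroupID: a RID used as a Unix GID can also happen to equal a local group in /etc/group, which this check does not look for.

```shell
#!/bin/sh
# Added example (not from the Samba list thread): find users whose primary
# GID does not resolve to any group, the symptom seen when nslcd maps
# gidNumber to primaryGroupID (a RID such as 513) rather than to gidNumber.

# Constructed sample data in the format `getent passwd` / `getent group` emit.
# Guilherme carries the broken mapping (gid 513 has no group line);
# alice shows the result after mapping gidNumber to gidNumber.
SAMPLE_PASSWD='Guilherme:*:10000:513:Guilherme:/home/Guilherme:/bin/bash
alice:*:10001:10001:Alice:/home/alice:/bin/bash
root:x:0:0:root:/root:/bin/bash'

SAMPLE_GROUP='Domain Users:*:10000:
it:*:10001:Guilherme
root:x:0:'

# unresolved_primary_gids PASSWD_DATA GROUP_DATA
# Prints "user:gid" for every passwd entry whose gid has no group line.
unresolved_primary_gids() {
    passwd_data=$1
    group_data=$2
    printf '%s\n' "$passwd_data" | while IFS=: read -r user pw uid gid rest; do
        # Look for a group line whose third field equals this user's gid.
        if ! printf '%s\n' "$group_data" |
             awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }'; then
            printf '%s:%s\n' "$user" "$gid"
        fi
    done
}

# Run against the constructed sample; on a real host use
#   unresolved_primary_gids "$(getent passwd)" "$(getent group)"
unresolved_primary_gids "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Any line this prints is a user who will own files under a GID that `ls -l` cannot name and that no `getent group` lookup will explain; after switching the nslcd mapping (or moving to winbind, as suggested above) the list should be empty.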
