[Samba] integrating samba with pam

Guido Lorenzutti guido at lorenzutti.com.ar
Sat Jul 1 21:21:08 UTC 2017


On Sat, 1 Jul 2017 19:27:09 +0100, Rowland Penny via samba wrote:

> On Sat, 01 Jul 2017 14:19:13 -0300
> Guido Lorenzutti wrote:

We used to hide some information from our Windows group, to make ACLs
only in Unix groups. But well... I think we can start sharing that info
with the domain groups.

> You can do something very similar by using ACLs, create groups in AD,
> add RFC2307 attributes and add your Unix users to the groups. You can
> then make only members of these Unix groups be allowed access to a
> share.


>>> I read that to join a squid proxy to the domain.
>> But it's a pain to have to install winbind on every Unix I have just
>> to be able to use the same credentials as the Samba domain. Before
>> Samba4, I was able to use LDAP. Samba4 has an LDAP-like service.
>> There should be a way to use that and ldapsearch, for example. And of
>> course, pam_ldap.
> You need to speak to Louis van Belle about squid, he is the expert.

Everything is OK with squid for the time being... I'm using Kerberos
only.

I don't understand your problem with winbind, if you do use nslcd, you
will have to configure smb.conf, the nslcd conf file and run k5start to
ensure that Kerberos refreshes tickets. If yo> er with nslcd ? Just what
does nslcd give you that winbind doesn't ? I should also point out that
nslcd isn't supported by Samba.
> I have several barebone systems with the minimum of hard drive, RAM,
> and utilities on the OS. Everything works great only with nslcd and
> pam_ldap and I have the same users and passwords as the
> Samba3+OpenLDAP DC.
> Now in Samba4 it seems that it's required to have winbind runnin
> ient and obviously a lot of

nslcd uses LDAP queries to get all the users, groups, etc., talking
directly to the LDAP server. If Samba4 has an LDAP-like server, it has
to have a way to query the service, to avoid using winbind on every
client.

Well, from what you said, I must start to try to give winbind a go and
hope it doesn't need too much RAM to
What do you want to authenticate to Samba ?


