[Samba] integrating samba with pam

Rowland Penny rpenny at samba.org
Sat Jul 1 21:58:31 UTC 2017

On Sat, 01 Jul 2017 18:21:08 -0300
Guido Lorenzutti <guido at lorenzutti.com.ar> wrote:

> On Sat, 1 Jul 2017 19:27:09 +0100, Rowland Penny via samba wrote:
> > On Sat, 01 Jul 2017 14:19:13 -0300
> > Guido Lorenzutti wrote:
> > 
> We used to hide some information from our Windows group, to make ACLs
> only in Unix groups. But well... I think we can start sharing that info
> with the domain groups.
> > 
> > You can do something very similar by using ACLs, create groups in AD,
> > add RFC2307 attributes and add your Unix users to the groups. You can
> > then make only members of these Unix groups be allowed access to a
> > share.
> 
> Great.
> 
> > > > I read that to join a squid proxy to the domain.
> > > But it's a pain to have to install winbind on every Unix I have just
> > > to be able to use the same credentials as the Samba domain. Before
> > > Samba4, I was able to use LDAP. Samba4 has an LDAP-like service. There
> > > should be a way to use that with an ldapsearch, for example. And of
> > > course, pam_ldap.
> > 
> > You need to speak to Louis van Belle about squid, he is the expert.
> 
> Everything is ok with the squid for the time being... I'm using Kerberos
> only.
> 
> I don't understand your problem with winbind, if you do use nslcd, you
> will have to configure smb.conf, the nslcd conf file and run k5start to
> ensure that Kerberos refreshes tickets. If yo> er with nslcd ? Just what
> does nslcd give you that winbind doesn't ? I should also point out that
> nslcd isn't supported by Samba.
> > 
> > I have several barebone systems with the minimum of hard drive, RAM,
> > and utilities on the SO. Everything works great only with nslcd and
> > pam_ldap and I have the same users and passwords as the Samba3+OpenLDAP
> > DC.
> > 
> > Now in Samba4 it seems that it's required to have winbind runnin
> > ient and obviously a lot of dependencies...
> 
> The nslcd uses LDAP queries to have all the users, groups, etc, talking
> directly to the LDAP server. If Samba4 has an LDAP-like server, it has to
> have a way to query the service, to avoid using winbind on eeevery
> client.
> 
> Well, for what you said, I must start to try to give winbind a go and
> hope it doesn't need too much RAM to run.

If you want Samba to talk to an AD DC, then you need winbind installed;
you do not need to run it, it just needs to be installed.

You can use nslcd or sssd if you want, but neither is supported by
Samba; sssd also has its own implementation of a winbind lib.

So, as winbind is installed, you should use it; if you don't, you are
on your own as far as Samba is concerned.

You can run a Samba AD DC on an rpi2, this only has 512k memory, so
running a Unix domain member on whatever computers you have, shouldn't
be a problem.
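As an added example (not part of this thread and not Samba project code), a minimal smb.conf for a Unix domain member that follows the advice above: winbind with the ad idmap backend reading the RFC2307 attributes set in AD, and a share restricted to a Unix group defined in AD. SAMDOM, samdom.example.com, the idmap ranges, the share path and the group name unixadmins are placeholders to replace with your own.

```ini
[global]
    # Placeholder domain names; replace with your own.
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS

    # Default backend: only for BUILTIN and any domain not listed below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Read uidNumber/gidNumber from the RFC2307 attributes stored in AD,
    # so every member and the DC see identical IDs (no local allocation).
    # Users or groups without these attributes stay unmapped.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

    # Shell and home directory also come from the RFC2307 attributes.
    winbind nss info = rfc2307
    # Let "user" work without the DOMAIN\ prefix on this member.
    winbind use default domain = yes
    # winbind renews the Kerberos ticket itself; no k5start needed.
    winbind refresh tickets = yes

[unixshare]
    path = /srv/unixshare
    read only = no
    # Only members of the AD group "unixadmins" (which carries a
    # gidNumber) may connect; everyone else is refused at share level.
    valid users = @unixadmins
```

This assumes winbind is listed in /etc/nsswitch.conf (`passwd: files winbind` and `group: files winbind`) and the host has been joined with `net ads join`; `getent group unixadmins` then confirms the group resolves before you rely on `valid users`.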

