[Samba] integrating samba with pam

L.P.H. van Belle belle at bazuin.nl
Mon Jul 3 11:28:24 UTC 2017

See below. 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Guido Lorenzutti via samba
> Verzonden: zaterdag 1 juli 2017 23:21
> Aan: Rowland Penny
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] integrating samba with pam
> >> I read that to join a squid proxy to the domain.
> >> But its a pain to have to install winbind on every unix I have just to be able to use the same credentials
> >> that the samba domain. Before samba4, i was able to use ldap. 
> Samba4 has a ldap like service. There should be a way to use that an ldapsearch, for example. And of course, pam_ldap.
> > 
> > You need to speak to Louis
> van Belle about squid, he is the expert.
Im no expert, but maybe I can help. ;-) 

> Everything its ok with the squid for the time being... im using kerberos only.
Great, you using kerberos already, so whats the problem? I dont get it, sorry. 

>> I have several barebone systems with the minimum of hardrive, ram, and utilities on the SO. 
>> Everything works great only with nslcd and pam_ldap and I have the same users and passwords that the Samba3+OpenLDAP DC.
>> Now in Samba4 it seems that its required to have winbind runnin ient and obviously a lot of dependencies... 
Not its not required, but very usefull for you keytab refresh.
And you can use exact the same setup (squid+ldap) against samba AD, 
you only need to make sure your setup has everything for ldaps or you need to lower your AD DC security. 
Once thats done, life is much more easy. 

> The nslcd uses ldap queries to have all the users,
> groups, etc, talking directly to the ldap server. If samba4 has a ldap
> like server, he has to had a way to query the service, to avoid using
> winbind on eeevery client. 
Thats a choice, i use winbind for my keytab refresh not for auth users, i dont use nslcd anywhere.
There i use kerberos with ldaps fallback auth. 
I just followed most of : http://wiki.squid-cache.org/ConfigExamples

> Well, for what you said, I must start to
> try to give it a go to winbind and hope it dosent need too much ram to
> run. 

My usage, System1 8GB ram, debian jessie, winbind 4.6.5, squid 3.5.24 ( own build )
cat /proc/$(ps x| grep winbind | head -n1| awk {'print $1'})/status  | grep Vm
VmPeak:   266608 kB
VmSize:   266548 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:     10220 kB
VmRSS:     10160 kB
VmData:      792 kB
VmStk:       132 kB
VmExe:      1092 kB
VmLib:     22376 kB
VmPTE:       528 kB
VmSwap:        0 kB

My usage, System2 8GB ram, debian stretch, winbind 4.6.5-3, squid 3.5.24 ( own build )
cat /proc/$(ps x| grep winbind | head -n1| awk {'print $1'})/status  | grep Vm
VmPeak:   274744 kB
VmSize:   274744 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:     10088 kB
VmRSS:     10028 kB
VmData:      780 kB
VmStk:       132 kB
VmExe:      1088 kB
VmLib:     24232 kB
VmPTE:       520 kB
VmSwap:        0 kB

> What do you want to authenticate to Samba ?
> Rowland 
> >
> Links:
> ------
> [1] mailto:guido at lorenzutti.com.ar
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



More information about the samba mailing list