[Samba] Authenticating against Samba 4 AD LDAP service
Konstantin Boyandin
lists at boyandin.info
Thu Sep 6 09:12:43 UTC 2018
Rowland Penny via samba wrote 2018-09-06 14:50:
> On Thu, 06 Sep 2018 12:47:02 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Rowland Penny via samba wrote 2018-09-05 16:10:
>> > However, are you sure you cannot use kerberos ?
>> > What are your existing services ?
>>
>> to name most important ones:
>>
>> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
>> - Shell (SSH) server (same, using nslcd)
>> - Apache 2.* LDAP authentication module
>> - Atlassian Confluence
>> - GitLab
>>
>
> I am positive that most of the above will work with kerberos
> authentication, the only exception is 'Mail server'. This is only
> because saying 'Mail server' is a bit like saying 'I have a computer',
> it could be anything, but whatever it is, you probably can use kerberos
> and if Dovecot is in the mix, you definitely can use kerberos.

Thanks for the reassurance. The mail server/SSH server are using pam_ldap
and nss_ldap to authenticate and get attributes from LDAP (via
nss_pam_ldapd CentOS package).

Basically, I have configured nslcd to get info from Samba4, according to
https://wiki.samba.org/index.php/Nslcd

The further questions are:

1. I have to add uidNumber/gidNumber manually per user/group, as said in
https://wiki.samba.org/index.php/Adding_users_with_samba_tool
Is it possible to do that in batch mode, as well (i.e. create a kind of
.ldif and update the sam.ldb with it)?

2. I have no luck setting up pam_ldap.conf to allow authentication
against Samba4. There are no visible hints in the Samba Wiki. I could only
guess I have to try Kerberos, perhaps, instead of pam_ldap.

Thanks.

Sincerely,
Konstantin