[Samba] Authenticating against Samba 4 AD LDAP service
rpenny at samba.org
Thu Sep 6 09:59:15 UTC 2018
On Thu, 06 Sep 2018 16:12:43 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> Rowland Penny via samba wrote 2018-09-06 14:50:
> > On Thu, 06 Sep 2018 12:47:02 +0700
> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> >> Rowland Penny via samba wrote 2018-09-05 16:10:
> >> > However, are you sure you cannot use kerberos ?
> >> > What are your existing services ?
> >> to name most important ones:
> >> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
> >> - Shell (SSH) server (same, using nslcd)
> >> - Apache 2.* LDAP authentication module
> >> - Atlassian Confluence
> >> - GitLab
> > I am positive that most of the above will work with kerberos
> > authentication, the only exception is 'Mail server'. This is only
> > because saying 'Mail server' is a bit like saying 'I have a
> > computer', it could be anything, but whatever it is, you probably
> > can use kerberos and if Dovecot is in the mix, you definitely can
> > use kerberos.
> Thanks for the reassurance. The mail server/SSH server are using
> pam_ldap and nss_ldap to authenticate and get attributes from LDAP
> (via nss_pam_ldapd CentOS package).
You keep saying 'mail server', but what mail server? What are its
components? Are you using postfix, exim4 or something else? Does
it use saslauthd, dovecot or something else?
> Basically, I have configured nslcd to get info from Samba4, according
> The further questions are:
> 1. I have to add uidNumber/gidNumber manually per user/group, as said
> Is it possible to do that in batch mode, as well (i.e. create kind of
> .ldif and update the sam.ldb with it)?
Write a script around 'samba-tool user create'. You could extract the
required data from a file (CSV?) and use this to create the users one
> 2. I have no luck setting up pam_ldap.conf to allow authentication
> against Samba4. There are no visible hints in Samba Wiki. I could
> only guess I have to try Kerberos, perhaps, instead of pam_ldap.
Are you using a DC as a fileserver?
This should work, but you will need to use nslcd or winbind or sssd.
You can, as you have found, use nslcd to extract rfc2307 attributes
from AD, sssd works in a similar way, winbind only extracts the
username & uidNumber.
A Unix domain member only needs winbind, here it can do virtually what
the others do and for what it cannot do, there are workarounds.
More information about the samba
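The batch route suggested above (a script around 'samba-tool user create' fed from a CSV) and the poster's ".ldif into sam.ldb" idea, as an added example that is not code from the Samba project or from anyone in this thread. It assumes a hypothetical CSV layout (username,givenName,surname,uidNumber,gidNumber,loginShell,unixHome), placeholder values for NIS_DOMAIN and BASE_DN, a site policy that AD uidNumbers start at 10000, and that an existing user's object sits in CN=Users with CN equal to the username; all of these are assumptions to adjust, not facts from the page. It defaults to dry-run mode so the generated commands can be reviewed before anything touches the DC.

```shell
#!/bin/sh
# Added example (not code from the Samba project or from this thread):
# batch-create AD users with RFC2307 attributes by wrapping
# 'samba-tool user create', one row per user from a CSV file, and emit
# LDIF for users that already exist. Assumed (hypothetical) CSV layout:
#   username,givenName,surname,uidNumber,gidNumber,loginShell,unixHome
# Blank lines and lines starting with '#' are skipped.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"          # path to samba-tool on the DC
NIS_DOMAIN="${NIS_DOMAIN:-example}"             # assumed NIS domain, set to yours
BASE_DN="${BASE_DN:-DC=example,DC=com}"         # assumed base DN, set to yours
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands, 0 = execute

# validate_row USER UID GID: reject rows that would build a malformed command
# or hand out a reserved id. Returns 0 when the row is acceptable.
validate_row() {
    user="$1"; uid="$2"; gid="$3"
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "rejected: bad username '$user'" >&2; return 1 ;;
    esac
    case "$uid" in ''|*[!0-9]*) echo "rejected: bad uidNumber '$uid' for $user" >&2; return 1 ;; esac
    case "$gid" in ''|*[!0-9]*) echo "rejected: bad gidNumber '$gid' for $user" >&2; return 1 ;; esac
    # Assumed site policy: keep AD uids out of the local/system range.
    [ "$uid" -ge 10000 ] || { echo "rejected: uidNumber $uid for $user below 10000" >&2; return 1; }
    return 0
}

# run_or_echo CMD ARGS...: print the argv in dry-run mode, else execute it.
# Arguments are passed as a real argv, never through a shell string, so
# names containing spaces or quotes cannot alter the command.
run_or_echo() {
    if [ "$DRY_RUN" = 1 ]; then
        out=""
        for a in "$@"; do out="$out${out:+ }$a"; done
        printf '%s\n' "$out"
    else
        "$@"
    fi
}

# create_user USER GIVEN SURNAME UID GID [SHELL] [HOME]
# Uses --random-password so no passwords live in the CSV; the user has to
# set one at first logon.
create_user() {
    user="$1"; given="$2"; sn="$3"; uid="$4"; gid="$5"; shell="$6"; home="$7"
    validate_row "$user" "$uid" "$gid" || return 1
    run_or_echo "$SAMBA_TOOL" user create "$user" \
        --random-password --must-change-at-next-login \
        --given-name="$given" --surname="$sn" \
        --uid-number="$uid" --gid-number="$gid" --nis-domain="$NIS_DOMAIN" \
        --login-shell="${shell:-/bin/bash}" --unix-home="${home:-/home/$user}"
}

# rfc2307_ldif USER UID GID [SHELL] [HOME]: LDIF that sets the RFC2307
# attributes of an EXISTING user (the ".ldif into sam.ldb" route), for
# 'ldbmodify -H <path to the DC's sam.ldb>'. Assumes the object sits in
# CN=Users with CN equal to the username; check the real DN first with
# 'samba-tool user show'.
rfc2307_ldif() {
    user="$1"; uid="$2"; gid="$3"; shell="$4"; home="$5"
    validate_row "$user" "$uid" "$gid" || return 1
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\n' "$user" "$BASE_DN"
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uid"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$gid"
    printf 'replace: loginShell\nloginShell: %s\n-\n' "${shell:-/bin/bash}"
    printf 'replace: unixHomeDirectory\nunixHomeDirectory: %s\n\n' "${home:-/home/$user}"
}

# import_users CSV: create every row, count successes and rejects; returns
# non-zero if any row was rejected so a cron job or CI step notices.
import_users() {
    csv="$1"; ok=0; bad=0
    while IFS=, read -r user given sn uid gid shell home; do
        case "$user" in ''|'#'*) continue ;; esac
        if create_user "$user" "$given" "$sn" "$uid" "$gid" "$shell" "$home"; then
            ok=$((ok + 1))
        else
            bad=$((bad + 1))
        fi
    done < "$csv"
    echo "created=$ok rejected=$bad" >&2
    [ "$bad" -eq 0 ]
}

# Usage: DRY_RUN=0 NIS_DOMAIN=SAMDOM sh import_users.sh users.csv
if [ "$#" -ge 1 ]; then
    import_users "$1"
fi
```

Run it on the DC with DRY_RUN=1 first and read the printed commands; only then set DRY_RUN=0. Create the groups beforehand ('samba-tool group add' takes --gid-number as well) so every gidNumber in the CSV refers to an existing group, and keep the uidNumber/gidNumber range clear of the idmap ranges configured for winbind on your domain members, otherwise the same user can map to two different Unix ids depending on which machine resolves it. For the "domain member only needs winbind" route mentioned above, it is the 'idmap config DOMAIN : backend = ad' setting with 'schema_mode = rfc2307' that makes winbind read these uidNumber/gidNumber values instead of allocating its own.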