[Samba] Authenticating against Samba 4 AD LDAP service
lists at boyandin.info
Fri Sep 7 03:57:18 UTC 2018
Rowland Penny via samba писал 2018-09-06 16:59:
> On Thu, 06 Sep 2018 16:12:43 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>> Rowland Penny via samba wrote 2018-09-06 14:50:
>> > On Thu, 06 Sep 2018 12:47:02 +0700
>> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>> >> Rowland Penny via samba писал 2018-09-05 16:10:
>> >> > However, are you sure you cannot use kerberos ?
>> >> > What are your existing services ?
>> >> to name most important ones:
>> >> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
>> >> - Shell (SSH) server (same, using nslcd)
>> >> - Apache 2.* LDAP authentication module
>> >> - Atlassian Confluence
>> >> - GitLab
>> > I am positive that most of the above will work with kerberos
>> > authentication, the only exception is 'Mail server'. This is only
>> > because saying 'Mail server' is a bit like saying 'I have a
>> > computer', it could be anything, but whatever it is, you probably
>> > can use kerberos and if Dovecot is in the mix, you definitely can
>> > use kerberos.
>> Thanks for the reassuring. The mail server/SSH server are using
>> pam_ldap and nss_ldap to authenticate and get attributes from LDAP
>> (via nss_pam_ldapd CentOS package).
> You keep saying 'mail server', but what mail server ? What are its
> components ? are you using postfix ?, exim4 ? or something else. Does
> it use saslauthd, dovecot or something else
I thought I answered by mentioning PAM authentication.
Exim 4, using saslauthd (which still uses PAM to auth against
Dovecot, using PAM.
>> Basically, I have configured nslcd to get info from Samba4, according
>> The further questions are:
>> 1. I have to add uidNumber/gidNumber manually per user/group, as said
>> Is it possible to do that in batch mode, as well (i.e. create kind of
>> .ldif and update the sam.ldb with it)?
> Write a script around 'samba-tool user create'. You could extract the
> required data from a file (csv ?) and use this to create the users one
> by one.
Users and groups *has been* created (imported) by 'classic upgrade'.
What is missing is group memberships and uidNumber/gidNumber fields
(requried by nslcd).
So question is, is it possible to add attributes on per-item (user,
group) basis in batch mode (without doing that manually with ldbedit)?
Namely, mass add uidNumber/gidNumber attributes.
There can be cases when all the attributes must be changes/added/deleted
en masse, so I assume I am not the only one in need of batch altering
>> 2. I have no luck setting up pam_ldap.conf to allow authentication
>> against Samba4. There are no visible hints in Samba Wiki. I could
>> only guess I have to try Kerberos, perhaps, instead of pam_ldap.
> Are you using a DC as a fileserver ?
Yes. It's relatively small domain, so no performance penalty is
> This should work, but you will need to use nslcd or winbind or sssd
> You can, as you have found, use nslcd to extract rfc2307 attributes
> from AD, sssd works in a similar way, winbind only extracts the
> username & uidNumber.
Question is how to authenticate. Currently, PAM part authenticates
against Samba 3 domain, while NSS gets required attributes. That
satisfies all the Linux services.
On Samba 4, I wasted much time trying to make PAM authentication to
work. I will try using Kerberos for now (if it works along with nslcd, I
won't touch sssd, which, in my experience, is more a problem than a
More information about the samba