[Samba] SSH SSO without keytab file

Rowland Penny rpenny at samba.org
Fri Jan 18 09:28:42 UTC 2019


On Fri, 18 Jan 2019 09:15:18 +0000
Harpoon via samba <samba at lists.samba.org> wrote:

> > ............
> >
> > > You can, provided you have a user.map in smb.conf
> >
> > Oops, ah yes, forgot that, because he was testing on the DC.
> > And DCs don't use the user mapping.
> >
> > Thanks for the correction.
> 
> With regard to tdb idmap, I set this parameter on the domain member.
> Domain controller has no such parameter set.

Yes, but just setting this isn't a supported method; you also need to
set an 'idmap config' block for the domain, and this isn't optional.
The actual winbind backend you use is up to you, but the two most
popular are 'ad' and 'rid'. The former requires adding uidNumber &
gidNumber attributes to AD, but would give you the same IDs everywhere
(plus all the other rfc2307 attributes). The latter doesn't require
adding anything to AD, but you will only get the same IDs on Unix
domain members: the DCs will have totally different ID numbers, and
they can (and probably will) be different between DCs. You will also
have to use template shell & homedir lines in smb.conf.

Rowland
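As an added illustration (not part of Rowland's message and not Samba's own tooling), the following Python script embeds three constructed domain-member smb.conf fragments: the tdb-only setup the thread is about, and corrected versions with a 'rid' and an 'ad' block for the domain, together with a small checker that applies the rules above (domain block present, ranges set, template lines for 'rid'). The domain name SAMDOM, the realm, the ID ranges and the template paths are assumptions chosen for the example.

```python
"""Check a Samba domain member's smb.conf for a usable winbind idmap setup."""
import re

# Constructed sample: the incomplete member configuration discussed in the
# thread. Only the default '*' block (BUILTIN and well-known SIDs) is set;
# there is no 'idmap config' block for the domain itself.
INCOMPLETE_MEMBER_CONF = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
"""

# Constructed sample: corrected with the 'rid' backend. Nothing is stored in
# AD, so shell and home directory must come from template lines; IDs will
# differ from the DCs'. The domain range must not overlap the '*' range.
RID_MEMBER_CONF = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U
"""

# Constructed sample: corrected with the 'ad' backend. uidNumber/gidNumber
# (rfc2307 attributes) must be populated in AD for every user and group
# that should be visible; users without them get no ID on the member.
AD_MEMBER_CONF = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    winbind nss info = rfc2307
"""


def parse_global(text):
    """Parse the [global] section of smb.conf-style text into a dict.

    Keys are lower-cased, whitespace is collapsed and spaces around ':' are
    removed, so 'idmap config SAMDOM : backend' becomes
    'idmap config samdom:backend'. A later duplicate overrides an earlier one.
    """
    params = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if not in_global or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))
        params[key] = value.strip()
    return params


def check_member_idmap(text):
    """Return a list of problems with a member's idmap configuration ([] if none)."""
    p = parse_global(text)
    problems = []
    if p.get("security", "").lower() != "ads":
        problems.append("security must be ADS on a domain member")
    domain = p.get("workgroup", "").lower()
    if not domain:
        problems.append("workgroup (the NetBIOS domain name) is not set")
        return problems
    # The '*' block is still required, but it only covers BUILTIN and other
    # well-known SIDs; it does not map the domain's own users and groups.
    for key in ("idmap config *:backend", "idmap config *:range"):
        if key not in p:
            problems.append(f"missing '{key}' (default/BUILTIN mapping)")
    backend = p.get(f"idmap config {domain}:backend", "").lower()
    if not backend:
        problems.append(
            f"no 'idmap config {domain.upper()} : backend' block; "
            "relying on the '*' tdb mapping alone is unsupported")
        return problems
    if f"idmap config {domain}:range" not in p:
        problems.append(f"missing 'idmap config {domain.upper()} : range'")
    if backend == "rid":
        # rid allocates IDs from the SID alone, so login shell and home
        # directory cannot come from AD and must be given as templates.
        for key in ("template shell", "template homedir"):
            if key not in p:
                problems.append(f"backend 'rid' needs '{key}'")
    return problems


if __name__ == "__main__":
    for name, conf in (("incomplete", INCOMPLETE_MEMBER_CONF),
                       ("rid", RID_MEMBER_CONF), ("ad", AD_MEMBER_CONF)):
        print(name, check_member_idmap(conf) or "ok")
```

Samba's own `testparm` validates the syntax of smb.conf but does not tell you that the domain block is missing; the checker above encodes that requirement, which is why a tdb-only member passes `testparm` yet still gets flagged here.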
