[Samba] Samba as AD member & without winbind...
rpenny at samba.org
Fri Oct 30 10:30:02 UTC 2020
On 30/10/2020 10:09, Thomas Besser via samba wrote:
> On 30.10.20 at 10:57, Rowland penny via samba wrote:
>> On 30/10/2020 09:20, Thomas Besser via samba wrote:
>>> Actually we are running samba 4.5.16 under Devuan 2.0 (Ascii) as an AD
>>> member without winbind configured. UID and GID information comes
>>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
>> So you will have uidNumber and gidNumber attributes in AD.
> No, AD does not have uidNumber and gidNumber. Only LDAP (a separate
> OpenLDAP!) has this information.
So, that's what you get for not really reading a post: I missed that 😅
> Both AD and LDAP are provided by an identity management system, so they
> are in sync with respect to accounts and groups.
I think we might have been here before, but why use AD and LDAP?
Why not just use AD?
> Ok, then I would need a winbind 'ldap' backend. Does this exist?
There is the 'idmap_ldap' winbind backend, but I do not think this will
work with 'security = ADS', but then I have never tried it, and there is
also the problem that it is an allocating backend, i.e. your users and
groups will get new IDs.
There is also the 'idmap_nss' backend, but this will also suffer from
the same problems as 'idmap_ldap'.
I think your best idea will be to load your users and groups in AD with
the relevant uidNumber or gidNumber attributes and use this for
authentication and sync passwords between your AD and your LDAP.
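The path recommended above (uidNumber/gidNumber stored in AD and read by winbind instead of being allocated by idmap_ldap or idmap_nss) looks like this in smb.conf. This is an added example, not configuration from the thread; the domain name EXAMPLE, the realm and the ID ranges are assumptions and must be replaced with the site's own values.

```ini
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # Default backend for SIDs not covered by a domain-specific block
   # (BUILTIN, well-known SIDs, trusted domains). 'tdb' allocates IDs,
   # so its range must not overlap the AD-managed range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Read uidNumber/gidNumber from the AD user and group objects rather
   # than allocating new ones, so the IDs stay identical to what nslcd
   # currently serves from the separate OpenLDAP. The range must cover
   # every uidNumber and gidNumber present in AD; objects outside it
   # are simply not mapped.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999

   # Also take loginShell and unixHomeDirectory from the RFC2307 attributes.
   winbind nss info = rfc2307
   winbind use default domain = yes
```

Comments in smb.conf must sit on their own lines, as a `#` after a value is read as part of the value. After switching nsswitch.conf from `ldap` to `winbind`, compare `getent passwd <user>` and `wbinfo -i <user>` against the old LDAP entry to confirm the UID did not change.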