[Samba] Samba as AD member & without winbind...
Thomas Besser
thomas.besser at kit.edu
Fri Oct 30 10:50:43 UTC 2020
Am 30.10.20 um 11:30 schrieb Rowland penny via samba:
> On 30/10/2020 10:09, Thomas Besser via samba wrote:
>> Am 30.10.20 um 10:57 schrieb Rowland penny via samba:
>>> On 30/10/2020 09:20, Thomas Besser via samba wrote:
>>>> actually we have running samba 4.5.16 under Devuan 2.0 (Ascii) as AD
>>>> member without winbind configured. UID and GID informations coming
>>>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
>>> So you will have uidNumber and gidNumber attributes in AD.
>>
>> No, AD does not have uidNumber and gidNumber. Only LDAP (separate
>> OpenLDAP!) does have this informations.
>
> So, that's what you get for not really reading a post, I missed that 😅
>
>> Both, AD and LDAP are provided by identity management system, so are
>> in sync according accounts and groups.
>
> I think we might have been here before, but why use AD and LDAP ?
Because they are there ;-)
I'm not the admin of theses systems. In our big organization (kit.edu)
these two systems are provided from the computer center having all users
and groups in it.
>>> Ok, then I would need a winbind 'ldap' backend. Does this exist?
>>
> There is the 'idmap_ldap' winbind backend, but I do not think this will
> work with 'security = ADS', but then I have never tried it and there is
> also the problem that it is an allocating backend i.e. your users and
> groups will get new ID's
>
> There is also the 'idmap_nss' backend, but this will also suffer with
> the same problems as 'idmap_ldap'
That's the reason why I configured NSS to get this informations from
LDAP until now.
I don't want 'new ID's' for the users/groups in AD. I want to use the
real one from LDAP.
I need a winbind backend with that I can use the informations from
configured NSS.
> I think your best idea will be to load your users and groups in AD with
> the relevant uidNumber or gidNumber attributes and use this for
> authentication and sync passwords between your AD and your LDAP.
No, that's no option for me. See above.
Regards
Thomas
--
Karlsruher Institut für Technologie (KIT)
archIT [IT-Management der Fakultät Architektur]
Dipl.-Ing. Thomas Besser
Gebäude 11.40, Raum 010 | Fon +49 721 608 46024
http://www.arch.kit.edu/fakultaet/it-management.php
KIT - Die Forschungsuniversität in der Helmholtz-Gemeinschaft
More information about the samba
mailing list