[Samba] Samba as AD member & without winbind...

L.P.H. van Belle belle at bazuin.nl
Fri Oct 30 11:05:48 UTC 2020


https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD 
Might help here. 


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Thomas Besser via samba
> Sent: Friday 30 October 2020 11:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba as AD member & without winbind...
> 
> On 30.10.20 at 11:30, Rowland penny via samba wrote:
> > On 30/10/2020 10:09, Thomas Besser via samba wrote:
> >> On 30.10.20 at 10:57, Rowland penny via samba wrote:
> >>> On 30/10/2020 09:20, Thomas Besser via samba wrote:
> >>>> actually we have samba 4.5.16 running under Devuan 2.0 (Ascii) as AD
> >>>> member without winbind configured. UID and GID information comes
> >>>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
> >>> So you will have uidNumber and gidNumber attributes in AD.
> >>
> >> No, AD does not have uidNumber and gidNumber. Only LDAP (separate
> >> OpenLDAP!) does have this information.
> > 
> > So, that's what you get for not really reading a post, I missed that
> > 
> >> Both AD and LDAP are provided by the identity management system, so they
> >> are in sync regarding accounts and groups.
> > 
> > I think we might have been here before, but why use AD and LDAP ?
> 
> Because they are there ;-)
> 
> I'm not the admin of these systems. In our big organization (kit.edu)
> these two systems are provided from the computer center having all users
> and groups in it.
> 
> >>> Ok, then I would need a winbind 'ldap' backend. Does this exist?
> >>
> > There is the 'idmap_ldap' winbind backend, but I do not think this will
> > work with 'security = ADS', but then I have never tried it and there is
> > also the problem that it is an allocating backend i.e. your users and
> > groups will get new IDs
> > 
> > There is also the 'idmap_nss' backend, but this will also suffer with
> > the same problems as 'idmap_ldap'
> 
> That's the reason why I configured NSS to get this information from 
> LDAP until now.
> 
> I don't want 'new IDs' for the users/groups in AD. I want to use the 
> real ones from LDAP.
> 
> I need a winbind backend with which I can use the information from the 
> configured NSS.
> 
> > I think your best idea will be to load your users and groups in AD with
> > the relevant uidNumber or gidNumber attributes and use this for
> > authentication and sync passwords between your AD and your LDAP.
> 
> No, that's no option for me. See above.
> 
> Regards
> Thomas
> 
> -- 
> Karlsruher Institut für Technologie (KIT)
> archIT [IT Management of the Faculty of Architecture]
> Dipl.-Ing. Thomas Besser
> Building 11.40, Room 010 | Phone +49 721 608 46024
> http://www.arch.kit.edu/fakultaet/it-management.php
> 
> KIT - The Research University in the Helmholtz Association