[Samba] OpenPVN authentication via Samba AD
rpenny at samba.org
Tue Sep 1 18:48:48 UTC 2020
On 01/09/2020 19:10, Stefan G. Weichinger via samba wrote:
> Am 01.09.20 um 20:02 schrieb Kris Lou via samba:
>> I use:
>> User naming attribute: sAMAccountName
>> Group naming attribute: sAMAccountName
>> Group member attribute: memberof
> With Samba AD I use:
> User naming attribute: sAMAccountName
> Group naming attribute: cn
> Group member attribute: memberof
> Group Object Class: posixGroup
Don't use any of the 'posix' objectclasses, you cannot rely on them
being there, this is because they are not required, you can have the
RFC2307 attributes without them. There are very few tools that will add
them and any that do can probably be described as 'broken'
I would suggest using the the 'group' objectclass.
> Search scope: Entire Subtree
> (and I added an Extended Query after the basics worked)
>> And if I recall, the groups are only returned if they match a local pfSense
>> group (must have the same name).
> I didn't follow this.
That doesn't make sense, if the pfsense machine is joined to the domain,
then all AD groups with a gidNumber attribute are 'local groups'.
More information about the samba