On Tue, 2013-10-01 at 15:48 +1100, m...@electronico.nc wrote:
> Hi again,
> 
> Thanks again, Denis, Steve and Rowland for your previous answers about 
> RFC2307 and winbind.
> 
> Maybe I'm a dreamer, but here is what I wanted to achieve:
> Ubuntu server 12.04.3, samba4 as PDC, several NICs: 1 LAN and 2/3 WANs
> Use a windows VM (on this server) to control AD through WRAT
> AD offers me the 'wisdom' of software deployment and GPO, users 
> can't install anything
> All standard Linux services (apache, postfix, dovecot, pptp, mysql, 
> webmail, ...) can query AD
> 
> What is done :
> I have set up 'folder redirection' in WRAT, so users' 'documents' and 
> 'desktop' are available offline and mapped to home/%U on the server
> AD Administrator has a roaming profile
> Searched a lot and succeeded in deploying Office, Acrobat reader, Skype, 
> 7-zip, Firefox to users (windows is another world...)
> Shares are mounted (depending on AD 'ou' rights) on users' PCs
> Administrator can log in via UltraVNC to all workstations
> 
> What needs to be done:
> Linux services to auth to AD
> 
> From what I've read, sssd is the most secure solution to achieve this, 
> but ...
> Using sssd 1.11.1, configuration files:
> 1)
> > sudo cat /etc/sssd/sssd.conf
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = radiodjiido.nc
> > [nss]
> > [pam]
> > [domain/radiodjiido.nc]
> > dyndns_update = false
> > ad_hostname = serveur.radiodjiido.nc
> > ad_server = serveur.radiodjiido.nc
> > ad_domain = radiodjiido.nc
> > ldap_schema = ad
> > id_provider = ad
> > access_provider = simple
> > enumerate = true
> > cache_credentials = true
> > auth_provider = krb5
> > chpass_provider = krb5
> > krb5_realm = RADIODJIIDO.NC
> > krb5_server = serveur.radiodjiido.nc
> > krb5_kpasswd = serveur.radiodjiido.nc
> > #next line only lists users with uidNumber/gidNumber entered via ldbedit
> > ldap_id_mapping = false
> > ldap_referrals = false
> > ldap_uri = ldap://serveur.radiodjiido.nc
> > ldap_search_base = dc=radiodjiido,dc=nc
> > ldap_user_object_class = user
> > ldap_user_name = samAccountName
> > ldap_user_uid_number = uidNumber
> > ldap_user_gid_number = gidNumber
> > ldap_user_home_directory = unixHomeDirectory
> > ldap_user_shell = loginShell
> > ldap_group_object_class = group
> > ldap_group_search_base = dc=radiodjiido,dc=nc
> > ldap_group_name = cn
> > ldap_group_member = member
> > ldap_sasl_mech = gssapi
> > #ldap_sasl_authid = serveur$
> > ldap_sasl_authid = serveur$@RADIODJIIDO.NC
> > krb5_keytab = /etc/krb5.sssd.keytab
> > ldap_krb5_init_creds = true

Hi
It looks as though the ad backend is broken in 1.11.1. At least I can't
get it going with a similar sssd.conf:
https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html

I rolled back to 1.10.0 and it's fine.

Re: your question.
If you can get away without having Linux clients in the domain, then
yes, you can forget sssd entirely.

HTH and good luck,
Steve
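As an added example (not code from this thread), a small Python audit over a trimmed, constructed copy of the sssd.conf quoted above. It flags the settings a defender would review in that file: `access_provider = simple` with no `simple_allow_users`/`simple_allow_groups` (which lets every AD account log in to the Linux box), `enumerate = true`, and `cache_credentials = true`; the group name `linux-admins` in the usage note is a placeholder.

```python
import configparser

# Constructed sample: a trimmed copy of the posted sssd.conf, same settings.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = radiodjiido.nc

[domain/radiodjiido.nc]
id_provider = ad
access_provider = simple
enumerate = true
cache_credentials = true
auth_provider = krb5
ldap_id_mapping = false
ldap_sasl_mech = gssapi
"""


def audit_sssd_conf(text):
    """Return (severity, message) findings for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # SSSD's default access_provider is "permit"; the "simple" provider
        # with no allow list behaves the same: every domain user may log in.
        allow_list = any(d.get(k) for k in ("simple_allow_users", "simple_allow_groups"))
        if d.get("access_provider", "permit") in ("permit", "simple") and not allow_list:
            findings.append(("high", f"{section}: all AD users may log in; "
                             "set simple_allow_groups or use access_provider = ad"))
        # enumerate = true downloads the whole directory into the local cache.
        if d.getboolean("enumerate", fallback=False):
            findings.append(("low", f"{section}: enumerate = true copies every user "
                             "and group to the local cache; usually unnecessary"))
        # cached credentials allow offline logins; the cache lives on disk.
        if d.getboolean("cache_credentials", fallback=False):
            findings.append(("info", f"{section}: cache_credentials = true stores "
                             "password hashes under /var/lib/sss/db; keep it root-only"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[{severity}] {message}")
```

Adding `simple_allow_groups = linux-admins` (placeholder group) to the domain section and setting `enumerate = false` removes the high and low findings.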

