[Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.

2013-08-15 Thread Andres Tello Abrego
I'm lost in documentation.

I set up a samba4 AD, and configured winbind so I can have local
authentication using pam; I can now log in as AD users via ssh.

I want to achieve the Holy Grail of 1 source of users and passwords, for
both linux and windows machines, but I'm lost in documentation.
So far I know:
samba4 can't use openldap as backend.
samba4 ldap isn't really a full ldap.
samba4 provides uid/gid mapping using winbind or nslcd

So far, I'm using winbind and I can see the samba ad users added to the
password database executing:
getent passwd

But, after that, I'm lost.
Can I implement remote winbind at remote linux client machines?
Do I need to set up an openldap proxy?
If I setup an openldap proxy, should I use winbind or nslcd?
openldap now uses automatic configuration, any clue to implement the
openldap proxy with this type?

Thanks...
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.

2013-08-15 Thread Marc Muehlfeld

Hello Andres,

On 15.08.2013 18:45, Andres Tello Abrego wrote:

I want to achieve the Holy Grail of 1 source of users and passwords, for
both linux and windows machines, but I'm lost in documentation.
So far I know:
samba4 can't use openldap as backend.

Right.

samba4 ldap isn't really a full ldap.

What do you mean by "is not a full ldap"?

samba4 provides uid/gid mapping using winbind or nslcd

Samba AD provides the backend, where the accounts are stored. To get the
users to your local *nix system, you can use winbind, nslcd or sssd.

Can I implement remote winbind at remote linux client machines?

What is remote winbind?

Do I need to set up an openldap proxy?

I would only use an openldap proxy to AD in my DMZ, because this
prevents me from having a Samba AD installation there with all those open
ports and Winbind on all DMZ machines.

If I set up an openldap proxy, should I use winbind or nslcd?

If you get your information from AD via an LDAP proxy, I guess the only
solution is LDAP-based tools like nslcd. I think Winbind can't access
through an LDAP proxy, because it uses more than LDAP to talk to the DC
(rpc or whatever).

openldap now uses automatic configuration, any clue to implement the
openldap proxy with this type?

Automatic configuration?

Here I placed e.g. a solution for an openLDAP proxy and examples for
how to connect other services:

https://wiki.samba.org/index.php/Authenticating_other_services_against_AD

I guess it's really time to finish my Winbind/Nslcd/SSSD page for the
different methods to get the directory users to the local system. These
questions are coming up very often these days :-) I already started a
while ago. I'll try to find some time to finish and publish it next week.

Regards,
Marc


Re: [Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.

2013-08-15 Thread Andres Tello Abrego
How can I help :) maybe you can pass me whatever you have written, or tip me to
maybe use sssd.

What I refer to as remote winbind is this: currently I have
1 box with AD, and I want to use that same box, those same users, for client
linux... winbind worked like a charm, but I only have authentication on the
machine with the AD...




2013/8/15 Marc Muehlfeld sa...@marc-muehlfeld.de

 Hello Andres,

 On 15.08.2013 18:45, Andres Tello Abrego wrote:

  I want to achieve the Holy Grail of 1 source of users and passwords, for
  both linux and windows machines, but I'm lost in documentation.
  So far I know:
  samba4 can't use openldap as backend.

 Right.

  samba4 ldap isn't really a full ldap.

 What do you mean by "is not a full ldap"?

  samba4 provides uid/gid mapping using winbind or nslcd

 Samba AD provides the backend, where the accounts are stored. To get the
 users to your local *nix system, you can use winbind, nslcd or sssd.

  Can I implement remote winbind at remote linux client machines?

 What is remote winbind?

  Do I need to set up an openldap proxy?

 I would only use an openldap proxy to AD in my DMZ, because this prevents
 me from having a Samba AD installation there with all those open ports and
 Winbind on all DMZ machines.

  If I set up an openldap proxy, should I use winbind or nslcd?

 If you get your information from AD via an LDAP proxy, I guess the only
 solution is LDAP-based tools like nslcd. I think Winbind can't access
 through an LDAP proxy, because it uses more than LDAP to talk to the DC
 (rpc or whatever).

  openldap now uses automatic configuration, any clue to implement the
  openldap proxy with this type?

 Automatic configuration?

 Here I placed e.g. a solution for an openLDAP proxy and examples for how
 to connect other services:
 https://wiki.samba.org/index.php/Authenticating_other_services_against_AD

 I guess it's really time to finish my Winbind/Nslcd/SSSD page for the
 different methods to get the directory users to the local system. These
 questions are coming up very often these days :-) I already started a while
 ago. I'll try to find some time to finish and publish it next week.

 Regards,
 Marc



Re: [Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.

2013-08-15 Thread Gémes Géza

On 2013-08-15 18:45, Andres Tello Abrego wrote:

I'm lost in documentation.

I set up a samba4 AD, and configured winbind so I can have local
authentication using pam; I can now log in as AD users via ssh.

I want to achieve the Holy Grail of 1 source of users and passwords, for
both linux and windows machines, but I'm lost in documentation.
So far I know:
samba4 can't use openldap as backend.
samba4 ldap isn't really a full ldap.
samba4 provides uid/gid mapping using winbind or nslcd

So far, I'm using winbind and I can see the samba ad users added to the
password database executing:
getent passwd

But, after that, I'm lost.
Can I implement remote winbind at remote linux client machines?
Do I need to set up an openldap proxy?
If I set up an openldap proxy, should I use winbind or nslcd?
openldap now uses automatic configuration, any clue to implement the
openldap proxy with this type?

Thanks...

We use winbind from samba 3.6.x on the non-DC linux boxes for this.
Winbind from samba 4.0.x is under testing.


Our config (the relevant part of it):

/etc/krb5.conf:

[libdefaults]
default_realm = YOURREALM

/etc/samba/smb.conf:

[global]
   workgroup = YOURDOMAIN
   realm = YOURREALM
   kerberos method = system keytab
   security = ads
   winbind enum groups = yes
   winbind enum users = yes
   idmap config *:backend = tdb
   idmap config *:range = 11-30
   idmap config YOURDOMAIN:default = yes
   idmap config YOURDOMAIN:backend = ad
   idmap config YOURDOMAIN:range = 0-10
   idmap config YOURDOMAIN:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind expand groups = 5
   winbind nested groups = yes
   winbind use default domain = yes

Of course the ranges depend on the uids/gids you've allocated.

Regards

Geza Gemes

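The domain-member smb.conf posted above stands or falls with its idmap ranges: winbind refuses ranges that overlap each other, and a domain range that reaches into the local system-account UIDs lets a directory SID collide with a local account. The following script is an added example, not code from the thread or from the Samba project. It parses the "idmap config" lines out of an smb.conf fragment and reports range problems before the file is deployed. Both configuration fragments are constructed samples (YOURDOMAIN and YOURREALM are the same placeholders the thread uses), and the 0-999 system-account ceiling is an assumption based on the usual Linux convention, not a Samba rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not the poster's file): a domain member using the "ad"
# idmap backend with RFC2307 attributes for its own domain, plus the "*"
# default backend that Samba needs for BUILTIN and trusted-domain SIDs.
GOOD_SMB_CONF = """
[global]
   workgroup = YOURDOMAIN
   realm = YOURREALM
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config YOURDOMAIN:backend = ad
   idmap config YOURDOMAIN:range = 10000-999999
   idmap config YOURDOMAIN:schema_mode = rfc2307
   winbind nss info = rfc2307
"""

# Constructed sample with two common mistakes: the domain range dips into the
# local system-account range and overlaps the "*" default range.
BAD_SMB_CONF = """
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config YOURDOMAIN : backend = ad
   idmap config YOURDOMAIN : range = 500-9999
"""

# "idmap config <domain> : <option> = <value>"; Samba accepts the colon with or
# without surrounding spaces, so both spellings above parse.
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.IGNORECASE
)

SYSTEM_ID_MAX = 999  # assumed ceiling for local system UIDs/GIDs (Linux convention)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap options per domain, keyed by upper-cased domain name."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, option, value = m.groups()
            domains.setdefault(dom.upper(), {})[option.lower()] = value
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' (spaces around the dash allowed); ValueError otherwise."""
    parts = re.split(r"\s*-\s*", text.strip())
    if len(parts) != 2:
        raise ValueError(f"bad range {text!r}")
    return int(parts[0]), int(parts[1])


def check_idmap(domains: Dict[str, Dict[str, str]],
                system_max: int = SYSTEM_ID_MAX) -> List[str]:
    """Return a list of problems; an empty list means the ranges look sane."""
    problems: List[str] = []
    if "*" not in domains:
        problems.append("missing 'idmap config *' default backend "
                        "(needed for BUILTIN and trusted domains)")
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            lo, hi = parse_range(opts["range"])
        except ValueError:
            problems.append(f"{dom}: unparsable range {opts['range']!r}")
            continue
        if lo >= hi:
            problems.append(f"{dom}: range low end {lo} is not below high end {hi}")
        if lo <= system_max:
            # A directory SID could be mapped onto a local account (worst case UID 0).
            problems.append(f"{dom}: range {lo}-{hi} overlaps local system "
                            f"accounts (0-{system_max})")
        ranges.append((dom, lo, hi))
    # Winbind rejects overlapping ranges: one ID would stand for two SIDs.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_SMB_CONF), ("bad", BAD_SMB_CONF)):
        found = check_idmap(parse_idmap(conf))
        print(name + ":", "OK" if not found else "\n  " + "\n  ".join(found))
```

Run it against a real smb.conf by reading the file into `parse_idmap`; the check is deliberately static so it can sit in a configuration-management pipeline and reject a member-server config before winbind ever sees it.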