Hi Florian, I am in discussion with maintainers of Samba in Solaris, if nss_winbind and pam_winbind can be properly integrated as the option.
For now nss_ldap is the best option for cases as Julian wrote. For authentization against AD, some new pam module is needed. Best regards, Milan Florian Manschwetus p??e v st 30. 09. 2009 v 15:52 +0200: > Ok, basically we have currently on opensolaris two choices: > nss_ldap => alows the use of directory based mapping (unix nuid and ngid > and so are stored in directory (as in my case)) > nss_ad => allows easy and clean access but relies currently on generated > nuid and so > > Problems: > 1. General > - Normally solaris is limited to 16 group-memberships for a single user > > 2. nss_ldap > - can't search the complete directory for users/groups (no idea why) > - need a modification to support DN as membership attribute and allow so > recursive group-memberships (otherwise it would need additional manual > membership handling) > - incomplete group mapping leads to idmap problems with cifs-server > (maybe there is a workaround) > > 3. nss_ad > - seems to not support directory based id-mappings > - currently I was always unable to configure it correctly > - need a fine documentation (not found a really nice one) > > maybe some one could correct me if I made a mistake. > > The plan is to use the directory based nss and kerberos to authenticate > network fs (nfsv4 and cifs, maybe webdav) and system access (ssh, pfexec). > > Kerberos works fine so far, but the nss stuff isn't solved kindly > currently so, some hints or advices are welcome. > If someone could give me a good documentation how the things are > evolving, I'm willing to do my best to make the things go faster. > > Florian >
