Re: [Samba] Authenticating against Samba 4 AD LDAP service

Rowland Penny via samba wrote 2018-09-06 16:59:
On Thu, 06 Sep 2018 16:12:43 +0700
Konstantin Boyandin via samba wrote:

Rowland Penny via samba wrote 2018-09-06 14:50:
> On Thu, 06 Sep 2018 12:47:02 +0700
> Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> Rowland Penny via samba wrote 2018-09-05 16:10:
>> > However, are you sure you cannot use kerberos ?
>> > What are your existing services ?
>> to name the most important ones:
>> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
>> - Shell (SSH) server (same, using nslcd)
>> - Apache 2.* LDAP authentication module
>> - Atlassian Confluence
>> - GitLab
> I am positive that most of the above will work with kerberos
> authentication, the only exception is 'Mail server'. This is only
> because saying 'Mail server' is a bit like saying 'I have a
> computer', it could be anything, but whatever it is, you probably
> can use kerberos and if Dovecot is in the mix, you definitely can
> use kerberos.

Thanks for the reassurance. The mail server/SSH server are using
pam_ldap and nss_ldap to authenticate and get attributes from LDAP
(via the nss-pam-ldapd CentOS package).

You keep saying 'mail server', but what mail server? What are its
components? Are you using postfix, exim4 or something else? Does
it use saslauthd, dovecot or something else?

I thought I answered by mentioning PAM authentication.

Exim 4, using saslauthd (which still uses PAM to auth against username/password).
Dovecot, using PAM.

Basically, I have configured nslcd to get info from Samba4, according


The further questions are:

1. I have to add uidNumber/gidNumber manually per user/group, as said


Is it possible to do that in batch mode, as well (i.e. create kind of
.ldif and update the sam.ldb with it)?

Write a script around 'samba-tool user create'. You could extract the
required data from a file (csv ?) and use this to create the users one
by one.

Users and groups *have been* created (imported) by 'classic upgrade'. What is missing is group memberships and uidNumber/gidNumber fields (required by nslcd).

So the question is, is it possible to add attributes on a per-item (user, group) basis in batch mode (without doing that manually with ldbedit)?

Namely, mass add uidNumber/gidNumber attributes.

There can be cases when all the attributes must be changed/added/deleted en masse, so I assume I am not the only one in need of batch altering user/group attributes.

2. I have no luck setting up pam_ldap.conf to allow authentication
against Samba4. There are no visible hints in the Samba Wiki. I could
only guess I have to try Kerberos, perhaps, instead of pam_ldap.

Are you using a DC as a fileserver ?

Yes. It's a relatively small domain, so no performance penalty is expected.

This should work, but you will need to use nslcd or winbind or sssd.
You can, as you have found, use nslcd to extract rfc2307 attributes
from AD; sssd works in a similar way, winbind only extracts the
username & uidNumber.

The question is how to authenticate. Currently, the PAM part authenticates against the Samba 3 domain, while NSS gets the required attributes. That satisfies all the Linux services.

On Samba 4, I wasted much time trying to make PAM authentication work. I will try using Kerberos for now (if it works along with nslcd, I won't touch sssd, which, in my experience, is more a problem than a solution).

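The batch question raised above (mass-adding uidNumber/gidNumber to accounts that 'classicupgrade' imported without them) can be handled by generating an LDIF of modify records and applying it with ldbmodify against sam.ldb. The script below is an added example written for this thread, not code from the Samba project or from either poster. It assumes a CSV with columns username,uidNumber,gidNumber, that each account's CN equals its username (often true for classic-upgraded accounts, but check with ldbsearch first), and a hypothetical base DN of CN=Users,DC=example,DC=com; the sample CSV is constructed. It refuses ids below 1000 so a typo cannot hand an AD user the uid of root or another local system account, and it uses 'add:' rather than 'replace:' so an account that already carries the attribute makes ldbmodify fail instead of being silently overwritten.

```python
import csv
import io

# Constructed sample input: one row per account that should receive rfc2307 ids.
SAMPLE_CSV = """username,uidNumber,gidNumber
alice,10001,10000
bob,10002,10000
"""

# Assumption: classic-upgraded accounts live in the default Users container.
USERS_DN = "CN=Users,DC=example,DC=com"


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 so odd usernames cannot break the DN."""
    specials = ',+"\\<>;='
    out = "".join("\\" + c if c in specials else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_rows(csv_text, min_id=1000, max_id=60000):
    """Parse the CSV and reject ids that collide with each other or with local system ranges."""
    entries = []
    seen_uids = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"].strip()
        uid = int(row["uidNumber"])
        gid = int(row["gidNumber"])
        if not name:
            raise ValueError("empty username in CSV")
        for label, value in (("uidNumber", uid), ("gidNumber", gid)):
            if not (min_id <= value <= max_id):
                raise ValueError(f"{name}: {label} {value} outside allowed range {min_id}-{max_id}")
        if uid in seen_uids:
            raise ValueError(f"{name}: duplicate uidNumber {uid}")
        seen_uids.add(uid)
        entries.append((name, uid, gid))
    return entries


def build_ldif(entries, base_dn=USERS_DN):
    """Emit one LDIF modify record per account; 'add:' fails on accounts that already have the attribute."""
    records = []
    for name, uid, gid in entries:
        records.append(
            f"dn: CN={escape_rdn_value(name)},{base_dn}\n"
            "changetype: modify\n"
            "add: uidNumber\n"
            f"uidNumber: {uid}\n"
            "-\n"
            "add: gidNumber\n"
            f"gidNumber: {gid}\n"
            "-\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    # Write the LDIF to stdout; apply on the DC with e.g.
    #   ldbmodify -H /usr/local/samba/private/sam.ldb ids.ldif
    # (the sam.ldb path depends on how Samba was installed).
    print(build_ldif(parse_rows(SAMPLE_CSV)), end="")
```

Groups get the same treatment with a gidNumber-only record and the group's container as base DN. Run the generated LDIF against a backup copy of sam.ldb, or at least review it with ldbsearch afterwards, before pointing nslcd at the result.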