Hmm, I played around with this nss_ldap, also with the rfc2307 from winbind. Looks all nice, but Samba4 does not have the posix schema loaded and filled for users by default.
If I make a new user, it will not have the posix attributes, and the attributes are not auto set (no uid, gid). So yes, it can go around the problem, but creates a bunch of new ones. Too bad we can't do the nss_ldap mapping within winbind, since it's only the (unix) homedir we're after. Thanks anyway...

Collen

On 24-5-2012 19:11, steve wrote:
Hi

Making it default is the easy bit. Install nss-pam-ldapd (libnss-ldapd and libpam-ldapd under Debian). Here is our config in /etc/nslcd.conf:

uid nslcd
gid nslcd
uri ldap://sam4dc.polop.site
base dc=polop,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
#map group uniqueMember member
sasl_mech GSSAPI
sasl_realm POLOP.SITE
krb5_ccname /tmp/nslcd.tkt

Most of this is site dependent but the mappings are all that are important. The latest version (0.8.4 up) maps group members too, hence the commented out line.

We have written scripts to implement this but you can do this from Linux using ldbedit to add only the objects and attributes you need. Here is an example of a user called steve2 (samba-tool user add steve2 or from ADUC in Windows) in the directory to which we have added the attributes necessary for nss-ldapd mappings:

dn: CN=steve2,CN=Users,DC=polop,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120508141303.0Z
uSNCreated: 3719
name: steve2
objectGUID: 2e73c14e-976e-431e-830e-863494cc4a1c
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-1196638036-2541980263-511278767-1105
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=polop,DC=site
pwdLastSet: 129809599830000000
uidNumber: 3000008
unixHomeDirectory: /home2/CACTUS/steve2
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
profilePath: \\sam4dc\profiles\steve2
homeDrive: Z:
homeDirectory: \\sam4dc\home\steve2
memberOf: CN=staff,CN=Users,DC=polop,DC=site
primaryGroupID: 513
gidNumber: 20513
userAccountControl: 66048
accountExpires: 0
whenChanged: 20120518160301.0Z
uSNChanged: 3944
distinguishedName: CN=steve2,CN=Users,DC=polop,DC=site

You can either add the objects and attributes to taste using ldbedit or write scripts to add them for you. We have written a suite of well tested scripts called 's4bind' which do all this for you. Remember, if the attributes are stored in the directory and mapped by something up to date which understands AD, then there can never be any confusion as to uid, gid, home directory or whatever. m$ have granted us free access to the posix attributes necessary to connect Linux machines to 2008r2 and therefore Samba4 AD. Let's use them to our advantage.

http://linuxcostablanca.blogspot.com.es/p/s4bind.html

Cheers,
Steve
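As an added illustration of the step Steve describes (adding the posixAccount class and the RFC2307 attributes that nslcd maps to an existing AD user), here is a small shell helper; it is not part of the s4bind scripts or of this thread. It assumes ldbmodify/ldbsearch are on the PATH and that sam.ldb lives under /usr/local/samba/private (adjust to your install), and it refuses a uidNumber that is already in use so two accounts never map to the same Unix uid.

```bash
#!/bin/bash
# Assumed location of the Samba4 directory database; adjust for your install.
SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"

# posix_ldif DN UIDNUMBER GIDNUMBER UNIXHOME [LOGINSHELL]
# Print an LDIF "modify" record that adds exactly the attributes nslcd needs.
posix_ldif() {
  local dn="$1" uid="$2" gid="$3" home="$4" shell="${5:-/bin/bash}"
  [ -n "$dn" ] || { echo "dn required" >&2; return 1; }
  case "$uid" in ''|*[!0-9]*) echo "uidNumber must be numeric: $uid" >&2; return 1;; esac
  case "$gid" in ''|*[!0-9]*) echo "gidNumber must be numeric: $gid" >&2; return 1;; esac
  case "$home" in /*) ;; *) echo "unixHomeDirectory must be absolute: $home" >&2; return 1;; esac
  printf 'dn: %s\nchangetype: modify\n' "$dn"
  printf 'add: objectClass\nobjectClass: posixAccount\n-\n'
  printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uid"
  printf 'add: gidNumber\ngidNumber: %s\n-\n' "$gid"
  printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
  printf 'add: loginShell\nloginShell: %s\n-\n' "$shell"
}

# uid_in_use UIDNUMBER: succeed if some object in sam.ldb already carries this uidNumber.
uid_in_use() {
  ldbsearch -H "$SAM_LDB" "(uidNumber=$1)" dn 2>/dev/null | grep -q '^dn: '
}

# apply_posix DN UIDNUMBER GIDNUMBER UNIXHOME [LOGINSHELL]
# Run on the DC as root: generate the LDIF and feed it to ldbmodify.
apply_posix() {
  if uid_in_use "$2"; then
    echo "uidNumber $2 already assigned in $SAM_LDB" >&2
    return 1
  fi
  posix_ldif "$@" | ldbmodify -H "$SAM_LDB"
}

# Example (matches the steve2 record shown above); prints the LDIF only:
# posix_ldif 'CN=steve2,CN=Users,DC=polop,DC=site' 3000008 20513 /home2/CACTUS/steve2
```

For a sanity check after applying, `getent passwd steve2` on a client running nslcd should return the uidNumber and unixHomeDirectory you added.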
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
