Thanks for your statement, Andrew. I know about winbind and we've used it in the past, but I remember there were some issues when dealing with POSIX ACLs and winbind.
Now while winbind might work in some environments, I think it would be much nicer and cleaner to integrate Linux clients into a Samba AD domain with "native" Linux tools. The PAM part is very easy and works great already with Samba 4 and Linux clients using Kerberos. The only somewhat troublesome part is the NSS information (passwd/groups/shadow), which would also not really be an issue if Samba 4 properly implemented separation between users and groups in POSIX ACLs (#9521).

I guess I'll take a second look at winbind then.

Regards,
Frederik

2013/1/24 Andrew Bartlett <[email protected]>:
> On Wed, 2013-01-23 at 18:29 +0100, Fred F wrote:
>> 2013/1/22 Gémes Géza <[email protected]>:
>> > I don't agree, because users can be members of multiple groups, not just
>> > the group identified as their primary group
>> Well, yes. That is not the point. Users can still be members of
>> multiple groups (e.g. CN=Domain Admins,CN=Users,CN=DOMAIN), through
>> the "member" attributes of the AD/LDAP nodes, but the actual issue
>> here is that plain users do not show up in (CN=Domain
>> Users,CN=Users,CN=DOMAIN), because "Domain Users" is set as the
>> primary group directly. Additionally added groups show up on the Linux
>> side as well, just not the primary group (with my approach).
>>
>> Any other thoughts? Isn't this scenario one of the most common usage
>> scenarios ever? Serving both Windows and Linux? How come so little
>> information is available about Samba4 with Linux clients?
>
> That is because there isn't anything special about Samba 4.0 as an AD DC
> with Linux clients that hasn't already been done for a Windows AD
> domain.
>
> The Samba Team recommends winbind as the AD client to use on Linux,
> because it handles these and many other details much better than just
> nss_ldap.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
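
The primary-group behaviour discussed in the quoted message, as an added example that is not part of the original thread: in AD a user's primary group is stored as a RID in the user's primaryGroupID attribute rather than in the group's member attribute, so a lookup that reads only member misses those users. The DNs, SIDs and helper names below are constructed for illustration, and nested groups are not resolved.

```python
# Constructed sample directory entries (not from the thread). Attribute names
# are the standard AD ones: objectSid, primaryGroupID, member.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed domain SID
BASE = "CN=Users,DC=example,DC=com"      # constructed base DN

ENTRIES = [
    {"dn": f"CN=Domain Users,{BASE}", "objectSid": f"{DOMAIN_SID}-513", "member": []},
    {"dn": f"CN=Domain Admins,{BASE}", "objectSid": f"{DOMAIN_SID}-512",
     "member": [f"CN=alice,{BASE}"]},
    {"dn": f"CN=alice,{BASE}", "objectSid": f"{DOMAIN_SID}-1104", "primaryGroupID": 513},
    {"dn": f"CN=bob,{BASE}", "objectSid": f"{DOMAIN_SID}-1105", "primaryGroupID": 513},
]


def split_sid(sid):
    """Return (domain part, RID) of a SID string."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def find_entry(dn, entries):
    """Look up one entry by DN (hypothetical helper)."""
    return next(e for e in entries if e["dn"] == dn)


def member_attr_only(group_dn, entries):
    """What a client sees if it reads only the group's member attribute."""
    return sorted(find_entry(group_dn, entries).get("member", []))


def effective_members(group_dn, entries):
    """member attribute plus users whose primaryGroupID is this group's RID."""
    group = find_entry(group_dn, entries)
    group_domain, group_rid = split_sid(group["objectSid"])
    members = set(group.get("member", []))
    for entry in entries:
        if entry.get("primaryGroupID") != group_rid:
            continue
        # primaryGroupID is only a RID, so it must be matched within one domain.
        if split_sid(entry["objectSid"])[0] == group_domain:
            members.add(entry["dn"])
    return sorted(members)


if __name__ == "__main__":
    dn = f"CN=Domain Users,{BASE}"
    print("member only:", member_attr_only(dn, ENTRIES))
    print("effective:  ", effective_members(dn, ENTRIES))
```

An ACL or access review that enumerates a group from member alone under-reports who holds the group's rights; the second function is the check to compare against.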
