Hello Bruno,

On 25.08.2013 22:26, Bruno Vane wrote:
> Yes I read these sections, but I want something different. Users will
> join an AD domain (Samba 4) and will connect to an "entry" SSH server,
> and from this server they can access other SSH servers on the network.
> All SSH servers are configured with /etc/hosts.allow to allow SSH
> connections only from this "entry" SSH server. These Ubuntu servers
> running SSH will not join the AD domain, only the users of the network.
> Is this possible?

I think this shouldn't matter. You can configure the "entry" host with nslcd to retrieve the account information via LDAP from AD and pam_ldap to authenticate against AD (without needing to join the machine to the domain).

Then you have the other hosts. These you can authenticate in the same way if they are not joined to the domain, or you join them and the authentication is done through winbind.

For nslcd you can use the following config (you must first create a bind account in your domain for that):

# Mappings for Active Directory
pagesize 1000
referrals off

# Passwd
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map     passwd  uid                     sAMAccountName
map     passwd  homeDirectory           unixHomeDirectory
map     passwd  gecos                   displayName
map     passwd  gidNumber               primaryGroupID

# Shadow
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map     shadow  uid                     sAMAccountName
map     shadow  shadowLastChange        pwdLastSet

# Groups
filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
map     group   uniqueMember            member

# Local account that nslcd runs under
uid nslcd
gid ldap

# LDAP server settings
uri ldap://127.0.0.1:389/
base dc=SAMDOM,dc=example,dc=com

# Account in AD that nslcd uses to bind to the directory
binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx
You can find the pam_ldap config here:
https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD
Regards,
Marc
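As an added example (not part of the mailing-list thread), the following script parses an nslcd.conf in the format shown above and reports the points a reviewer of such an "entry" host would check: that the passwd/shadow/group filters and the key AD attribute maps are present, that a plain ldap:// URI is only used to a loopback address (the bind password travels in clear text otherwise unless `ssl start_tls` or `ssl on` is set), and that a file containing `bindpw` is not group- or world-readable. The embedded sample config is constructed from the post, with a hypothetical remote DC host substituted so the URI check has something to flag.

```python
"""Audit an nslcd.conf with AD mappings (constructed example, not from the post)."""
import re
import stat

# Constructed sample: the mapping config from the post, with a hypothetical
# remote domain controller instead of 127.0.0.1 so the URI check fires.
SAMPLE_NSLCD_CONF = """\
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
map group uniqueMember member
uid nslcd
gid ldap
uri ldap://dc1.samdom.example.com:389/
base dc=SAMDOM,dc=example,dc=com
binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx
"""

# Maps that AD lookups through nslcd cannot work without.
REQUIRED_MAPS = {("passwd", "uid"), ("passwd", "gidNumber"), ("shadow", "uid"), ("group", "uniqueMember")}
LOOPBACK = ("127.0.0.1", "localhost", "::1")

def parse_nslcd(text):
    """Return (options, maps): options is {key: [values]}, maps is {(map, attr): ad_attr}."""
    options, maps = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "map":
            mapname, attr, ad_attr = rest.split()
            maps[(mapname, attr)] = ad_attr
        else:
            options.setdefault(key, []).append(rest.strip())
    return options, maps

def audit_nslcd(text, mode=None):
    """Return a list of findings; mode is the file's st_mode (optional)."""
    options, maps = parse_nslcd(text)
    findings = []
    for m in ("passwd", "shadow", "group"):
        if not any(f.startswith(m + " ") for f in options.get("filter", [])):
            findings.append(f"no filter for {m} map")
    for m, attr in sorted(REQUIRED_MAPS):
        if (m, attr) not in maps:
            findings.append(f"missing map {m} {attr}")
    for uri in options.get("uri", []):
        host = re.sub(r"^ldaps?://", "", uri).split("/")[0].split(":")[0]
        if uri.startswith("ldap://") and host not in LOOPBACK and "ssl" not in options:
            findings.append(f"plain ldap:// to non-loopback host {host} without ssl start_tls/on")
    if "bindpw" in options and mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw present but file is readable by group/other")
    return findings
```

On a real host, call `audit_nslcd(open("/etc/nslcd.conf").read(), os.stat("/etc/nslcd.conf").st_mode)`; an empty list means nothing was flagged.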