Thank you Marc, I will try this configuration. For this to work, do I need an OpenLDAP proxy?
2013/8/26 Marc Muehlfeld <[email protected]>

> Hello Bruno,
>
> On 25.08.2013 22:26, Bruno Vane wrote:
>> Yes I read these sections, but I want something different. Users will
>> join on AD domain (Samba 4) and will connect to an "entry" SSH server,
>> and from this server they can access other SSH servers on the network.
>> All SSH servers are configured with /etc/hosts.allow to allow SSH
>> connections only from this "entry" SSH server. These Ubuntu servers
>> running SSH will not join in the AD domain, only users of the network.
>> Is this possible?
>
> I think this shouldn't matter. You can configure the "entry" host with
> nslcd to retrieve the account information via LDAP from AD and pam_ldap to
> authenticate against AD (without necessity to join the machine to the
> domain).
>
> Then you have the other hosts. These you can authenticate in the same way,
> if they are not joined to the domain, or you join them and the
> authentication is done through winbind.
>
> For the nslcd you can use the following config (you must create a bind
> account in your domain for that first):
>
> # Mappings for Active Directory
> pagesize 1000
> referrals off
>
> # Passwd
> filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
>
> # Shadow
> filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
> map shadow uid sAMAccountName
> map shadow shadowLastChange pwdLastSet
>
> # Groups
> filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
> map group uniqueMember member
>
> # Local account, nslcd runs under
> uid nslcd
> gid ldap
>
> # LDAP server settings
> uri ldap://127.0.0.1:389/
> base dc=SAMDOM,dc=example,dc=com
>
> # Account in AD that is used from nslcd to bind to the directory
> binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
> bindpw xxxxx
>
> pam_ldap config you find here:
> https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD
>
> Regards,
> Marc

--
Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu
www.zamix.com.br | www.superonda.com.br
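As an added example (not code from this thread or from the Samba project), a small Python audit of an nslcd.conf fragment rebuilt from Marc's mapping block: it parses the filter/map lines, checks that each LDAP filter's parentheses still pair up (a filter wrapped by a mail client, as happened to the quoted text above, no longer matches anything), and flags a plaintext ldap:// URI to a remote host without the ssl option and a bindpw in a file readable by group or others. The hostname dc1.samdom.example.com and the file mode values are constructed assumptions.

```python
from urllib.parse import urlparse
# Constructed sample, rebuilt from the mapping block in this thread (bindpw is a placeholder).
SAMPLE_CONF = """\
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
map group uniqueMember member
uri ldap://127.0.0.1:389/
base dc=SAMDOM,dc=example,dc=com
binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx
"""

def parse_nslcd_conf(text):
    """Return {'filter': {db: filter}, 'map': {db: {attr: ad_attr}}} plus scalar options."""
    conf = {"filter": {}, "map": {}}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize on whitespace
        if parts and parts[0] == "filter" and len(parts) == 3:
            conf["filter"][parts[1]] = parts[2]
        elif parts and parts[0] == "map" and len(parts) == 4:
            conf["map"].setdefault(parts[1], {})[parts[2]] = parts[3]
        elif parts:
            conf[parts[0]] = " ".join(parts[1:])
    return conf

def balanced(filt):
    """True if the filter's parentheses pair up; a line wrapped by a mail client breaks this."""
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def audit(conf, file_mode=0o600):
    """Findings for a parsed config; file_mode is nslcd.conf's mode (stat it in practice, assumed here)."""
    findings = [f"filter {db}: unbalanced parentheses" for db, f in conf["filter"].items() if not balanced(f)]
    uri = urlparse(conf.get("uri", ""))
    if uri.scheme == "ldap" and uri.hostname not in ("127.0.0.1", "::1", "localhost") and conf.get("ssl", "off") == "off":
        findings.append("uri: plaintext ldap:// to a remote host, bind password crosses the network")
    if "bindpw" in conf and file_mode & 0o077:
        findings.append("bindpw: nslcd.conf is readable by group/others")
    return findings
```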
