Roman Sommer
2006-Jan-18 12:59 UTC
[Samba] winbind idmap using active directory as ldap backend
Hello,

I need to continue where this HOWTO ends: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#idmaprfc2307

I worked with krb+ldap authentication/authorization against Windows 2003 Servers (SP1 with SFU3.5 and R2) before, so I am familiar with the mappings needed, but I don't really understand how winbind is of any use if /etc/nsswitch.conf points to "files ldap". If it pointed to winbind, OK... There are some links to ldap in smb.conf, but I can't see anything like it the other way round. No evidence of samba/winbind whatsoever in ldap.conf.

Having either one of these schema extensions (R2 or SFU3.5), I don't need to further extend the schema, right? The SID is already there, and I could probably use the msSFU30UidNumber (R2: uidNumber) attribute to do the mapping... so AD looks like a good choice :)

I like the winbind approach (in contrast to ldap) because it automatically creates unix attributes for existing domain users, which saves a lot of work.

In a second step I would like to kerberize the ldap query so as not to send a plain-text password over the network (I wonder if it is a good idea to use the existing domain computer account).

I would appreciate any feedback regarding this approach (e.g. reliability etc. pp.).

Best regards,
/R.
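An added configuration example, not part of the original post, showing the winbind-based layout the question revolves around: NSS resolves users through winbind rather than through ldap, and winbind itself reads the SFU (msSFU30UidNumber) or R2 (uidNumber) attributes from AD over a Kerberos-authenticated LDAP connection using the machine account. It uses current Samba 4.x smb.conf syntax rather than the 3.0-era syntax of the linked HOWTO; the realm, workgroup and ID ranges are assumed placeholder values.

```ini
# /etc/nsswitch.conf (excerpt): point NSS at winbind, not ldap.
# passwd: files winbind
# group:  files winbind

# /etc/samba/smb.conf (excerpt); EXAMPLE / EXAMPLE.COM are assumed values.
[global]
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    # winbind binds to AD LDAP with the joined machine account's Kerberos
    # credentials from the keytab, so no plain-text password is sent.
    kerberos method = secrets and keytab

    # Pull the POSIX account fields (shell, home) from the same schema.
    # Use "sfu" for SFU 3.5 attributes, "rfc2307" for the R2 attributes.
    winbind nss info = rfc2307
    winbind use default domain = yes

    # Fallback allocator for well-known SIDs and trusted domains.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The AD domain: SID <-> uid/gid comes straight from AD attributes.
    # schema_mode = sfu reads msSFU30UidNumber, rfc2307 reads uidNumber.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : unix_nss_info = yes
```

Only accounts that actually carry a uidNumber/gidNumber (or the SFU equivalents) within the configured range resolve; `wbinfo -i <user>` and `getent passwd <user>` are the quick checks that the mapping reaches NSS.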