I'm trying to use winbindd to enumerate and link AD users to their pre-existing UNIX accounts. Right now, winbindd creates new "users" for UNIX based on windows username and groups.

What I can't figure out is how to explicitly map the AD users to their pre-existing UNIX accounts. I'd like the users to be able to access their UNIX accounts with their UNIX authentication information /and/ their AD authentication information. I had hung my hat on the "username map" smb.conf directive, but I find now that it doesn't apply to winbindd.

Has anyone worked out a strategy for this scenario?
CG wrote:
> I'm trying to use winbindd to enumerate and link AD users to their pre-
> existing UNIX accounts. Right now, winbindd creates new "users" for UNIX based
> on windows username and groups.
>
> What I can't figure out is how to explicitly map the AD users to their pre-
> existing UNIX accounts. I'd like the users to be able to access their UNIX
> accounts with their UNIX authentication information /and/ their AD
> authentication information. I had hung my hat on the "username map" smb.conf
> directive, but I find now that it doesn't apply to winbindd.
>
> Has anyone worked out a strategy for this scenario?

I asked this a while ago and got the answer that this is not possible. I think you have to remove the old users and change all existing files that they own to the new winbind uids (find with the uid option).

Ralf
Are there AD users who need Samba access and do not have Unix accounts? If so, is there a problem giving them Unix accounts?

I have a server set up to do this, but all of the users have local Unix accounts as well as AD accounts. Basically, set up Samba as an AD member server and just do not use winbindd. All permission information for the shares in smb.conf can then use the Unix user and group names instead of those in AD, and Samba will still use the AD credentials for Windows client access. You will have to map DOMAIN\administrator to root (if you want administrator to have Samba access) and any other domain user with a different domain login than their Unix login in the Samba usermap file.

Hope this helps.

---Hillel

On Mon, 23 Apr 2007 14:17:42 +0000 (UTC), CG wrote
> I'm trying to use winbindd to enumerate and link AD users to their
> pre- existing UNIX accounts. Right now, winbindd creates new "users"
> for UNIX based on windows username and groups.
>
> What I can't figure out is how to explicitly map the AD users to
> their pre- existing UNIX accounts. I'd like the users to be able to
> access their UNIX accounts with their UNIX authentication
> information /and/ their AD authentication information. I had hung my
> hat on the "username map" smb.conf directive, but I find now that it
> doesn't apply to winbindd.
>
> Has anyone worked out a strategy for this scenario?
>
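The winbindd-free member server Hillel describes stands or falls on the "username map" file, so it is worth being able to check what a given map does before Samba reads it. The following is an added example, not code from the thread or from Samba: a small Python model of how smb.conf(5) says the map is processed (lines of "unixname = winname ...", '#'/';' comments, '*' as a wildcard, and a leading '!' to stop after a match; '@group' entries are skipped rather than resolved), plus a lint that flags wildcard lines. The domain name, account names, and the smb.conf and map-file contents are constructed for the example; name comparison is assumed case-insensitive, as Samba treats Windows names.

```python
"""Model of Samba's 'username map' processing (added example, not Samba code).

Semantics taken from smb.conf(5):
  * each line is   unixname = winname [winname ...]
  * lines starting with '#' or ';' are comments
  * a winname of '*' matches any incoming name
  * a line that starts with '!' stops processing once it matches
  * without '!', the remapped name keeps going through the rest of the file,
    so a later line can remap it again (this is the classic mistake)
  * '@group' (members of a UNIX group) is not modelled here and is skipped
"""

# smb.conf fragment for the setup in the post (constructed values): an AD
# member server that authenticates against the DC but does not run winbindd.
SMB_CONF = """
[global]
    security = ads
    realm = CORP.EXAMPLE.COM
    workgroup = CORP
    username map = /etc/samba/user.map
"""

# Constructed /etc/samba/user.map: every AD user who should get in is mapped
# to an existing UNIX login, and there is deliberately no wildcard line.
USER_MAP = r"""
# unixname = winname [winname ...]
!root    = CORP\administrator
!hpotter = CORP\harry.potter
!jdoe    = CORP\john.doe
; AD users with no line here stay unmapped and need their own UNIX account
"""


def parse_user_map(text):
    """Return [(stop, unixname, [winnames]), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError("malformed map line: %r" % raw)
        unixname, rhs = (s.strip() for s in line.split("=", 1))
        winnames = rhs.split()
        if not unixname or not winnames:
            raise ValueError("malformed map line: %r" % raw)
        entries.append((stop, unixname, winnames))
    return entries


def map_username(name, entries):
    """Run one incoming (Windows) name through the map, smb.conf(5) style."""
    current = name
    for stop, unixname, winnames in entries:
        matched = False
        for w in winnames:
            if w.startswith("@"):
                continue  # @group needs getgrnam(); not modelled
            if w == "*" or w.lower() == current.lower():
                matched = True
                break
        if matched:
            current = unixname
            if stop:
                break  # '!' line: do not let later lines remap again
    return current


def check_map(text):
    """Lint: a '*' line hands every otherwise-unmatched AD user one UNIX
    account; '*' pointing at root is a remote root login for the domain."""
    warnings = []
    for _stop, unixname, winnames in parse_user_map(text):
        if "*" in winnames:
            level = "DANGER" if unixname == "root" else "warning"
            warnings.append("%s: wildcard maps every unmatched name to %s"
                            % (level, unixname))
    return warnings


if __name__ == "__main__":
    entries = parse_user_map(USER_MAP)
    for n in (r"CORP\administrator", r"CORP\Harry.Potter", r"CORP\nobody.here"):
        print("%-22s -> %s" % (n, map_username(n, entries)))
    # The '!' difference, using the pattern smb.conf(5) itself warns about:
    print(map_username("mary", parse_user_map("sys = mary fred\nguest = *")))
    print(map_username("mary", parse_user_map("!sys = mary fred\nguest = *")))
```

Note the last two lines of the demo: without the '!', mary is mapped to sys and then sys is remapped to guest by the wildcard, which is why the map in the post keeps every line terminal and has no wildcard at all. The root line in particular deserves the '!': whoever lands on it owns the file server, so map only the one AD account you really want there.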
On Mon, 2007-04-23 at 14:17 +0000, CG wrote:
> I'm trying to use winbindd to enumerate and link AD users to their pre-
> existing UNIX accounts. Right now, winbindd creates new "users" for UNIX based
> on windows username and groups.
>

You seem to have 2 separate criteria:

> What I can't figure out is how to explicitly map the AD users to their pre-
> existing UNIX accounts. I'd like the users to be able to access their UNIX

That's one criterion: mapping AD users to the existing Unix accounts.

From this, I assume you mean that after the mapping, you want the 'getent passwd' info to be the same: i.e. the same uid, gid, homedir, shell, gecos. Call this criterion 1.

> accounts with their UNIX authentication information /and/ their AD
> authentication information. I had hung my hat on the "username map" smb.conf

That's another criterion: ability to authenticate as a given user via either the existing unix password (e.g. the /etc/shadow password), or the MsAD password. Call this criterion 2.

> directive, but I find now that it doesn't apply to winbindd.
>
> Has anyone worked out a strategy for this scenario?

I think so:

Criterion 1:
-------------
Extend the MsAD schema to include posix attributes. I think Ms calls this 'Ms Services For Unix'. Doing so will add uid, gid, homedir, and login-shell attributes. They have their own ms-hopped-up names, but that's what they're for.

Populate the MsAD schema w. the values you already have in your unix system. You could do this manually, but you could also write scripts to do it. The script(s) would use LDAP to update MsAD. I did this 2 years ago. It's some work, but you only do it once, and then you're set ever after.

Criterion 2:
-------------
Use pam to allow authentication via either the existing unix password, or via winbind. I am not a pam expert, but here's the general kind of approach I've used for situations like this:

    auth sufficient pam_winbind.so
    auth required   pam_unix.so

In summary, I believe that what you want is achievable.
Good luck, Jon
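Jon's "criterion 1" is a one-off bulk write of POSIX attributes into AD, and the scripted way to do it is to generate LDIF from the existing /etc/passwd and feed it to ldapmodify. The following is an added example, not code from the thread or from Jon: it parses passwd lines, skips system accounts, checks for duplicate uids (two AD users sharing a uidNumber would read each other's files), and emits one "changetype: modify" record per user. The attribute names assumed are the RFC 2307 ones carried by the Windows Server 2003 R2 and later schema (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos); the older Services for Unix 3.x schema uses msSFU30-prefixed names, selectable via ATTR_SETS. The base DN, the user container, the passwd lines, the UNIX-to-AD name mapping and the assumption that each user's RDN equals its sAMAccountName are all constructed for the example.

```python
"""Generate LDIF that populates AD POSIX attributes from /etc/passwd.

Added example, not from the thread. Everything below the docstring that
names a host, DN, user or path is an assumption made for illustration.
"""
import base64

# Attribute names per schema. rfc2307 = Windows 2003 R2/2008+ schema;
# sfu30 = Microsoft Services for Unix 3.x schema.
ATTR_SETS = {
    "rfc2307": {"uid": "uidNumber", "gid": "gidNumber",
                "home": "unixHomeDirectory", "shell": "loginShell",
                "gecos": "gecos"},
    "sfu30": {"uid": "msSFU30UidNumber", "gid": "msSFU30GidNumber",
              "home": "msSFU30HomeDirectory", "shell": "msSFU30LoginShell",
              "gecos": "msSFU30Gecos"},
}

# Constructed /etc/passwd excerpt.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hpotter:x:1001:1001:Harry Potter:/home/hpotter:/bin/bash
jdoe:x:1002:1001:John Doe:/home/jdoe:/bin/zsh
"""

# UNIX login -> AD sAMAccountName where they differ (assumed). Logins not
# listed are taken to have the same name on both sides.
NAME_MAP = {"hpotter": "harry.potter", "jdoe": "john.doe"}


def parse_passwd(text, min_uid=1000):
    """Parse passwd(5) lines; accounts below min_uid are treated as system
    accounts and left out (they must never be pushed into AD)."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        uid, gid = int(uid), int(gid)
        if uid < min_uid:
            continue
        users.append({"name": name, "uid": uid, "gid": gid,
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def check_unique(users):
    """Report uids shared by more than one account; such a map would give
    two AD identities the same UNIX identity on every member server."""
    seen, problems = {}, []
    for u in users:
        if u["uid"] in seen:
            problems.append("uid %d shared by %s and %s"
                            % (u["uid"], seen[u["uid"]], u["name"]))
        seen.setdefault(u["uid"], u["name"])
    return problems


def escape_rdn(value):
    """Escape an RDN attribute value per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_value(attr, value):
    """One LDIF attribute line; base64-encode values LDIF cannot carry raw."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def to_ldif(users, base_dn, schema="rfc2307", container="CN=Users"):
    """Build modify records. 'replace' rather than 'add' so the file can be
    re-run after a partial import without 'attribute exists' failures."""
    attrs = ATTR_SETS[schema]
    out = []
    for u in users:
        sam = NAME_MAP.get(u["name"], u["name"])
        out.append("dn: CN=%s,%s,%s" % (escape_rdn(sam), container, base_dn))
        out.append("changetype: modify")
        for key, attr in attrs.items():
            out.append("replace: %s" % attr)
            out.append(ldif_value(attr, str(u[key])))
            out.append("-")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    users = parse_passwd(PASSWD)
    problems = check_unique(users)
    if problems:
        raise SystemExit("refusing to generate LDIF:\n" + "\n".join(problems))
    print(to_ldif(users, "DC=corp,DC=example,DC=com"))
```

The output is meant for something like `ldapmodify -H ldaps://dc.corp.example.com -D 'CN=posix-admin,CN=Users,DC=corp,DC=example,DC=com' -W -f posix.ldif` (host and bind DN assumed), over LDAPS, with an account that has write access only to those attributes. For Jon's criterion 2, the two-line PAM stack in his post works because `sufficient` ends the auth phase as soon as pam_winbind accepts the AD password, while a pam_winbind failure is not fatal and falls through to pam_unix, so the /etc/shadow password is accepted too; the price is that every such account now has two credentials to protect, and the uid the user lands on is whatever getent returns, which is why the uidNumber written above must match the existing /etc/passwd entry exactly.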