Hmm, I played around with this nss_ldap, also with the rfc2307 from winbind.
It all looks nice, but Samba4 does not have the POSIX schema loaded
and filled in for users by default.
If I make a new user, it will not have the POSIX attributes,
and the attributes are not auto-set (no uid, gid).
So yes, it can get around the problem, but it creates a bunch of new ones.
Too bad we can't do the nss_ldap mapping within winbind,
since it's only the (unix) homedir we're after.
Thanks anyway...
Collen
On 24-5-2012 19:11, steve wrote:
> Hi
>
> Making it default is the easy bit. Install nss-pam-ldapd (libnss-ldapd
> and libpam-ldapd under Debian).
>
> Here is our config in /etc/nslcd.conf
>
> uid nslcd
> gid nslcd
> uri ldap://sam4dc.polop.site
> base dc=polop,dc=site
> map passwd uid samAccountName
> map passwd homeDirectory unixHomeDirectory
> #map group uniqueMember member
> sasl_mech GSSAPI
> sasl_realm POLOP.SITE
> krb5_ccname /tmp/nslcd.tkt
>
> Most of this is site-dependent, but the mappings are all that are
> important. The latest version (0.8.4 and up) maps group members too, hence
> the commented-out line.
>
> We have written scripts to implement this but you can do this from Linux
> using ldbedit to add only the objects and attributes
> you need.
>
> Here is an example of a user called steve2 (created with samba-tool user add steve2
> or from ADUC in Windows) in the directory, to which we have added the
> attributes necessary for the nss-ldapd mappings:
>
> dn: CN=steve2,CN=Users,DC=polop,DC=site
> cn: steve2
> instanceType: 4
> whenCreated: 20120508141303.0Z
> uSNCreated: 3719
> name: steve2
> objectGUID: 2e73c14e-976e-431e-830e-863494cc4a1c
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> objectSid: S-1-5-21-1196638036-2541980263-511278767-1105
> logonCount: 0
> sAMAccountName: steve2
> sAMAccountType: 805306368
> userPrincipalName: steve2@polop.site
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=polop,DC=site
> pwdLastSet: 129809599830000000
> uidNumber: 3000008
> unixHomeDirectory: /home2/CACTUS/steve2
> loginShell: /bin/bash
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> profilePath: \\sam4dc\profiles\steve2
> homeDrive: Z:
> homeDirectory: \\sam4dc\home\steve2
> memberOf: CN=staff,CN=Users,DC=polop,DC=site
> primaryGroupID: 513
> gidNumber: 20513
> userAccountControl: 66048
> accountExpires: 0
> whenChanged: 20120518160301.0Z
> uSNChanged: 3944
> distinguishedName: CN=steve2,CN=Users,DC=polop,DC=site
>
> You can either add the objects and attributes to taste using ldbedit or
> write scripts to add
> them for you. We have written a suite of well tested scripts called
> 's4bind' which do all this for you. Remember, if the attributes are
> stored in the directory and mapped by something up to date which
> understands AD, then there can never be any confusion as to uid, gid,
> home directory or whatever. m$ have granted us free access to the posix
> attributes necessary to connect Linux machines to 2008r2 and therefore
> Samba4 AD. Let's use them to our advantage.
>
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
>
> Cheers,
> Steve
>