Andres Tello Abrego
2013-Aug-15 16:45 UTC
[Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.
I'm lost in documentation.

I set up a Samba4 AD and configured winbind so I can have local authentication using PAM; I can now log in as AD users via ssh.

I want to achieve the Holy Grail of one source of users and passwords for both Linux and Windows machines, but I'm lost in documentation.

So far I know:
Samba4 can't use OpenLDAP as a backend.
Samba4's LDAP isn't really a full LDAP.
Samba4 provides uid/gid mapping using winbind or nslcd.

So far I'm using winbind, and I can see the Samba AD users added to the password database by executing:
getent passwd

But after that, I'm lost.
Can I implement "remote winbind" at remote Linux client machines?
Do I need to set up an OpenLDAP proxy?
If I set up an OpenLDAP proxy, should I use winbind or nslcd?
OpenLDAP now uses automatic configuration; any clue on how to implement the OpenLDAP proxy with this type?

Thanks...
Marc Muehlfeld
2013-Aug-15 17:27 UTC
[Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.
Hello Andres,

On 15.08.2013 18:45, Andres Tello Abrego wrote:
> I want to achieve the Holy Grail of one source of users and passwords for
> both Linux and Windows machines, but I'm lost in documentation.
> So far I know:
> Samba4 can't use OpenLDAP as a backend.

Right.

> Samba4's LDAP isn't really a full LDAP.

What do you mean by "is not a full LDAP"?

> Samba4 provides uid/gid mapping using winbind or nslcd.

Samba AD provides the backend, where the accounts are stored. To get the users to your local *nix system, you can use winbind, nslcd or sssd.

> Can I implement "remote winbind" at remote Linux client machines?

What is "remote winbind"?

> Do I need to set up an OpenLDAP proxy?

I would only use an OpenLDAP proxy to AD in my DMZ, because this saves me from having a Samba AD installation there with all those open ports, and Winbind on all DMZ machines.

> If I set up an OpenLDAP proxy, should I use winbind or nslcd?

If you get your information from AD via an LDAP proxy, I guess the only solution is LDAP-based tools like nslcd. I think Winbind can't access AD through an LDAP proxy, because it uses more than LDAP to talk to the DC (RPC or whatever).

> OpenLDAP now uses automatic configuration; any clue on how to implement the
> OpenLDAP proxy with this type?

Automatic configuration?

Here I placed e.g. a solution for an OpenLDAP proxy and examples for how to connect other services:
https://wiki.samba.org/index.php/Authenticating_other_services_against_AD

I guess it's really time to finish my Winbind/Nslcd/SSSD page on the different methods to get the directory users onto the local system. These questions are coming up very often these days :-) I already started a while ago. I'll try to find some time to finish and publish it next week.

Regards,
Marc
Gémes Géza
2013-Aug-16 05:12 UTC
[Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.
On 2013-08-15 18:45, Andres Tello Abrego wrote:
> I'm lost in documentation.
>
> I set up a Samba4 AD and configured winbind so I can have local
> authentication using PAM; I can now log in as AD users via ssh.
>
> I want to achieve the Holy Grail of one source of users and passwords for
> both Linux and Windows machines, but I'm lost in documentation.
> So far I know:
> Samba4 can't use OpenLDAP as a backend.
> Samba4's LDAP isn't really a full LDAP.
> Samba4 provides uid/gid mapping using winbind or nslcd.
>
> So far I'm using winbind, and I can see the Samba AD users added to the
> password database by executing:
> getent passwd
>
> But after that, I'm lost.
> Can I implement "remote winbind" at remote Linux client machines?
> Do I need to set up an OpenLDAP proxy?
> If I set up an OpenLDAP proxy, should I use winbind or nslcd?
> OpenLDAP now uses automatic configuration; any clue on how to implement the
> OpenLDAP proxy with this type?
>
> Thanks...

We use winbind from Samba 3.6.x on the non-DC Linux boxes for this. Winbind from Samba 4.0.x is under testing.

Our config (the relevant part of):

/etc/krb5.conf:
   [libdefaults]
   default_realm = YOURREALM

/etc/samba/smb.conf:
   [global]
   workgroup = YOURDOMAIN
   realm = YOURREALM
   kerberos method = system keytab
   security = ads
   winbind enum groups = yes
   winbind enum users = yes
   idmap config *:backend = tdb
   idmap config *:range = 1000000001-3000000000
   idmap config YOURDOMAIN:default = yes
   idmap config YOURDOMAIN:backend = ad
   idmap config YOURDOMAIN:range = 0-1000000000
   idmap config YOURDOMAIN:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind expand groups = 5
   winbind nested groups = yes
   winbind use default domain = yes

Of course the ranges depend on the uids/gids you've allocated.

Regards
Geza Gemes
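An added example, not part of the thread and not Samba's own tooling: the ranges in the idmap config lines above are the part of a member-server smb.conf that is easiest to get wrong, and an overlap between the default (*) range and the domain range means two different SIDs can be handed the same uid or gid, which silently breaks file permissions on the member. The script below parses the "idmap config ... : range" lines of an smb.conf, fails on overlapping or malformed ranges, and warns when a range starts below 1000 (it then collides with local accounts in /etc/passwd). The embedded sample config is constructed from the values in Geza's post; point it at the real file with "check_idmap_ranges < /etc/samba/smb.conf".

```shell
#!/bin/sh
# Added example (not from the thread): check the "idmap config ... : range"
# lines of an smb.conf before joining a member server. Overlapping ranges let
# two different SIDs map to the same uid/gid; ranges starting below 1000
# collide with local system accounts and are reported as a warning.

# Constructed sample: Geza's idmap settings from the thread, as a minimal smb.conf.
SMB_CONF_SAMPLE='[global]
   workgroup = YOURDOMAIN
   realm = YOURREALM
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 1000000001-3000000000
   idmap config YOURDOMAIN:backend = ad
   idmap config YOURDOMAIN:range = 0-1000000000'

# Reads smb.conf text on stdin and prints one line per problem found.
# Exit status: 0 = all ranges well-formed and disjoint,
#              1 = overlap, malformed range, or no idmap ranges at all.
check_idmap_ranges() {
    awk '
    BEGIN { rc = 0; n = 0 }
    /^[ \t]*idmap config/ && /:[ \t]*range[ \t]*=/ {
        line = $0
        sub(/^[ \t]*idmap config[ \t]*/, "", line)      # now "DOM : range = lo-hi"
        eq = index(line, "=")
        dom = substr(line, 1, eq - 1)
        sub(/[ \t]*:[ \t]*range[ \t]*$/, "", dom)        # keep only the domain name (or *)
        gsub(/[ \t]/, "", dom)
        rng = substr(line, eq + 1)
        gsub(/[ \t]/, "", rng)
        if (split(rng, b, "-") != 2 || b[1] !~ /^[0-9]+$/ || b[2] !~ /^[0-9]+$/ || b[1] + 0 > b[2] + 0) {
            printf "bad range for %s: %s\n", dom, rng
            rc = 1
            next
        }
        n++
        name[n] = dom; span[n] = rng; lo[n] = b[1] + 0; hi[n] = b[2] + 0
        if (lo[n] < 1000)
            printf "warning: %s range %s overlaps local system uids/gids\n", dom, rng
    }
    END {
        if (n == 0) { print "no idmap ranges found"; rc = 1 }
        # Pairwise interval test: two closed ranges overlap iff each starts
        # no later than the other ends.
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "overlap: %s (%s) and %s (%s)\n", name[i], span[i], name[j], span[j]
                    rc = 1
                }
        exit rc
    }'
}

# Stand-alone run against the embedded sample.
printf '%s\n' "$SMB_CONF_SAMPLE" | check_idmap_ranges
```

Once the ranges check out, the usual live verification on the member is `testparm -s` for syntax, `net ads testjoin` for the machine account, and `wbinfo -u` followed by `getent passwd <user>` to confirm that winbind resolves AD users through NSS with the uids you expect.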