On Thu, 23 Jun 2016, Bedynek, Matthew J. wrote:
> I would first like to be able to provide user/password authentication
> via Active directory simply because it would allow the user to access
> shares without prompting a password if he is already logged into domain
> from client.
>
> However, I would like to control security by using the user/group
> information available from OpenLDAP server (not AD).
>
> I am fortunate that username / password in AD and OpenLDAP are
> synchronized. However, group membership is not.

As far as I know, smbd just uses standard system calls to look up file
uid/gid ownership info. So what you should be able to do is configure the
system to use OpenLDAP with sssd. This means all of your system logins
and file permissions will be on OpenLDAP. Then you can just do a "net ads
join <yourdomain>" (you may need to set up Kerberos too, for passwordless
auth), and Samba will join your Active Directory domain. Samba will
always use Active Directory authentication, but it will use the system
uid/gid lookup for user/group information.

That said, there is a possibility that using LDAP for user info would
cause a problem with Kerberos, in which case you could use winbindd/Active
Directory for the system lookups as well, but in nsswitch.conf, set
"group: files sss", and leave passwd and shadow at "files winbind". This
way the system would only use sssd for group lookups, but use Active
Directory for everything else.

I think where you might run into trouble is if you have Windows ACLs on
your files, as I think smbd may use winbind to translate the SIDs into
uid/gid in that case. I believe Windows ACLs are disabled by default, so
you should be fine as long as you don't enable them.
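The nsswitch.conf split described in the reply above (users and shadow
from winbind, groups from sss), as an added example that is not part of
the original thread. The sample file is constructed here for
illustration; check_split only verifies that the file says what the
reply recommends, and the smb.conf values mentioned in the usage note
(realm, workgroup) are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: write the nsswitch.conf
# layout the reply describes, and verify a file actually has that split.

# Constructed sample of the recommended layout: passwd and shadow come
# from winbind (Active Directory), group comes from sss (OpenLDAP).
write_sample_nsswitch() {
    cat > "$1" <<'EOF'
# constructed sample, not a live system file
passwd:     files winbind
shadow:     files winbind
group:      files sss
hosts:      files dns
EOF
}

# nss_sources DB FILE -> prints the source list configured for database DB
# (e.g. "files winbind"), or nothing if DB is not present.
nss_sources() {
    awk -v db="$1" '$1 == db ":" { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# check_split FILE -> returns 0 when passwd and shadow resolve through
# winbind and group resolves through sss *without* winbind; returns 1
# (and prints why) otherwise. A winbind entry on the group line would let
# AD group membership shadow the OpenLDAP groups, which is what the
# original poster wants to avoid.
check_split() {
    f="$1"; rc=0
    for db in passwd shadow; do
        case " $(nss_sources "$db" "$f") " in
            *" winbind "*) ;;
            *) echo "$db: winbind not in source list"; rc=1 ;;
        esac
    done
    g=" $(nss_sources group "$f") "
    case "$g" in
        *" sss "*) ;;
        *) echo "group: sss not in source list"; rc=1 ;;
    esac
    case "$g" in
        *" winbind "*) echo "group: winbind present, would override LDAP groups"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh nss_split.sh demo      -> check the constructed sample
#        sh nss_split.sh /etc/nsswitch.conf -> check a live file
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); write_sample_nsswitch "$tmp"
    check_split "$tmp" && echo "nsswitch split OK"
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    check_split "$1" && echo "nsswitch split OK"
fi
```

After the split checks out, `getent passwd <aduser>` should answer via
winbind and `getent group <ldapgroup>` via sss. The "net ads join" step
from the reply needs smb.conf to carry `security = ads`, `realm = <your
Kerberos realm>` and `workgroup = <your NetBIOS domain>` (placeholders
here); the join itself is interactive and is deliberately not run by the
script.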