On Wed, August 10, 2016 11:47, Rowland Penny wrote:
>> 1. Logon to AD from a Windows OS domain member. User obtains UID,
>> GID from LDAP but ignores shell (there is no alternative to MS-Windows
>> on the client) and the home directory (which is the USERS home drive
>> share or local drive in any case).
>
> No, it is only if you log into the DC that you only get the IDs,
> anywhere else and you can use the RFC2307 attributes if they are set.
>
Got it. Thanks.
>>
>> 2. Logon to AD from a *NIX OS domain member. User obtains UID, GID,
>> shell, and home directory path from AD.
>
> Sort of, it all depends on how smb.conf on the domain member is set
> up.
>
> If you want to obtain the info from AD, it must be in AD and Samba
> must be set up to get it.
>
> Try reading this wiki page:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
>>
>> Is there a reference as to how UNIX hosts are added to the Domain
>
> That is on the wiki page, but it is fairly simple, set up the host
> correctly including smb.conf and then run:
>
> net ads join -U Administrator
>
>> (SSSD?) or is that unnecessary?
>
> The only place where you may need sssd, is on a DC and then only
> if you want to use it as a fileserver along with using the
> RFC2307 attributes stored in AD.
>
>> I ask because one of my goals is to
>> implement a single sign-on for our Unix host users via the Samba AD.
>
> If you mean storing your Unix users in AD and then allowing them to
> login to Unix machines that are joined to the domain, then this is
> very possible. The users home directories don't have to exist, you can
> set PAM to create these at login.
>
>> These machines come and go but not with any great frequency. Many are
>> themselves virtualised. Most are accessed via ssh or using OPENVPN
>> (which will be certificate based anyway).
>>
>> I am hoping that adding the PAM AD authentication will alleviate some
>> of the tediousness of setting up temporary hosts for an unknown number
>> of users. Respecting which, are there references to any scripts that
>> can be run to automatically set-up a user's home directory upon first
>> login to an AD authenticated *NIX host?
>
> You do this by adding this line to /etc/pam.d/common-account
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
Thank you for this. You have been most helpful.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
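As an added example (not from the thread or from Samba), here is a small POSIX sh check for the pam_mkhomedir line discussed above: it confirms the module is actually enabled on a session line and that the umask it carries (pam_mkhomedir defaults to 0022 when none is given) removes the write bit for group and other, so home directories created at first login are not world-writable. The PAM fragments it runs against are constructed samples, and the file path is passed in rather than assumed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PAM file for an active
# pam_mkhomedir line and flag a umask that would leave new home
# directories group- or world-writable.

# check_mkhomedir FILE -> 0 if a non-commented "session ... pam_mkhomedir.so"
# line exists whose umask (default 0022 when absent) clears the write
# bit for group and other; 1 otherwise.
check_mkhomedir() {
    file="$1"
    line=$(grep -E '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "$file: pam_mkhomedir.so is not enabled on a session line" >&2
        return 1
    fi
    umask_val=$(printf '%s\n' "$line" | sed -n 's/.*umask=\([0-7]*\).*/\1/p')
    [ -n "$umask_val" ] || umask_val=0022
    # keep only the last three octal digits: user, group, other
    padded="000$umask_val"
    padded=${padded#"${padded%???}"}
    group=${padded%?}; group=${group#?}
    other=${padded#??}
    # an octal digit without bit 2 (0,1,4,5) leaves that class with write
    case "$group$other" in
        *[0145]*)
            echo "$file: umask=$umask_val keeps group/other write on new homes" >&2
            return 1 ;;
    esac
    echo "$file: ok (umask=$umask_val)"
    return 0
}

# Constructed sample PAM fragments (not real system files).
GOOD_PAM=$(mktemp)
printf '%s\n' '# constructed sample' \
    'session required pam_unix.so' \
    'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' > "$GOOD_PAM"
WEAK_PAM=$(mktemp)
printf '%s\n' 'session required pam_unix.so' \
    'session optional pam_mkhomedir.so skel=/etc/skel/ umask=0000' > "$WEAK_PAM"
MISSING_PAM=$(mktemp)
printf '%s\n' 'session required pam_unix.so' \
    '# session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' > "$MISSING_PAM"

check_mkhomedir "$GOOD_PAM"
check_mkhomedir "$WEAK_PAM" || true      # flagged: umask 0000
check_mkhomedir "$MISSING_PAM" || true   # flagged: only a commented-out line
```

Run it against the real file after editing, e.g. `check_mkhomedir /etc/pam.d/common-account`, and fix the line before the first user logs in.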