I am being forced by the upper management to tie our Linux system
logins to the corporate Windows Active Directory accounts. The
problem is our UNIX accounts do not match our corporate AD
accounts in either name or underlying UID. For just plain
Linux login I solved this issue using OpenLDAP with SASL PassThru
so I can set my 'raines' user password in LDAP to be
"{SASL}per2"
where per2 is my corporate account.
This does not help though with SAMBA. I was hoping there was a way
to use samba idmap/winbind such that when someone logs into samba
on one of my Linux boxes configured to use our corporate AD realm
with say the 'per2' account it remaps that user to 'raines' in
file operations on the box. Is there a way to do this with the
idmap ldap backend by manually editing each user record there
with the right mapping? I can find no examples of this.
---------------------------------------------------------------
Paul Raines http://help.nmr.mgh.harvard.edu
MGH/MIT/HMS Athinoula A. Martinos Center for Biomedical Imaging
149 (2301) 13th Street Charlestown, MA 02129 USA
On Wed, 28 Sep 2016 09:07:55 -0400 (EDT) Paul Raines via samba <samba at lists.samba.org> wrote:
>
> I am being forced by the upper management to tie our Linux system
> logins to the corporate Windows Active Directory accounts. The
> problem is our UNIX accounts do not match our corporate AD
> accounts in either name or underlying UID. For just plain
> Linux login I solved this issue using OpenLDAP with SASL PassThru
> so I can set my 'raines' user password in LDAP to be "{SASL}per2"
> where per2 is my corporate account.
>
> This does not help though with SAMBA. I was hoping there was a way
> to use samba idmap/winbind such that when someone logs into samba
> on one of my Linux boxes configured to use our corporate AD realm
> with say the 'per2' account it remaps that user to 'raines' in
> file operations on the box. Is there a way to do this with the
> idmap ldap backend by manually editing each user record there
> with the right mapping? I can find no examples of this.
>
>

Read the 'username map' portion of 'man smb.conf'

Rowland
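
A sketch of the 'username map' setup the reply points to, added here as an example and not part of the original thread. The domain name CORP, the realm CORP.EXAMPLE.COM and the path /etc/samba/user.map are placeholders; 'raines' and 'per2' are the accounts from the question, and 'raines' is assumed to already resolve as a Unix user on the server.

```ini
# ---- /etc/samba/smb.conf (fragment, domain-member file server) ----
[global]
    security = ads
    # Placeholder domain and realm; substitute the corporate values.
    workgroup = CORP
    realm = CORP.EXAMPLE.COM
    # File that maps authenticated client names to local Unix names.
    username map = /etc/samba/user.map

# ---- /etc/samba/user.map (separate file, one mapping per line) ----
# Format:  unix_name = client_name [client_name ...]
# On a domain member the map is applied after the domain controller
# has authenticated the user, so the right-hand side must be the
# fully qualified DOMAIN\user form.
# A leading '!' stops processing of later lines once this line matches.
!raines = CORP\per2
```

Because this file decides which Unix identity an authenticated AD user receives, keep it owned by root and not writable by any other account, and review changes to it like any other access-control change.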