samba - Sep 2020 - OpenPVN authentication via Samba AD

Am 01.09.20 um 20:02 schrieb Kris Lou via samba:
> I use:
> 
> User naming attribute: sAMAccountName
> Group naming attribute: sAMAccountName
> Group member attribute: memberof
With Samba AD I use:

User naming attribute: sAMAccountName

Group naming attribute: cn

Group member attribute: memberof

Group Object Class: posixGroup

Search scope: Entire Subtree

(and I added an Extended Query after the basics worked)
> And if I recall, the groups are only returned if they match a local pfSense
> group (must have the same name).
I didn't follow this.

On 01/09/2020 19:10, Stefan G. Weichinger via samba
wrote:
> Am 01.09.20 um 20:02 schrieb Kris Lou via samba:
>> I use:
>>
>> User naming attribute: sAMAccountName
>> Group naming attribute: sAMAccountName
>> Group member attribute: memberof
> With Samba AD I use:
>
> User naming attribute: sAMAccountName
>
> Group naming attribute: cn
>
> Group member attribute: memberof
>
> Group Object Class: posixGroup
Don't use any of the 'posix' objectclasses, you cannot rely on them 
being there, this is because they are not required, you can have the 
RFC2307 attributes without them. There are very few tools that will add 
them and any that do can probably be described as 'broken'

I would suggest using the the 'group' objectclass.
>
> Search scope: Entire Subtree
>
> (and I added an Extended Query after the basics worked)
>
>> And if I recall, the groups are only returned if they match a local
pfSense
>> group (must have the same name).
> I didn't follow this.
That doesn't make sense, if the pfsense machine is joined to the domain, 
then all AD groups with a gidNumber attribute are 'local groups'.

Rowland

>> And if I recall, the groups are only returned if they match a local
pfSense
>> group (must have the same name).
> That doesn't make sense, (...)
And yet this is what the pfsense documentation explicitly says...
And the behavior I am observing here.