On 30.10.20 at 10:57, Rowland penny via samba wrote:
> On 30/10/2020 09:20, Thomas Besser via samba wrote:
>> Actually we have Samba 4.5.16 running under Devuan 2.0 (Ascii) as AD
>> member without winbind configured. UID and GID information comes
>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
> So you will have uidNumber and gidNumber attributes in AD.

No, AD does not have uidNumber and gidNumber. Only LDAP (a separate
OpenLDAP!) has this information.

Both AD and LDAP are provided by an identity management system, so they
are in sync regarding accounts and groups.

>> After the upgrade to Devuan 3.0 (Beowulf) with Samba 4.9.5 this
>> constellation does not work anymore. Samba insists on configuring
>> winbind.
> Yes it does, from Samba >= 4.8.0 with 'security = ADS' in smb.conf, you
> must run winbind. Before 4.8.0, smbd could contact AD directly, this
> facility has now been removed and smbd must go through winbind to
> contact AD.
>>
>> Can I configure winbind to use 'local' users and groups from NSS?
> No, local users are just that, local users, but you can make AD users
> into Unix users by using the winbind 'ad' backend. This works quite well.

Ok, then I would need a winbind 'ldap' backend. Does this exist?

Regards
Thomas

--
Karlsruher Institut für Technologie (KIT)
archIT [IT Management, Faculty of Architecture]
Dipl.-Ing. Thomas Besser
Building 11.40, Room 010 | Phone +49 721 608 46024
http://www.arch.kit.edu/fakultaet/it-management.php

KIT - The Research University in the Helmholtz Association
On 30/10/2020 10:09, Thomas Besser via samba wrote:
> On 30.10.20 at 10:57, Rowland penny via samba wrote:
>> On 30/10/2020 09:20, Thomas Besser via samba wrote:
>>> Actually we have Samba 4.5.16 running under Devuan 2.0 (Ascii) as AD
>>> member without winbind configured. UID and GID information comes
>>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
>> So you will have uidNumber and gidNumber attributes in AD.
>
> No, AD does not have uidNumber and gidNumber. Only LDAP (a separate
> OpenLDAP!) has this information.

So, that's what you get for not really reading a post, I missed that.

> Both AD and LDAP are provided by an identity management system, so they
> are in sync regarding accounts and groups.

I think we might have been here before, but why use AD and LDAP? Why
not just use AD?

>> Ok, then I would need a winbind 'ldap' backend. Does this exist?
>
There is the 'idmap_ldap' winbind backend, but I do not think this will
work with 'security = ADS', but then I have never tried it and there is
also the problem that it is an allocating backend, i.e. your users and
groups will get new IDs.

There is also the 'idmap_nss' backend, but this will also suffer from
the same problems as 'idmap_ldap'.

I think your best idea will be to load your users and groups into AD with
the relevant uidNumber or gidNumber attributes and use this for
authentication and sync passwords between your AD and your LDAP.

Rowland
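An added configuration example, not from this thread and not a file from the Samba project, to make Rowland's recommendation concrete: a Samba >= 4.8 member server with 'security = ADS' (so winbind is mandatory) using winbind's 'ad' backend, which reads the uidNumber/gidNumber stored in AD instead of allocating new IDs. The workgroup, realm, host name and ranges below are assumptions. The 'ad' backend only works if the RFC2307 attributes are actually populated in AD, which is exactly what is missing in the setup described in the thread, so this shows the target state Rowland proposes, not a drop-in fix for the current one. The '*' default domain still needs an allocating backend (tdb) for BUILTIN and other well-known SIDs, and its range must not overlap the domain range.

```ini
# Added example smb.conf (assumed values, not from the thread).
[global]
   workgroup = EXAMPLEDOM
   realm = EXAMPLE.ORG
   netbios name = FILESERVER
   security = ADS

   # Default domain (BUILTIN, well-known SIDs): an allocating backend is
   # fine here. Its range must not overlap the domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The AD domain: take uidNumber/gidNumber from the AD objects
   # (RFC2307 schema). Nothing is allocated; an account whose
   # uidNumber, or whose primary group's gidNumber, is missing in AD
   # gets no Unix ID at all and will not resolve via getent.
   idmap config EXAMPLEDOM : backend = ad
   idmap config EXAMPLEDOM : schema_mode = rfc2307
   idmap config EXAMPLEDOM : range = 10000-999999
   # Also read loginShell/unixHomeDirectory from AD instead of the
   # template settings below.
   idmap config EXAMPLEDOM : unix_nss_info = yes

   # Contrast: the setting that produces the "new IDs" Rowland warns
   # about. Any allocating backend hands out the next free ID in its
   # range, per host, unrelated to the IDs kept in the external LDAP.
   #idmap config EXAMPLEDOM : backend = tdb
   #idmap config EXAMPLEDOM : range = 10000-999999

   template shell = /bin/bash
   template homedir = /home/%U
   winbind use default domain = yes
   winbind refresh tickets = yes
   kerberos method = secrets and keytab
```

To check the mapping after joining and starting winbind: `testparm` must not complain about idmap ranges, `net ads testjoin` must report a valid join, and `wbinfo -i <aduser>` together with `getent passwd <aduser>` must return the uidNumber that is stored on the AD object. If `wbinfo -i` succeeds but `getent` fails, the winbind NSS module is not listed in /etc/nsswitch.conf for passwd and group.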
On 30.10.20 at 11:30, Rowland penny via samba wrote:
> On 30/10/2020 10:09, Thomas Besser via samba wrote:
>> On 30.10.20 at 10:57, Rowland penny via samba wrote:
>>> On 30/10/2020 09:20, Thomas Besser via samba wrote:
>>>> Actually we have Samba 4.5.16 running under Devuan 2.0 (Ascii) as AD
>>>> member without winbind configured. UID and GID information comes
>>>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
>>> So you will have uidNumber and gidNumber attributes in AD.
>>
>> No, AD does not have uidNumber and gidNumber. Only LDAP (a separate
>> OpenLDAP!) has this information.
>
> So, that's what you get for not really reading a post, I missed that.
>
>> Both AD and LDAP are provided by an identity management system, so they
>> are in sync regarding accounts and groups.
>
> I think we might have been here before, but why use AD and LDAP?

Because they are there ;-)

I'm not the admin of these systems. In our big organization (kit.edu)
these two systems are provided by the computer center, which has all
users and groups in it.

>>> Ok, then I would need a winbind 'ldap' backend. Does this exist?
>>
> There is the 'idmap_ldap' winbind backend, but I do not think this will
> work with 'security = ADS', but then I have never tried it and there is
> also the problem that it is an allocating backend, i.e. your users and
> groups will get new IDs.
>
> There is also the 'idmap_nss' backend, but this will also suffer from
> the same problems as 'idmap_ldap'.

That's the reason why I configured NSS to get this information from
LDAP until now.

I don't want 'new IDs' for the users/groups in AD. I want to use the
real ones from LDAP.

I need a winbind backend with which I can use the information from the
configured NSS.

> I think your best idea will be to load your users and groups into AD with
> the relevant uidNumber or gidNumber attributes and use this for
> authentication and sync passwords between your AD and your LDAP.

No, that's no option for me. See above.

Regards
Thomas

--
Karlsruher Institut für Technologie (KIT)
archIT [IT Management, Faculty of Architecture]
Dipl.-Ing. Thomas Besser
Building 11.40, Room 010 | Phone +49 721 608 46024
http://www.arch.kit.edu/fakultaet/it-management.php

KIT - The Research University in the Helmholtz Association
https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD

Might help here.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Thomas Besser via samba
> Sent: Friday, 30 October 2020 11:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba as AD member & without winbind...
>
> On 30.10.20 at 11:30, Rowland penny via samba wrote:
> > On 30/10/2020 10:09, Thomas Besser via samba wrote:
> >> On 30.10.20 at 10:57, Rowland penny via samba wrote:
> >>> On 30/10/2020 09:20, Thomas Besser via samba wrote:
> >>>> Actually we have Samba 4.5.16 running under Devuan 2.0 (Ascii) as AD
> >>>> member without winbind configured. UID and GID information comes
> >>>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
> >>> So you will have uidNumber and gidNumber attributes in AD.
> >>
> >> No, AD does not have uidNumber and gidNumber. Only LDAP (a separate
> >> OpenLDAP!) has this information.
> >
> > So, that's what you get for not really reading a post, I missed that.
> >
> >> Both AD and LDAP are provided by an identity management system, so they
> >> are in sync regarding accounts and groups.
> >
> > I think we might have been here before, but why use AD and LDAP?
>
> Because they are there ;-)
>
> I'm not the admin of these systems. In our big organization (kit.edu)
> these two systems are provided by the computer center, which has all
> users and groups in it.
>
> >>> Ok, then I would need a winbind 'ldap' backend. Does this exist?
> >>
> > There is the 'idmap_ldap' winbind backend, but I do not think this will
> > work with 'security = ADS', but then I have never tried it and there is
> > also the problem that it is an allocating backend, i.e. your users and
> > groups will get new IDs.
> >
> > There is also the 'idmap_nss' backend, but this will also suffer from
> > the same problems as 'idmap_ldap'.
>
> That's the reason why I configured NSS to get this information from
> LDAP until now.
>
> I don't want 'new IDs' for the users/groups in AD. I want to use the
> real ones from LDAP.
>
> I need a winbind backend with which I can use the information from the
> configured NSS.
>
> > I think your best idea will be to load your users and groups into AD with
> > the relevant uidNumber or gidNumber attributes and use this for
> > authentication and sync passwords between your AD and your LDAP.
>
> No, that's no option for me. See above.
>
> Regards
> Thomas
>
> --
> Karlsruher Institut für Technologie (KIT)
> archIT [IT Management, Faculty of Architecture]
> Dipl.-Ing. Thomas Besser
> Building 11.40, Room 010 | Phone +49 721 608 46024
> http://www.arch.kit.edu/fakultaet/it-management.php
>
> KIT - The Research University in the Helmholtz Association
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba