On 11/05/2013 10:34 AM, maikcat wrote:
>
> hello all,
>
> i administer 40 Linux SLES 11 Sp3 servers (x64 & s390) which i currently
> use openldap with ppolicy for authorization & authentication.
>
> i Was asked if i could use the existing customers AD infrustructure
> instead of openldap,
> i successfully managed to read AD users by adding unix attributes to AD
> and configure nss_ldap module for user authorization
> and kerberos for authentication.
>
> the problem is that in my current openldap setup i use the host
> attribute to filter which user can login where,
> my first question is if anyone tried to achive the same functionality
> with openldap/ppolicy/host attr combo with AD (ldap for nss & krb5 for
> auth)?
>
> i also tried to use winbind but i faced different problems...
>
> although i managed to join the linux server on domain, retrieve user
> list via wbinfo -u (net ads testjoing reports ok, kinit with a domain
> user also reports ok)
> i cant get userlist via getent (i added winbind to nssswitch file).
>
> my second question is if winbind can achieve my current functionality?
>


I usually add enum groups and enum users in the winbind section of smb.conf.
And I set default domain as well.

I'm away from the office right now... I can post more exact details.

Mine works... I can use getent passwd and see my AD accounts.

About the only I don't like is that every platform gets a different uid mapping
for the same user. One solution is to use something else like NIS to enforce a
uid and effectively "smash" the two together. So AD can be used for the
password, and NIS is strictly there to keep the uid's in line across platforms
(which matters quite a bit).