On Sun, Feb 7, 2010 at 8:29 PM, Christopher Chan <christopher.chan at bradbury.edu.hk> wrote:
>
>>> Take my advice:
>>> yum erase samba == uber happiness
>>>
>>> Get ldap working, no interop issues with the old samba version in rhel and
>>> newer ms servers. Plus you will be using something forward compatible that
>>> a txt edit could likely fix in the event something drastic changed in the
>>> schema and search filters for example had to change.
>>
>> +1
>>
>> We've been using nss_ldap against AD for years. It's never a problem.
>>
>>
>> Version 3.4.5 of Samba did end up resolving the issue I was having and now AD users can log in to the box. I am however interested in going the LDAP route mainly for the forward compatibility reason stated by Jeff. Is there anything special I need to do on the DC for the LDAP authentication to work?
>>
>
> Do we lose Kerberos security if one switches from samba + winbind to ldap?

No, but you'll have to generate UIDs and GIDs for all AD users and groups.... That is the one thing that has stopped me from using AD LDAP for user/group management.

You could use winbind to create a NIS map (sans passwords) and have Linux/Mac clients authenticate with NIS+Kerberos. That RID map feature of samba is great.

-Ross
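To show what "generate UIDs and GIDs" from AD actually involves when going the LDAP route, here is an added example (not from this thread or from Samba) that decodes the binary objectSid attribute AD returns over LDAP and derives a Unix ID from its RID the same way Samba's idmap_rid backend does (ID = RID - base RID + low range). The sample SID bytes, the 10000-999999 range and the base RID of 0 are constructed assumptions; a real deployment must pick a range that cannot collide with local accounts.

```python
import struct

# Constructed sample objectSid for S-1-5-21-111-222-333-1105 (RID 1105).
# Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
# authority (big-endian), then each sub-authority as a little-endian uint32.
SAMPLE_OBJECTSID = (
    b"\x01\x05"                       # revision 1, five sub-authorities
    b"\x00\x00\x00\x00\x00\x05"       # identifier authority 5 (NT authority)
    b"\x15\x00\x00\x00"               # 21
    b"\x6f\x00\x00\x00"               # 111
    b"\xde\x00\x00\x00"               # 222
    b"\x4d\x01\x00\x00"               # 333
    b"\x51\x04\x00\x00"               # 1105 (the RID)
)


def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary objectSid into the familiar S-1-5-... text form."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subauths = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d-%s" % (revision, authority,
                           "-".join(str(s) for s in subauths))


def rid_from_sid(sid_str: str) -> int:
    """The RID is the last sub-authority; it is unique per domain across users and groups."""
    return int(sid_str.rsplit("-", 1)[1])


def rid_to_unix_id(rid: int, low_range: int = 10000, high_range: int = 999999,
                   base_rid: int = 0) -> int:
    """idmap_rid-style algorithmic mapping; refuse IDs outside the configured range
    so an unexpected RID can never land on a local system account (e.g. uid 0)."""
    unix_id = rid - base_rid + low_range
    if not low_range <= unix_id <= high_range:
        raise ValueError("RID %d maps outside %d-%d" % (rid, low_range, high_range))
    return unix_id


def unix_id_for_objectsid(sid: bytes, **range_opts) -> int:
    """Convenience path: raw LDAP attribute bytes -> Unix uid/gid."""
    return rid_to_unix_id(rid_from_sid(sid_bytes_to_string(sid)), **range_opts)
```

The same function serves both users and groups: feed it a user's objectSid for the uid and the group's objectSid for the gid, and because RIDs never repeat within a domain the two cannot collide inside one range.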