[Samba] Re: What makes an account is DOMAIN ADMINISTRATOR?

Felipe Alfaro Solana felipe_alfaro at linuxmail.org
Fri Jul 25 11:36:58 GMT 2003


On Fri, 2003-07-25 at 21:54, paul wrote:

> sorry that I can't help. I'd love to see a decent explanation here.
>  From my experiments I can say that only a user with UID=0 can create 
> machine trust accounts (i.e. add a client to the domain), is that correct?

Yes, it is :-)

> I use LDAP as a backend and if my assumptions are correct, that would 
> mean it is not possible to have one LDAP SAM for multiple samba servers, 
> because having a user in LDAP with uid=0 would conflict with the local 
> root accounts.

That's not 100% accurate: you can use the same LDAP SAM for different
servers without conflicting with the local "root" account.

The "/etc/nsswitch.conf" file defines the order in which the system call
"getent" (which is used to retrieve information about users, groups and
hosts) will query the different naming services, like "files", "ldap" or
"nis".

You can, and should always, configure your Unix boxes to look first at
"files" (/etc/passwd, /etc/shadow and /etc/group) before looking at
network-based naming services like NIS/NIS+ or LDAP.

This is the recommended approach since if the LDAP server goes down, and
you configure "/etc/nsswitch.conf" to look at LDAP first, you'll
experience severe timeouts.
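An added example, not part of the thread: a small POSIX shell check that reads an nsswitch.conf and reports, for the passwd, shadow and group databases, whether a network-based source (ldap, nis, nisplus) is consulted before "files". The nsswitch.conf content is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Checks the lookup order
# of the passwd/shadow/group databases in an nsswitch.conf, flagging any
# database that asks a network source before "files" (the ordering the
# reply above recommends, so local root/system accounts resolve locally
# and an LDAP outage does not stall every lookup).

# Constructed sample configuration, not a real system's file.
# "passwd" is deliberately misordered; "group" carries an [action] token.
SAMPLE_NSSWITCH='passwd: ldap files
shadow: files ldap
group:  files [NOTFOUND=return] ldap
hosts:  files dns
'

# check_db DB CONTENT
# Prints one verdict: "ok" (files before any network source),
# "network-first" (ldap/nis/nisplus precede files),
# "no-files" (database present but never consults files),
# or "missing" (database not configured at all).
check_db() {
    db="$1"
    content="$2"
    line=$(printf '%s\n' "$content" | grep -E "^[[:space:]]*$db:" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    # Drop the "db:" prefix and any [STATUS=action] brackets; what is left
    # is the ordered list of source names.
    sources=$(printf '%s' "$line" | sed -e 's/^[^:]*://' -e 's/\[[^]]*]//g')
    for src in $sources; do
        case "$src" in
            files)            echo ok;            return 0 ;;
            ldap|nis|nisplus) echo network-first; return 0 ;;
        esac
    done
    echo no-files
}

# report: verdict for each account database in the sample configuration.
report() {
    for db in passwd shadow group; do
        printf '%-7s %s\n' "$db" "$(check_db "$db" "$SAMPLE_NSSWITCH")"
    done
}

report
```

Against the sample above the report flags passwd as network-first and accepts shadow and group; pointing the script at a live /etc/nsswitch.conf only requires feeding its contents in place of SAMPLE_NSSWITCH.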
