[Samba] Samba + LDAP - PDC (i.e. workgroup)

peter pan lanwanhr at yahoo.com
Tue Nov 11 13:29:03 GMT 2003


> > There's lots of howtos and mailing list posts about creating a PDC with
> > samba and LDAP.  What I want to do is to continue with workgroup
> > operation (at least until all our clients are NT).
> 
> A "domain" is really only of relevance to machines that have joined the
> domain. For machines that aren't domain members, it looks like a
> workgroup with passwords sync'ed between servers that are domain members.
> 

So even though I'm achieving the password sync with an
LDAP directory, and all clients are workgroup mode - a
domain would still be suitable and could be properly
utilised as a domain in the future...

> > All I essentially want to do is to move the smbpasswd file on our 30 or
> > so servers to LDAP (after sorting out nss and PAM).  Can I do this?
> 
> Yes. But best by turning some of your servers into "domain controllers",
> but this largely has no effect on clients (unless you join them to the
> domain).
> 

Does utilising a PDC and BDC's cause network
traffic?  e.g. when a user logs on to their local
server (which I assume would be a member server) does
the member server need to check with the PDC for
authentication?  (Or would all remote offices need a
BDC)?

> > Also we have a replicated LDAP directory provided by our openldap
> > servers - one master updating 29 slaves.  The slaves (running samba)
> > are not allowed to update the master server.  Is this a problem for
> > samba/LDAP operation?
> 
> Not necessarily.
> 

I asked this because I thought samba in some modes
needed to update the LDAP directory upon user login
(last login attributes etc).  

> > Obviously account and password changes need to be done on the master
> > server but this is desirable for us.  I think the PDC + LDAP solution
> > means that the LDAP directory is written to by samba upon each user
> > login
> 
> I don't think this is true, why would this be necessary?
> 

See above.  I plan to use a custom cgi script to
perform samba user additions and password changes. 
Presumably if this was implemented samba wouldn't ever
need to write to the directory - and would only need
an LDAP acl to view the appropriate password
attributes.

> > - this wouldn't be desirable for us as 30 servers on slow WAN links
> > would be updated every user login.  The local smbpasswd file doesn't
> > seem to be updated at the moment when someone logs in - so I'm assuming
> > a workgroup + LDAP solution wouldn't be a problem for us in this regard.
> 
> Neither would an LDAP+domain.
> 

IF there's no extra traffic generated as a result of
PDC's/BDC's/member servers over standalone workgroup
servers (for lack of a better term) using LDAP then we
would be able to do this.

> > Also - is there any way to use a custom schema or perform schema
> > mapping?
> 
> Could you be more specific?
> 

We already have an LDAP directory which uses custom
schema (i.e. no posixaccount etc).  I'd like the
option to make samba use different attributes and
objects (I'm assuming this would be a source code
change - and I think I've found the two files).

> > I'm using samba 2.2.8a on the 29 slave servers - I prefer not to update
> > to samba 3 if it's not required.
> 
> It may be better to migrate to samba3. With samba-2.2.8a you need to
> install a different binary for LDAP support, whereas samba3 can be
> configured at run-time. Plus, when you do eventually join machines to the
> domain, you will have domain groups available.
> 
> Migrating from samba-2.2.x+ldap to samba3+ldap is probably more
> challenging than migrating from samba-2.2.x to samba3+ldap, and
> migrating from samba-2.2.x to samba-2.2.x+ldap is probably about the
> same, so overall you win by going straight to samba3 (if you do your
> homework).
> 
> You can see what it would take to go from samba-2.2.x to
> samba-2.2.x+ldap at http://mandrakesecure.net

Fair enough.  I've built the samba 3 binary with
--ldapsam (which I think means use the old schema).
Some initial testing seems OK in this area (with the
workgroup model).

One quick question - I've deja'd (I still call it
that) for a solution to specify more than one LDAP
server for fault tolerance.  There were some patches
for older samba's - not sure if this has now been
resolved?

Cheers for the help, Buchan

Pete.
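As an added example (not part of this thread, and not the Samba project's own configuration): a Samba 3 smb.conf for one of the slave servers kept in workgroup mode, reading accounts from its local read-only OpenLDAP slave with a second slave listed as a fallback. The workgroup name, host names, DNs and the Samba 3 sambaSamAccount attribute names are assumptions.

```ini
# Added example: Samba 3 member server in workgroup mode, accounts read
# from a read-only OpenLDAP slave.  Names and DNs are assumed values.
[global]
   workgroup = EXAMPLE
   security = user
   # Stay in workgroup mode: no PDC/BDC role, no domain logons.
   domain logons = no
   domain master = no
   local master = no

   # Samba 3 accepts several space-separated URIs and tries them in
   # order, so the local slave comes first and a remote slave is the
   # fallback for fault tolerance.
   passdb backend = ldapsam:"ldap://ldap-local.example.com ldap://ldap-backup.example.com"
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=com
   # Bind password is stored out of band with: smbpasswd -w <secret>
   # Require TLS so LM/NT hashes never cross the WAN in the clear.
   ldap ssl = start tls
   # Give up on an unreachable slave quickly and move to the next URI.
   ldap timeout = 5

   # The slaves are read-only, so the bind DN only needs read access to
   # the password attributes; an equivalent slapd.conf ACL (assumed) is:
   #   access to attrs=sambaLMPassword,sambaNTPassword
   #       by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" read
   #       by * none
   # Anything that must write (account creation, password changes) goes
   # to the master through a separate path, as the thread describes.
```

With this layout samba never needs write access on the slave, so a compromised slave bind credential exposes only read access to the hashes, which is why those attributes should be readable by the samba DN alone.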
