[Samba] Re: security = user, LDAP, and adding users to ACLs
Stephane Russell
stephane.russell at prodigeinfo.com
Wed Dec 12 03:20:25 GMT 2007
Except for the ldap.conf file, my machine was well configured. But I
learned that nsswitch is not yet fully implemented in DragonFly BSD, the
OS I use. So I guess this is why it won't work. Fortunately, Samba works
great as a simple print/file manager, but it's not fully functional
here as a domain server.
Thanks for the answer.
SR
Nelson Vale wrote:
> If your Samba is running as a PDC, and you are logged in the samba domain, you
> are able to list the LDAP users in the shares or files security tab, and you
> don't need winbind. All you need is nsswitch.conf configured with:
>
> # /etc/nsswitch.conf
> #
>
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
>
> Plus ldap.conf like:
>
> bindpw xxxxxxxx
> binddn xxxxxxxxxxx
> uri ldap://xxx.xxx.xxx.xxx
> base dc=local,dc=loc
> rootbinddn xxxxxxxxxxxxxxxxxxxxx
> host 127.0.0.1
> ldap_version 3
> scope one
> ssl no
> pam_login_attribute uid
> pam_member_attribute gid
> pam_password md5
> nss_base_passwd dc=local,dc=loc?sub
> nss_base_shadow dc=local,dc=loc?sub
> nss_base_group ou=Groups,dc=local,dc=loc?one
>
>
>
> In smb.conf you need to put something like:
>
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
> ldap suffix = dc=local,dc=loc
> ldap admin dn = cn=xxxxxxxxxxxxxxxxxxxxxx
> ldap idmap suffix = ou=Idmap
>
>
> Your LDAP must also have the default samba Domain Groups.
>
>
> On Thursday 06 December 2007 20:29, Shammah Chancellor wrote:
>> Hi,
>>
>> Problem:
>>
>> I seem to be able to add users to ACLs from windows due to an "Name Not
>> Found" error when looking up a username. According to what I have been
>> able to find, you cannot browse users on a samba server from windows
>> without winbind and "security = domain/ads". However, winbind does not
>> have any place in my environment aside from remedying this problem. Is
>> there some alternative to enable this feature, or method of setting up
>> winbind that is innocuous in my environment while maintaining "security
>> = user"?
>>
>> Background on the Environment:
>>
>> I am running Samba 3.0.25c on Solaris 10u4 with "security = user". I
>> am using the vfs object "zfsacl" to enable ACL support on my zfs
>> filesystem. We use LDAP as a password backend, which also stores
>> sambaSIDs for every user. SIDs and unix UIDs are synchronized across
>> all the samba servers because they all use the same LDAP backend.
>>
>> Thanks in advance!
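As an added example (not from this thread or the Samba project), a small Python linter for the nsswitch.conf / ldap.conf pairing Nelson describes: it checks that passwd, group and shadow all consult ldap and have an nss_base_* entry, and flags the risk of shipping a bindpw with "ssl no" over a non-loopback uri. The two config strings are constructed sample input modelled on the thread, not anyone's real files.

```python
"""Lint the nsswitch.conf / ldap.conf pairing a Samba PDC needs for LDAP lookups."""
from __future__ import annotations

# Constructed sample input modelled on the thread's configs (placeholder values).
NSSWITCH = """
# /etc/nsswitch.conf
passwd: files ldap
group:  files ldap
shadow: files
"""
LDAP_CONF = """
bindpw secret-placeholder
binddn cn=proxy,dc=local,dc=loc
uri ldap://192.0.2.10
base dc=local,dc=loc
ssl no
nss_base_passwd dc=local,dc=loc?sub
nss_base_group ou=Groups,dc=local,dc=loc?one
"""

def parse_nsswitch(text: str) -> dict[str, list[str]]:
    """Map each database to its ordered source list; comments and blanks skipped."""
    out: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, srcs = line.split(":", 1)
            out[db.strip()] = srcs.split()
    return out

def parse_ldap_conf(text: str) -> dict[str, str]:
    """nss_ldap style 'key value' lines; keys are case-insensitive."""
    out: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            out[key.lower()] = val.strip()
    return out

def lint(nss: dict[str, list[str]], ldap: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the pairing looks sane."""
    findings = []
    for db in ("passwd", "group", "shadow"):
        if "ldap" not in nss.get(db, []):
            findings.append(f"nsswitch: '{db}' does not consult ldap")
        if f"nss_base_{db}" not in ldap:
            findings.append(f"ldap.conf: nss_base_{db} missing (falls back to 'base')")
    uri = ldap.get("uri", "")
    loopback = "127.0.0.1" in uri or "localhost" in uri or uri.startswith("ldapi://")
    plain = ldap.get("ssl", "no") == "no" and not uri.startswith("ldaps://")
    if "bindpw" in ldap and plain and not loopback:
        findings.append("ldap.conf: bindpw sent in cleartext over non-loopback uri (ssl no)")
    return findings
```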