[Samba] Samba + LDAP - PDC (i.e. workgroup)
peter pan
lanwanhr at yahoo.com
Tue Nov 11 13:29:03 GMT 2003
> >
> > There's lots of howtos and mailing list posts about
> > creating a PDC with samba and LDAP. What I want to do
> > is to continue with workgroup operation (at least
> > until all our clients are NT).
>
> A "domain" is really only of relevance to machines
> that have joined the domain. For machines that aren't
> domain members, it looks like a workgroup with
> passwords sync'ed between servers that are domain
> members.
>
So even though I'm achieving the password sync with an
LDAP directory, and all clients are workgroup mode - a
domain would still be suitable and could be properly
utilised as a domain in the future...
> > All I essentially want to do is to move the
> > smbpasswd file on our 30 or so servers to LDAP
> > (after sorting out nss and PAM). Can I do this?
>
> Yes. But best by turning some of your servers into
> "domain controllers", but this largely has no effect
> on clients (unless you join them to the domain).
>
Does utilising a PDC and BDCs cause network traffic?
e.g. when a user logs on to their local server (which I
assume would be a member server) does the member server
need to check with the PDC for authentication? (Or
would all remote offices need a BDC?)
> >
> > Also we have a replicated LDAP directory provided by
> > our openldap servers - one master updating 29
> > slaves. The slaves (running samba) are not allowed
> > to update the master server. Is this a problem for
> > samba/LDAP operation?
>
> Not necessarily.
>
I asked this because I thought samba in some modes
needed to update the LDAP directory upon user login
(last login attributes etc).
> > Obviously account and password changes need to be
> > done on the master server but this is desirable for
> > us. I think the PDC + LDAP solution means that the
> > LDAP directory is written to by samba upon each user
> > login
>
> I don't think this is true, why would this be
> necessary?
>
See above. I plan to use a custom cgi script to
perform samba user additions and password changes.
Presumably if this was implemented samba wouldn't ever
need to write to the directory - and would only need
an LDAP acl to view the appropriate password
attributes.
> > - this wouldn't be desirable for us as 30 servers on
> > slow WAN links would be updated every user login.
> > The local smbpasswd file doesn't seem to be updated
> > at the moment when someone logs in - so I'm assuming
> > a workgroup + LDAP solution wouldn't be a problem
> > for us in this regard.
>
> Neither would an LDAP+domain.
>
If there's no extra traffic generated as a result of
PDCs/BDCs/member servers over standalone workgroup
servers (for lack of a better term) using LDAP then we
would be able to do this.
> > Also - is there any way to use a custom schema or
> > perform schema mapping?
> >
>
> Could you be more specific?
>
We already have an LDAP directory which uses custom
schema (i.e. no posixaccount etc). I'd like the
option to make samba use different attributes and
objects (I'm assuming this would be a source code
change - and I think I've found the two files).
> > I'm using samba 2.2.8a on the 29 slave servers - I
> > prefer not to update to samba 3 if it's not
> > required.
>
> It may be better to migrate to samba3. With
> samba-2.2.8a you need to install a different binary
> for LDAP support, whereas samba3 can be configured at
> run-time. Plus, when you do eventually join machines
> to the domain, you will have domain groups available.
>
> Migrating from samba-2.2.x+ldap to samba3+ldap is
> probably more challenging than migrating from
> samba-2.2.x to samba3+ldap, and migrating from
> samba-2.2.x to samba-2.2.x+ldap is probably about the
> same, so overall you win by going straight to samba3
> (if you do your homework).
>
> You can see what it would take to go from samba-2.2.x
> to samba-2.2.x+ldap at http://mandrakesecure.net
Fair enough. I've built the samba 3 binary with
--ldapsam (Which I think means use the old schema).
Some initial testing seems OK in this area (with the
workgroup model).
One quick question - I've deja'd (I still call it
that) for a solution to specify more than one LDAP
server for fault tolerance. There were some patches
for older samba versions - not sure if this has now
been resolved?
Cheers for the help, Buchan
Pete.
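As an added illustration (not part of this thread, and not taken from the Samba project's own documentation), here is an smb.conf fragment for the setup discussed above: a Samba 3 server staying in workgroup mode, reading accounts from a read-only OpenLDAP replica through a bind DN that only needs read access to the password attributes, and listing two LDAP servers for the fault tolerance Pete asks about at the end. The host names, LDAP suffix and bind DN are assumed placeholders.

```ini
# Assumed example configuration: a Samba 3 workgroup server (not a PDC)
# backed by a read-only OpenLDAP slave. Host names, suffix and the bind
# DN are placeholders; comments must be on their own line in smb.conf.
[global]
    workgroup = EXAMPLE
    security = user
    # Stay in workgroup mode: no PDC/BDC role for this server.
    domain logons = no
    domain master = no

    # Two URIs in one quoted string: if the first server is unreachable,
    # Samba tries the next one in the list.
    passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com"
    # If the binary was built with --with-ldapsam and the Samba 2.2 schema
    # (sambaAccount with lmPassword/ntPassword) is kept, the backend name
    # is ldapsam_compat instead of ldapsam.

    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    # Bind as a dedicated DN whose slapd ACL grants read access to the
    # password-hash attributes and nothing more. Its password is stored
    # in secrets.tdb, not in this file, with:  smbpasswd -w <bind password>
    ldap admin dn = cn=samba,dc=example,dc=com

    # Hashes should not cross the WAN in the clear: upgrade the ldap://
    # connection with StartTLS.
    ldap ssl = start tls

    # Account and password changes are made on the master by the separate
    # CGI script, so Samba never needs write access to the replica.
    ldap passwd sync = no
    ldap delete dn = no
```

Run `testparm` after editing to confirm the parameter names are accepted by the installed Samba 3 build.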