[Samba] Setting up PDC w/ LDAP
Daniel L. Miller
dmiller at amfes.com
Tue May 27 22:45:24 GMT 2008
OK, payment in advance: :-) :-) :-)
Wait a minute, let me change currencies....
    _.-'''''-._
  .'  _    _  '.
 /   (o)  (o)  \
|               |
|   \        /  |
 \   '.    .'  /
  '.  `'---'` .'
    '-._____.-'

    _.-'''''-._
  .'  _    _  '.
 /   (o)  (o)  \
|               |
|   \        /  |
 \   '.    .'  /
  '.  `'---'` .'
    '-._____.-'

    _.-'''''-._
  .'  _    _  '.
 /   (o)  (o)  \
|               |
|   \        /  |
 \   '.    .'  /
  '.  `'---'` .'
    '-._____.-'
John H Terpstra wrote:
>> Something I haven't seen in print yet - so I'll ask the question. WHEN
>> is the appropriate time to use winbind with PDC's and BDC's?
>>
>
> Winbind is needed when you have domain member servers, and to deal with SIDs
> for users of trusted foreign domains. Winbind is essential for interdomain
> trust handling.
>
> If all your clients are domain members, and you never get clients from trusted
> domains on the network, you do not need winbind. You can operate without it
> without loss of service, but you will not have use of BUILTIN groups (these
> are created and managed by winbind).
>
>
Almost there. Really....
Do I NEED those builtin groups for anything? Do I WANT those builtin
groups for anything (besides avoiding those nuisance error messages in
my samba logs)?
If a couple of clients are non-domain members (laptops that periodically
plug in) - but still no trusted domains involved - is there any need for
winbind?
> First: Do NOT use a domain name that has a '.' in it. That has unexpected
> name resolution consequences. A Samba smb.conf workgroup= parameter should
> not have a dot in it.
>
>
Ok...now that I've set up everything (again, for the nth time), do I need
to reconfigure the server and every client? Or just rename it on the
server and the change will automagically propagate?
And beyond updating my srv records, will this have other DNS consequences?
>> idmap domains = AMFESLAN.LOCAL
>> idmap alloc backend = ldap
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> idmap alloc config:range = 10000-20000
>> idmap alloc config:ldap_url = ldap://127.0.0.1
>> idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
>> idmap config AMFESLAN.LOCAL:range = 10000-20000
>> idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
>> idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
>> idmap config AMFESLAN.LOCAL:backend = ldap
>> idmap config AMFESLAN.LOCAL:default = yes
>>
>
> IDMAP is used to allocate unique UID/GID's for users from a trusted domain so
> they can access resources in our domain. IDMAP is also used to create
> BUILTIN groups.
>
Ok...that part I get. What I don't get -
1. Is the above config (other than the domain name) correct?
2. How does this config differ from my original one - since the docs
say the previous version should have worked?
--
Daniel
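Editor's added example (not part of the message above, and not Samba project code): a small checker that parses the [global] section of an smb.conf and applies the two points raised in this thread to the idmap settings: the workgroup and idmap domain names must not contain a '.', and each idmap domain needs a backend, a well-formed range, and (for the ldap backend) an LDAP URL and base DN. It also flags overlapping ranges between domains and an alloc range that does not sit inside any domain's range; those two checks are my own sanity rules for this example, not something stated in the thread. The sample config embeds the settings quoted in the post; the `workgroup = AMFESLAN.LOCAL` line is assumed, since the post mentions the dotted name but does not show that line. The corrected config simply drops the `.LOCAL` suffix.

```python
import re

# Constructed sample: the idmap settings quoted in the post. The workgroup
# line is an assumption for this example (the post does not show it).
SAMPLE_SMB_CONF = """
[global]
    workgroup = AMFESLAN.LOCAL
    idmap domains = AMFESLAN.LOCAL
    idmap alloc backend = ldap
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap alloc config:range = 10000-20000
    idmap alloc config:ldap_url = ldap://127.0.0.1
    idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
    idmap config AMFESLAN.LOCAL:range = 10000-20000
    idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
    idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
    idmap config AMFESLAN.LOCAL:backend = ldap
    idmap config AMFESLAN.LOCAL:default = yes
"""

# Constructed corrected sample: same settings with the dot-free domain name.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace("AMFESLAN.LOCAL", "AMFESLAN")

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_global(text):
    """Return the key/value pairs of the [global] section, keys lower-cased.

    smb.conf treats '#' and ';' as comment markers only at the start of a line,
    so values such as LDAP URLs and DNs are left untouched.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def parse_range(value):
    """Parse 'LOW-HIGH' into (low, high); None if malformed or not increasing."""
    m = RANGE_RE.match(value or "")
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def check_idmap(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    workgroup = params.get("workgroup", "")
    if "." in workgroup:
        findings.append(f"workgroup '{workgroup}' contains a '.'")

    domains = [d for d in re.split(r"[,\s]+", params.get("idmap domains", "")) if d]
    ranges = {}
    for dom in domains:
        if "." in dom:
            findings.append(f"idmap domain '{dom}' contains a '.'")
        prefix = f"idmap config {dom.lower()}:"
        backend = params.get(prefix + "backend")
        if not backend:
            findings.append(f"{dom}: no backend set")
        rng = parse_range(params.get(prefix + "range"))
        if rng is None:
            findings.append(f"{dom}: range missing or malformed")
        else:
            ranges[dom] = rng
        if backend == "ldap":
            for k in ("ldap_url", "ldap_base_dn"):
                if not params.get(prefix + k):
                    findings.append(f"{dom}: backend ldap but {k} not set")

    # Assumed sanity rule: two domains must not hand out ids from the same range.
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of {a} and {b} overlap")

    # Assumed sanity rule: the allocator's range should lie inside a domain range.
    alloc_rng = parse_range(params.get("idmap alloc config:range"))
    if params.get("idmap alloc backend") and alloc_rng is None:
        findings.append("idmap alloc backend set but alloc range missing or malformed")
    if alloc_rng and ranges and not any(
        lo <= alloc_rng[0] and alloc_rng[1] <= hi for lo, hi in ranges.values()
    ):
        findings.append("alloc range is not contained in any domain's range")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_SMB_CONF), ("dot-free", FIXED_SMB_CONF)):
        print(label, check_idmap(parse_global(conf)) or "no findings")
```

Run against the posted settings it reports only the two dotted names; the dot-free version passes cleanly, which is the outcome the thread's advice predicts. This parser only handles the [global] section and the handful of parameters above; for a real deployment, `testparm` remains the authoritative check of the whole file.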