Samba and getpwnam() quest. - Was: Re: NIS+ solutions ? [was: A question about Auth Backends]

Kervin Pierre kpierre at fit.edu
Thu Mar 29 19:54:14 GMT 2001


First, I have a question.

Why does samba seem to insist on having a /etc/passwd file to check
uid<->username mapping, instead of using something like getpwnam() and
friends?

I am definitely not an expert UNIX programmer, but that's what seems to
happen as far as I can tell.  We use LDAP for authentication on our
samba server, and samba is set to do authentication=domain.  Samba would
NOT need to know about LDAP, just as other programs don't, if it used
the getpwnam() functions and friends.  Am I missing something, or is
this correct?  I say this because the only way to get samba to work is
to have a copy of the /etc/passwd file on the server.  To do this we
have a cron job run every 10 minutes to dump the entire LDAP database in
/etc/passwd file format and scp this to the samba server.  Needless to
say, this will not scale.

Someone, please give me some insight on this problem.

Now, about the ldap setup.

I was tasked to do this last summer.  We use iPlanet LDAP server which
comes with an nt-synch program for Windows NT.  Note that the nt-synch
program will NOT be in iPlanet LDAP server 5.0 which is in beta right
now, or so I've been told.  iPlanet is instead pushing their meta
directory product for this.  A free 20,000 user licence for iPlanet DS
comes with Solaris 8.  Check the iPlanet newsgroups for more info:
http://developer.iplanet.com/support/newsgroups/index.html .  I've heard
OpenLDAP will work, but I haven't used it.  An important link is
http://www.padl.com/tools.html

Earlier I was looking for people interested in developing an open source
version of nt-synch.  The iPlanet program is buggy and only works with
iPlanet DS.  Worse yet, it's scheduled to go away.  An ldap-nt-synch
program does not look very difficult (famous last words :)  On the MS
side we have password filters
http://msdn.microsoft.com/library/psdk/logauth/pswd_portal_9tph.htm , on
the LDAP server side we'd need a 'plugin'.  I'm not sure if OpenLDAP
supports these, but iPlanet does.  The plugin would catch changes to the
userpassword attribute and convey this to a service on the NT server,
etc.

A problem we ran into was that different OSes use different LDAP
schemas.  Some, like IRIX, are very configurable; some, like Solaris,
aren't.  IRIX does not like the way iPlanet encodes their userpassword
attribute (they put the crypt type in curly braces at the beginning of
the attribute value), and we have an ugly hack to handle this (a cron job
that syncs the userpassword value, sans prefix, to a new attribute that
IRIX uses, every 10 minutes).

If you have any questions feel free to drop me a line.  I have a bunch
of scripts written to make user administration on the ldap database
easier from the command line.  I also have a php website to do the user
administration by running queries on the ldap server, though I'm in the
process of rewriting it right now.

-Kervin

Peter Kunst wrote:
> 
> Doug Marcey wrote:
> 
> > How do you use LDAP for your win domain logons? Do you use samba?
> > Or are you using Win 2000?
> 
> We share the internal network between two offices, the "other"
> side is mainly NT boxes using iPlanet-LDAP and an NT PDC. Don't
> know how this is integrated, but I may take a deeper look.
> "my" side of the internal net is really mixed: SunOS, HPUX, AIX,
> Linux, NT, W2K and auths against NIS+ (but not the NTs/W2Ks).
> 
> What about integrating NIS+/samba tables into LDAP (both) ?
> 
>  Cheers, Peter
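The getpwnam() question in the post above is easiest to see with a small program.  The following is an added example, not code from the thread or from Samba: it resolves a username to a uid and back using the POSIX getpwnam_r()/getpwuid_r() calls.  On a glibc system these calls are answered by NSS according to the "passwd:" line in /etc/nsswitch.conf, so the same binary works whether accounts live in /etc/passwd, NIS, or LDAP (via an nss_ldap module such as the PADL one linked above), and the program itself never has to know which.  It assumes only that an account named "root" with uid 0 exists on the host; the round-trip helper is a plausible consistency check added here, not anything the list discusses.

```c
/* Added example (not from the thread or from Samba): resolve
 * username <-> uid through the NSS-backed getpwnam_r()/getpwuid_r()
 * API instead of reading /etc/passwd directly.  Assumes a "root"
 * account with uid 0 exists, as on any ordinary Unix host. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Username -> uid.  Returns the uid, or -1 when the account is unknown
 * to every configured NSS backend or the lookup itself failed. */
long uid_of(const char *name)
{
    struct passwd pw, *res = NULL;
    char buf[4096];                 /* scratch space for pw_* strings */
    int rc = getpwnam_r(name, &pw, buf, sizeof buf, &res);
    if (rc != 0 || res == NULL)     /* rc!=0: error; res==NULL: no user */
        return -1;
    return (long)pw.pw_uid;
}

/* uid -> username, copied into name_out.  Returns 0 on success, -1 when
 * the uid is unknown or the caller's buffer is too small. */
int name_of(uid_t uid, char *name_out, size_t name_len)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &res);
    if (rc != 0 || res == NULL)
        return -1;
    if (strlen(pw.pw_name) >= name_len)
        return -1;
    strcpy(name_out, pw.pw_name);
    return 0;
}

/* Round trip: name -> uid -> name must return the same name.  Returns 1
 * when both directions agree, 0 otherwise.  A disagreement usually means
 * two directory entries share one uid, or the backends NSS consults
 * (files, then ldap, say) hold conflicting copies of the account. */
int mapping_is_consistent(const char *name)
{
    long uid = uid_of(name);
    char back[256];
    if (uid < 0)
        return 0;
    if (name_of((uid_t)uid, back, sizeof back) != 0)
        return 0;
    return strcmp(name, back) == 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    long uid = uid_of(name);
    if (uid < 0) {
        fprintf(stderr, "%s: unknown user (check the passwd: line in "
                        "/etc/nsswitch.conf)\n", name);
        return 1;
    }
    printf("%s -> uid %ld, round-trip consistent: %s\n", name, uid,
           mapping_is_consistent(name) ? "yes" : "no");
    return 0;
}
```

Run it as `./a.out someldapuser` on the samba host: if it prints a uid, the host's NSS configuration already resolves LDAP accounts and no copied /etc/passwd is needed for that mapping; if it reports the user as unknown, the problem is the host's nsswitch/nss_ldap setup rather than any one application.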
