Need some advice please.

[Doug Douglass]

Tom,

I've been using Samba 2.2.1a + LDAP patch, on RH 7.1 with OpenLDAP 2.0.7
(pretty sure that's the version), on a small, mixed NT, 2000, 2000 Server,
Linux network for many months now. Search the list archives for the location
of the the Samba 2.2.1a+LDAP source/RPM and LDAP schema files. If you can't
find I can get you the url during the week.

Samba 2.2.2 appears to have incomplete/broken LDAP support, so, after an
attempted upgrade, I rolled back to 2.2.1a+LDAP and have put off the upgrade
until things settle down.

There have been some good recent threads on handling migration issues from
Windows PDC to Samba PDC. Can't remember the subjects, but a search of the
last month should land you some good results. There are issues with SIDs and
RIDs that should be taken into account, particularly if you currently use
and wish to maintain roaming profiles.

My goal for the network I manage is to perform all authentication via LDAP.
Though the number of hosts and users is currently small, I'm basically lazy
and didn't want to have to maintain user info all over the place :) So, when
I upgraded our Samba PDC to use LDAP, I just added the sambaAccount
objectClass to all the existing posixAccount LDAP entries, filled in some
minimal, required info and off it went.

Adding some share and application specific groups in LDAP and modifing
smb.conf and file system permissions accordingly, have been about the only
changes I've need to make on the server. As for Windows clients, some client
security issues arose that were solved by adding the "Domain Users" group to
the local "Power Users" group on each client. I also had to add a few
individual domain accounts to other client local groups to support network
backups.

As for winbind, in a Samba PDC situation, I don't think it is required (?. I
haven't had any need to investigate its use) Just set "security=domain", and
"password server = <netbios name of your PDC>" in the global section of each
samba domain member server and you should be set. That being said, because
we use LDAP for unix account management and authentication, and all my
windows domain users currently have unix access to the machines running
samba, the above might not be as simple as in my case.

Hope this addressed some of your concerns. This list and its archives are a
great source of info -- I learn new stuff from it every day. A lot of what
I've said here, I've learned from others or posted as my experience when
working with Samba, but search around as mine is certainly not a definitive
opinion :) I also referred often to the Samba PDC FAQ/HowTo bundle when
initially setting up my PDC.

HTH,
Doug