Need some advice please.

Tom Diehl tdiehl at rogueind.com
Sun Nov 18 21:25:04 GMT 2001


On Sun, 18 Nov 2001, Doug Douglass wrote:

> Tom,
> 
> I've been using Samba 2.2.1a + LDAP patch, on RH 7.1 with OpenLDAP 2.0.7
> (pretty sure that's the version), on a small, mixed NT, 2000, 2000 Server,
> Linux network for many months now. Search the list archives for the location
> of the Samba 2.2.1a+LDAP source/RPM and LDAP schema files. If you can't
> find I can get you the url during the week.

I searched the list archives and did not find it. If you would not mind I would be 
grateful for the url.

> Samba 2.2.2 appears to have incomplete/broken LDAP support, so, after an
> attempted upgrade, I rolled back to 2.2.1a+LDAP and have put off the upgrade
> until things settle down.

What I have seen looking at the archives is that there appear to be multiple
problems that are in the process of being resolved. You seem to be the only
one that is talking about this actually working. :-)

> There have been some good recent threads on handling migration issues from
> Windows PDC to Samba PDC. Can't remember the subjects, but a search of the
> last month should land you some good results. There are issues with SIDs and
> RIDs that should be taken into account, particularly if you currently use
> and wish to maintain roaming profiles.

Looked through Oct and Nov to date; did not see much. I most likely need to look 
further back. Sounds like a project for tomorrow. Searched on ldap and dc.
Maybe I am just not using the right search string.

> My goal for the network I manage is to perform all authentication via LDAP.
> Though the number of hosts and users is currently small, I'm basically lazy
> and didn't want to have to maintain user info all over the place :) So, when
> I upgraded our Samba PDC to use LDAP, I just added the sambaAccount
> objectClass to all the existing posixAccount LDAP entries, filled in some
> minimal, required info and off it went.

This is where I am trying to get to. I want unified login for everyone and
want to get rid of as much M$ stuff as possible.

> Adding some share and application specific groups in LDAP and modifying
> smb.conf and file system permissions accordingly, have been about the only
> changes I've needed to make on the server. As for Windows clients, some client
> security issues arose that were solved by adding the "Domain Users" group to
> the local "Power Users" group on each client. I also had to add a few
> individual domain accounts to other client local groups to support network
> backups.

Hummmmmm, will have to watch for that.

> As for winbind, in a Samba PDC situation, I don't think it is required (? I
> haven't had any need to investigate its use). Just set "security=domain", and
> "password server = <netbios name of your PDC>" in the global section of each
> samba domain member server and you should be set. That being said, because
> we use LDAP for unix account management and authentication, and all my
> windows domain users currently have unix access to the machines running
> samba, the above might not be as simple as in my case.

Just a thought to try to avoid ldap. It appears to me that samba+ldap is not
ready for prime time (although I could be wrong). I agree if there is a good
samba+ldap solution this is the way to go. It would also allow me to incorporate
a postfix+ldap into my solution. I love the idea of maintaining 1 database for
all users.

> Hope this addressed some of your concerns. This list and its archives are a
> great source of info -- I learn new stuff from it every day. A lot of what
> I've said here, I've learned from others or posted as my experience when
> working with Samba, but search around as mine is certainly not a definitive
> opinion :) I also referred often to the Samba PDC FAQ/HowTo bundle when
> initially setting up my PDC.

I have read this, and setting up the PDC looks easy enough; it is the integration
with ldap that I have reservations about.

Thanks for the help, it would appear I still have more research to do. :-)

-- 
......Tom		Dysfunction The Only Consistent Feature of All
tdiehl at rogueind.com	of Your Dissatisfying Relationships is You.
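The conversion Doug describes above (adding the sambaAccount objectClass to existing posixAccount entries and filling in the minimal required attributes) is easy to script. The following is an added example, not code from either poster or from the Samba project. It reads posixAccount entries in LDIF form and emits the `changetype: modify` records for `ldapmodify`. Attribute names follow Samba 2.2's samba.schema; the RID values assume Samba 2.2's default algorithmic mapping (user RID = uidNumber*2+1000, group RID = gidNumber*2+1001); the domain name, DNs and sample entries are constructed. Accounts are written with the disabled flag set so they cannot be used for domain logons until a Samba password has actually been set.

```python
"""Generate ldapmodify LDIF adding sambaAccount to posixAccount entries.

Added example, not from the original post. Assumptions: Samba 2.2
samba.schema attribute names, and Samba 2.2's default algorithmic RID
mapping (user RID = uidNumber*2+1000, group RID = gidNumber*2+1001).
"""

# acctFlags is a fixed 11-character field: U = user account, D = disabled.
ACCT_FLAGS_ENABLED = "[" + "U".ljust(11) + "]"
ACCT_FLAGS_DISABLED = "[" + "UD".ljust(11) + "]"


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_entries(text):
    """Minimal LDIF reader: returns a list of (dn, {attr: [values]}).
    Enough for `ldapsearch -LLL` output of simple entries; no base64 support."""
    entries, dn, attrs = [], None, {}
    for line in unfold_ldif(text) + [""]:
        if not line.strip():            # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def user_rid(uid_number):
    """Assumed Samba 2.2 default mapping for user RIDs."""
    return uid_number * 2 + 1000


def group_rid(gid_number):
    """Assumed Samba 2.2 default mapping for group RIDs."""
    return gid_number * 2 + 1001


def samba_modify_ldif(dn, attrs, domain, enabled=False):
    """Return one 'changetype: modify' record, or None if the entry is not a
    posixAccount or already carries sambaAccount (idempotent on re-runs)."""
    classes = {c.lower() for c in attrs.get("objectClass", [])}
    if "posixaccount" not in classes or "sambaaccount" in classes:
        return None
    if "uidNumber" not in attrs or "gidNumber" not in attrs:
        raise ValueError(f"{dn}: posixAccount without uidNumber/gidNumber")
    adds = [
        ("objectClass", "sambaAccount"),
        ("rid", str(user_rid(int(attrs["uidNumber"][0])))),
        ("primaryGroupID", str(group_rid(int(attrs["gidNumber"][0])))),
        ("acctFlags", ACCT_FLAGS_ENABLED if enabled else ACCT_FLAGS_DISABLED),
        ("domain", domain),
    ]
    out = [f"dn: {dn}", "changetype: modify"]
    for name, value in adds:
        out += [f"add: {name}", f"{name}: {value}", "-"]
    return "\n".join(out) + "\n"


def convert_ldif(text, domain, enabled=False):
    """Convert every eligible entry; returns (ldif_text, skipped_dns)."""
    records, skipped = [], []
    for dn, attrs in parse_ldif_entries(text):
        rec = samba_modify_ldif(dn, attrs, domain, enabled)
        (skipped if rec is None else records).append(dn if rec is None else rec)
    return "\n".join(records), skipped


# Constructed sample of what `ldapsearch -LLL '(objectClass=posixAccount)'`
# might return; bob has already been converted and must be skipped.
SAMPLE_POSIX = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaAccount
uid: bob
uidNumber: 1002
gidNumber: 100
rid: 3004
"""

if __name__ == "__main__":
    ldif, skipped = convert_ldif(SAMPLE_POSIX, "EXAMPLE")
    print(ldif)
    print("# skipped (not posixAccount or already converted):", skipped)
```

Feed the output to `ldapmodify`, then set each user's Samba password with `smbpasswd` and enable the account with `smbpasswd -e`. Keeping the RID derivation identical to what Samba computes for the same uid matters for the roaming-profile concern raised above, since a profile's ACLs are tied to the user's SID.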
