[Samba] Centrally stored policies with group settings

Rodger Etz-Brown etz-brown at univention.de
Mon Aug 19 23:43:01 GMT 2002


On Mon, 2002-08-19 at 21:17, Matt.Gregory at ctimi.com wrote:
> Go and read about setting up Directories in LDAP, remote authentication 
> via LDAP with Samba (Chapter 11 in the Samba howto).

Did that. See below.
 
> It sounds like your best bet is to create an LDAP server with replication 
> (for failover) and a directory service for the groups.  You can then store 
> all your unix accounts in LDAP and have Samba authenticate from that 
> server as well.  There are lots of howtos available for configuring 
> windows clients to log into LDAP directories as well.

We have been doing this for quite some time now. But this still doesn't
enable us to tell the Win clients which groups a user belongs to at
login time so the policy files will be applied based on GROUPS. BTW,
there is no problem using XFS and ACLs for example, which we are doing
as well. 

But this still doesn't solve the issue of not being able to tell Win NT
4.0 Wrkst which groups a user belongs to at login time. Especially as we
are talking 'pure GNU/Linux/Samba/LDAP - NO Windows DCs'.

> The other choice is, of course, to stay with Windows NT domains.  I would 
> highly push the LDAP solution however, since it's pretty-much becoming 
> the standard (Windows Directory Services in 2K Advanced Server is LDAP v3 
> compliant).

<OT> OpenLDAP and AD interact fine here. With a bit of tweaking this is
a very sexy solution. At least as sexy as interacting with proprietary
S/W can be :) </OT>

Matt, maybe I am missing something in what you tried to tell me. If so,
let me know off list.

Many thanks anyway.

REB

-- 
Rodger Etz-Brown <etz-brown at univention.de> fon:   +49 421 22 08 114 
                                           fax:   +49 421 22 08 115
univention_ GmbH http://www.univention.de/ mobil: +49 179 54 22 947



