[Samba] Samba, LDAP, PDC and adding users

Andrew Bartlett abartlet at samba.org
Sun Nov 24 09:52:01 GMT 2002


On Sun, 2002-11-24 at 17:48, Diego Rivera wrote:
> Hi all!
> 
> I've had a lot of success setting up Samba PDCs using the LDAP-SAM
> backend, and got password sync working between Unix (LDAP) passwords and
> Samba passwords.
> 
> I can also have other Linux boxes use Winbind to auth vs. the PDC and
> thus achieve the same password sync functionality (i.e., Samba changes
> both PAM and Samba passwords, as well as checking them).  Naturally,
> this also works for Windows machines (i.e., user changes his windows
> password and his Unix password is likewise synched).
> 
> This all works fine, but I have a couple of questions regarding stuff
> I've seen around here, but have not seen in "stable" versions yet:
> 
> 1) I remember seeing something like "add machine script" similar to the
> "add user script" - or a mention to it - to allow separate mechanics for
> Machine account adding and User account adding.  How hard does anybody
> think it would be to add this config file parameter and the
> corresponding implementation?  Would it be worth it seeing as this is
> likely to be included in 3.0?
> 
> 2) Is it currently possible to have Samba check for machine accounts
> under a different LDAP branch than user accounts?  This would ease admin
> and maintenance of the machine account set, for obvious reasons.  Is
> this planned for 3.0?  How hard does anybody think it would be to add
> two config parameters: "ldap user suffix" and "ldap machine suffix" to
> allow Samba to do this?  Again - is this worth it seeing as this could
> be postponed to 3.0?

Both of these are features in Samba 3.0.  Samba 2.2 is being maintained
for major bugfixes only, no new features should be targeted for 2.2.

> 3) Are there any plans for calculating the user/machine SID based on the
> Unix uid?  i.e., so that when Winbind gets the user list from a PDC, it
> can use PDC-provided Userids (eliminating the first-come first-served
> UID assignment currently being used)?

We chose the UID, not the SID, in the case of winbind users, and there
are efforts to allow a consistent uid mapping between servers, however
it is also a lot more difficult than it looks at first.  

> I'd like to contribute to these - but I need a couple of pointers:
> 
> 1) Where do I find the implementation of the call to "add user script"
> and the corresponding reading of the config value?
> 
> 2) Where do I find the implementation of the LDAP code which uses "ldap
> suffix", and the code which finds user/machine accounts in LDAP?
> 
> 3) Any additional advice/tips?

Download and get familiar with the code in Samba 3.0 - follow functions
around, and start to get a feeling for what calls what.

If you are really interested in contributing code, then get on the
samba-technical list, browse over build.samba.org to get an idea of
where people are working, and join #samba-technical - our development
channel on irc.openprojects.net.

The LDAP code has matured significantly recently, due to some very good
feedback and patches from people like metze, who have deployed Samba in 
'interesting' production environments.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net