[Samba] Questions about winbind idmap ldap
Ganguly, Sapan
Sapan.Ganguly at thalesgroup.com
Wed Dec 17 17:25:25 GMT 2003
I use winbind to authenticate users on my Linux machines so that I don't
have to create separate Linux IDs for everyone. I store the idmap in an
LDAP database. If you want to do this too, then create an LDAP database; I
use OpenLDAP. If you want to know how to do this then let me know and I'll
see if I can remember. Here is what my smb.conf looks like; it should give
you a few clues. Don't forget to put the LDAP password into secrets.tdb with
'smbpasswd -w'. You do need to follow the Samba HOWTO for some of the LDAP
stuff, like where to put the samba.schema and how to initialize the LDAP
database.
# Global parameters
[global]
workgroup = NTDOMAIN
server string = REDHAT9
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
ldap suffix = dc=example,dc=com
ldap machine suffix = dc=example,dc=com
ldap user suffix = dc=example,dc=com
ldap group suffix = dc=example,dc=com
ldap idmap suffix = ou=idmap,dc=example,dc=com
ldap admin dn = cn=admin,dc=example,dc=com
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
template shell = /bin/bash
winbind separator = -
winbind use default domain = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[public]
path = /public
read only = No
guest ok = Yes
/etc/nsswitch.conf should have lines that look like this -
passwd: files winbind
shadow: files
group: files winbind
My /etc/pam.d/login looks like this - (Note: pam_mkhomedir.so automatically
creates home directories; you may not want that. It puts them in 'template
homedir', which is specified in smb.conf.)
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_UNIX.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_mkhomedir.so umask=0022
session optional pam_console.so
My /etc/pam.d/gdm looks like this -
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
/etc/pam.d/system-auth looks like this -
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
-----Original Message-----
From: Gints Neimanis [mailto:gints at venta.lv]
Sent: 14 December 2003 13:07
To: samba at lists.samba.org
Subject: [Samba] Questions about winbind idmap ldap
We are using a W2K domain with Samba3 servers.
The implementation of Samba servers with winbind authentication was
successful.
Now we are looking at the winbind idmap LDAP backend for distributing
winbind users' IDs, and I have the following questions:
1. Do I need to put all users from the W2K domain into LDAP by hand (with
export/import tools)?
2. Or is it possible to automatically put successfully authenticated
users into the LDAP directory with some useradd script?
3. Is there any other documentation, except the SAMBA3 HOWTO, with a closer
look at "winbind idmap LDAP"?
Regards,
Gints Neimanis
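The smb.conf, nsswitch.conf and PAM fragments in the reply above are all hand-edited, and the mistakes that usually break or weaken a winbind + LDAP idmap setup are not visible until a domain user logs in. The following script is an added example (it is not code from either poster or from the Samba project) that checks such a configuration offline: it parses an smb.conf and nsswitch.conf, verifies that the 'idmap uid'/'idmap gid' ranges do not collide with accounts already in /etc/passwd and /etc/group, that passwd and group lookups actually reach winbind, that the 'ldap admin dn' bind does not go out in cleartext to a remote host, and that the winbind separator is not a character that can occur inside a username. All inputs are constructed inline and modelled on the reply above; the `oracle` and `dba` entries are invented to show a range collision, and the way it matches the 'ldap ssl' value is an assumption about Samba's spelling of that option.

```python
"""Offline sanity checks for a Samba 3 winbind + LDAP idmap setup.

Added example; not from the original post or the Samba project.  It reports:
  * idmap uid/gid ranges overlapping accounts already in passwd/group
    (winbind would hand a domain user an existing local UID or GID)
  * nsswitch databases that never consult winbind
  * an LDAP idmap bind that would send the 'ldap admin dn' password in clear
  * a winbind separator that is itself a legal username character
"""
import re

# Constructed inputs modelled on the post above.  The 'oracle' user and 'dba'
# group are invented so that the range-collision check has something to find.
SMB_CONF = """
[global]
workgroup = NTDOMAIN
ldap idmap suffix = ou=idmap,dc=example,dc=com
ldap admin dn = cn=admin,dc=example,dc=com
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = -
winbind use default domain = Yes
"""
NSSWITCH = "passwd: files winbind\nshadow: files\ngroup:  files winbind\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nsapan:x:500:500::/home/sapan:/bin/bash\n" \
         "oracle:x:15000:15000::/opt/oracle:/bin/bash\n"
GROUP = "root:x:0:\ndba:x:15000:\n"


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Keys are lower-cased and whitespace-normalized (Samba ignores case)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def parse_range(spec):
    """'10000-20000' -> (10000, 20000); raises ValueError on junk."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", spec or "")
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad idmap range: %r" % spec)
    return int(m.group(1)), int(m.group(2))


def local_ids(text):
    """passwd/group style lines -> {name: numeric id} (third field)."""
    ids = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            ids[f[0]] = int(f[2])
    return ids


def nss_sources(text):
    """nsswitch.conf -> {'passwd': ['files', 'winbind'], ...}."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, srcs = line.split(":", 1)
            out[db.strip()] = srcs.split()
    return out


def check_idmap_setup(smb_text, nss_text, passwd_text, group_text):
    """Return a list of (severity, message) findings."""
    g = parse_smb_conf(smb_text).get("global", {})
    findings = []
    # 1. idmap ranges must parse and must not overlap local accounts.
    for key, table in (("idmap uid", passwd_text), ("idmap gid", group_text)):
        try:
            lo, hi = parse_range(g.get(key))
        except ValueError as e:
            findings.append(("error", str(e)))
            continue
        for name, num in sorted(local_ids(table).items(), key=lambda kv: kv[1]):
            if lo <= num <= hi:
                findings.append(("error", "%s %d (%s) lies inside %s %d-%d"
                                 % (key.split()[1], num, name, key, lo, hi)))
    # 2. passwd and group must reach winbind; shadow need not, since winbind
    #    does not serve shadow entries.
    nss = nss_sources(nss_text)
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(("error", "nsswitch.conf: %s does not list winbind" % db))
    # 3. The secrets.tdb password for 'ldap admin dn' is sent on every bind.
    #    Plain ldap:// to a non-loopback host with no 'ldap ssl' exposes it.
    #    (Assumption: 'start tls' / 'start_tls' / 'on' are the TLS spellings.)
    backend = g.get("idmap backend", "")
    if backend.startswith("ldap"):
        m = re.match(r"(ldap|ldaps|ldapi)://([^/:]*)", backend.partition(":")[2])
        scheme, host = (m.group(1), m.group(2)) if m else ("", "")
        ssl = re.sub(r"[\s_]", "", g.get("ldap ssl", "off").lower())
        if scheme == "ldap" and host not in ("localhost", "127.0.0.1", "::1") \
                and ssl not in ("starttls", "on"):
            findings.append(("error", "idmap LDAP bind to %s is cleartext; set "
                             "'ldap ssl = start tls' or use ldaps://" % host))
        if g.get("ldap admin dn"):
            findings.append(("info", "ldap admin dn is set: its password must be "
                             "stored with 'smbpasswd -w' or idmap writes fail"))
    # 4. A separator that is a legal username character makes DOMAIN<sep>user
    #    ambiguous for users from other trusted domains.
    sep = g.get("winbind separator", "\\")
    if sep and re.fullmatch(r"[A-Za-z0-9._-]", sep):
        findings.append(("warn", "winbind separator %r can occur inside usernames" % sep))
    return findings


if __name__ == "__main__":
    for sev, msg in check_idmap_setup(SMB_CONF, NSSWITCH, PASSWD, GROUP):
        print("[%s] %s" % (sev, msg))
```

Run against the constructed inputs it reports the two invented collisions at 15000, the 'smbpasswd -w' reminder, and the '-' separator; the loopback ldap:// URL is accepted as-is, whereas the same backend pointed at a remote host without 'ldap ssl' is flagged. On a real machine, feed it the live files with open(...).read() instead of the inline strings.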