[Samba] Samba PDC+LDAP on FreeBSD

jpulz at frm2.tu-muenchen.de jpulz at frm2.tu-muenchen.de
Wed Jan 22 12:47:00 GMT 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 22 Jan 2003, Ronan Waide wrote:

> On January 22, lskuo at fgs.org.tw said:
> > 1. What packages/ports do I need to install? Because most papers of LDAP
> > online I could find mentioned little about Openssl. However, as I know,
> > it's necessary for the option "ldap ssl = start_tls" in Samba . Also, I
> > didn't find any ports of nss_ldap, but nss_ldap was mentioned by all
> > samba+LDAP combination. What's wrong with that? nss_ladp didn't support
> > FreeBSD? Without nss_ladp, can I still achieve my goal: Samba+ LDAP as PDC?
>
> FreeBSD doesn't support NSS, as I understand it. What the nss_*
> modules do is act as lookup sources when the system needs to identify
> a user, host, password, group, etc. So on a Linux system, for example,
> you can instruct the system to first look in files (/etc/passwd, etc)
> then try LDAP, and so on until a match is found or the sources are
> exhausted.
>
> In the case of Samba, this facility is not strictly necessary; Samba's
> requirement for working NSS support is solely so it can look up a Unix
> account or Group to match the SMB account or group information. You
> can get around this by either creating Unix accounts for all your
> Samba users, or using one of the non-unix account backends (ldap_nua,
> in your case). Note, as far as I know the _nua backends are only
> available in Samba 3.
>
> > 2. Individual configuration/setting for every package.
>
> Tall order. Do you have a working LDAP setup already? You seem to have
> a working Samba setup, so what you want is to migrate the information
> in that into LDAP. I can't help you with that, since I've not done
> it. I'd suggest browsing the mailing list archives.
>
> > 3. How to start every service?
>
> Again, a tall order. I'm not a FreeBSD user, so I can't really help
> you on this.
>

hi,

i've done here exactly what you want to do.
all these things are a littly bit tricky of course of the lagging support
for nss in FreeBSD.

i've installed OpenLDAP-2.1.8 manually from source (NOT from ports!!!)
samba is version 2.2.7 also from spurce (NOT from ports!!!)

everything compiled perfectly and is running without problems. the only
disadvantage is that OpenLDAP syslog support isn't working with FreeBSD.
but i had no time to get deeper in it to find the problem.

for migration of the old accounts (computer and user) i used the
LDAP-Migrationtools from www.padl.com

for this to work you need perl-ldap from the ports-tree.

i made some minor changes to the migrationtools to work properly. (some
atrribute types are spelled wrong)

the main disadvatage for me is, that every user or computer in the ldap
tree MUST have a entry in the system password database!!!
also new is, that together with the ldap-backend every computer-account
MUST have a unique UID. if you have computer-accounts sharing the same UID
but a have different name (as i had) samba is looking up the computers
name in the LDAP tree but only for normal operations it is done in this way. if
you want to join a domain, it modifies the computer-account via the UID
that is found for the computers-name. so if you have computer-accounts
sharing the same UID, it modifies the first matching UID found, and didn't
check if the name is correct or not.
the first time this confused me a lot.

also you have to generate the right 'rid' and 'primaryGroupID' for every
account. this very important if you use the samba together with ldap.

the next thing i found is, that variable substitution isn't working with
ldap. if is set "smbHome: \\SAMBA_SERVER\%U" or "profilePath:
\\SAMBA_SERVER\profiles\%U" the samba lookup returns exactly these values,
without replacing the '%U' with the users name..

okay, thats all for the moment. i hope i didn't forget something
important. if there are questions, feel free to ask.

joerg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+LpLASPOsGF+KA+MRAnGNAJ4yv/THt3r4ANfhzU395JQ4kmNixgCeJD2J
sZoUNmTKC3M4oJ8y6NNY7+M=
=YquR
-----END PGP SIGNATURE-----

More information about the samba mailing list