[Samba] Samba + LDAP - PDC (i.e. workgroup)

Buchan Milne bgmilne at cae.co.za
Wed Nov 5 15:47:19 GMT 2003


> Message: 9
> Date: Wed, 5 Nov 2003 00:58:21 -0800 (PST)
> From: peter pan <lanwanhr at yahoo.com>
> Subject: [Samba] Samba + LDAP - PDC (i.e. workgroup)
> To: samba at lists.samba.org
> Message-ID: <20031105085821.95690.qmail at web13304.mail.yahoo.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> There's lots of howtos and mailling list posts about
> creating a PDC with samba and LDAP.  What I want to do
> is to continue with workgroup operation (at least
> until all our clients are NT).

A "domain" is really only of relevance to machines that have joined the
domain. For machines that aren't domain members, it looks like a
workgroup with passwords sync'ed between servers that are domain members.

>  All I essentially want
> to do is to move the smbpasswd file on our 30 or so
> servers to LDAP (after sorting out nss and PAM).  Can
> I do this?

Yes, but it is best done by turning some of your servers into "domain
controllers"; this largely has no effect on clients (unless you join them
to the domain).

>
> Also we have a replicated LDAP directory provided by
> our openldap servers - one master updating 29 slaves.
> The slaves (running samba) are not allowed to update
> the master server.  Is this a problem for
> samba/LDAP operation?

Not necessarily.

> Obviously account and password
> changes need to be done on the master server but this
> is desirable for us.  I think the PDC + LDAP solution
> means that the LDAP directory is written to by samba
> upon each user login

I don't think this is true, why would this be necessary?

> - this wouldn't be desirable for
> us as 30 servers on slow WAN links would be updated
> every user login.  The local smbpasswd file doesn't
> seem to be updated at the moment when someone logs in
> - so I'm assuming a workgroup + LDAP solution wouldn't
> be a problem for us in this regard.

Neither would an LDAP+domain.

> Also - is there any way to use a custom schema or
> perform schema mapping?
>

Could you be more specific?

> I'm using samba 2.2.8a on the 29 slave servers - I
> prefer not to update to samba 3 if it's not required.

It may be better to migrate to samba3. With samba-2.2.8a you need to
install a different binary for LDAP support, whereas samba3 can be
configured at run-time. Plus, when you do eventually join machines to the
domain, you will have domain groups available.

Migrating from samba-2.2.x+ldap to samba3+ldap is probably more
challenging than migrating from samba-2.2.x to samba3+ldap, and
migrating from samba-2.2.x to samba-2.2.x+ldap is probably about the
same, so overall you win by going straight to samba3 (if you do your
homework).

You can see what it would take to go from samba-2.2.x to
samba-2.2.x+ldap at http://mandrakesecure.net

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
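The move the original poster is asking about, taking the accounts in a Samba smbpasswd file and putting them into the Samba 3 (sambaSamAccount) LDAP schema, can be illustrated with the following added example. It is not code from the thread, from Samba, or from mandrakesecure.net; Samba's own route for this is `pdbedit -i smbpasswd -e ldapsam:ldap://...`, and the script only shows what that migration carries across and why the result needs protecting. The smbpasswd sample is constructed with made-up hash values, the domain SID and the `uid=...,ou=People,...` DN layout are assumptions, and the uid-to-RID mapping is Samba 3's default algorithmic one (rid = uid * 2 + 1000).

```python
"""Convert a Samba smbpasswd file into LDIF for Samba 3's sambaSamAccount schema.

Added example, not a tool from Samba or from this thread.  Assumptions
(hypothetical): the users already exist in LDAP as posixAccount entries
named uid=<name>,ou=People,..., and the domain SID passed in is made up.
"""
import os
import re
import stat

# Constructed sample smbpasswd content.  The 32-hex-digit fields are made-up
# values, not hashes of any real password.  Layout per smbpasswd(5):
#   name:uid:LMHASH:NTHASH:[flags]:LCT-<hex seconds since epoch>:
# A hash field of 32 'X' characters marks the account as disabled.
SAMPLE_SMBPASSWD = """\
# comment lines and blank lines are ignored by Samba

peter:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3FA8B2C1:
svc_old:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3FA8B2C1:
"""

ENTRY_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<uid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):"
    r"\[(?P<flags>[^\]]*)\]:LCT-(?P<lct>[0-9A-Fa-f]{8}):"
)


def parse_smbpasswd(text):
    """Return one dict per account line; comments and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("malformed smbpasswd line %d" % lineno)
        e = m.groupdict()
        e["uid"] = int(e["uid"])
        e["last_set"] = int(e["lct"], 16)  # LCT field is hex unix time
        e["disabled"] = e["lm"] == "X" * 32 or e["nt"] == "X" * 32
        entries.append(e)
    return entries


def uid_to_rid(uid, rid_base=1000):
    """Samba 3's default algorithmic mapping: rid = uid * 2 + 'algorithmic rid base'."""
    return uid * 2 + rid_base


def entry_to_ldif(e, domain_sid, people_base):
    """LDIF 'modify' record that adds the Samba attributes to an existing posixAccount.

    'add' (rather than 'replace') makes ldapmodify fail instead of silently
    overwriting an account that already carries Samba data.
    """
    flags = e["flags"]
    if e["disabled"] and "D" not in flags:
        flags = "D" + flags[:-1]  # keep the 11-character flag field width
    mods = [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", "%s-%d" % (domain_sid, uid_to_rid(e["uid"]))),
        ("sambaAcctFlags", "[%s]" % flags),
        ("sambaPwdLastSet", str(e["last_set"])),
    ]
    # A disabled account has no usable hashes; do not copy the X placeholders.
    if not e["disabled"]:
        mods.append(("sambaLMPassword", e["lm"].upper()))
        mods.append(("sambaNTPassword", e["nt"].upper()))
    lines = ["dn: uid=%s,%s" % (e["user"], people_base), "changetype: modify"]
    for attr, val in mods:
        lines += ["add: %s" % attr, "%s: %s" % (attr, val), "-"]
    return "\n".join(lines) + "\n"


def convert(text, domain_sid, people_base):
    """Whole-file conversion; records are separated by a blank line as LDIF requires."""
    return "".join(entry_to_ldif(e, domain_sid, people_base) + "\n"
                   for e in parse_smbpasswd(text))


def write_private(path, data):
    """Write the LDIF with mode 0600 and O_EXCL: it holds password-equivalent NT hashes."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as f:
        f.write(data)


if __name__ == "__main__":
    print(convert(SAMPLE_SMBPASSWD, "S-1-5-21-111-222-333", "ou=People,dc=example,dc=com"))
```

Two points a practitioner would want alongside this. First, the NT hash is password-equivalent for SMB, so the LDIF and the `sambaLMPassword`/`sambaNTPassword` attributes need the same protection the smbpasswd file had: apply the LDIF on the master (the slaves in the poster's setup are read-only anyway), and give slapd an ACL of the form `access to attrs=sambaLMPassword,sambaNTPassword by dn="<samba admin dn>" write by * none`, where that DN is the one set as `ldap admin dn` in smb.conf and whose credential is stored with `smbpasswd -w`. Second, because the 29 servers talk to LDAP over WAN links, the hashes should not cross them in the clear; Samba 3's `ldap ssl = start tls` (with `passdb backend = ldapsam:ldap://<local slave>`) covers that.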



