[Samba] Samba3, LDAP and FreeBSD 4.8 : need for NSS ?

Antoine Jacoutot ajacoutot at lphp.org
Tue Sep 16 20:59:51 GMT 2003



On Tuesday 16 September 2003 22:35, Jérôme Fenal wrote:
> Hi all,
> another French guy learning, don't bash me too hard... ;-)

Don't worry, I've been on this for 2 weeks :)

> In fact, I'm in need of a confirmation : I'm on the way to create a
> Samba3+LDAP (new schemas) PDC server (no migration from NT4 nor 2K, only
> from an old Samba 2.0 with security=user using /etc/passwd, ie. no encrypt
> password).
> This Samba3 should be hosted on a FreeBSD 4.8 (ie. pam_ldap can work, I
> tested it today, but no NSS available).
> I've read many docs, including the HEAD Samba HOWTO collection, HOWTO from
> Ignacio Coupeau (worth a read), old one from IdealX (which disappeared last
> week, I still have a hardcopy), and many others.
> The OpenLDAP 2.1 is up, with a few accounts populated (with both
> sambaSamAccount & posixAccount objectclasses). PAM_LDAP auth works.
> Then comes the integration with Samba. I have not yet begun the work of
> integrating Samba to LDAP (I'm learning LDAP).
> Here's my question : does Samba3 need a Unix account (in /etc/passwd) in
> addition to the one in the LDAP directory ?
> I believe the answer is yes (since FreeBSD 4.8 doesn't have NSS, and PAM is
> only for authentication), but may someone confirm because I lose the few
> last hair I have ;-? Or, before the server is migrated to FreeBSD 5.1
> (-CURRENT), which should undoubtedly lessen the need for a firm answer.
> Best regards, and thanks for the job for so many years (I live happily with
> Samba since 1996, in production since 1998).

OK, so basically, you do NOT need nss_ldap to use samba-3.0 with LDAP, but you 
DO need Unix accounts (if not using nss). So, you do not need any 
posixAccount object class entries in your LDAP since this is for 
authenticating Unix users (except if you need it).
I just built a FreeBSD-5.1 + nss_ldap + pam_ldap and samba-3.0 as a PDC. It 
works great. If you don't want to use 5.1, which I can understand, what I 
recommend is to use Unix accounts and pdbedit to add the samba users; you 
will have almost nothing to populate LDAP with, samba will take care of it. 
Basically, you just need a base.ldif file with your domain/organisation, some 
groups (users, computers, admins and guest) and some ou to add your 
users/computers into.
If you need help, please do not hesitate, I've spent the last 2 weeks on the 
subject :)

Antoine
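A minimal base.ldif of the kind the reply above describes, as an added example that is not part of the original thread. The base DN dc=example,dc=org, the ou names and the gidNumber values are constructed placeholders, and the posixGroup entries assume nis.schema is loaded in slapd.

```ldif
# Constructed sample: dc=example,dc=org, the ou names and the gidNumbers
# are placeholders, not values from the thread.
# Parents are listed before children so the file loads in a single pass.

# Domain / organisation root
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example Organisation

# Containers for user accounts, machine accounts and groups
dn: ou=Users,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=Computers,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: ou=Groups,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups

# The four groups named in the reply: users, computers, admins, guest
dn: cn=users,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: users
gidNumber: 10000

dn: cn=computers,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: computers
gidNumber: 10001

dn: cn=admins,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: admins
gidNumber: 10002

dn: cn=guest,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: guest
gidNumber: 10003
```

The three ou entries are what the `ldap user suffix`, `ldap machine suffix` and `ldap group suffix` settings in smb.conf would point at, under the `ldap suffix` base.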



