[Samba] Problem w/ Samba 3 & LDAP

Ted Wisniewski ted at ness.plymouth.edu
Fri Apr 2 14:14:34 GMT 2004



On Friday 02 April 2004 12:16 am, Craig White wrote:
> On Thu, 2004-04-01 at 16:40, Ted Wisniewski wrote:
> > 	Ldapsearch was being a pain, so just grabbed the info from a "slapcat"
> > instead, which was simpler.
>
> ---
> crutches - life with LDAP is infinitely easier when you can get command
> of the ldap queries from the command line. That sharpens your
> understanding and skills of using LDAP.
> ---

	Well,  sometimes the best way is the simple way.   Ldapsearch has a lot of 
arguments to type to get a simple result.  Besides, it asks for a 
password.  ;->


> > 	So, now that I know what my "problem" is/was....  I am able
> > to move forward.  The only issue I have now is that I have 9000 users
> > that I want to be able to log onto multiple domains.  By having
> > to have the SID match the domain....  It presents a problem...
> >
> > I only want one password database to maintain...  I guess I could get
> > clever with LDAP replication and have multiple LDAP's...   This is a less
> > than Ideal solution.   At this time I have large smbpasswd files that I
> > would like to not use.   I guess my ideal solution would look like:
> >
> >               /--- Domain A
> >              /
> > LDAP -------+
> >              \
> >               \--- Domain B
> >
> >
> > Since we use a web based password changer,  I could have a separate
> > LDAP per Domain.   I guess, in my ideal world I would have an LDAP
> > with multiple sambaSID's, each samba server would just pick the one
> > out of the LDAP that was appropriate to that Domain.   I realize
> > that the current schema does not allow for this and that samba is not set
> > up to handle it either.   Any ideas on how to accomplish something similar
> > without that ability?
>
> ----
> ahh - the million dollar question.
>
> Don't you want users to be able to change their password using the
> typical Windows change password tool instead of requiring them to change
> it via http? What about UserMgr.exe?

	No.  We are forcing all users to do password changes inside the campus 
portal.  This was a decision made to simplify support and drive people into 
using the portal.  Good or bad, it was the decision made.

>
> Anyway, if your LDAP skills are strong enough (I suspect not), you can
> use replication to have each PDC run the master of the primary Domain it
> is serving up and become a slave on the domains that it is not. Together
> with winbindd, this should prove to be the most flexible - of course you
> must set up 'trusts' between the various domains.

	LDAP itself is a cakewalk.  The hard part is finding the best way to support 
what we have, with all the limitations that come along with what we have.   
I'll admit this is the first time integrating it with Samba.   I want to 
seamlessly change everything from using smbpasswd files (historical, we used 
them before there was anything else) to LDAP and to simplify our backend.  If 
it is not seamless, I have unhappy users.  

> LDAP is the tiger that you apparently don't want to ride but I have
> found it to be quite predictable.

	Actually I am pushing LDAP, I have been using it in some form for about 4 
years.  Thanks for the advice, though you could lose the condescending tone.

Ted

-- 
| Ted Wisniewski                    E-Mail: ted at mail.plymouth.edu        |
| Manager, Systems Group            WEB:    http://oz.plymouth.edu/~ted/ |
| Information Technology Services                                         |
| Plymouth State University         Phone:  (603) 535-2661               |
| Plymouth NH, 03264                Fax:    (603) 535-2263               |
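Added example, not code from the thread or from the Samba project: the constraint Ted runs into is that a sambaSamAccount's sambaSID must be <domain SID>-<RID> for the domain it logs on to, so one sambaSID attribute can only ever put a user in one domain. The script below takes a slapcat-style LDIF dump on stdin (the "slapcat instead of ldapsearch" route from the thread) and reports, for every sambaSamAccount, which sambaDomain entry in the same dump its SID prefix belongs to, or NONE. All DNs, uids, domain names and SIDs in the sample are constructed; with a live directory you would feed it `slapcat` output or `ldapsearch -x -W -D <binddn> -b <base>` output instead (the `-W` is the password prompt Ted mentions).

```shell
#!/bin/sh
# Map each sambaSamAccount in an LDIF dump to the sambaDomain whose SID it
# carries. Input: LDIF on stdin. Output: one "uid DOMAINNAME" line per
# account, DOMAINNAME being NONE when no sambaDomain entry in the dump has
# the account's SID prefix. Base64 values ("attr:: ...") are not decoded and
# are skipped; slapcat writes SIDs and uids as plain ASCII, so that is fine here.
sid_domains() {
  awk '
    BEGIN { RS = ""; FS = "\n" }    # one blank-line-separated LDIF entry per record
    {
      # Unfold LDIF continuation lines: a leading space continues the previous line.
      m = 0
      for (i = 1; i <= NF; i++) {
        if (substr($i, 1, 1) == " " && m > 0) line[m] = line[m] substr($i, 2)
        else line[++m] = $i
      }
      is_domain = 0; is_account = 0; sid = ""; uid = ""; dname = ""
      for (i = 1; i <= m; i++) {
        l = line[i]
        if (substr(l, 1, 1) == "#") continue
        p = index(l, ": ")
        if (p == 0) continue                     # empty or malformed attribute line
        key = substr(l, 1, p - 1); val = substr(l, p + 2)
        if (key == "objectClass" && val == "sambaDomain")     is_domain = 1
        if (key == "objectClass" && val == "sambaSamAccount") is_account = 1
        if (key == "sambaSID")        sid = val
        if (key == "uid")             uid = val
        if (key == "sambaDomainName") dname = val
      }
      if (is_domain && sid != "") domain[sid] = dname
      else if (is_account) { n++; asid[n] = sid; auid[n] = uid }
    }
    END {
      for (i = 1; i <= n; i++) {
        # An account SID is <domain SID>-<RID>; drop the RID and look the prefix up.
        prefix = asid[i]; sub(/-[0-9]+$/, "", prefix)
        d = (prefix in domain) ? domain[prefix] : "NONE"
        print auid[i], d
      }
    }'
}

# Constructed sample dump (not from the original post): two sambaDomain
# entries and three accounts. carol'"'"'s sambaSID is folded across two lines
# to exercise the unfolding above.
SAMPLE_LDIF=$(cat <<'EOF'
dn: sambaDomainName=DOMAINA,dc=example,dc=edu
objectClass: sambaDomain
sambaDomainName: DOMAINA
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=DOMAINB,dc=example,dc=edu
objectClass: sambaDomain
sambaDomainName: DOMAINB
sambaSID: S-1-5-21-7777777777-8888888888-9999999999

dn: uid=alice,ou=People,dc=example,dc=edu
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002

dn: uid=bob,ou=People,dc=example,dc=edu
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1004

dn: uid=carol,ou=People,dc=example,dc=edu
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-7777777777-8888888888-
 9999999999-1006
EOF
)

printf '%s\n' "$SAMPLE_LDIF" | sid_domains
```

Run against a real dump, an account showing NONE is one that Samba will not treat as a member of any domain the directory knows about (an smbpasswd-era SID, or a SID minted under another domain's prefix), which is exactly the "SID must match the domain" problem described above.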
