[Samba] Fixed it myself... (ldap/winbind)
Paul Gienger
pgienger at ae-solutions.com
Fri Jun 11 13:27:14 GMT 2004
>>--------------
>>
>>I say:
>>--------------
>>First off, you are saying a lot that is "clearly false". LDAP can be used blindly in this case. All I needed is a way to avoid having winbind on system A from assigning UIDs on system B that is different. If the UIDs are not identical on all member unix servers, it screws up permissions on issues like NFS, which still has applications in my world.
>>
>>
>----
>That is the point of LDAP - you set it up to maintain your unix accounts
>and the member machines use it for authentication. Therefore, 1 user, 1
>account on all machines that use LDAP for authentication. The
>alternative to LDAP for this is NIS and that is not convergent with
>samba.
>
>
Excuse me, but the assumption that LDAP = posix account repository is so
false it isn't even funny. Definition obtainable by STFW:
*LDAP* - Acronym for Lightweight Directory Access Protocol. It is a
protocol for accessing information directories such as organizations,
individuals, phone numbers, and addresses. It is based on the X.500
directory protocols,
That doesn't say much about storing my account information. And just so
we're all clear on what X.500 is:
An ISO <http://www.webopedia.com/TERM/X/ISO.html> and ITU
<http://www.webopedia.com/TERM/X/ITU.html> standard that defines how
global directories should be structured. X.500 directories are
hierarchical <http://www.webopedia.com/TERM/X/hierarchical.html> with
different levels for each category of information, such as country,
state, and city
That being said,
We do lots of things with our ldap structure that has really nothing to
do with authenticating users, the easiest to explain being storing
automount information. Sun uses it for storing lots of crap for general
system configuration. Some people use it for DNS. Storing SID->UID
mappings is no different since pam/nsswitch doesn't look directly at the
idmap object at all to figure out what users are what number, it relies
on the nss/pam winbind module for that, which 'can' use LDAP as a data
store. LDAP is just a network distributed information database, which
happens to be used a lot for account management.
If you're going to come off like a pompous ass, please use a technically
valid argument. Just because someone doesn't search the archives, which
by the way, doesn't have a search feature, and I'm pretty sure didn't
include an ldif for a working idmap backend in the last couple of
months, isn't a good reason to go on a flame war.
--
Paul Gienger Office:
Applied Engineering Inc. Cell:
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto:pgienger at ae-solutions.com
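As an added example, not part of this thread, here is the smb.conf idmap section a Samba 3 domain member server would use so that every member reads and writes the same SID->UID mappings in one LDAP directory instead of each winbind allocating its own (the host names, DNs and ID ranges are assumed placeholders; the ou=Idmap container is assumed to already exist in the directory):

```ini
[global]
   workgroup = EXAMPLE
   security = domain
   password server = *

   ; Same directory, same admin DN and same idmap suffix on EVERY member
   ; server; this is what keeps the SID->UID allocation identical across
   ; hosts that share NFS exports.
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=samba,ou=Admins,dc=example,dc=com
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:ldap://ldap.example.com

   ; Allocation range must also be identical on all members, and must not
   ; overlap the UID/GID ranges used by real posixAccount entries.
   idmap uid = 10000-20000
   idmap gid = 10000-20000

   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
```

The bind password for `ldap admin dn` is not in the file; it is stored with `smbpasswd -w`, and the LDAP ACL should let only that DN write under ou=Idmap.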