[Samba] Samba and LDAP backend - howto docs problems?
Diego Julian Remolina
dijuremo at math.gatech.edu
Wed Mar 10 19:54:50 GMT 2004
> John H Terpstra wrote:
> >>Samba's LDAP configuration exists in the smb.conf file. pam_ldap /
> >>nss_ldap's configuration exists in the ldap.conf file.
> > Samba works with OpenLDAP, Sun iPlanet (Identity Server), IBM Tivoli
> > Directory server, CA's product, Novell eDirectory, etc. So precisely how
> > do you suggest we integrate all of these plus Samba so there is no
> > duplication _AND_ so that the resulting code can be maintained?
> All the software you've listed are LDAP servers, I was referring to
> nss_ldap, an LDAP client whose config is found in /etc/ldap.conf, which
> as you explain below is required for a proper functioning Samba + LDAP
> I understand that nss_ldap runs on a number of platforms, which means it
> is reasonably safe to assume that /etc/ldap.conf will be there, and if
> it's not there, the existing LDAP config directives can be used as a
> fallback, or Samba can be taught other places to look for the system's
> LDAP config.
NOOOO it is not safe. For example on a Linux machine the original
ldap.conf that openldap uses is in /etc/openldap/ldap.conf while the one
that nss_ldap uses is in /etc/ldap.conf and if you install them both you
will see the two files are different. So you need to link them together
or put the appropriate entries on both.
Also Solaris has its own implementation of nss_ldap and it uses:
/var/ldap/ldap_client_file which does not resemble at all your typical
I would say the best way to do it is to let the end user know that before
they install samba, they either need to have the machine that will be
doing samba correctly configured as an ldap client or warn them that all
uid/gid information on that machine must be the same in nis
(if that machine is part of a nis domain or locally in /etc/passwd
/etc/group) and ldap.
I noticed this problem while testing openldap/samba on my network. My
test system is a server that is still a nis client. And so if the ids are
not the same on things like group things break, like smbpasswd -a -m
and also other things like net groupmap add, etc because samba looks at
the ids from nis and not the ones from ldap even if all the ldap info is
correctly entered in the smb.conf file.
> > In my opinion, Samba has to remain independent of ALL system tools.
> I agree, but Samba requires nss_ldap - if Samba is to maintain a
> separate LDAP config from nss_ldap, then I would say that Samba should
> not need the services of nss_ldap - it should be able to query this
> information for itself.
> > Given that Samba is Open Source software, who has responsibility to effect
> > perfect integration? How will all the projects get integrated security and
> > authentication support?
> > Just remember:
> > - The Samba-Team is not a massive corporation
> > - We do not control any other project we may depend on
> > So precisely HOW can we solve all these difficulties? I can not provide a
> > better answer, other than the need for Open Source and Commercial open
> > public software standards - something I am already working towards
> > privately.
> By starting to address the fact that Samba is IMHO unnecessarily
> complex. Work should be done on finding ways to simplify the config and
> the operation of Samba, by looking for duplication and over-complex
> elements, and finding elegant ways to simplify them. Samba's ability to
> perform useful things doesn't amount to anything, if it takes a PhD to
> figure out how those useful things work.
> > The HOWTO is a document that aims to expound HOW the tools can be used.
> > The Samba-3 by Example book aims to provide working solutions. It is
> > unrealistic to attempt to do both in one book. Even as it is, the HOWTO is
> > too big. The major improvement I have planned for the HOWTO is improved
> > indexing - in time this will happen. As to content - please contribute.
> I think it would be far more valuable to spend time simplifying the
> software rather than trying to add even more documentation, of which
> there is already a significant amount.
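The uid/gid consistency requirement described in the message above can be checked before Samba is pointed at LDAP. The following is an added example, not part of the original post or of Samba: it compares group(5)-format data (as dumped from NIS or /etc/group) with posixGroup entries in LDIF form and reports names whose gids disagree and gids that belong to different names. The function names and all sample entries are constructed, and LDIF line folding and base64 values are assumed absent.

```python
# Added example; every function name and sample entry below is constructed.
def parse_flat(text):
    """name -> id from passwd(5)/group(5) lines (numeric id is field 3)."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments, NIS compat markers (+/-) and malformed lines.
        if line[:1] in "#+-" or len(fields) < 3 or not fields[2].isdigit():
            continue
        ids[fields[0]] = int(fields[2])
    return ids

def parse_ldif(text, name_attr, id_attr):
    """name -> id from blank-line separated LDIF entries (RFC 2307 attributes)."""
    ids = {}
    for entry in text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs.setdefault(key.lower(), value.strip())
        name, num = attrs.get(name_attr.lower()), attrs.get(id_attr.lower())
        if name and num and num.isdigit():
            ids[name] = int(num)
    return ids

def mismatches(flat, ldap):
    """(name, flat_id, ldap_id) for names present in both sources with different ids."""
    return sorted((n, flat[n], ldap[n])
                  for n in set(flat) & set(ldap) if flat[n] != ldap[n])

def collisions(flat, ldap):
    """(id, flat_name, ldap_name) where one numeric id maps to different names."""
    by_id = {i: n for n, i in ldap.items()}
    return sorted((i, n, by_id[i]) for n, i in flat.items()
                  if i in by_id and by_id[i] != n)

# Constructed sample data: a NIS/local group map and an LDAP export.
NIS_GROUP = "root:x:0:\nstaff:x:500:alice,bob\ndomadmins:x:512:alice\n"
LDAP_GROUP = (
    "dn: cn=staff,ou=Groups,dc=example,dc=org\ncn: staff\ngidNumber: 500\n\n"
    "dn: cn=domadmins,ou=Groups,dc=example,dc=org\ncn: domadmins\ngidNumber: 1512\n\n"
    "dn: cn=printers,ou=Groups,dc=example,dc=org\ncn: printers\ngidNumber: 512\n")

if __name__ == "__main__":
    flat, ldap = parse_flat(NIS_GROUP), parse_ldif(LDAP_GROUP, "cn", "gidNumber")
    print("gid mismatches:", mismatches(flat, ldap))
    print("gid collisions:", collisions(flat, ldap))
```

The same functions work for accounts by passing passwd(5) data and `parse_ldif(text, "uid", "uidNumber")`.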