[Samba] Multiple samba servers with LDAP
giuseppe pasqualotto
giuseppe.pasqualotto at unifi.it
Mon Mar 7 15:29:42 GMT 2005
cooper mail wrote:
>Craig,
> Thanks for the response. I have read both the HowTo and the By
>Example. Neither covers much in regard to my situation. I have NO
>windows servers, only samba servers.
>
>I am using LDAP, nss_ldap, and pam_ldap to handle the local unix
>accounts. The samba PDC is also using ldap as its passdb backend.
>Everything is working fine at this time. I have tried both of the
>setups I have mentioned, and both work. I am just wondering what is
>the recommended/best practice setup.
>
>
>I am not using winbind at this time. I read in another post from
>Jerry, that the only reason I would need winbind, in my scenario, is
>if I had a trust relationship with another domain. I do not.
>
>Thanks,
>
>cooper
>
>On Sun, 06 Mar 2005 21:23:27 -0700, Craig White <craigwhite at azapple.com> wrote:
>
>
>>On Sun, 2005-03-06 at 21:23 -0500, cooper mail wrote:
>>
>>
>>>I was wondering what the best practice is for setting up several SAMBA
>>>servers in a SAMBA domain all on the same LAN. Here is what I am
>>>looking at
>>>
>>>PDC: LDAP, Samba, nss_ldap, pam_ldap
>>>Member1: Samba, nss_ldap, pam_ldap
>>>Member2: Samba, nss_ldap, pam_ldap
>>>Member . . . .
>>>
>>>Should I set the member servers up with:
>>>Security = domain
>>>and join the servers with net rpc join
>>>
>>>or, would it be better to set them up with:
>>>passdb backend = ldapsam:ldap://pdc.domain.com
>>>security = server
>>>
>>>Do you see where I am going? If you need more details to answer, let me know.
>>>
>>>
>>----
>>You should probably consult both the HOWTO and more specifically, the BY
>>EXAMPLE documentation for discussions about this as only you can decide
>>the value of this.
>>
>>Nowhere did you mention winbindd...
>>
>>Given local unix accounts are necessary for samba connections, I would
>>think an overall strategy should be thought out carefully.
>>
>>Craig
>>
I was in the same situation and I chose to build up a central Samba/LDAP
in one domain with other Samba/LDAP servers authenticating users against
the first one.
The solution is to provide different user configuration in every single
Samba/LDAP, centrally managing the account and the password repository
for all users.
You have many Samba/PDC servers but only one is delegated to authenticate
users in the domain. You have to set the global directive in smb.conf
"security=server" and add "password server=server name or server ip".
Then, when a Windows client connects to a Samba/LDAP it can retrieve
personal account information, but the password validation is a challenge
between the two Samba/LDAP servers (the first, receiving and opening a
client connection, and the second, which you set in the smb.conf
"password server" directive).
Giuseppe
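
Added example, not part of the original thread or of Samba's own code: a
small Python check that reads the [global] section of a member server's
smb.conf, reports which of the two setups discussed above it uses, and
lists the companion settings that setup needs. The sample configuration
is constructed from the lines quoted in the thread; the function names
are illustrative.

```python
import re

# Constructed sample: the second setup from the thread, as a member server.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   ; hostname below is the one quoted in the thread
   passdb backend = ldapsam:ldap://pdc.domain.com
   security = server
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Samba ignores case and whitespace in parameter names, so keys are
    normalised ("Password Server" -> "passwordserver").
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def review(text):
    """Return (security mode, findings) for the setups discussed above."""
    p = parse_global(text)
    mode = p.get("security", "user").lower()  # Samba 3 default is "user"
    findings = []
    if mode == "server":
        if "passwordserver" not in p:
            findings.append("security = server needs 'password server'")
        findings.append("security = server is deprecated in later Samba releases")
    elif mode == "domain":
        findings.append("needs a machine account: run 'net rpc join' on this host")
    if p.get("passdbbackend", "").lower().startswith("ldapsam"):
        for name, key in (("ldap suffix", "ldapsuffix"), ("ldap admin dn", "ldapadmindn")):
            if key not in p:
                findings.append(f"ldapsam backend needs '{name}'")
    return mode, findings

if __name__ == "__main__":
    print(review(SAMPLE))
```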