[Samba] Re: Windows->LDAP->Samba

paul kölle paul at subsignal.org
Wed Nov 16 21:07:05 GMT 2005


Mont Rothstein wrote:
> I am hoping someone can tell me if I am trying something that can't be done.
Well, if I understood you correctly I'll say yes ;)

Don't make it harder than it is, there are only three parties involved

1) Windows (the client)
2) Samba ("app server")
3) LDAP (authentication backend)

Windows never talks directly to LDAP (at least not in this scenario), it
always contacts samba, PDC or not. So the windows box asks samba "hey, I
want to write to your disk..." and samba, being a sensitive piece of
software insists: "Wait a minute, tell me who you are and prove this
somehow, then I'll ask my backend if it knows you and if your proof
holds true,...".

The stupid windows client, not knowing that it speaks to the glorious UNIX
world, sends its usual credentials, a string like MYWORKSTATION\joe and a
"secret" hash.

Now samba looks for a UNIX user joe via the normal system calls used on
unix and in its configured backend for the hash and all the other pieces
needed in the windows world and not present on a normal unix system
account. Samba absolutely DOES NOT CARE where the unix NAMES (+uid,gid)
come from. They need to be known to the system where samba is installed,
period.

Fortunately, linux/unix has quite a few sources where names may come
from. This is abstracted through the NSS interface and implemented by
shared libraries whose names happen to be libnss_<servicename>.so. If
you have a line like:

passwd: files ldap

in your /etc/nsswitch.conf, the system will ask libnss_files.so and
libnss_ldap.so for the names and numbers commonly known as "accounts".

In your case, you want to enable/disable/setup users in LDAP only. All
you have to do is:

1. Instruct your system to fetch unix NAMES from ldap (nss_ldap).
2. Instruct samba to fetch the windows bits from ldap (passdb backend).

I couldn't stress this point, a common misconception, enough; sorry.
 Paul
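As an added example, not part of Paul's message or of the Samba project's own files: the two configuration halves he describes (nsswitch.conf pointing the passwd/group/shadow databases at libnss_ldap.so, and smb.conf pointing Samba's passdb at ldapsam), written out as constructed sample files, with small checks that each half is actually wired up. The LDAP host ldap.example.com, the suffix dc=example,dc=com and the admin DN are assumptions; the file paths are the usual defaults.

```shell
#!/bin/sh
# Added example, not from the original message: the two configuration
# halves Paul describes, plus checks that each half is wired up.
#   1. NSS: the box resolves unix NAMES from LDAP (nsswitch.conf -> libnss_ldap.so)
#   2. Samba: the windows bits come from LDAP (smb.conf -> passdb backend = ldapsam)
# The LDAP host, suffix and admin DN below are assumptions; substitute your own.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample nsswitch.conf: passwd/group/shadow consult files, then ldap.
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns
EOF

# Constructed sample smb.conf [global]: samba fetches its SAM entries from LDAP.
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   # assumed LDAP server and suffix
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = start tls
EOF

# nss_sources DB FILE: print the lookup order for one nsswitch database.
nss_sources() {
    awk -v db="$1" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# nss_uses_ldap DB FILE: succeed if that database consults ldap at all.
nss_uses_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# passdb_backend FILE: print the value of "passdb backend" from smb.conf.
passdb_backend() {
    awk '/^[ \t]*passdb backend[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# check_setup NSSWITCH SMBCONF: report on both halves; 0 only if both are set.
check_setup() {
    rc=0
    for db in passwd group shadow; do
        if nss_uses_ldap "$db" "$1"; then
            echo "ok:   $db -> $(nss_sources "$db" "$1")"
        else
            echo "FAIL: $db does not consult ldap (step 1 missing)"; rc=1
        fi
    done
    case "$(passdb_backend "$2")" in
        ldapsam:*) echo "ok:   passdb backend = $(passdb_backend "$2")" ;;
        *)         echo "FAIL: passdb backend is not ldapsam (step 2 missing)"; rc=1 ;;
    esac
    return $rc
}

# live_check USER: on a real box, prove both halves with the stock tools.
live_check() {
    command -v getent  >/dev/null && getent passwd "$1"   # step 1: unix name + uid/gid
    command -v pdbedit >/dev/null && pdbedit -Lv "$1"     # step 2: windows bits from passdb
}

check_setup "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/smb.conf"
```

On a real server the proof is the two live commands: `getent passwd joe` must return a line (that is step 1, the unix NAME, uid and gid coming back through NSS), and `pdbedit -Lv joe` must show the sambaSamAccount bits (step 2). If the first fails, samba cannot succeed no matter how the LDAP entry looks; if only the second fails, the user exists on the system but has no windows half yet. The nss_ldap side also needs its own client config (the server URI and base DN, conventionally in /etc/ldap.conf for that library), and samba needs the admin DN's password stored with `smbpasswd -w`; both are assumed here, not shown.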


