[Samba] Samba + LDAP

Daniel L. Miller dmiller at amfes.com
Fri Oct 12 14:44:07 GMT 2007

John H Terpstra wrote:
> On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
>> Are the IDEALX tools necessary for "complete" integration with LDAP?  Or
>> is the built-in support sufficiently advanced now?
>> Daniel
> Daniel,
> What function do you believe the IDEALX tools serve?  Why do you think these 
> scripts are needed?  What makes you think that "built-in support" might be 
> the right (or best) solution?
> Have you read the Samba documentation? Specifically, is there anything in the 
> Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there 
> is any attempt to supersede the necessity for the IDEALX tools (or an 
> alternative set of scripts that is external to Samba itself)?
> What does "complete" integration with LDAP mean to you?
> You are not the first person to ask questions like these.  It would help me to 
> write more useful documentation if I could better understand what is behind 
> the questions.
> In case you do not know of the books "Samba3-HOWTO" and "Samba3-byExample" 
> they can be obtained from:
> 	http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> 	http://www.samba.org/samba/docs/Samba3-ByExample.pdf
> The IDEALX tools are a means of creating and managing UNIX user and group 
> accounts in the LDAP directory.  Samba can then create and manage the Windows 
> (SambaSAM) account information that is necessary to support Windows network 
> activities.
> As a network administrator, I want total control over how UNIX accounts are 
> managed in my LDAP directory and I would not want this done by Samba - 
> particularly if that removes my ability to control how this is done.  Your 
> mileage may vary, but I suspect most UNIX administrators who manage Samba 
> would not want to lose control of the UNIX part of the directory.
> For example, if Samba had total control over all Windows networking (Samba) 
> accounts, and the Windows network administrator deletes a user account, but 
> the user also has vital UNIX files, how should the deletion of the UNIX 
> account information be handled?
> By keeping the LDAP administration scripts that impact the UNIX account 
> management separate from the Windows (Samba) account part, the administrator 
> can exercise greater control over.  - Just my $0.02 worth.
> Cheers,
> John T.
By "built-in support", I am referring to the ldapsam:trusted and 
ldapsam:editposix extensions - documented at:


Because using these extensions appeared to simplify my configuration, 
and inferred that they were "optimized", I thought this was the future 
of Samba+LDAP and the IDEALX scripts were a holdover from the past.  
Since I have had difficulty in getting this configuration to work 
solidly - I'm still questioning whether or not these extensions are what 
I should be using.

"Complete" integration to me means after setting the appropriate 
smb.conf parameters - and having a configured LDAP backend - no 
information is stored external to the LDAP server and standard tools for 
Samba account manipulation perform all needed functions without the need 
for manipulating the LDAP database directly.  Such account manipulation 
should be exclusive to Samba - if the UNIX accounts are also LDAP based 
then obviously the UNIX accounts MAY be impacted by such Samba 
configuration - but it should not be a requirement for any Samba 
accounts to map to UNIX - unless the administrator wants that.

How to handle account deletion is a matter of individual preference - 
both for Samba and for UNIX.  In any case, the option to either leave 
the user files intact, move them to a repository, or delete upon account 
deletion should be a simple configuration setting.

I'm still learning how all these components interconnect - I have yet to 
have a fully-functional Samba PDC, that has no errors/warnings in the 
logs, and communicates with the compatible Windows NT tools for domain 
manipulation.  I had thought that if the IDEALX tools had been 
superseded by the ldapsam:trusted extensions, that was one less item I 
had to worry about.
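As an added illustration (my own sample, not from either poster or the Samba project), this is the shape of the smb.conf [global] section that the ldapsam:trusted and ldapsam:editposix path referred to above expects. The workgroup name, the ldap:// URIs, the dc=example,dc=com suffix, the admin DN and the idmap ranges are placeholders to be replaced with site values. Comments are on their own lines because smb.conf does not allow trailing comments after a value.

```ini
[global]
    # placeholder domain name; this host acts as the PDC
    workgroup = EXAMPLE
    security = user
    domain logons = yes

    # SAM and idmap both live in the directory; "localhost" is a placeholder URI.
    # ldapsam:editposix requires the ldap idmap backend and an idmap suffix.
    passdb backend = ldapsam:ldap://localhost
    idmap backend = ldap:ldap://localhost
    # placeholder ranges
    idmap uid = 10000-19999
    idmap gid = 10000-19999

    # trusted: Samba reads the posixAccount/posixGroup data straight from LDAP
    # instead of going through getpwnam()/getgrnam() via nss_ldap
    ldapsam:trusted = yes
    # editposix: Samba creates and deletes the posixAccount/posixGroup entries
    # itself, so no add/delete user script (and no IDEALX smbldap-tools) is needed
    ldapsam:editposix = yes

    # placeholder base DN and the OUs that must already exist in the directory
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=example,dc=com
    # the admin bind password is not kept in smb.conf; store it in secrets.tdb
    # with:  smbpasswd -w <password>
    # keep the admin bind off the wire in clear (start tls is the default)
    ldap ssl = start tls
```

With these settings in place and the OUs created, `net sam provision` creates the built-in groups (Domain Admins, Domain Users, Domain Guests, Domain Computers) as combined posixGroup/sambaGroupMapping entries that the editposix mode needs before the first user or machine account can be added. Both options are described under `passdb backend` in smb.conf(5); check the manpage of the installed release, since editposix is newer than trusted and its idmap requirements differ between 3.0.x releases.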

