[Samba] Re: Simple LDAP backend question

Ryan Novosielski novosirj at umdnj.edu
Fri Jan 4 05:15:33 GMT 2008



Jamrock wrote:
> "Ryan Novosielski" <novosirj at umdnj.edu> wrote in message
> news:477D2C28.7070705 at umdnj.edu...
>> Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
>> or can one move only the smbpasswd file to LDAP without impacting the
>> standard UNIX passwd file at all?
> 
> Interesting question.  Just a little background info. so we are all on the
> same page.
> 
> Each Samba user must have a Linux (POSIX) account in order to access the
> Linux machine.  It must also have some Samba (Windows) information for it to
> work as a Windows domain controller.
> 
> If you use the smbldap tools to manage the addition and deletion of users,
> they will add the POSIX and the Samba user info to the LDAP directory.  This
> will happen because your add user script in the smb.conf file will point to
> the relevant smbldap add user script.
> 
> You would typically configure the /etc/nsswitch.conf file to tell the Linux
> machine to look for user names and passwords in the LDAP directory.  That
> way the user does not need to exist in the /etc/passwd file.
> 
> So far so good.
> 
> I understand from what you are saying that you want to
> separate the POSIX (Linux) information from the Samba information.  You want
> to keep the POSIX information in the /etc/passwd file and the Samba
> information in the LDAP directory.  Each user's authentication information
> will be stored in both locations.
> 
> To do this you should not use the add user script from the smbldap tools.
> Instead use the standard Linux "add user" command in a script to add the
> user.  I have done this in the past.  It adds Samba info. to LDAP and
> creates the user account in the /etc/passwd file.
> 
> Your smb.conf file should look something like
> 
> add user script = /usr/sbin/useradd -m '%u'
> 
> add machine script = /usr/sbin/useradd -M '%u'
> 
> add group script = /usr/sbin/groupadd '%g'
> 
> Typically I use the User Manager for Domains to add and delete users.  Not
> sure how things will work with other tools.
> 
> I guess you can use the smbldap tools to populate the LDAP database with the
> standard Windows users and groups but use the Linux commands in the add user
> script.
> 
> I haven't tried this since the early versions of Samba 3.x.  Let me know how
> it works out.

Sounds rather much like what I'm looking for. I really don't use the add
user/group script right now anyway, just add machine.

What it seems like you're saying is that I can migrate all of the stuff
from /etc/passwd to LDAP and then just never change nsswitch for UNIX
and only make Samba use LDAP, setting the parameters as above.

--
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
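The smb.conf lines quoted above hand the account name Samba received from the Windows side straight to useradd, which runs as root. The wrapper below is an added example (not code from this thread or from the Samba project) of what an "add user script" / "add machine script" can point at instead: it checks the name before creating the POSIX account in /etc/passwd, while Samba itself still writes its own account data to LDAP when passdb backend = ldapsam. The script path /usr/local/sbin/samba-adduser is an assumption.

```shell
#!/bin/sh
# samba-adduser (assumed name): wrapper for the smb.conf lines
#   add user script    = /usr/local/sbin/samba-adduser user '%u'
#   add machine script = /usr/local/sbin/samba-adduser machine '%u'
# Samba runs this as root with the requested account name in place of %u,
# so the name is validated before it reaches useradd. POSIX data stays in
# /etc/passwd; Samba adds its own LDAP entry after this script succeeds.

# validate_account_name KIND NAME -> 0 if NAME is acceptable for KIND
# (user or machine), 1 otherwise. Machine accounts must end in '$',
# user accounts must not; the rest must be a plain lowercase POSIX name.
validate_account_name() {
    kind=$1
    name=$2
    case $kind in
        machine)
            case $name in
                *\$) base=${name%\$} ;;
                *) return 1 ;;
            esac ;;
        user)
            case $name in
                *\$) return 1 ;;
                *) base=$name ;;
            esac ;;
        *) return 1 ;;
    esac
    # Non-empty and at most 32 characters (the usual useradd limit).
    [ -n "$base" ] && [ "${#base}" -le 32 ] || return 1
    # Every character must come from the safe set: tr -cd deletes anything
    # else (spaces, quotes, ';', '/', newlines), so any change means rejection.
    clean=$(printf '%s' "$base" | LC_ALL=C tr -cd 'a-z0-9_.-')
    [ "$clean" = "$base" ] || return 1
    # First character must be a letter or '_', never a digit, '.' or '-'
    # (a leading '-' would be parsed by useradd as an option).
    case $base in [0-9.-]*) return 1 ;; esac
    return 0
}

# create_account KIND NAME: same useradd calls as the thread's smb.conf lines
# (-m for users, -M for machines), only after the name passed validation.
create_account() {
    validate_account_name "$1" "$2" || { echo "refused account name: $2" >&2; return 1; }
    if [ "$1" = machine ]; then
        /usr/sbin/useradd -M "$2"
    else
        /usr/sbin/useradd -m "$2"
    fi
}

# Only act when Samba invokes the script with KIND and NAME.
[ $# -eq 2 ] && create_account "$1" "$2"
```

Samba exits the join or user-creation request with an error when the script returns non-zero, so a rejected name never gets a POSIX account or a Samba entry.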