[Samba] Re: Simple LDAP backend question
Ryan Novosielski
novosirj at umdnj.edu
Fri Jan 4 05:15:33 GMT 2008
Jamrock wrote:
> "Ryan Novosielski" <novosirj at umdnj.edu> wrote in message
> news:477D2C28.7070705 at umdnj.edu...
>>
>> Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
>> or can one move only the smbpasswd file to LDAP without impacting the
>> standard UNIX passwd file at all?
>
> Interesting question. Just a little background info. so we are all on the
> same page.
>
> Each Samba user must have a Linux (POSIX) account in order to access the
> Linux machine. It must also have some Samba (Windows) information for it to
> work as a Windows domain controller.
>
> If you use the smbldap tools to manage the addition and deletion of users,
> they will add the POSIX and the Samba user info to the LDAP directory. This
> will happen because your add user script in the smb.conf file will point to
> the relevant smbldap add user script.
>
> You would typically configure the /etc/nsswitch.conf file to tell the Linux
> machine to look for user names and passwords in the LDAP directory. That
> way the user does not need to exist in the /etc/passwd file.
>
> So far so good.
>
> I understand from what you are saying that you want to
> separate the POSIX (Linux) information from the Samba information. You want
> to keep the POSIX information in the /etc/passwd file and the Samba
> information in the LDAP directory. Each user's authentication information
> will be stored in both locations.
>
> To do this you should not use the add user script from the smbldap tools.
> Instead use the standard Linux "add user" command in a script to add the
> user. I have done this in the past. It adds Samba info. to LDAP and
> creates the user account in the /etc/passwd file.
>
> Your smb.conf file should look something like
>
> add user script = /usr/sbin/useradd -m '%u'
>
> add machine script = /usr/sbin/useradd -M '%u'
>
> add group script = /usr/sbin/groupadd '%g'
>
> Typically I use the User Manager for Domains to add and delete users. Not
> sure how things will work with other tools.
>
> I guess you can use the smbldap tools to populate the LDAP database with the
> standard Windows users and groups but use the Linux commands in the add user
> script.
>
> I haven't tried this since the early versions of Samba 3.x. Let me know how
> it works out.
Sounds rather much like what I'm looking for. I really don't use the add
user/group script right now anyway, just add machine.
What it seems like you're saying is that I can migrate all of the stuff
from /etc/passwd to LDAP and then just never change nsswitch for UNIX
and only make Samba use the ldap, and setting the parameters as above.
- --
---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Systems Programmer II
|$&| |__| | | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
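
Added example, not part of the original message: in the split layout discussed in this thread (Samba account data in LDAP, POSIX accounts left in /etc/passwd with nsswitch unchanged), every Samba entry still needs a matching local account, so the two stores can be cross-checked. The script assumes an LDIF export of the uid attribute of the Samba entries; the function names, file names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example; every account name and file below is constructed.

# Print uid values from LDIF on stdin, one per line.
# Base64-encoded values ("uid:: ...") are skipped, not decoded.
ldif_uids() {
    sed -n 's/^uid: //p' | sort -u
}

# missing_posix LDIF PASSWD
# Print each Samba uid in LDIF that has no entry in the passwd-format file.
# grep -F keeps the trailing "$" of machine accounts literal.
missing_posix() {
    ldif_uids < "$1" | while IFS= read -r name; do
        cut -d: -f1 "$2" | grep -Fxq -e "$name" || printf '%s\n' "$name"
    done
}

# nss_passwd_uses_ldap NSSWITCH
# Succeed if the "passwd:" line of the file lists ldap as a source.
nss_passwd_uses_ldap() {
    awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "ldap") hit = 1 }
         END { exit !hit }' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Stand-in for an ldapsearch of sambaSamAccount entries returning uid.
    cat > "$d/samba.ldif" <<'EOF'
dn: uid=alice,ou=Users,dc=example,dc=org
uid: alice

dn: uid=bob,ou=Users,dc=example,dc=org
uid: bob

dn: uid=ws01$,ou=Computers,dc=example,dc=org
uid: ws01$
EOF
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'alice:x:1001:1001::/home/alice:/bin/sh' \
        'ws01$:x:2001:515::/dev/null:/bin/false' > "$d/passwd"
    printf '%s\n' '# constructed' 'passwd: files' 'group: files' > "$d/nsswitch.conf"
    nss_passwd_uses_ldap "$d/nsswitch.conf" && echo "note: passwd lookups also go to LDAP"
    missing_posix "$d/samba.ldif" "$d/passwd"
    rm -rf "$d"
}

demo
```

On the sample data the only name reported is bob, whose Samba entry has no local account.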