[Samba] Re: Re: Simple LDAP backend question

Jamrock news_jamrock at yahoo.com
Fri Jan 4 09:05:29 GMT 2008


"Ryan Novosielski" <novosirj at umdnj.edu> wrote in message
news:477DC0F5.2020103 at umdnj.edu...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jamrock wrote:
> > "Ryan Novosielski" <novosirj at umdnj.edu> wrote in message
> > news:477D2C28.7070705 at umdnj.edu...
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
> >> or can one move only the smbpasswd file to LDAP without impacting the
> >> standard UNIX passwd file at all?
> >
> > Interesting question.  Just a little background info. so we are all on the
> > same page.
> >
> > Each Samba user must have a Linux (POSIX) account in order to access the
> > Linux machine.  It must also have some Samba (Windows) information for it to
> > work as a Windows domain controller.
> >
> > If you use the smbldap tools to manage the addition and deletion of users,
> > they will add the POSIX and the Samba user info to the LDAP directory.  This
> > will happen because your add user script in the smb.conf file will point to
> > the relevant smbldap add user script.
> >
> > You would typically configure the /etc/nsswitch.conf file to tell the Linux
> > machine to look for user names and passwords in the LDAP directory.  That
> > way the user does not need to exist in the /etc/passwd file.
> >
> > So far so good.
> >
> > I understand from what you are saying that you want to
> > separate the POSIX (Linux) information from the Samba information.  You want
> > to keep the POSIX information in the /etc/passwd file and the Samba
> > information in the LDAP directory.  Each user's authentication information
> > will be stored in both locations.
> >
> > To do this you should not use the add user script from the smbldap tools.
> > Instead use the standard Linux "add user" command in a script to add the
> > user.  I have done this in the past.  It adds Samba info. to LDAP and
> > creates the user account in the /etc/passwd file.
> >
> > Your smb.conf file should look something like
> >
> > add user script = /usr/sbin/useradd -m '%u'
> >
> > add machine script = /usr/sbin/useradd -M '%u'
> >
> > add group script = /usr/sbin/groupadd '%g'
> >
> > Typically I use the User Manager for Domains to add and delete users.  Not
> > sure how things will work with other tools.
> >
> > I guess you can use the smbldap tools to populate the LDAP database with the
> > standard Windows users and groups but use the Linux commands in the add user
> > script.
> >
> > I haven't tried this since the early versions of Samba 3.x.  Let me know how
> > it works out.
>
> Sounds rather much like what I'm looking for. I really don't use the add
> user/group script right now anyway, just add machine.
>
> What it seems like you're saying is that I can migrate all of the stuff
> from /etc/passwd to LDAP and then just never change nsswitch for UNIX
> and only make Samba use the ldap, and setting the parameters as above.

Yes.  In the early days I didn't understand how to use the smbldap scripts.
So I ended up with that mixed configuration.

I would not recommend it for a typical install of Samba though.  Keeping
everything in LDAP makes it easy to backup user information.  It also makes
it easier to transfer user information to another server.

However, it sounds as if it is a requirement in your environment.
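The mixed layout discussed in this thread, with POSIX accounts staying in /etc/passwd and only the Samba account data going to LDAP, written out as an added example smb.conf. This is not configuration posted by either participant; the workgroup name, LDAP server, suffixes and admin DN are placeholder assumptions, and the three add/script lines are the ones Jamrock quoted above.

```ini
# smb.conf (added example, not from the thread; names and DNs are placeholders)
[global]
   workgroup = EXAMPLE
   domain logons = yes

   # Samba (SAM) account data lives in LDAP ...
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   # the next three suffixes are relative to "ldap suffix"
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba,dc=example,dc=com
   # the bind password for "ldap admin dn" is stored in secrets.tdb with
   #   smbpasswd -w <password>
   # protect that bind and the password hashes on the wire:
   ldap ssl = start tls

   # ... but POSIX accounts are created by the stock Linux tools, not by the
   # smbldap scripts, so they end up in /etc/passwd and /etc/group.  smbd runs
   # these as root with the name substituted for %u / %g.
   add user script = /usr/sbin/useradd -m '%u'
   add machine script = /usr/sbin/useradd -M '%u'
   add group script = /usr/sbin/groupadd '%g'
```

With this smb.conf, /etc/nsswitch.conf is left as shipped (`passwd: files`, `group: files`, `shadow: files`), so the UNIX side never consults LDAP. The practical consequence Jamrock hints at is that every account now exists in two stores: backups must cover both the directory and /etc/passwd, and disabling or removing a user has to be done in both places (for example `smbpasswd -d` or `pdbedit` for the LDAP side, `usermod -L` or `userdel` for the POSIX side), otherwise a user deactivated in one store can still authenticate through the other.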
