[Samba] Re: Re: Simple LDAP backend question

Ryan Novosielski novosirj at umdnj.edu
Fri Jan 4 14:19:35 GMT 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jamrock wrote:
> "Ryan Novosielski" <novosirj at umdnj.edu> wrote in message
> news:477DC0F5.2020103 at umdnj.edu...
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Jamrock wrote:
>>> "Ryan Novosielski" <novosirj at umdnj.edu> wrote in message
>>> news:477D2C28.7070705 at umdnj.edu...
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
>>>> or can one move only the smbpasswd file to LDAP without impacting the
>>>> standard UNIX passwd file at all?
>>> Interesting question.  Just a little background info. so we are all on
> the
>>> same page.
>>>
>>> Each Samba user must have a Linux (POSIX) account in order to access the
>>> Linux machine.  It must also have some Samba (Windows) information for
> it to
>>> work as a Windows domain controller.
>>>
>>> If you use the smbldap tools to manage the addition and deletion of
> users,
>>> they will add the POSIX and the Samba user info to the LDAP directory.
> This
>>> will happen because your add user script in the smb.conf file will point
> to
>>> the relevant smbldap add user script.
>>>
>>> You would typically configure the /etc/nsswitch.conf file to tell the
> Linux
>>> machine to look for user names and passwords in the LDAP directory.
> That
>>> way the user does not need to exist in the /etc/passwd file.
>>>
>>> So far so good.
>>>
>>> I understand from what you are saying that you want to
>>> separate the POSIX (Linux) information from the Samba information.  You
> want
>>> to keep the POSIX information in the /etc/passwd file and the Samba
>>> information in the LDAP directory.  Each user's authentication
> information
>>> will be stored in both locations.
>>>
>>> To do this you should not use the add user script from the smbldap
> tools.
>>> Instead use the standard Linux "add user" command in a script to add the
>>> user.  I have done this in the past.  It adds Samba info. to LDAP and
>>> creates the user account in the /etc/passwd file.
>>>
>>> Your smb.conf file should look something like
>>>
>>> add user script = /usr/sbin/useradd -m '%u'
>>>
>>> add machine script = /usr/sbin/useradd -M '%u'
>>>
>>> add group script = /usr/sbin/groupadd '%g'
>>>
>>> Typically I use the User Manager for Domains to add and delete users.
> Not
>>> sure how things will work with other tools.
>>>
>>> I guess you can use the smbldap tools to populate the LDAP database with
> the
>>> standard Windows users and groups but use the Linux commands in the add
> user
>>> script.
>>>
>>> I haven't tried this since the early versions of Samba 3.x.  Let me know
> how
>>> it works out.
>> Sounds rather much like what I'm looking for. I really don't use the add
>> user/group script right now anyway, just add machine.
>>
>> What is seems like you're saying is that I can migrate all of the stuff
>> from /etc/passwd to LDAP and then just never change nsswitch for UNIX
>> and only make Samba use the ldap, and setting the parameters as above.
> 
> Yes.  In the early days I didn't understand how to use the smbldap scripts.
> So I ended up with that mixed configuration.
> 
>  I would not recommend it for a typical install of Samba though.  Keeping
> everyting in LDAP makes it easy to backup user information.  It also makes
> it easier to transfer user information to another server.
> 
> However, it sounds as if it is a requirement in your environment.

It may or may not end up that way. At present, those files are widely
used. However, the processes that use them may not be necessary at all.
That would require some sort of review, etc., etc. The real need at this
point is to solve a problem where the smbpasswd is too large and as a
result is open nearly all the time. I should have switched to LDAP long ago.

- --
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHfkB2mb+gadEcsb4RAugDAJ9HMnQs3qk1u0qjpLJZ79yrKkv6wwCgr9XZ
O3jVloUuQ8/1yaAMal8V/c0=
=GH8M
-----END PGP SIGNATURE-----

More information about the samba mailing list