[Samba] Setting up PDC w/ LDAP

Daniel L. Miller dmiller at amfes.com
Tue May 27 22:45:24 GMT 2008


OK, payment in advance: :-) :-) :-)

Wait a minute, let me change currencies....

        _.-'''''-._
      .'  _     _  '.
     /   (o)   (o)   \
    |                 |
    |  \           /  |
     \  '.       .'  /
      '.  `'---'`  .'
        '-._____.-'


        _.-'''''-._
      .'  _     _  '.
     /   (o)   (o)   \
    |                 |
    |  \           /  |
     \  '.       .'  /
      '.  `'---'`  .'
        '-._____.-'


        _.-'''''-._
      .'  _     _  '.
     /   (o)   (o)   \
    |                 |
    |  \           /  |
     \  '.       .'  /
      '.  `'---'`  .'
        '-._____.-'


John H Terpstra wrote:

>> Something I haven't seen in print yet - so I'll ask the question.  WHEN
>> is the appropriate time to use winbind with PDC's and BDC's?  
>>     
>
> Winbind is needed when you have domain member servers, and to deal with SIDs 
> for users of trusted foreign domains. Winbind is essential for interdomain 
> trust handling.
>
> If all your clients are domain members, and you never get clients from trusted 
> domains on the network, you do not need winbind.  You can operate without it 
> without loss of service, but you will not have use of BUILTIN groups (these 
> are created and managed by winbind).
>
>   
Almost there.  Really....

Do I NEED those builtin groups for anything?  Do I WANT those builtin 
groups for anything (besides avoiding those nuisance error messages in 
my samba logs)?

If a couple of clients are non-domain members (laptops that periodically 
plug in) - but still no trusted domains involved - is there any need for 
winbind?
> First: Do NOT use a domain name that has a '.' in it.  That has unexpected 
> name resolution consequences.  A Samba smb.conf workgroup= parameter should 
> not have a dot in it.
>
>   
Ok...now that I've setup everything (again, for the nth time), do I need 
to reconfigure the server and every client?  Or just rename it on the 
server and the change will automagically propagate?

And beyond updating my SRV records, will this have other DNS consequences?
>>         idmap domains = AMFESLAN.LOCAL
>>         idmap alloc backend = ldap
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>>         idmap alloc config:range = 10000-20000
>>         idmap alloc config:ldap_url = ldap://127.0.0.1
>>         idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
>>         idmap config AMFESLAN.LOCAL:range = 10000-20000
>>         idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
>>         idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
>>         idmap config AMFESLAN.LOCAL:backend = ldap
>>         idmap config AMFESLAN.LOCAL:default = yes
>>     
>
> IDMAP is used to allocate unique UID/GID's for users from a trusted domain so 
> they can access resources in our domain.  IDMAP is also used to create 
> BUILTIN groups.
>   
Ok...that part I get.  What I don't get -
1.  Is the above config (other than the domain name) correct?
2.  How does this config differ from my original one - since the docs 
say the previous version should have worked?

-- 
Daniel
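
The smb.conf fragment quoted above raises two questions: whether the idmap block is self-consistent and whether the dotted workgroup name matters. As an added check that is not part of this thread, of Samba, or of any poster's configuration, the script below parses a constructed smb.conf [global] section modelled on the quoted one and flags the pitfall John points out (a dot in the workgroup or in an idmap domain name) together with two basic consistency checks assumed here as reasonable for the Samba 3.0.25-3.2 idmap syntax the thread uses: an `idmap config DOM:` block whose DOM is not listed in `idmap domains`, and a range that is not `LOW-HIGH` with LOW < HIGH. Both sample configurations are constructed for the example.

```python
"""Lint an smb.conf [global] section for the idmap/workgroup pitfalls
discussed in the thread.  Added example; not Samba's own tooling."""
import configparser
import re
from typing import Dict, List

# Constructed sample modelled on the configuration quoted in the thread
# (dotted workgroup and idmap domain names kept on purpose).
DOTTED_SMB_CONF = """\
[global]
        workgroup = AMFESLAN.LOCAL
        idmap domains = AMFESLAN.LOCAL
        idmap alloc backend = ldap
        idmap alloc config:range = 10000-20000
        idmap alloc config:ldap_url = ldap://127.0.0.1
        idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
        idmap config AMFESLAN.LOCAL:range = 10000-20000
        idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
        idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
        idmap config AMFESLAN.LOCAL:backend = ldap
        idmap config AMFESLAN.LOCAL:default = yes
"""

# The same configuration with a flat NetBIOS name (constructed).
FLAT_SMB_CONF = DOTTED_SMB_CONF.replace("AMFESLAN.LOCAL", "AMFESLAN")


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] options of an smb.conf as {key: value}, key case kept."""
    # smb.conf only uses '='; ':' belongs to keys such as "idmap config X:range",
    # so it must not be a delimiter.  Indentation is stripped so configparser
    # does not read indented option lines as continuations of the previous value.
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep the domain-name case in "idmap config DOM:opt"
    parser.read_string(flat)
    return {k: v.strip() for k, v in parser.items("global")}


def valid_range(spec: str) -> bool:
    """A range is 'LOW-HIGH' with LOW < HIGH, both unsigned integers."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", spec)
    return bool(m) and int(m.group(1)) < int(m.group(2))


def lint_idmap(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_global(text)
    lower = {k.lower(): v for k, v in opts.items()}
    findings: List[str] = []

    # John's point: the workgroup must be a flat NetBIOS name, no dots.
    workgroup = lower.get("workgroup", "")
    if "." in workgroup:
        findings.append(f"workgroup '{workgroup}' contains a dot; use a flat NetBIOS name")

    declared = {d.strip() for d in lower.get("idmap domains", "").split(",") if d.strip()}

    # Group "idmap config DOM:opt = value" keys by domain.
    per_domain: Dict[str, Dict[str, str]] = {}
    for key, value in opts.items():
        m = re.match(r"idmap config (.+?):(.+)$", key, re.IGNORECASE)
        if m:
            per_domain.setdefault(m.group(1).strip(), {})[m.group(2).strip().lower()] = value

    for dom, cfg in per_domain.items():
        if "." in dom:
            findings.append(f"idmap config domain '{dom}' contains a dot")
        if declared and dom not in declared:
            findings.append(f"idmap config domain '{dom}' is not listed in 'idmap domains'")
        if "backend" not in cfg:
            findings.append(f"idmap config {dom}: no backend set")
        if "range" in cfg and not valid_range(cfg["range"]):
            findings.append(f"idmap config {dom}: bad range '{cfg['range']}'")

    alloc_range = lower.get("idmap alloc config:range")
    if alloc_range is not None and not valid_range(alloc_range):
        findings.append(f"idmap alloc config: bad range '{alloc_range}'")
    return findings


if __name__ == "__main__":
    for name, conf in (("dotted", DOTTED_SMB_CONF), ("flat", FLAT_SMB_CONF)):
        print(name, lint_idmap(conf) or ["ok"])
```

On the dotted sample the lint reports the workgroup and the idmap domain name; on the flat sample it reports nothing. To run it against a live server, feed it the normalised output of `testparm -s` rather than the raw file, so includes and defaults are resolved first.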

