[Samba] ldap clarification
dale at BriannasSaladDressing.com
Thu Oct 16 21:49:28 GMT 2008
I'm testing Samba/ldap for the first time, and I seem to be getting the
expected results. I've configured a pdc and a member server (security =
domain). Using net rpc, the member server successfully joined the
domain. The member server is using the pdc's ldap server for
authentication - no winbind used. All packages are Debian Lenny. I
still have to perform a test of joining a Windows system to the pdc.
Prior to attempting that, I want to clarify some things I've not seen
1. After using smbldap-populate, root (in ldap) has gidNumber=0 and
sambaPrimaryGroupSID ending in 512. Is that what is expected?
2. At some point in the installation of libnss-ldap and libpam-ldap on
the member server, but prior to joining the domain, an ldap entry of
sambaDomainName=<member_server_netbios_name> was made. The sambaSID
shown is its localsid. Is this entry really supposed to be here? Or is
it an extraneous entry because I should have joined the domain first?
The correct information is returned using net getdomainsid.
3. What is the preferred encryption hash for passwords? smbldap-tools
uses SSHA by default, phpLDAPAdmin wants to use crypt, and LDAP Admin
has a default of SHA1. I've stayed with SSHA, but is that the best option?
4. When using ldap for authentication on a member server, is it
necessary to prefix the domain to users and groups as is done when using
winbind? DOMAIN\"Domain Users", etc. It appears not to be required.
5. Does anyone have a resource link explaining what all the PAM options
do (e.g. pam_unix.so nullok obscure, etc.)?
Thanks in advance.
Note to Debian smbldap-tools maintainer: smbldap-password did not work
either by itself or using smbldap-useradd -P. It's probably related
to Debian Bug report logs - #483356
More information about the samba