[Samba] ldap clarification

Dale Schroeder dale at BriannasSaladDressing.com
Thu Oct 16 21:49:28 GMT 2008

I'm testing Samba/ldap for the first time, and I seem to be getting the 
expected results.  I've configured a pdc and a member server (security = 
domain).  Using net rpc, the member server successfully joined the 
domain.  The member server is using the pdc's ldap server for 
authentication - no winbind used.  All packages are Debian Lenny.  I 
still have to perform a test of joining a Windows system to the pdc.  
Prior to attempting that, I want to clarify some things I've not seen 
mentioned previously.

1. After using smbldap-populate, root (in ldap) has gidNumber=0 and 
sambaPrimaryGroupSID ending in 512.  Is that what is expected?

2. At some point in the installation of libnss-ldap and libpam-ldap on 
the member server, but prior to joining the domain, an ldap entry of 
sambaDomainName=<member_server_netbios_name> was made.  The sambaSID 
shown is its localsid.  Is this entry really supposed to be here?  Or is 
it an extraneous entry because I should have joined the domain first?  
The correct information is returned using net getdomainsid.

3. What is the preferred encryption hash for passwords?  smbldap-tools 
uses SSHA by default, phpLDAPAdmin wants to use crypt, and LDAP Admin 
has a default of SHA1.  I've stayed with SSHA, but is that the best option?

4. When using ldap for authentication on a member server, is it 
necessary to prefix the domain to users and groups as is done when using 
winbind? DOMAIN\"Domain Users", etc.  It appears not to be required.

5.  Does anyone have a resource link explaining what all the PAM options 
do (e.g. pam_unix.so nullok obscure, etc.)?

Thanks in advance.

Note to Debian smbldap-tools maintainer:  smbldap-password did not work 
either by itself or using smbldap-useradd -P.  It's probably related 
to Debian Bug report logs - #483356 
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483356> .
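Item 3 above compares the password schemes {SSHA}, crypt and SHA1 without showing what the stored values actually look like. The following is an added example, not part of the original post: it builds the OpenLDAP-style {SSHA} value (base64 of sha1(password || salt) || salt, the layout smbldap-tools and slappasswd produce) next to an unsalted {SHA} value, verifies a password against either, and audits a constructed LDIF export for entries that carry no salt. The DNs, passwords and the LDIF text are constructed sample data; the parser and audit helper are this example's own, not part of smbldap-tools. {CRYPT} values are left to the system's crypt(3) and not verified here.

```python
"""Added example (not from the original post): {SSHA} vs {SHA} userPassword
values and an audit of an LDIF export for unsalted entries. Sample data is
constructed."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # smbldap-tools / slappasswd draw a random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). Equal passwords give equal values,
    so one precomputed table covers every entry using this scheme."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a plaintext password against a {SSHA} or {SHA} userPassword value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; rest is salt
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[5:])
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
    else:
        return False  # {CRYPT}, {MD5}, cleartext etc. are not handled here
    return hmac.compare_digest(candidate, digest)


def parse_ldif_passwords(ldif: str) -> Dict[str, str]:
    """Map dn -> userPassword value from an LDIF export (this example's own parser).
    'userPassword::' (double colon) marks a base64-encoded value, which is how
    ldapsearch emits the attribute."""
    result: Dict[str, str] = {}
    dn = None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            result[dn] = base64.b64decode(line[15:].strip()).decode("utf-8")
        elif line.startswith("userPassword: ") and dn:
            result[dn] = line[14:].strip()
    return result


def unsalted_entries(passwords: Dict[str, str]) -> List[str]:
    """DNs whose value uses no per-entry salt: unsalted {SHA}/{MD5} or cleartext.
    {SSHA}, {SMD5} and {CRYPT} (crypt(3) embeds its own salt) are treated as salted."""
    salted = ("{SSHA}", "{SMD5}", "{CRYPT}")
    return sorted(dn for dn, value in passwords.items() if not value.startswith(salted))


# Constructed LDIF export: three entries, one per storage style.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=Users,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(make_ssha("s3cret", b"12345678").encode()).decode(),
    "",
    "dn: uid=bob,ou=Users,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(make_sha("s3cret").encode()).decode(),
    "",
    "dn: uid=carol,ou=Users,dc=example,dc=com",
    "userPassword: s3cret",
])

if __name__ == "__main__":
    entries = parse_ldif_passwords(SAMPLE_LDIF)
    for dn, value in entries.items():
        print(dn, "->", value[:12] + "...", "verify:", verify("s3cret", value))
    print("entries without a salt:", unsalted_entries(entries))
```

Running the block on the constructed export shows both alice ({SSHA}) and bob ({SHA}) verifying against the same password while only alice's value changes when the salt changes; the audit lists bob and carol. Pointing `parse_ldif_passwords` at a real `ldapsearch -LLL userPassword` export (read with a bind DN allowed to see the attribute) gives the same report for a live directory.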

