[Samba] Ldap Users only?

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Dec 20 18:30:03 MST 2010

Your example is a text-book case of why you would use domains.   I am not
sure why it would be unacceptable-  since you already have a samba machine
and, from the user POV, the login process is practically the same.   The
LDAP component is for the samba backend-  you would need an LDAP backend for
samba if you have more than one domain controller, and you might want to use
LDAP backend for samba if you are already using LDAP for other stuff.   

But since windows domain model is unacceptable, the only other solution I
can think of is the use Kerberos.    You can configure XP machines to use
Kerberos authentication, and then configure your linux server as a Kerberos
server. You would have to look on support.microsoft.com for instructions for
the XP side of things.    Although I am then not sure how you would
configure samba to use Kerberos authentication as well.  Maybe if you
configure plaintext auth in samba so it can use the OS level authentication 

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Christ Schlacta
Sent: Sunday, December 19, 2010 10:28 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Ldap Users only?

firstly, I'd like to apologize, somehow we ended up off-list.

my setup looks like this:
Density: Massive file storage
rebirth: Media server (most files come from density, but it has a share 
for local files, too)
faithful: backup server (handles backups from density, rebirth, and 
other systems)  smb shares are used for laptops and desktops
(a bunch of laptops and desktops): Joining these systems to the domain 
is inconvenient, awkward, and not going to happen because we have a 
small family household, and most of them are non-techie.

the trick is, each time we change a password on a laptop or desktop, we 
have to change the corresponding passwords on all the systems.  since 
each user only uses 1-2 laptops and a desktop (my wife and I have a 
laptop and netbook each), that's simple.  Changing the server passwords 
requires logging into 3 servers over ssh, typing their old and new 
passwords, then changing their samba passwords.
I want to store all the usernames and passwords for the servers in the 
ldap directory, so that users can update their passwords once.
as I stated above, joining the end user systems to a domain is 
UNACCEPTABLE, and with one of the servers set to be master browser, I 
can set all of the systems to join the "workgroup" aarcane.info, and all 
the systems show up on the network view in windows 7 (and windows XP, 
and linux, and mac also.).

All I can find is howtos on using samba as an ldap-backed domain controller.
thanks, again, tms3 and everyone else for any help.

On 12/19/2010 18:20, tms3 at tms3.com wrote:
> On Sunday 19/12/2010 at 5:54 pm, Christ Schlacta wrote:
>> actually, it's because we have a few samba servers here, it's just a 
>> home,
> Honestly, I have a lab/cloud at home.  I can't for the life of me even 
> contemplate running them with out full Samba/LDAP domain mode...well, 
> I've converted over to Samba4 since August, but it is by far the 
> easiest way to manage things.
>> but different machines use samba for different reasons.  as such, 
>> it's a pain in the butt to have to change passwords on all systems.  
>> I'm aware that we'd need to have matching unix accounts, and the plan 
>> is to use 10K+ UIDs for samba users to make logging into the shell a 
>> simple matter as well.  What's bugging me at the moment, is that in 
>> workgroup mode, it uses the HOSTNAME
> HOSTNAME is a NETBios name, and it is based on that whole host of 
> protocols/services.  It has NOTHING to do with DNS names, or machine 
> names.
>> for the domain name..  but there are several different hosts..  can I 
>> just use the workgroup name and have it work?  will it be smart 
>> enough to say "I'm not in domain mode, so the domain doesn't matter," 
>> or will I need to add a user for each host, thus mitigating any benefit?
> It would perhaps be better if you laid out what you have and are 
> doing.  I'm having a tough time understanding what you are 
> doing/having issues with.
>> On 12/19/2010 17:37, tms3 at tms3.com wrote:
>>     On Sunday 19/12/2010 at 5:02 pm, Christ Schlacta wrote:
>>         X-SpamDetect-Info: ------------- Start ASpam results
>>         ---------------
>>         X-SpamDetect-Info: This message may be spam. This message
>>         BODY has been altered to show you the spam information
>>         X-SpamDetect: ***: 3.8 sd=3.8 [96]12%-6.0(Accept Orbs)
>>         [212]87%5.6(!46,60) [129]44%-0.0(from_return_nomatch)
>>         [27]46%-0.0(X-LangGuess:English)
>>         X-SpamDetect-Info: ------------- End ASpam results
>>         -----------------
>>         how to do only users from ldap?
>>     Same way as domain mode...I'm assuming for workstation users to
>>     have access to smb shares????
>>     You don't need to add machines to the domain, though why you
>>     wouldn't want to I don't know.  Then you need to have pam
>>     authentication of something in ldap. smbldap tools make password
>>     syncronization easy.
>>         i'm not running in domain mode, I'd
>>         just like to be able to have the same username and password
>>         for users
>>         from ldap. there are no machines, and nothing else, just
>>         users and
>>         groups. all the guides I find have machines in ldap too, and
>>         require
>>         domain mode, I'm not sure which pieces need tobe changed.
>>         -- 
>>         To unsubscribe from this list go to the following URL and
>>         read the
>>         instructions: https://lists.samba.org/mailman/options/samba

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list