[Samba] Internal LDAP explanation

Marc Muehlfeld samba at marc-muehlfeld.de
Thu Apr 11 14:04:48 MDT 2013


Hello Eric,


Am 11.04.2013 19:22, schrieb Eric PEYREMORTE:
> - Can I connect to the new ldap server from a remote machine (
> ldapsearch on port 389 )? If no, why?

You work with it as you did with openLDAP (authenticate against it, etc.).
Have a look here for some examples:
http://wiki.samba.org/index.php/Samba4/beyond



> - So, can I connect pam for linux users to this internal ldap, and can I
> still continue to use this ldap server for both windows / linux auth?

Yes. See this wiki page, too.



> - Shall I use ldapsam:tdb://something?

Where? For the migration? Yes. See
http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO



> - Can we have posix attributes like userPassword in there?

If you migrate from samba 3.x, the attributes are transferred. But not 
all. E.g. if you have mail, homePhone, and others filled, you have to 
transfer them manually. I wrote a small shell script that reads them out 
of the old openLDAP with ldapsearch and writes them to the new AD with 
ldapmodify. It's not very difficult. But be sure to make a backup of 
your AD before (or try it in a test environment first :-))!



> - I've read that we do not need to have a linux user account for a samba
> user account: it's not mandatory, isn't it?

No. Samba 4 only uses its own database. At filesystem level you then 
only see that files/directories are owned by UIDs/GIDs. If you want to 
see usernames/groups, you have to use winbind, or you get the mappings 
from AD via Nslcd (via LDAP). For using Nslcd see
http://wiki.samba.org/index.php/Samba4/beyond#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy
Because you don't go through an openLDAP proxy, adapt the mappings to the 
attributes in AD.



Regards,
Marc
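The kind of ldapsearch-to-ldapmodify script Marc mentions above, as an added example that is not his script and not part of the original thread. It reads LDIF from the old openLDAP, keeps only the attributes that the classic upgrade does not carry over (mail and homePhone here), and emits an LDIF "changetype: modify" stream for ldapmodify. The server URIs, base DNs, the assumption that each migrated user sits at CN=<uid> under CN=Users, and the sample entries are all constructed placeholders; the live commands are kept in a function that the example does not call.

```shell
#!/bin/sh
# Added example, not the script from the mailing-list post.
# Everything below the comment block is built on assumptions:
#   - old openLDAP users are posixAccount entries with a "uid" attribute
#   - after classicupgrade each user lives at CN=<uid>,$AD_BASE in Samba AD
#   - only plain "attr: value" lines are copied; base64 "attr:: value"
#     lines are reported on stderr and skipped
OLD_LDAP_URI="ldap://oldldap.example.internal"        # assumed
OLD_BASE="ou=People,dc=example,dc=internal"            # assumed
AD_URI="ldaps://dc1.samdom.example.internal"           # assumed
AD_BASE="CN=Users,DC=samdom,DC=example,DC=internal"    # assumed

# Transform LDIF entries from the old directory (stdin) into LDIF modify
# operations for AD (stdout). Entries with nothing to copy produce no output.
to_ad_modify() {
  awk -v adbase="$AD_BASE" '
    function flush(   i) {
      if (uid != "" && n > 0) {
        printf "dn: CN=%s,%s\nchangetype: modify\n", uid, adbase
        for (i = 1; i <= n; i++)
          printf "replace: %s\n%s: %s\n-\n", attr[i], attr[i], val[i]
        printf "\n"
      }
      uid = ""; n = 0
    }
    /^$/ { flush(); next }                       # blank line ends an entry
    /^[^ ]*:: / { print "warning: base64 value skipped: " $1 > "/dev/stderr"; next }
    /^uid: / { uid = substr($0, 6); next }        # "uid: " is 5 characters
    /^(mail|homePhone): / {                       # attributes worth copying
      split($0, p, ": ")
      n++; attr[n] = p[1]; val[n] = substr($0, length(p[1]) + 3)
      next
    }
    END { flush() }
  '
}

# Live usage (not executed in this example): pull from openLDAP, push into AD.
# Run ldapmodify with -n first to see what would change without applying it.
migrate_attrs() {
  ldapsearch -x -LLL -H "$OLD_LDAP_URI" -b "$OLD_BASE" \
      '(objectClass=posixAccount)' uid mail homePhone \
    | to_ad_modify \
    | ldapmodify -H "$AD_URI" -D 'administrator@samdom.example.internal' -W
}

# Constructed sample of ldapsearch -LLL output from the old directory:
# alice has both extra attributes, bob has none, carol has only mail.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=internal
uid: alice
mail: alice@example.internal
homePhone: +1 555 0100

dn: uid=bob,ou=People,dc=example,dc=internal
uid: bob

dn: uid=carol,ou=People,dc=example,dc=internal
uid: carol
mail: carol@example.internal
'

# Offline run over the constructed sample; prints the modify LDIF.
demo() {
  printf '%s' "$SAMPLE_LDIF" | to_ad_modify
}

demo
```

Running the script prints two modify operations (alice with mail and homePhone, carol with mail only) and nothing for bob, because he has no attribute to carry over. Piping the same stream into `ldapmodify -n` shows what would be applied to the AD without touching it, which is the cheap way to honour the "make a backup or use a test environment first" advice before the real run.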

