About ldapsam:editposix

simo idra at samba.org
Thu Mar 2 20:19:09 GMT 2006


On Thu, 2006-03-02 at 20:48 +0100, Stéphane Purnelle wrote:
> Volker Lendecke wrote:
> > On Thu, Mar 02, 2006 at 02:22:15PM +0100, Stéphane Purnelle wrote:
> >> http://ftp.easynet.be/samba/docs/man/Samba3-ByExample/happy.html#sbeidealx
> >>
> >>
> >> Why don't you use these attributes?
> >
> > Simo described it correctly. This is mainly a code duplication and
> > responsibility issue. The mess we have in the released versions
> > severely needed to be fixed. Now winbind is responsible for
> > allocating uids/gids, and passdb itself does the RIDs.
> >
> > Volker
> Actually, I have a PDC which uses nss_ldap & pam_ldap for posix accounts
> and idealx-tools to manage user/machine and group accounts, coupled
> with webmin.  I never used winbind for that and the nested group
> functionality is not used!
> 
> Now, I think that there are two parts that this new functionality
> (ldapsam:editposix) asks about:
> - admin using internal tools of samba (net, pdbedit, ...)
> - admin using external tools (smbldap-tools, ldapscript, ...)
> 
> Be careful if the admin uses internal and external tools; is that the
> problem that you point out?

This extension has been thought so that you do need to use "external"
tools with this configuration, and you need to be careful to do that.
(usrmgr.exe is not considered external btw).
You can continue to use the external tools of preference and not enable
ldapsam:editposix, which also requires ldapsam:trusted and that means
stricter rules apply anyway on the things you can do to your ldap tree
(eg you must have all your posix accounts in ldap, the guest being one
of them or smbd will not even start).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
