Looking for a mentor/adviser

Paul Mooring drpppr242 at gmail.com
Mon Feb 1 13:26:45 MST 2010


Hopefully this can explain where the confusion with LDAP is coming
from. Here are two smb.conf files I use with clients (with any
identifying details changed, obviously). The top one is the relevant
part of the global section for a file server that is part of a Windows
domain; Kerberos is needed but not LDAP, because an external password
server is provided to authenticate against. I also put a sample share
section on there that shows how to address permissions. The server
still maps domain users and groups to uid/gids, but rather than having
a local OpenLDAP database it uses an external server; this is done
mainly through the nsswitch.conf file:

passwd:      compat winbind
shadow:      compat
group:       compat winbind

The second global section of smb.conf shows a Samba server acting as
a domain controller (it only acts as an NT4-style domain controller;
features expected from a 2003 domain aren't available), but you can
see it does list its own LDAP server for authentication and uses the
smbldap-tools to manage users and groups. Its nsswitch.conf file
points to its own local LDAP server for mapping names to uid/gids:

passwd:      files ldap
shadow:      files ldap
group:       files ldap

hope that's of some help.

=== First no LDAP file server ===

[global]
# Domain-member file server: authenticates against an existing Windows
# domain, so Kerberos is required but no local LDAP database is.
# "%v" is a Samba substitution (server version), not parser interpolation.

# Character sets: what DOS clients see on the wire vs. the local filesystem.
dos charset = ASCII
unix charset = UTF8
display charset = UTF8

# "Domain" is a placeholder; the realm must be the Kerberos realm of the
# domain this host joined -- confirm it matches the DC's configuration.
workgroup = Domain
realm = Domain

# Active Directory member mode; accounts come from the password server.
security = ADS
server string = Samba Server %v
# Fixed address of the domain controller used for authentication.
password server = 10.11.12.13

# Outgoing client authentication: NTLMv2 only, no LanMan, no plaintext,
# SPNEGO negotiation enabled.
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
client use spnego = yes

[extra]
# Sample writable share restricted to domain principals.
path = /exports/extra
# NOTE(review): every file operation on this share runs as root. A
# dedicated service account that owns /exports/extra would give the same
# "no permission problems" effect with a much smaller blast radius.
force user = root
read only = no
# Entries prefixed with "@" are looked up as groups; if "domain\user" is
# meant to be an individual account, write it without the "@".
valid users = @"domain\user",@"domain\group"


=== Second DC with LDAP server ===

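[global]
# Samba NT4-style domain controller backed by a local OpenLDAP directory,
# with account management delegated to smbldap-tools.
# "%v", "%m", "%L", "%U", "%u" and "%g" are Samba substitutions, not parser
# interpolation. Booleans are written lower-case throughout; Samba accepts
# them case-insensitively.

# Identity
netbios name = Samba-DC
workgroup = Domain
server string = LDAP PDC [on Gentoo :: Samba server %v]

# User-level security against the passdb backend configured below.
security = user
encrypt passwords = yes

# NOTE(review): fixed 8 KiB socket buffers disable kernel autotuning and can
# limit throughput; the Samba documentation advises leaving socket options
# unset unless a change has been measured -- confirm before keeping.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Listen only on loopback and the LAN interface, not on every address.
interfaces = lo eth0
bind interfaces only = yes

# Browser elections: this host must become local and domain master.
local master = yes
os level = 65
domain master = yes
preferred master = yes

# Reject empty passwords; hide files the connecting user cannot read.
null passwords = no
hide unreadable = yes
hide dot files = yes

# Domain logons with the home directory mapped to H: on this server.
domain logons = yes
logon drive = H:
logon home = \\%L\%U

# Name resolution: this host is the WINS server.
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes

# One log file per client machine, rotated at 50 KB.
log file = /var/log/samba/log.%m
max log size = 50
# Level 3 is verbose: useful while setting up, noisy in production.
log level = 3

# User, machine and group lifecycle handled by smbldap-tools.
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -W "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

# Account database: LDAP on the local host.
passdb backend = ldapsam:ldap://127.0.0.1/
# Listed once (the original repeated this key with the same value).
ldap delete dn = yes
# Unencrypted LDAP is acceptable only because the directory is reached over
# loopback; switch to "ldap ssl = start tls" if the backend moves off-host.
ldap ssl = no

ldap suffix = dc=domain
# Bind DN for writes; its password is not kept in this file (set with
# "smbpasswd -w", stored in secrets.tdb).
ldap admin dn = cn=Administrator,dc=domain
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
# NOTE(review): idmap entries share the user container here; a separate
# ou=Idmap is the more common layout -- confirm this is intended.
ldap idmap suffix = ou=People

# Allow rights to be granted to users/groups; trust the LDAP entries so
# Samba can query the directory directly rather than via NSS.
enable privileges = yes
ldapsam:trusted = yes

# Legacy range syntax (Samba 3.x); newer releases express this as
# "idmap config * : range" -- check the installed version's smb.conf(5).
idmap uid = 10000-20000
idmap gid = 10000-20000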

