Looking for a mentor/adviser

Craig White craigwhite at azapple.com
Mon Feb 1 17:04:17 MST 2010


On Mon, 2010-02-01 at 13:26 -0700, Paul Mooring wrote:
> Hopefully this can explain where the confusion with LDAP is coming
> from. Here are 2 smb.conf files I use with clients (with any details
> changed, obviously). The top one is the relevant part of global for a
> file server that is part of a windows domain; kerberos is needed but
> not LDAP, because an external password server is provided to
> authenticate against. I also put a sample share section on there that
> shows how to address permissions. The server still maps domain users
> and groups to uid/gids, but rather than having a local OpenLDAP
> database it uses an external server; this is done mainly through the
> nsswitch.conf file:
> 
> passwd:      compat winbind
> shadow:      compat
> group:       compat winbind
> 
> The second global section of smb.conf shows a samba server acting as
> a domain controller (this only acts as an NT4 domain controller;
> features expected in 2003 aren't available), but you can see it does
> list its own LDAP server for authentication and uses the
> smbldap-tools to manage users and groups. Its nsswitch.conf file
> points to its own local LDAP server for mapping names to uid/gids:
> 
> passwd:      files ldap
> shadow:      files ldap
> group:       files ldap
> 
> hope that's of some help.
> 
> === First no LDAP file server ===
> 
> [global]
>         dos charset = ASCII
>         unix charset = UTF8
>         display charset = UTF8
>         workgroup = Domain
>         realm   = Domain
>         security = ADS
>         server string = Samba Server %v
>         password server = 10.11.12.13
>         client NTLMv2 auth = Yes
>         client lanman auth = No
>         client plaintext auth = No
>         client use spnego = yes
> 
> [extra]
>         path = /exports/extra
>         force user = root
>         read only = No
>         valid users = @"domain\user",@"domain\group"
> 
> 
> === Second DC with LDAP server ===
> 
> [global]
> 
>   netbios name = Samba-DC
>   workgroup = Domain
>   server string = LDAP PDC [on Gentoo :: Samba server %v]
>   security = user
>   encrypt passwords = yes
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   interfaces = lo eth0
>   bind interfaces only = yes
>   local master = yes
>   os level = 65
>   domain master = yes
>   preferred master = yes
>   null passwords = no
>   hide unreadable = yes
>   hide dot files = yes
>   domain logons = yes
>   logon drive = H:
>   logon home = \\%L\%U
>   wins support = yes
>   name resolve order = wins lmhosts host bcast
>   dns proxy = no
>   time server = yes
>   log file = /var/log/samba/log.%m
>   max log size = 50
> 
>   log level = 3
> 
>   add user script = /usr/sbin/smbldap-useradd -m "%u"
>   ldap delete dn = Yes
>   add machine script = /usr/sbin/smbldap-useradd -W "%u"
>   add group script = /usr/sbin/smbldap-groupadd -p "%g"
>   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> 
>   passdb backend = ldapsam:ldap://127.0.0.1/
>   ldap delete dn = Yes
>   ldap ssl = no
> 
>   ldap suffix = dc=domain
>   ldap admin dn = cn=Administrator,dc=domain
>   ldap group suffix = ou=Groups
>   ldap user suffix = ou=People
>   ldap machine suffix = ou=Computers
>   ldap idmap suffix = ou=People
> 
>   enable privileges = yes
>   ldapsam:trusted = yes
> 
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
----
yes of course.

just a simple comment...
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 is necessary
only for older 2.4 kernels and not for current or reasonably current 2.6
kernels, and may actually be counterproductive. That configuration was
part of original Samba recommendations from a long time ago and many
sample files still include it but clearly should not.

Craig
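An added example, not from either post: a small Python linter for an smb.conf fragment that flags the two things worth catching in the configs quoted above, the legacy socket buffer tuning Craig points out, and a parameter set twice in one section (as `ldap delete dn` is in the DC config). The sample input is constructed from the posted DC config; section and key handling follows smb.conf's case-insensitive, whitespace-tolerant names.

```python
import re

# Constructed sample, condensed from the DC config quoted above.
SAMPLE_SMB_CONF = """\
[global]
  netbios name = Samba-DC
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 ldap delete dn = Yes
  passdb backend = ldapsam:ldap://127.0.0.1/
  ldap delete dn = Yes
[extra]
  path = /exports/extra
"""

# Fixed socket buffer sizes: the 2.4-kernel-era tuning the reply advises against.
LEGACY_BUFFERS = re.compile(r"\bSO_(?:RCVBUF|SNDBUF)=\d+")


def parse_smb_conf(text):
    """Return {section: [(lineno, key, value), ...]}. Keys are lowercased
    with whitespace collapsed, which is how Samba matches parameter names."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((lineno, " ".join(key.lower().split()), value))
    return sections


def lint_smb_conf(text):
    """Return sorted (lineno, message) findings for the two checks above."""
    findings = []
    for section, entries in parse_smb_conf(text).items():
        seen = {}
        for lineno, key, value in entries:
            if key == "socket options" and LEGACY_BUFFERS.search(value):
                findings.append((lineno, "[%s] legacy 2.4-kernel socket buffer "
                                 "tuning; remove on 2.6+" % section))
            if key in seen:  # the later value silently wins; flag the repeat
                findings.append((lineno, "[%s] '%s' already set on line %d"
                                 % (section, key, seen[key])))
            seen.setdefault(key, lineno)
    return sorted(findings)
```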

