Hopefully this can explain where the confusion with LDAP is coming
from. Here are 2 smb.conf files I use with clients (with any details
changed, obviously). The top one is the relevant part of global for a
file server that is part of a Windows domain; Kerberos is needed but
not LDAP, because an external password server is provided to
authenticate against. I also put a sample share section on there that
shows how to address permissions. The server still maps domain users
and groups to uid/gids, but rather than having a local OpenLDAP
database it uses an external server; this is done mainly through the
nsswitch.conf file:

    passwd: compat winbind
    shadow: compat
    group: compat winbind

The second global section of smb.conf shows a samba server acting as
a domain controller (this only acts as an NT4 domain controller;
features expected in 2003 aren't available), but you can see it does
list its own LDAP server for authentication and uses the
smbldap-tools to manage users and groups. Its nsswitch.conf file
points to its own local LDAP server for mapping names to uid/gids:

    passwd: files ldap
    shadow: files ldap
    group: files ldap

Hope that's of some help.
=== First no LDAP file server ===
[global]
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
workgroup = Domain
realm = Domain
security = ADS
server string = Samba Server %v
password server = 10.11.12.13
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
client use spnego = yes
[extra]
path = /exports/extra
force user = root
read only = No
valid users = @"domain\user",@"domain\group"
=== Second DC with LDAP server ===
[global]
netbios name = Samba-DC
workgroup = Domain
server string = LDAP PDC [on Gentoo :: Samba server %v]
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth0
bind interfaces only = yes
local master = yes
os level = 65
domain master = yes
preferred master = yes
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons = yes
logon drive = H:
logon home = \\%L\%U
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
log file = /var/log/samba/log.%m
max log size = 50
log level = 3
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -W "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
passdb backend = ldapsam:ldap://127.0.0.1/
ldap delete dn = Yes
ldap ssl = no
ldap suffix = dc=domain
ldap admin dn = cn=Administrator,dc=domain
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=People
enable privileges = yes
ldapsam:trusted = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
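As an added example (not part of the post and not Samba's own code), here is a small Python script that reads the two kinds of smb.conf above together with their nsswitch.conf, the way the post pairs them, and reports the settings that matter for authentication and uid/gid mapping: duplicate keys (last value wins), `security = ADS` without a realm, cleartext or empty passwords, the LANMAN/plaintext client settings, an `ldapsam` backend reached without TLS on anything but loopback, a mismatch between the passdb backend and what nsswitch lists for `passwd`, and shares with `force user = root`. The embedded configs are constructed from the post's two files, trimmed to the keys the checks read; the check names, messages and audit logic are the example's own.

```python
"""Audit smb.conf and nsswitch.conf for the authentication / ID-mapping
settings discussed in the post.  Added example, not code from the post or
from Samba; the sample configs below are constructed from the post's files."""
from urllib.parse import urlparse

# Constructed samples, trimmed to the keys the audit reads.
FILE_SERVER = r"""
[global]
workgroup = Domain
realm = Domain
security = ADS
password server = 10.11.12.13
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
[extra]
path = /exports/extra
force user = root
read only = No
valid users = @"domain\user",@"domain\group"
"""
DC_WITH_LDAP = r"""
[global]
netbios name = Samba-DC
workgroup = Domain
security = user
encrypt passwords = yes
null passwords = no
domain logons = yes
ldap delete dn = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap delete dn = Yes
ldap ssl = no
ldap suffix = dc=domain
ldap admin dn = cn=Administrator,dc=domain
"""
NSSWITCH_FILE_SERVER = "passwd: compat winbind\nshadow: compat\ngroup: compat winbind\n"
NSSWITCH_DC = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"


def parse_smb_conf(text):
    """Return ({section: {key: value}}, [(section, key) duplicates]).
    Samba ignores case and internal spacing in keys, so keys are normalised."""
    sections, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        if key in sections[current]:
            duplicates.append((current, key))
        sections[current][key] = value.strip()
    return sections, duplicates


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf, e.g. {'passwd': ['files', 'ldap']}."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            name, _, sources = line.partition(":")
            db[name.strip()] = sources.split()
    return db


def yes(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def audit(smb_conf, nsswitch):
    """Return a list of human-readable findings for one server's config pair."""
    sections, duplicates = parse_smb_conf(smb_conf)
    g = sections.get("global", {})
    nss = parse_nsswitch(nsswitch)
    findings = [f"[{s}] duplicate key '{k}': last value wins" for s, k in duplicates]

    security = g.get("security", "user").lower()
    if security == "ads" and "realm" not in g:
        findings.append("security = ADS needs a realm for Kerberos")
    if "encrypt passwords" in g and not yes(g["encrypt passwords"]):
        findings.append("encrypt passwords = no sends cleartext passwords")
    if yes(g.get("null passwords", "no")):
        findings.append("null passwords = yes allows empty passwords")
    for key in ("client lanman auth", "client plaintext auth"):
        if key not in g:
            findings.append(f"{key} not set; pin it to no (default varies by Samba version)")
        elif yes(g[key]):
            findings.append(f"{key} = yes weakens outbound client authentication")

    backend = g.get("passdb backend", "")
    if backend.startswith("ldapsam:"):
        url = urlparse(backend[len("ldapsam:"):])
        tls = url.scheme == "ldaps" or g.get("ldap ssl", "off").lower() in ("on", "start tls")
        if not tls and url.hostname not in ("127.0.0.1", "localhost", "::1"):
            findings.append(f"ldapsam to {url.hostname} without TLS exposes the admin bind")
        if "ldap" not in nss.get("passwd", []):
            findings.append("ldapsam backend but nsswitch passwd does not list ldap")
    if security in ("ads", "domain") and "winbind" not in nss.get("passwd", []):
        findings.append(f"security = {security} but nsswitch passwd does not list winbind")

    for name, share in sections.items():
        if name == "global":
            continue
        if share.get("force user", "").lower() == "root":
            findings.append(f"[{name}] force user = root: every client write runs as root")
        writable = yes(share.get("writable", share.get("writeable", "no"))) \
            or not yes(share.get("read only", "yes"))
        if writable and "valid users" not in share:
            findings.append(f"[{name}] writable share without valid users restriction")
    return findings


if __name__ == "__main__":
    for label, conf, nss in (("file server", FILE_SERVER, NSSWITCH_FILE_SERVER),
                             ("DC", DC_WITH_LDAP, NSSWITCH_DC)):
        print(f"== {label} ==")
        for finding in audit(conf, nss):
            print(" -", finding)
```

Run against the two samples, the file server reports only the `force user = root` share (its client auth settings are pinned and winbind is in nsswitch), while the DC reports the duplicated `ldap delete dn` and the two unpinned client auth settings; the loopback `ldapsam` URL is accepted without TLS, but pointing it at a remote host produces a finding. Swapping the two nsswitch.conf files shows the mapping mismatch the post is explaining: winbind missing for the ADS member, ldap missing for the ldapsam DC.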