Re: Looking for a mentor/adviser

Author: Paul Mooring
Date:  
To: Main PLUG discussion list
Subject: Re: Looking for a mentor/adviser
Hopefully this can explain where the confusion with LDAP is coming
from. Here are 2 smb.conf files I use with clients (with any details
changed, obviously). The top one is the relevant part of [global] for a
file server that is part of a Windows domain; Kerberos is needed but
not LDAP, because an external password server is provided to
authenticate against. I also put a sample share section on there that
shows how to address permissions. The server still maps domain users
and groups to uid/gids, but rather than having a local OpenLDAP
database it uses an external server; this is done mainly through the
nsswitch.conf file:

passwd:      compat winbind
shadow:      compat
group:       compat winbind


The second global section of smb.conf shows a Samba server acting as
a domain controller (this only acts as an NT4 domain controller;
features expected in 2003 aren't available), but you can see it does
list its own LDAP server for authentication and uses the
smbldap-tools to manage users and groups. Its nsswitch.conf file
points to its own local LDAP server for mapping names to uid/gids:

passwd:      files ldap
shadow:      files ldap
group:       files ldap


Hope that's of some help.

=== First no LDAP file server ===

[global]
        dos charset = ASCII
        unix charset = UTF8
        display charset = UTF8
        workgroup = Domain
        realm   = Domain
        security = ADS
        server string = Samba Server %v
        password server = 10.11.12.13
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        client use spnego = yes


[extra]
        path = /exports/extra
        force user = root
        read only = No
        valid users = @"domain\user",@"domain\group"



=== Second DC with LDAP server ===

[global]

netbios name = Samba-DC
workgroup = Domain
server string = LDAP PDC [on Gentoo :: Samba server %v]
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth0
bind interfaces only = yes
local master = yes
os level = 65
domain master = yes
preferred master = yes
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons = yes
logon drive = H:
logon home = \\%L\%U
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
log file = /var/log/samba/log.%m
max log size = 50

log level = 3

add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add machine script = /usr/sbin/smbldap-useradd -W "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

passdb backend = ldapsam:ldap://127.0.0.1/
ldap delete dn = Yes
ldap ssl = no

ldap suffix = dc=domain
ldap admin dn = cn=Administrator,dc=domain
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=People

enable privileges = yes
ldapsam:trusted = yes

idmap uid = 10000-20000
idmap gid = 10000-20000
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
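As an added example (not part of Paul's message or anything the PLUG list ships), the script below parses an smb.conf in the style of the two configs above and reports the settings a reviewer would look at first: the `passdb backend = ldapsam:ldap://...` line combined with `ldap ssl = no` (acceptable here only because the directory sits on 127.0.0.1), `force user = root` on a share that is not read only, `null passwords`, and parameters that are set twice (`ldap delete dn` appears twice in the second config; Samba keeps the last value). The parser, the sample config (an abridged merge of the two posted configs) and the severity labels are my own assumptions, not Samba's or smbldap-tools' behaviour.

```python
"""Audit an smb.conf for the LDAP/permission settings discussed in the post."""
import re
from collections import OrderedDict
from urllib.parse import urlparse

# Constructed sample: the DC's ldapsam lines (abridged) plus the [extra] share
# from the first config, so every check below has something to find.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = Domain
        security = user
        null passwords = no
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap delete dn = Yes
        ldap ssl = no
        ldap delete dn = Yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000

[extra]
        path = /exports/extra
        force user = root
        read only = No
        valid users = @"domain\\user",@"domain\\group"
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys.
    Samba treats parameter names case- and whitespace-insensitively, so keys
    are normalised to lower case with single spaces."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # first '=' only: values may contain '='
        sections[current].append((" ".join(key.split()).lower(), value.strip()))
    return sections


def _last(params, key):
    """Samba uses the last occurrence of a repeated parameter."""
    vals = [v for k, v in params if k == key]
    return vals[-1] if vals else None


def _is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit(sections):
    """Return a list of (severity, section, message) findings."""
    findings = []
    for name, params in sections.items():
        seen = set()
        for k, _ in params:
            if k in seen:
                findings.append(("info", name,
                                 f"'{k}' appears more than once; Samba keeps the last value"))
            seen.add(k)
    g = sections.get("global", [])
    backend = _last(g, "passdb backend") or ""
    ssl_mode = (_last(g, "ldap ssl") or "off").lower()
    # ldapsam carries password hashes; flag plain ldap:// unless it stays on loopback
    for url in re.findall(r"ldaps?://[^\s,]*", backend):
        u = urlparse(url)
        if u.scheme == "ldaps" or ssl_mode in ("start tls", "start_tls"):
            continue
        sev = "info" if u.hostname in LOOPBACK else "warn"
        findings.append((sev, "global",
                         f"passdb traffic to {u.geturl()} is not protected by TLS (ldap ssl = {ssl_mode})"))
    if _is_yes(_last(g, "null passwords")):
        findings.append(("warn", "global", "null passwords = yes allows accounts with empty passwords"))
    for name, params in sections.items():
        if name == "global":
            continue
        if _last(params, "force user") == "root":
            ro = _last(params, "read only")
            wr = _last(params, "writable") or _last(params, "writeable")
            writable = (ro is not None and not _is_yes(ro)) or _is_yes(wr)
            findings.append(("high" if writable else "warn", name,
                             "force user = root: every file operation runs as root"
                             + (" on a writable share" if writable else "")))
    return findings


if __name__ == "__main__":
    for sev, sec, msg in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{sev:4}] [{sec}] {msg}")
```

Run it against a real file by replacing `SAMPLE_SMB_CONF` with `open("/etc/samba/smb.conf").read()`; `testparm -s` is still the authority on what Samba actually loads, since it applies defaults and synonyms this parser only approximates.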