Re: Unix auth via LDAP & now need to add Samba!

>I'm quite new to LDAP/OpenLDAP and just starting with Samba :)
>I've recently setup OpenLDAP 2.0.21, pam_ldap & nss_ldap and authenticate 
>Unix logins via LDAP. I only have the root account in both passwd (shadow) 
>and in LDAP. All other test 'user' accounts are in LDAP only.
>I created a test base dn "o=local" and used Padl's base, passwd & group 
>migration scripts to build up the ldbm. I only keep the user accounts  in 
>LDAP under ou=People. All system accounts remain in the passwd file. All 
>groups are in both the group file and LDAP under ou=Group.

Why?  This duplicity certainly seems to defeat the purpose of LDAP.

>Unix passwords in LDAP are 'crypt'ed and the cn=manager,o=local password 
>uses SSHA.
>I have the Mandrake (8.2) Samba 2.2.3a RPM installed (it's not clear from 
>the changelog if it was built with LDAP support!) and want to start using 

ldd /usr/sbin/smbd

Are the LDAP libraries in the list?

>Right from the start I want Samba to authenticate via LDAP against the 
>existing People & Group ou's but am not sure how to integrate this.

You need to add sambaAccount objectclass and attributes to the appropriate 
objects,  typically posixAccounts.

>I've read the info on samba.idealx.org and see, like Padl, that they also 
>provide some migration scripts (smbldap-tools) and a sample "Initial 
>Entries" LDIF that will setup various gids amongst other things.

Make sure you're not looking at something for Samba-TNG.  2.2.3a doesn't use 
the built-in entries.

>The output from both Padl's and Idealx's migration scripts doesn't seem 
>straightforward to combine. Also, I'm not sure whether it's worth adding an 
>additional (Samba only) ou=Computers, as proposed by Idealx. Wouldn't it be 
>simpler to just stick with only ou=People & ou=Group?

But computers aren't people (yet).  You don't want nt01688$ showing up 
when someone does a search for someone's e-mail address.  Also chopping 
them off into a separate tree makes it easier to create the ACLs,  as the 
PDC needs full control of these guys,  but shouldn't be able to remove your 
users, etc....

>I could proceed by;
>a) manually adding Samba related objectClasses, etc. to the few test uid's 
>under ou=People and adding necessary Samba groups to ou=Group or;
>b) delete my ldbm and start again using only Idealx's migration scripts or;
>c) another way suggested by you gurus ;-)

Get samba w/ldap up and running and do a smbpasswd fred, where fred is a 
posix user, and watch it magically add all the required attributes for 
you.  And set the initial cifs password.

>For a) above I'm not sure what to add manually so I'd need help or pointers 
>to a good resource.

No reason to "do" anything other than run smbpasswd.

>Also, is there a good resource to help with setting up correct ACL's in 
>slapd.conf for a Unix/Samba account authentication based OpenLDAP?

Good question.

>Once all is setup correctly, I will test the "Directory administrator" 
>program ( http://diradmin.open-it.org/index.php ) and hopefully use it to 
>create a new user template(s) to ease the process of adding combined 
>Unix/Samba accounts into LDAP in the future.
>FYI, I'm not familiar with shell scripting (just bought a book which has a 
>shell scripting chapter :) ).
>Sorry if I've posed too many questions. I'm most interested in feedback 
>about combining integrated Unix/Samba account authentication into OpenLDAP.
>P.S. It would be nice if Webmin could administer pam_ldap'ed Unix & Samba 
>accounts. Guess I'd better drop them a suggestion ;-)

Unfortunately Samba & LDAP users are still pretty few (relatively 
speaking); it will take a while for other packages to catch up.
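As an added illustration of the ACL points raised above (the PDC needing write access to ou=Computers and the sambaAccount attributes without being able to remove ordinary users, and the "good question" about slapd.conf ACLs), here is a slapd.conf access-control excerpt in OpenLDAP 2.0 regex-style syntax. It is not from the original thread or from the Samba or OpenLDAP projects. It assumes the poster's base "o=local", a rootdn of "cn=manager,o=local", and a hypothetical dedicated bind DN "cn=samba,o=local" that smbd uses (the "ldap admin dn" in smb.conf) instead of the manager account. The attribute names come from the Samba 2.2 samba.schema.

```conf
# slapd.conf ACL excerpt (added example, not from the thread).
# Assumptions: base o=local, rootdn cn=manager,o=local (rootdn bypasses
# ACLs and needs no rule), and a hypothetical PDC bind DN cn=samba,o=local.
#
# Weak default to avoid:
#   access to * by * read
# With samba.schema loaded, that lets every client read lmPassword and
# ntPassword, which are password-equivalent hashes, not just crypt strings.

# Password material: owner and the PDC may change it, anyone may bind
# against it (pam_ldap / nss_ldap need "auth"), nobody else may read it.
access to attrs=userPassword,lmPassword,ntPassword
        by dn="cn=samba,o=local" write
        by self write
        by anonymous auth
        by * none

# Remaining sambaAccount attributes on user entries: the PDC maintains
# them (smbpasswd adds them on first use), users may only read them.
access to dn=".*,ou=People,o=local"
        attrs=rid,primaryGroupID,acctFlags,pwdLastSet,pwdCanChange,pwdMustChange,logonTime,logoffTime,kickoffTime
        by dn="cn=samba,o=local" write
        by self read
        by users read
        by * none

# The rest of a user entry (uid, cn, homeDirectory, ...): the PDC gets
# read only, so it can authenticate people but cannot delete or rewrite
# posix accounts; the owner may update the usual self-service fields.
access to dn=".*,ou=People,o=local"
        by dn="cn=samba,o=local" read
        by self write
        by users read
        by anonymous auth

# Machine trust accounts live in their own subtree, so the PDC can be
# given full control there (create nt01688$, reset its password, delete
# it) without touching ou=People.
access to dn=".*,ou=Computers,o=local"
        by dn="cn=samba,o=local" write
        by users read
        by * none

# Groups are read-only for everyone except the manager (rootdn).
access to dn=".*,ou=Group,o=local"
        by users read
        by anonymous auth
        by * none
```

Order matters in slapd.conf: the first "access to" clause whose target matches an entry or attribute wins, so the attribute-specific rules are placed before the whole-entry rules. After loading the schema and restarting slapd, a quick check is to bind as an ordinary user with ldapsearch and confirm that "ntPassword" never appears in the output.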

