Re: Where to start a migration from passwd/shadow/smbpasswd to openldap
On Friday, 26 March 2010 14:29:04, Buchan Milne wrote:
> On Friday, 26 March 2010 11:27:28 Götz Reinicke - IT-Koordinator wrote:
> > Buchan Milne wrote:
>
> > > For the rfc2307 vs rfc2307bis group issue, I don't think samba
> > > supports rfc2307bis, so you should go with rfc2307 (using memberUid for
> > > denoting members of groups, holding the username, not the DN).
>
>
> > "The nss_ldap library from PADL software (http://www.padl.com) supports
> > this by enabling the library’s RFC2307bis extensions (pass the
> > --enable-rfc2307bis option to the nss_ldap configure script when
> > compiling) ..."
> >
> >
> > And http://www.padl.com/OSS/nss_ldap.html mentions also Support for the
> > RFC 2307/RFC 2307bis.
> >
> > Or do I get something wrong?
>
> nss_ldap supports rfc2307bis, but samba does not (AFAIK). If you are using
> Samba as a Domain Controller, the groups visible on windows clients (for local
> ACLs on windows computers, rights etc.) will not align with your unix groups
IIRC that depends on the samba configuration. I.e. if you have ldapsam:trusted=yes in smb.conf your statement is true. But the default for ldapsam:trusted is "no" (at least according to the smb.conf man-page) and then samba will use the NSS Subsystem (and through that nss_ldap, if configured) to access user and group information.
So unless you use ldapsam:trusted=yes, the rfc2307bis is usable with Samba as well.
--
Ralf
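
Added example, not part of the message above and not Samba or nss_ldap code: a small audit that compares group membership as seen by a reader that only understands rfc2307 memberUid (usernames) with one that also follows rfc2307bis member DNs, and reports groups where the two views differ. The directory entries, DNs and function names are constructed for illustration, and the DN comparison is simplified.

```python
# Constructed sample data; DNs, names and groups are illustrative only.
def normalize_dn(dn):
    # Simplified DN comparison: case-insensitive, spaces around commas ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))

USERS = {  # normalized user DN -> uid
    normalize_dn("uid=alice,ou=People,dc=example,dc=org"): "alice",
    normalize_dn("uid=bob,ou=People,dc=example,dc=org"): "bob",
}

GROUPS = [
    # rfc2307: members are usernames in memberUid
    {"cn": "staff", "memberUid": ["alice", "bob"]},
    # rfc2307bis: members are DNs in member
    {"cn": "admins", "member": ["UID=alice, ou=People,dc=example,dc=org"]},
    # mixed entry with a DN that no longer resolves to a user
    {"cn": "ops", "memberUid": ["bob"],
     "member": ["uid=bob,ou=People,dc=example,dc=org",
                "uid=carol,ou=People,dc=example,dc=org"]},
]

def members_rfc2307(group):
    """Membership as seen by a reader that only understands memberUid."""
    return set(group.get("memberUid", []))

def members_rfc2307bis(group, users):
    """Membership as seen by a reader that also follows member DNs.
    Returns (usernames, DNs that did not resolve)."""
    names, dangling = set(group.get("memberUid", [])), []
    for dn in group.get("member", []):
        uid = users.get(normalize_dn(dn))
        if uid is None:
            dangling.append(normalize_dn(dn))
        else:
            names.add(uid)
    return names, dangling

def audit(groups, users):
    """Report groups where the two readers disagree or a DN is dangling."""
    report = {}
    for g in groups:
        full, dangling = members_rfc2307bis(g, users)
        missed = sorted(full - members_rfc2307(g))
        if missed or dangling:
            report[g["cn"]] = {"missed": missed, "dangling": dangling}
    return report

if __name__ == "__main__":
    for cn, finding in audit(GROUPS, USERS).items():
        print(cn, finding)
```

Groups listed under "missed" are the ones whose file or share ACLs would evaluate differently depending on which reader resolves the group.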