Author: jht
Date: 2005-06-10 20:05:38 +0000 (Fri, 10 Jun 2005)
New Revision: 615

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-docs&rev=615

Log:
Another update.
Modified:
   trunk/Samba-Guide/SBE-AddingUNIXClients.xml


Changeset:
Modified: trunk/Samba-Guide/SBE-AddingUNIXClients.xml
===================================================================
--- trunk/Samba-Guide/SBE-AddingUNIXClients.xml 2005-06-10 19:25:20 UTC (rev 
614)
+++ trunk/Samba-Guide/SBE-AddingUNIXClients.xml 2005-06-10 20:05:38 UTC (rev 
615)
@@ -465,10 +465,16 @@
                If your implementation of <constant>nss_ldap</constant> is 
consistent with
                the defaults suggested by PADL (the authors), it will be 
located in the
                <filename>/etc</filename> directory. On some systems, the 
default location is
-               the <filename>/etc/openldap</filename> directory. Change the 
parameters inside
-               the file that is located on your OS so it matches <link 
linkend="ch9-sdmlcnf"/>.
-               To find the correct location of this file, you can obtain this 
from the
-               library that will be used by executing the following:
+               the <filename>/etc/openldap</filename> directory, however this 
file is intended
+               for use by the OpenLDAP utilities and should not really be used 
by the nss_ldap
+               utility since its content and structure serves the specific 
purpose of enabling
+               the resolution of user and group IDs via NSS.
+               </para>
+
+               <para>
+               Change the parameters inside the file that is located on your 
OS so it matches
+               <link linkend="ch9-sdmlcnf"/>.  To find the correct location of 
this file, you
+               can obtain this from the library that will be used by executing 
the following:
 <screen>
 &rootprompt; strings /lib/libnss_ldap* | grep ldap.conf
 /etc/ldap.conf
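Review bot: In the added sentence about <filename>/etc/openldap</filename>, "this file" has no antecedent, because only a directory has been named at that point, and "its content and structure serves" can be read as describing either the OpenLDAP file or the nss_ldap one. Name the file in each location explicitly (the screen output in this hunk shows /etc/ldap.conf for nss_ldap) and say which of the two serves NSS resolution. Also wrap nss_ldap in <constant> as the first line of the paragraph does, and change "serves" to "serve".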
@@ -476,8 +482,8 @@
                </para></step>
 
                <step><para>
-               Configure the NSS control file so it matches the one shown
-               in <link linkend="ch9-sdmnss"/>.
+               Configure the NSS control file so it matches the one shown in
+               <link linkend="ch9-sdmnss"/>.
                </para></step>
 
                <step><para>
@@ -525,7 +531,9 @@
                necessary to add secondary group memberships (in the group 
database) if the
                user is already a member via primary group membership in the 
password database.
                When using winbind, it is in fact undesirable to do this 
because it results in
-               doubling up of group memberships and may break winbind under 
certain conditions.
+               doubling up of group memberships and may cause problems with 
winbind under certain 
+               conditions. It is intended that these limitations with winbind 
will be resolved soon
+               after Samba-3.0.20 has been released.
                </para></step>
 
                <step><para>
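Review bot: The added sentence "It is intended that these limitations with winbind will be resolved soon after Samba-3.0.20 has been released" is a release forecast that goes stale in a published guide and gives the reader nothing to act on. Suggest stating which Samba versions the group-membership caveat applies to instead, and removing the trailing whitespace after "certain" on the first added line.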
@@ -546,10 +554,18 @@
 &rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
                -w not24get &lt; /etc/openldap/idmap.LDIF
 </screen>
-               Samba automatically populates this LDAP directory container 
when it needs to.
                </para></step>
 
                <step><para>
+               Samba automatically populates the LDAP directory container when 
it needs to. To permit Samba
+               write access to the LDAP directory it is necessary to set the 
LDAP administrative password
+               in the <filename>secrets.tdb</filename> file as shown here:
+<screen>
+&rootprompt; smbpasswd -w not24get
+</screen>
+               </para></step>
+
+               <step><para>
                
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
                <indexterm><primary>Domain join</primary></indexterm>
                The system is ready to join the domain. Execute the following:
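Review bot: The new smbpasswd -w step does not say whose password this is or what protects it once stored. The text should state that it must be the password of the LDAP administrative DN that Samba binds as (the ldapadd context line uses cn=Manager,dc=abmas,dc=biz), and that, because it is written to <filename>secrets.tdb</filename>, that file must be readable by root only. As written, the command also places the password on the command line, so a sentence about shell history would be worth adding. Separately, "the LDAP directory container" lost its referent when the sentence moved out of the step that loads idmap.LDIF; name the container, or keep the sentence in the previous step.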
@@ -616,12 +632,12 @@
                <step><para>
                <indexterm><primary>wbinfo</primary></indexterm>
                Just joining the domain is not quite enough; you must now 
provide a privileged set
-               of credentials through which <command>winbindd</command> can 
interact with the ADS
+               of credentials through which <command>winbindd</command> can 
interact with the 
                domain servers. Execute the following to implant the necessary 
credentials:
 <screen>
 &rootprompt; wbinfo --set-auth-user=Administrator%not24get
 </screen>
-               The configuration is now ready to obtain ADS domain user and 
group information.
+               The configuration is now ready to obtain the Samba domain user 
and group information.
                </para></step>
 
                <step><para>
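Review bot: The first added line ends in trailing whitespace after "interact with the", and with "ADS" dropped the step now says "the domain servers" in one sentence and "the Samba domain" in the next. Use one term in both places so the reader knows the credentials set with wbinfo --set-auth-user are for the same domain the step then queries.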
@@ -735,7 +751,7 @@
        </sect2>
 
        <sect2 id="wdcsdm">
-               <title>NT4/Samba Domain with Samba Domain Member Server: Using 
Winbind</title>
+               <title>NT4/Samba Domain with Samba Domain Member Server: Using 
NSS and Winbind</title>
 
        <para>
        You need to use this method for creating a Samba domain member server 
if any of the following conditions
@@ -756,13 +772,10 @@
                </para></listitem>
        </itemizedlist>
 
-       <para><indexterm>
-           <primary>Windows ADS Domain</primary>
-         </indexterm><indexterm>
-           <primary>Samba Domain</primary>
-         </indexterm><indexterm>
-           <primary>LDAP</primary>
-         </indexterm>
+       <para>
+       <indexterm><primary>Windows ADS Domain</primary></indexterm>
+       <indexterm><primary>Samba Domain</primary></indexterm>
+       <indexterm><primary>LDAP</primary></indexterm>
        Later in the chapter, you can see how to configure a Samba domain 
member server for a Windows ADS domain.
        Right now your objective is to configure a Samba server that can be a 
member of a Windows NT4-style
        domain and/or does not use LDAP.
