> Date: Sat, 21 Jun 2003 15:42:41 -0300
> From: "Roberto Samarone Araujo (RSA)" <[EMAIL PROTECTED]>
> Subject: [Samba] Doubts about Winbindd
>
> Hi,
>
> I'm trying to set up a PDC using Samba on a Linux server. I need the
> Linux clients, using the KDE desktop, to log in to the PDC using the KDE
> login box. I think I could use 'winbindd' to do what I need, but I still
> have some questions:

No!!! Don't do this, you lose some features which are currently available for other network authentication setups for unix.

> 1. Do I need to set up winbindd on each Linux client to log on the
> Linux PDC ?

Yes, but you won't (unless you run samba3 cvs on all the clients) be able to use NFS (or anything else that relies on uid's being consistent) between clients. I would not suggest trying winbind against a samba PDC unless you have a lot of samba experience ...

> 2. Do I need to set up winbindd on the Linux PDC server too ?

No.

> 3. Using winbindd could I have only a password file on Linux PDC
> server where the Linux clients will authenticate ?

Yes, but there are many other ways of getting a single authentication source (either samba + pam_smb, or ldap, or nis etc).

> 4. Could Win2000/XP clients be authenticated to a Linux PDC server
> without I need to add the users on the Win2000/XP clients ? How ?

Yes, with any samba setup supporting domain logins, just need to join the machines to the domain.

But, winbind will only work against samba3, and using winbind from samba-2.2.x will mean that you will get random uid's for each user, so anything that uses uid's will not work between machines.

A much better option is to implement LDAP authentication on your linux boxes, in which case you can put your samba passwords in LDAP also, in which case you can have a PDC also.

Using LDAP means:
- uid's will be consistent across all your linux machines (so you can use NFS)
- you don't need to have machine accounts for desktops
- you can use things like automount maps stored in LDAP, so you have to do absolutely no client-side setup or changes for network file access (you change it in ldap, and the next time the mount point is accessed after being idle for more than the idle timeout it will mount the new one).
- you can route email via ldap
- you can have a shared address book accessible by any mail client (most support ldap)
- replication of your user database (aka like PDC/BDC relationships on NT)
- independent settings for the user's shell (with winbind all use the same shell)
- being able to use disconnected authentication

For information on setting up the unix side of LDAP authentication, see:
http://www.mandrakesecure.net/en/docs/ldap-auth2.php

For adding Windows authentication, see:
http://www.mandrakesecure.net/en/docs/samba-pdc.php
(but don't implement until you at least read the next one)

For implementing disconnected authentication, ldap slaves, BDCs etc, see:
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php
(also has links to documents on how to set up the windows clients etc)

We basically have the kind of setup documented by the last document, with a few LDAP slaves (including BDC, mail server) and so far one laptop with ldap slave for disconnected authentication.

We just added automount maps to our LDAP server today, and it really is very impressive!

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work             +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
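The uid consistency point in the reply above, as an added example that is not part of the original message: a Python check that compares `getent passwd` output collected from several clients and reports users whose uid differs between hosts, and uids that name different users on different hosts (the case that hands one user's NFS files to another). Host names, users, uids and the `min_uid=500` cutoff for non-system accounts are constructed assumptions.

```python
from collections import defaultdict

# Constructed `getent passwd` output. Host names, users and uids are made up.
# winbind-style: each client handed out uids in the order it first saw a user.
WINBIND_HOSTS = {
    "client-a": "root:x:0:0:root:/root:/bin/bash\n"
                "alice:x:10000:10000::/home/alice:/bin/bash\n"
                "bob:x:10001:10000::/home/bob:/bin/bash\n",
    "client-b": "root:x:0:0:root:/root:/bin/bash\n"
                "bob:x:10000:10000::/home/bob:/bin/bash\n"
                "alice:x:10001:10000::/home/alice:/bin/bash\n",
}
# LDAP-style: every client reads the same uidNumber from one directory.
LDAP_HOSTS = {
    host: "alice:x:1001:1001::/home/alice:/bin/bash\n"
          "bob:x:1002:1002::/home/bob:/bin/zsh\n"
    for host in ("client-a", "client-b")
}

def parse_passwd(text, min_uid=500):
    """Return {user: uid} for accounts at or above min_uid (assumed cutoff)."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed line
        if int(fields[2]) >= min_uid:
            users[fields[0]] = int(fields[2])
    return users

def audit(hosts):
    """Return (drift, collisions) for {hostname: passwd text}.

    drift:      user -> {host: uid} where one user has different uids
    collisions: uid  -> {host: user} where one uid names different users
    """
    by_user, by_uid = defaultdict(dict), defaultdict(dict)
    for host, text in hosts.items():
        for user, uid in parse_passwd(text).items():
            by_user[user][host] = uid
            by_uid[uid][host] = user
    drift = {u: m for u, m in by_user.items() if len(set(m.values())) > 1}
    collisions = {i: m for i, m in by_uid.items() if len(set(m.values())) > 1}
    return drift, collisions

if __name__ == "__main__":
    for label, hosts in (("winbind", WINBIND_HOSTS), ("ldap", LDAP_HOSTS)):
        drift, collisions = audit(hosts)
        print(label, "drift:", drift, "collisions:", collisions)
```

Any entry in `collisions` means a file written by one user on one client would appear as owned by a different user on another client when shared by numeric uid.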
