> > There's lots of howtos and mailing list posts about
> > creating a PDC with samba and LDAP. What I want to do
> > is to continue with workgroup operation (at least
> > until all our clients are NT).
>
> A "domain" is really only of relevance to machines that have joined the
> domain. For machines that aren't domain members, it looks like a
> workgroup with passwords sync'ed between servers that are domain members.

So even though I'm achieving the password sync with an LDAP directory, and
all clients are workgroup mode - a domain would still be suitable and could
be properly utilised as a domain in the future...

> > All I essentially want to do is to move the smbpasswd file on our 30 or
> > so servers to LDAP (after sorting out nss and PAM). Can I do this?
>
> Yes. But best by turning some of your servers into "domain controllers",
> but this largely has no effect on clients (unless you join them to the
> domain).

Does utilising a PDC and BDCs cause network traffic? e.g. when a user logs
on to their local server (which I assume would be a member server) does the
member server need to check with the PDC for authentication? (Or would all
remote offices need a BDC?)

> > Also we have a replicated LDAP directory provided by our openldap
> > servers - one master updating 29 slaves. The slaves (running samba) are
> > not allowed to update the master server. Is this a problem for
> > samba/LDAP operation?
>
> Not necessarily.

I asked this because I thought samba in some modes needed to update the LDAP
directory upon user login (last login attributes etc).

> > Obviously account and password changes need to be done on the master
> > server but this is desirable for us. I think the PDC + LDAP solution
> > means that the LDAP directory is written to by samba upon each user
> > login
>
> I don't think this is true, why would this be necessary?

See above. I plan to use a custom cgi script to perform samba user additions
and password changes. Presumably if this was implemented samba wouldn't ever
need to write to the directory - and would only need an LDAP acl to view the
appropriate password attributes.

> > - this wouldn't be desirable for us as 30 servers on slow WAN links
> > would be updated every user login. The local smbpasswd file doesn't
> > seem to be updated at the moment when someone logs in - so I'm assuming
> > a workgroup + LDAP solution wouldn't be a problem for us in this regard.
>
> Neither would an LDAP+domain.

IF there's no extra traffic generated as a result of PDCs/BDCs/member servers
over standalone workgroup servers (for lack of a better term) using LDAP then
we would be able to do this.

> > Also - is there any way to use a custom schema or perform schema
> > mapping?
>
> Could you be more specific?

We already have an LDAP directory which uses custom schema (i.e. no
posixaccount etc). I'd like the option to make samba use different
attributes and objects (I'm assuming this would be a source code change -
and I think I've found the two files).

> > I'm using samba 2.2.8a on the 29 slave servers - I prefer not to update
> > to samba 3 if it's not required.
>
> It may be better to migrate to samba3. With samba-2.2.8a you need to
> install a different binary for LDAP support, whereas samba3 can be
> configured at run-time. Plus, when you do eventually join machines to the
> domain, you will have domain groups available.
>
> Migrating from samba-2.2.x+ldap to samba3+ldap is probably more
> challenging than migrating from samba-2.2.x to samba3+ldap, and
> migrating from samba-2.2.x to samba-2.2.x+ldap is probably about the
> same, so overall you win by going straight to samba3 (if you do your
> homework).
>
> You can see what it would take to go from samba-2.2.x to
> samba-2.2.x+ldap at http://mandrakesecure.net

Fair enough. I've built the samba 3 binary with --ldapsam (which I think
means use the old schema). Some initial testing seems OK in this area (with
the workgroup model).

One quick question - I've deja'd (I still call it that) for a solution to
specify more than one LDAP server for fault tolerance. There were some
patches for older samba's - not sure if this has now been resolved?
Cheers for the help Buchan.

Pete.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
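On the last question in the message above (more than one LDAP server for fault tolerance), the smb.conf fragment below is an added example, not from this thread or from the Samba project's documentation: Samba 3's ldapsam backend takes a quoted, space-separated list of LDAP URIs and falls over to the next one when the first is unreachable. The workgroup name, host names, suffix and admin DN are placeholders.

```ini
# Added example smb.conf fragment (not from the thread). Workgroup name,
# host names and DNs are placeholders for your own directory.
[global]
    workgroup = EXAMPLEWG
    security = user

    # Two LDAP replicas in one quoted list: if ldap1 cannot be reached,
    # Samba 3 tries ldap2, so a single slave outage does not stop logons.
    passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com"

    # Base of the tree and the containers holding user and group entries.
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups

    # DN Samba binds as. Its password is stored separately with
    # 'smbpasswd -w <password>' and never appears in smb.conf itself.
    ldap admin dn = cn=samba,dc=example,dc=com

    # Use STARTTLS on the ldap:// connection so password hashes read from
    # the directory are not carried in clear text over the WAN.
    ldap ssl = start tls
```

Run `testparm` after editing to confirm Samba parses the quoted URI list as a single passdb backend value.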
