Hi, is it possible to realize the following scenario? And if yes: how? ;)
The current setup is as follows: We have a Samba 3 server on a Linux machine as PDC and an OpenLDAP server as passdb backend (on the same host). All users and groups were inserted via the SMBLDAP tools by IDEALX. So far, so good. Everything runs fine.

Now our plan is to use another, external LDAP server for pure authentication. This means the external LDAP server should _NOT_ contain (most of) the Samba schema attributes for the users. The idea behind this is that we will soon have one single user database for all campus users (students and employees) at our campus, and if a user is registered there he should gain access to our Samba domain as well. But as there might be several other Samba domains on our campus, we cannot store those Samba schema attributes in the "master LDAP" (for example, the user's profile is at a different location in another domain).

The only way out I can think of (other proposals are welcome!) is that Samba accesses two different LDAP servers. The first one only for authentication (does the user exist at all? and did he provide the correct password?) and the second one for the storage of all his domain-specific attributes like "where is my homedrive?", "where is my profile located" and so on. If the user was authenticated successfully but doesn't exist in the local LDAP server, the "add user script" will add him.

Perhaps the "password server" configuration directive could be the solution, but as I read the manpage some questions arise:

1. How exactly does Samba authenticate a user if an LDAP server was entered? What attributes are checked?
2. Specifying the "password server" option only works with security = [ads|domain|server]. Is it still possible that Samba works as a primary domain controller afterwards?

I believe this is a very complex problem and I will be very happy if anyone has anything to say about it. :-) If there are any questions, feel free to ask! Maybe I wasn't exact enough.
:)

Kind regards,
Oliver Heering
Medienzentrum der Universität Dortmund
http://www.medienzentrum.uni-dortmund.de
