-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Message: 15
Date: Wed, 8 Oct 2003 10:15:51 -0400
From: Jake Dalton [EMAIL PROTECTED]
Subject: [Samba] Samba3 PDC + LDAP + winbindd?
To: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii
> Hi,
>
> I'm trying to set up a single sign-on system across both linux and windows
> with a Samba3 PDC and OpenLDAP backend. I've been trying to follow the
> documentation included with Samba3 but I don't seem to be having much
> success.
>
> The basic idea is to use nss_ldap/pam_ldap/NFS on the linux clients, and
> authenticate the Windows machines to samba.

There is no reason your linux clients need to know anything about samba
(unless they are serving files to windows clients, but then all you need
to do is join them to the domain).

> So I have a few questions.
>
> #1: What services are necessary for this to work? I know smbd, nmbd and
> slapd are for sure required. But I can't figure out whether winbindd should
> be running with this system or not. As far as I understand, it is. It will
> provide the ability for domain users to log into linux systems with their
> domain credentials.

Winbind is there to map identities present on Windows Domain Controllers
to Unix uids and gids. Since samba already does this (well, the
reverse), you don't need winbind. Winbind is primarily useful when you
*aren't* using samba as a domain controller, and would be run on the
client systems.

> #2: How do the idmap mappings get created? I have the ldap idmap suffix
> option set to a valid location but I've never seen any entries get put in
> there.

You don't need this.

> #3: What constitutes a domain group in ldapsam? From what I can tell, the
> sambaGroupMapping object class indicates a domain group. But every domain
> group needs to map to a posixGroup objectclass entry. So if every domain
> group has a one-to-one mapping to a group gid, why is there a need for
> winbindd to generate mappings for domain groups?

There isn't. nss_ldap will give you the groups as they are in LDAP.

> #4: Is there an easy way to test the smbd+slapd configuration? I want to
> make sure that those two are configured and working correctly before I start
> expanding the configuration to adding other machines to the domain.

Join one machine to the domain, and test things like ACLs on the client.

> #5: When I run wbinfo -u or wbinfo -g both return with Error looking up
> domain [users|groups] but if I try wbinfo -n testuser I actually get a
> SID back. What could cause this?

But you don't need this to work.

> Any help would be appreciated. If someone has a samba3 PDC + OpenLDAP system
> set up, a dump in ldif format (with sensitive info removed) of the ldap
> directory would be a great help, as well as sample smb.conf's or any other
> suggestions.

I think you're probably more in need of docs on the nss_ldap/pam_ldap
side, please see the documents at http://mandrakesecure.net which cover
a few issues which may be of interest (but don't cover samba3 yet ...)
Regards,
Buchan
--
|--Another happy Mandrake Club member--|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone +27 82 472 2231 * Work +27 21 8828820 x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/hUGirJK6UGDSBKcRAlTfAJ95WPICQVSJ64maD8Eg3g6wNZdvegCeNx+W
WybrP8jRaQyJ2oLryz3eEm8=
=cPTQ
-----END PGP SIGNATURE-----
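The point of answer #3 (and of "you don't need winbind/idmap" in #1 and #2) is that with ldapsam the SID lives on the LDAP group entry itself: a domain group is just a posixGroup that also carries sambaGroupMapping, so nss_ldap and smbd see the same gid and no winbindd-generated mapping is ever needed. The script below is an added example written for this page, not code from the thread or from the Samba project. It takes posixGroup entries (a constructed sample, inline) and a constructed domain SID, and emits the LDIF modify operations that add the sambaGroupMapping objectClass with sambaSID, sambaGroupType and displayName. RIDs follow Samba 3's default algorithmic scheme (group RID = gid*2 + 1001, i.e. `algorithmic rid base` left at 1000); the three well-known groups are pinned to their fixed RIDs 512/513/514, and the assumption that they are named "Domain Admins", "Domain Users" and "Domain Guests" in the directory is a convention, not something the thread states.

```python
"""Added example (not from the mailing-list thread or the Samba project):
turn existing posixGroup entries into ldapsam domain groups by generating
the LDIF that adds sambaGroupMapping attributes.

Assumptions, all labelled: the domain SID and the posixGroup LDIF below are
constructed samples; RIDs use Samba 3's default algorithmic mapping
(group RID = gid * 2 + algorithmic_rid_base + 1); the well-known groups are
assumed to be stored under their usual English cn values.
"""

# Constructed sample: what nss_ldap already serves as Unix groups.
SAMPLE_POSIXGROUP_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
memberUid: root

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: Domain Users
gidNumber: 513

dn: cn=engineering,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: engineering
gidNumber: 1005
memberUid: jake
"""

DOMAIN_SID = "S-1-5-21-1234567890-1234567890-1234567890"  # constructed, not a real domain

ALGORITHMIC_RID_BASE = 1000  # Samba 3 default for 'algorithmic rid base'
SAMBA_GROUP_TYPE_DOMAIN = 2  # sambaGroupType value meaning "domain (global) group"

# Well-known RIDs that must not be derived from the gid (assumed cn values).
WELL_KNOWN_GROUP_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    per line, comments ignored. Base64 (::) values and line folding are not
    handled because the sample above uses neither. Returns list of
    dicts mapping attribute name -> list of values (the dn is included)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def group_rid(cn, gid):
    """RID for a group: fixed for the well-known groups, algorithmic otherwise."""
    if cn in WELL_KNOWN_GROUP_RIDS:
        return WELL_KNOWN_GROUP_RIDS[cn]
    return gid * 2 + ALGORITHMIC_RID_BASE + 1


def group_mapping_changes(domain_sid, entries):
    """For every posixGroup that is not yet a sambaGroupMapping, compute the
    attributes to add. Already-mapped groups are skipped so the script is
    safe to re-run against a partially converted directory."""
    ops = []
    for e in entries:
        classes = e.get("objectClass", [])
        if "posixGroup" not in classes or "sambaGroupMapping" in classes:
            continue
        cn = e["cn"][0]
        gid = int(e["gidNumber"][0])
        ops.append({
            "dn": e["dn"][0],
            "sambaSID": f"{domain_sid}-{group_rid(cn, gid)}",
            "sambaGroupType": SAMBA_GROUP_TYPE_DOMAIN,
            "displayName": cn,
        })
    return ops


def render_ldif_modify(ops):
    """Render the changes as LDIF 'changetype: modify' records for ldapmodify."""
    records = []
    for op in ops:
        records.append(
            f"dn: {op['dn']}\n"
            "changetype: modify\n"
            "add: objectClass\n"
            "objectClass: sambaGroupMapping\n"
            "-\n"
            f"add: sambaSID\nsambaSID: {op['sambaSID']}\n"
            "-\n"
            f"add: sambaGroupType\nsambaGroupType: {op['sambaGroupType']}\n"
            "-\n"
            f"add: displayName\ndisplayName: {op['displayName']}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_POSIXGROUP_LDIF)
    print(render_ldif_modify(group_mapping_changes(DOMAIN_SID, entries)))
```

Feed the output to `ldapmodify` (with the `ldap admin dn` credentials from smb.conf) and the groups will show up both as Unix groups through nss_ldap and as domain groups through smbd, which is exactly the one-to-one relationship the reply describes. Two things to check against the real directory before running it: the domain SID must be the one smbd actually uses (the sambaDomain entry, or `net getlocalsid`), and the Domain Users entry with RID 513 must exist because it is the default primary group of every domain user.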