Hi all,

I mailed you lot about samba and pam and ldap and stuff a while ago. 
Thought I'd follow up on that. We managed to get it working.  It's
actually not hard at all, but there's a couple of caveats. The way we went
was to completely forget about ldap support in samba, because it would
have meant an even-more-"experimental" release of samba, and they were
planning to change their current ldap schema - so stuff would certainly
have broken. Instead we went the pam way. We built samba with pam support. 
Then, after a little bit of fiddling, we managed to get pam_ldap to work
with some other services which were a little easier to test than samba
(hint, in your config files in /etc/pam.d remove any lines that are not
referring to pam_ldap. We found that trying to mix authentication methods
when we wanted only the one password database was causing things to break,
other than that the sample config files in the pam_ldap source
distribution work brilliantly). We also found that using the shadow
options in the ldap database was a bad move (sufficiently bad as to render
all ldap authenticated services unusable for a while), but YMMV.  So,
after removing the shadow options and getting a few other services to grok
the new pam setup we then tried samba. No go first off. I actually spoke
to Andrew Tridgell about this, and he said that I should be testing
against the smbclient software that comes with samba. We did that and it
worked first go. Anyway, it turns out that the problem was actually a very
obvious one. Samba won't act as a PDC to a Windows NT /server/. We then
hunted down some computers we could infect with windows 95 and 98. We
found our boss's notebook computer, which had a win98 partition on it
already. Plugged it in, set it up and inside of an hour we had samba doing
file sharing, PDCing and profiles, all authenticated against our ldap
database. I didn't get around to setting up passwd sync to point to
ldappasswd, but that's ok. We can do that later, but we'll probably end up
making a web page to allow users to do all that stuff. 

But yeah, this thing was a real success story for us. We also got sendmail
to take its user database out of samba and do mail referring and stuff. We
had imap, radius, samba and ftp all working off the same database. And
across multiple computers too. And as an added bonus, outlook express and
ns mail are using it as an address book too. 

Anyway, thought some of you might be interested. Mail me if you want
details, I think we backed up all the config files, so it shouldn't be too
difficult to replicate the setup. 

James.

-- 
"I like cats too. Let's exchange recipes." - unknown.



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
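
An added example, not part of the original post or its config files: a Python check for the /etc/pam.d hint in the message above, listing the entries in a service file that do not use pam_ldap. The sample file contents and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample of a service file that mixes authentication methods.
SAMPLE = """\
# /etc/pam.d/samba (constructed, not from the original post)
auth     sufficient  /lib/security/pam_ldap.so
auth     required    pam_unix.so use_first_pass
account  [success=1 default=ignore] \\
         pam_ldap.so
account  required    pam_unix.so
password required    pam_ldap.so
session  include     system-auth
"""

LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type control module

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def non_ldap_entries(text, wanted="pam_ldap.so"):
    """Return (line_number, type, module) for entries that do not use `wanted`."""
    found = []
    for n, line in logical_lines(text):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            found.append((n, "?", line))  # unparsed, e.g. Debian's @include
            continue
        mtype, control, module = m.groups()
        if control in ("include", "substack"):
            found.append((n, mtype, "include:" + module))  # pulls in another file
        elif os.path.basename(module) != wanted:
            found.append((n, mtype, os.path.basename(module)))
    return found

if __name__ == "__main__":
    print(non_ldap_entries(SAMPLE))
```

To check a real file, pass its contents, for example `non_ldap_entries(open("/etc/pam.d/samba").read())`; included files are reported but not followed.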
