On Sun, 2002-11-24 at 17:48, Diego Rivera wrote:
> Hi all!
>
> I've had a lot of success setting up Samba PDC's using the LDAP-SAM
> backend, and got password sync working between Unix (LDAP) passwords and
> Samba passwords.
>
> I can also have other Linux boxes use Winbind to auth vrs. the PDC and
> thus achieve the same password sync functionality (i.e., Samba changes
> both PAM and Samba passwords, as well as checking them). Naturally,
> this also works for Windows machines (i.e., user changes his windows
> password and his Unix password is likewise synched).
>
> This all works fine, but I have a couple of questions regarding stuff
> I've seen around here, but have not seen in "stable" versions yet:
>
> 1) I remember seeing something like "add machine script" similar to the
> "add user script" - or a mention to it - to allow separate mechanics for
> Machine account adding and User account adding. How hard does anybody
> think it would be to add this config file parameter and the
> corresponding implementation? Would it be worth it seeing as this is
> likely to be included in 3.0?
>
> 2) Is it currently possible to have Samba check for machine accounts
> under a different LDAP branch than user accounts? This would ease admin
> and maintenance of the machine account set, for obvious reasons. Is
> this planned for 3.0? How hard does anybody think it would be to add
> two config parameters: "ldap user suffix" and "ldap machine suffix" to
> allow Samba to do this? Again - is this worth it seeing as this could
> be postponed to 3.0?
Both of these are features in Samba 3.0. Samba 2.2 is being maintained
for major bugfixes only, no new features should be targeted for 2.2.
> 3) Are there any plans for calculating the user/machine SID based on the
> Unix uid? i.e., so that when Winbind gets the user list from a PDC, it
> can use PDC-provided Userid's (eliminating the first-come first-served
> UID assignment currently being used)?
We chose the UID, not the SID, in the case of winbind users, and there
are efforts to allow a consistent uid mapping between servers, however
it is also a lot more difficult than it looks at first.
> I'd like to contribute to these - but I need a couple of pointers:
>
> 1) Where do I find the implementation of the call to "add user script"
> and the corresponding reading of the config value?
>
> 2) Where do I find the implementation of the LDAP code which uses "ldap
> suffix", and the code which finds user/machine accounts in LDAP?
>
> 3) Any additional advice/tips?
Download and get familiar with the code in Samba 3.0 - follow functions
around, and start to get a feeling for what calls what.
If you are really interested in contributing code, then get on the
samba-technical list, browse over build.samba.org to get an idea of
where people are working, and join #samba-technical - our development
channel on irc.openprojects.net.
The LDAP code has matured significantly recently, due to some very good
feedback and patches from people like metze, who have deployed Samba in
'interesting' production environments.
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
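For readers who land on this thread looking for the two features Andrew confirms are in 3.0, here is an added smb.conf fragment (not part of the original message, and not taken from the Samba project's own documentation) showing "ldap user suffix" / "ldap machine suffix" splitting accounts into separate LDAP branches and "add machine script" separated from "add user script". The domain name, LDAP server, bind DN and branch names are placeholders; the smbldap-tools helper paths and their -m / -w flags are assumed from that tool's usage and should be checked against the version installed.

```ini
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes

   ; LDAP SAM backend (Samba 3.0 syntax); server and bind DN are placeholders
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap suffix = dc=example,dc=com

   ; Samba 3.0: the user, machine and group suffixes are relative to
   ; "ldap suffix", so machine trust accounts are searched for and created
   ; under ou=Computers,dc=example,dc=com rather than mixed in with users
   ldap user suffix = ou=People
   ldap machine suffix = ou=Computers
   ldap group suffix = ou=Groups

   ; Samba 3.0: separate creation hooks for users and machine trust accounts;
   ; helper paths and flags assume smbldap-tools (-m: create home, -w: workstation)
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
```

The "ldap admin dn" bind password is not kept in smb.conf; it is stored in secrets.tdb with `smbpasswd -w <password>` before starting smbd, so the config file itself can stay world-readable without exposing the LDAP credential. Keeping machine accounts in their own branch also lets the LDAP ACLs for the Samba bind DN be scoped to that subtree when it joins workstations, rather than granting write access across the whole user branch.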