Hi,

I got the following setup.

I got an openLDAP server. This server is the master server for LDAP functions. I named this ldapsrv.
I got a samba server with openLDAP installed on it as well. This LDAP server is the slave to ldapsrv. I named this sambasrv.

The sambasrv currently has the following setup in /etc/smb.conf:

passdb backend = ldapsam:ldap://ldapsrv.domain
idmap backend = ldap://ldapsrv.domain
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh

I want to use sambasrv's openldap directory to read off the passwords instead of reading it off the network from ldapsrv. Note that all changes have to be done on ldapsrv in order to be propagated to sambasrv. Will I have any issues if I shift the 'passdb backend' and 'idmap backend' to point to ldapsrv?

Can I do the above with the smbldap_conf.pm file untouched? The smbldap_conf.pm files currently point to ldapsrv as the changes will need to be done on it.

The reason I asked is that during client authentication or connecting to the sambasrv, will it modify the ldap entries since smb.conf will point to sambasrv which is the slave LDAP? I think all changes need to start from ldapsrv.

Any feedback will be great. Thanks.

adrian
email : achow@uwcsea.edu.sg
Adrian Chow wrote:
> [...]
> The reason I asked is that during clients authentication or connecting
> to the sambasrv, will it modify the ldap entries since smb.conf will
> point to sambasrv which is the slave LDAP. I think all changes need
> to start from ldapsrv.

If you have referrals set up properly then the slave will send the modify requests up to the master that can write to the db.
One note however, if you switch all references over to the slave, try a domain join in test before you roll out. My particular ldap servers are over a WAN and samba would actually time out before the account would replicate to my local slave unless I hacked a sleep in to the add machine function.

-- 
Paul Gienger                      Office: 701-281-1884
Applied Engineering Inc.          Cell:   701-306-6254
Information Systems Consultant    Fax:    701-281-1322
URL: www.ae-solutions.com         mailto:pgienger@ae-solutions.com
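Paul's advice in concrete form, as an added example that is not part of this thread: the slave refers writes to the master, and Samba on sambasrv reads from the local replica while still writing through to ldapsrv. It assumes OpenLDAP 2.1/2.2 slurpd-style replication (slapd.conf `updateref`/`replica` directives), Samba 3.0 smb.conf syntax including `ldap replication sleep` and the `ldap:ldap://` idmap form, and the placeholder DNs and password shown.

```conf
# --- ldapsrv (master) slapd.conf: push changes to the slave ---
replogfile  /var/lib/ldap/replog
replica     host=sambasrv.domain:389
            binddn="cn=replicator,dc=domain"
            bindmethod=simple credentials=REPLICATOR_PASSWORD_PLACEHOLDER

# --- sambasrv (slave) slapd.conf: accept updates only from the
# replicator and refer every other write to the master ---
updatedn    "cn=replicator,dc=domain"
updateref   ldap://ldapsrv.domain
# A client that writes here gets a referral to ldapsrv, not an error.

# --- sambasrv smb.conf [global]: read from the local replica ---
[global]
   # ldapsam chases the referral, so writes still land on ldapsrv
   passdb backend = ldapsam:ldap://localhost
   idmap backend = ldap:ldap://localhost
   ldap suffix = dc=domain
   # Must be a DN the master accepts for writes; the referral carries
   # the operation and the bind, not the slave's rootdn rights
   ldap admin dn = cn=Manager,dc=domain
   # The chased referral re-binds to ldapsrv over the network, so
   # protect that bind the same way as the remote setup it replaces
   ldap ssl = start_tls
   # Give the change time to replicate back before Samba re-reads it
   # (the "sleep" Paul hacked in); 2 seconds here, max is 5000 ms
   ldap replication sleep = 2000
   # The smbldap-*.pl scripts keep using smbldap_conf.pm pointed at
   # ldapsrv, so they write to the master directly and need no change
   add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
```

Before rolling this out, repeat the domain-join test Paul describes: a join that succeeds only on the second attempt is the sign that the account was written to ldapsrv but not yet replicated back when Samba re-read it.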
Hi Paul, thanks for the reply. 2 questions:

1. In the smbldap-useradd.pl file, there are lines that are commented out. Since my add machine script is only with "-w", and my with_smbpasswd variable in the smbldap_conf is =0, I found that it will only create a posix account on the ldap. I don't see it creating the samba portion in the ldap. Does it do it automatically? My ldap shows that the samba portion is done automatically. [However I think I have to join the domain 2 times for each machine.... don't know why the first time it joins it fails.. The second time succeeds.]

2. Can I know what happens if my referrals are not done properly and I point my passwd backend to the ldap slave server? Does it have an effect only when a machine joins the domain?

Thanks.

adrian

---------- Original Message ----------------------------------
From: Paul Gienger <pgienger@ae-solutions.com>
Date: Wed, 16 Jun 2004 07:50:31 -0500

> Adrian Chow wrote:
>> [...]
>
> If you have referrals set up properly then the slave will send the
> modify requests up to the master that can write to the db. One note
> however, if you switch all references over to the slave, try a domain
> join in test before you roll out. My particular ldap servers are over a
> WAN and samba would actually time out before the account would replicate
> to my local slave unless I hacked a sleep in to the add machine function.