-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Message: 35
> Date: Sat, 21 Jun 2003 15:42:41 -0300
> From: "Roberto Samarone Araujo (RSA)" <rsa@iesam.com.br>
> Subject: [Samba] Doubts about Winbindd
> To: <samba@lists.samba.org>
> Message-ID: <000001c33977$25b7cd80$9affff0a@inpa.gov.br>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I'm trying to set up a PDC using Samba on a Linux server. I need the
> Linux clients, using KDE desktop, to log in to the PDC using the KDE login
> box. I think I could use the 'winbindd' to do what I need, but I still
> have some questions:
>
No!!! Don't do this, you lose some features which are currently
available for other network authentication setups for unix.
> 1. Do I need to set up winbindd on each Linux client to log on the
> Linux PDC ?
Yes, but you won't (unless you run samba3 cvs on all the clients) be
able to use NFS (or anything else that relies on uids being consistent)
between clients. I would not suggest trying winbind against a samba PDC
unless you have a lot of samba experience ...
> 2. Do I need to set up winbindd on the Linux PDC server too ?
No.
> 3. Using winbindd could I have only a password file on the Linux PDC
> server where the Linux clients will authenticate ?
Yes, but there are many other ways of getting a single authentication
source (either samba + pam_smb, or ldap, or nis etc).
> 4. Could Win2000/XP clients be authenticated to a Linux PDC server
> without my needing to add the users on the Win2000/XP clients ? How ?
Yes, with any samba setup supporting domain logins; you just need to join
the machines to the domain.
But winbind will only work against samba3, and using winbind from
samba-2.2.x will mean that you will get random uids for each user, so
anything that uses uids will not work between machines.
A much better option is to implement LDAP authentication on your linux
boxes, in which case you can put your samba passwords in LDAP also, in
which case you can have a PDC also.
Using LDAP means:
- uids will be consistent across all your linux machines (so you can use
NFS)
- you don't need to have machine accounts for desktops
- you can use things like automount maps stored in LDAP, so you have to
do absolutely no client-side setup or changes for network file access
(you change it in ldap, and the next time the mount point is accessed
after being idle for more than the idle timeout it will mount the new one).
- you can route email via ldap
- you can have a shared address book accessible by any mail client (most
support ldap)
- replication of your user database (like PDC/BDC relationships on NT)
- independent settings for the user's shell (with winbind all use the same
shell)
- being able to use disconnected authentication
For information on setting up the unix side of LDAP authentication, see:
http://www.mandrakesecure.net/en/docs/ldap-auth2.php
For adding Windows authentication, see:
http://www.mandrakesecure.net/en/docs/samba-pdc.php
(but don't implement until you at least read the next one)
For implementing disconnected authentication, ldap slaves, BDCs etc, see:
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php
(also has links to documents on how to setup the windows clients etc)
We basically have the kind of setup documented by the last document,
with a few LDAP slaves (including BDC, mail server) and so far one
laptop with an ldap slave for disconnected authentication. We just added
automount maps to our LDAP server today, and it really is very impressive!
Regards,
Buchan
--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE+9zwPrJK6UGDSBKcRAlDfAKCB+vmBa7KJ9a273Umvo4GTpAaRCACfRpjp
I9K7XBGVui8Ff2vuyKG11ZU=MrIZ
-----END PGP SIGNATURE-----
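The uid problem Buchan describes (winbind on samba-2.2.x allocating uids per host in first-seen order, versus one uidNumber per user in LDAP so NFS ownership agrees everywhere) can be made concrete with a small simulation. This is an added example, not code from the Samba project or from the post; the hosts, users, login order and uid range are all constructed, and `uid_mismatches()` is the check a practitioner would run over one `getent passwd` dump per host before trusting NFS between them.

```python
"""Simulation of why per-host uid allocation breaks NFS, plus a consistency check.

Added example (not Samba code, not from the mailing-list post). It models:
  * winbind on Samba 2.2 handing out uids from a local range in the order
    users are first looked up, so every host ends up with its own mapping;
  * an LDAP directory storing one uidNumber per user, so all hosts agree.
All hosts, users and uid ranges below are constructed sample data.
"""
from collections import defaultdict

# Constructed idmap range, standing in for a "winbind uid" range in smb.conf.
UID_RANGE_START = 10000


class LocalIdmap:
    """Per-host allocator: the first user looked up gets the first free uid."""

    def __init__(self):
        self._map = {}
        self._next = UID_RANGE_START

    def lookup(self, user):
        if user not in self._map:
            self._map[user] = self._next
            self._next += 1
        return self._map[user]

    def snapshot(self):
        return dict(self._map)


# Constructed "LDAP directory": one uidNumber per user, shared by every host.
LDAP_UIDNUMBER = {"alice": 20001, "bob": 20002, "carol": 20003}


def winbind_style_maps(login_order_per_host):
    """Build each host's idmap from the order in which users first appear.

    login_order_per_host: {"hostA": ["alice", "bob"], "hostB": ["bob", "alice"]}
    returns:              {"hostA": {"alice": 10000, "bob": 10001}, "hostB": {...}}
    """
    maps = {}
    for host, order in login_order_per_host.items():
        idmap = LocalIdmap()
        for user in order:
            idmap.lookup(user)
        maps[host] = idmap.snapshot()
    return maps


def ldap_style_maps(hosts):
    """Every host resolves uids from the same directory entry."""
    return {host: dict(LDAP_UIDNUMBER) for host in hosts}


def uid_mismatches(maps):
    """Return {user: {host: uid}} for users whose uid differs between hosts.

    Build `maps` from `getent passwd` output on each host (user -> uid);
    any user reported here will get the wrong ownership over NFS.
    """
    by_user = defaultdict(dict)
    for host, m in maps.items():
        for user, uid in m.items():
            by_user[user][host] = uid
    return {u: h for u, h in by_user.items() if len(set(h.values())) > 1}


def nfs_owner_seen_from(maps, owner_host, owner_user, viewing_host):
    """Who does `viewing_host` think owns a file created by `owner_user` on
    `owner_host`? NFS carries only the numeric uid, not the name."""
    uid_on_wire = maps[owner_host][owner_user]
    reverse = {uid: user for user, uid in maps[viewing_host].items()}
    return reverse.get(uid_on_wire, f"uid {uid_on_wire} (unknown)")


if __name__ == "__main__":
    order = {"hostA": ["alice", "bob"], "hostB": ["bob", "alice"]}
    wb = winbind_style_maps(order)
    print("winbind mismatches:", uid_mismatches(wb))
    print("alice's file from hostA appears on hostB as owned by:",
          nfs_owner_seen_from(wb, "hostA", "alice", "hostB"))
    ld = ldap_style_maps(order.keys())
    print("ldap mismatches:", uid_mismatches(ld))
```

With the constructed login order, hostA maps alice to 10000 and hostB maps bob to 10000, so a file alice writes on hostA shows up on hostB as bob's; with the shared uidNumber the same check returns no mismatches.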