Hi all,

another French guy learning, don't bash me too hard... ;-)

In fact, I'm in need of a confirmation: I'm on the way to create a Samba3+LDAP (new schemas) PDC server (no migration from NT4 nor 2K, only from an old Samba 2.0 with security=user using /etc/passwd, i.e. no encrypt password).

This Samba3 should be hosted on a FreeBSD 4.8 (i.e. pam_ldap can work, I tested it today, but no NSS available).

I've read many docs, including the HEAD Samba HOWTO collection, HOWTO from Ignacio Coupeau (worth a read), old one from IdealX (which disappeared last week, I still have a hardcopy), and many others.

The OpenLDAP 2.1 is up, with a few accounts populated (with both sambaSamAccount & posixAccount objectclasses). PAM_LDAP auth works.

Then comes the integration with Samba. I have not yet begun the work of integrating Samba with LDAP (I'm learning LDAP).

Here's my question: does Samba3 need a Unix account (in /etc/passwd) in addition to the one in the LDAP directory?

I believe the answer is yes (since FreeBSD 4.8 doesn't have NSS, and PAM is only for authentication), but could someone confirm, because I'm losing the few last hairs I have ;-? Or, before the server is migrated to FreeBSD 5.1 (-CURRENT), which should undoubtedly lessen the need for a firm answer.

Best regards, and thanks for the job for so many years (I live happily with Samba since 1996, in production since 1998).

Jérôme
Antoine Jacoutot
2003-Sep-16 20:59 UTC
[Samba] Samba3, LDAP and FreeBSD 4.8 : need for NSS ?
On Tuesday 16 September 2003 22:35, Jérôme Fenal wrote:
> Hi all,
> another French guy learning, don't bash me too hard... ;-)

Don't worry, I've been on it for 2 weeks :)

> In fact, I'm in need of a confirmation: I'm on the way to create a
> Samba3+LDAP (new schemas) PDC server (no migration from NT4 nor 2K, only
> from an old Samba 2.0 with security=user using /etc/passwd, i.e. no encrypt
> password).
> This Samba3 should be hosted on a FreeBSD 4.8 (i.e. pam_ldap can work, I
> tested it today, but no NSS available).
> I've read many docs, including the HEAD Samba HOWTO collection, HOWTO from
> Ignacio Coupeau (worth a read), old one from IdealX (which disappeared last
> week, I still have a hardcopy), and many others.
> The OpenLDAP 2.1 is up, with a few accounts populated (with both
> sambaSamAccount & posixAccount objectclasses). PAM_LDAP auth works.
> Then comes the integration with Samba. I have not yet begun the work of
> integrating Samba with LDAP (I'm learning LDAP).
> Here's my question: does Samba3 need a Unix account (in /etc/passwd) in
> addition to the one in the LDAP directory?
> I believe the answer is yes (since FreeBSD 4.8 doesn't have NSS, and PAM is
> only for authentication), but could someone confirm, because I'm losing the few
> last hairs I have ;-? Or, before the server is migrated to FreeBSD 5.1
> (-CURRENT), which should undoubtedly lessen the need for a firm answer.
> Best regards, and thanks for the job for so many years (I live happily with
> Samba since 1996, in production since 1998).

OK, so basically, you do NOT need nss_ldap to use samba-3.0 with LDAP, but you DO need Unix accounts (if not using nss). So, you do not need any posixAccount object class entries in your LDAP since this is for authenticating Unix users (except if you need it). I just built a FreeBSD-5.1 + nss_ldap + pam_ldap and samba-3.0 as a PDC. It works great.

If you don't want to use 5.1, which I can understand, what I recommend is to use Unix accounts and pdbedit to add the samba users; you will have almost nothing to populate LDAP with, samba will take care of it. Basically, you just need a base.ldif file with your domain/organisation, some groups (users, computers, admins and guest) and some ou to add your users/computers into.

If you need help, please do not hesitate, I've spent the last 2 weeks on the subject :)

Antoine