-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Message: 15
> Date: Wed, 8 Oct 2003 10:15:51 -0400
> From: "Jake Dalton" <jakedalt@hotmail.com>
> Subject: [Samba] Samba3 PDC + LDAP + winbindd?
> To: <samba@lists.samba.org>
> Message-ID: <000201c38da6$adfa1080$0301a8c0@sion>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> I'm trying to set up a single sign-on system across both linux and
windows
> with a Samba3 PDC and OpenLDAP backend. I've been trying to follow the
> documentation included with Samba3 but I don't seem to be having much
> success.
The basic idea is to use nss_ldap/pam_ldap/NFS on the linux clients, and
authenticate the Windows machines to samba. There is no reason your
linux clients need to know anything about samba (unless they are service
files to windows clients, but then all you need to do is join them to
the domain).
> So I have few questions.
>
> #1: What services are necessary for this to work? I know smbd, nmbd and
> slapd are for sure required. But I can't figure out whether winbindd
should> be running with this system or not. As far as I understand, it is.
It will> provide the ability for domain users to log into linux systems with their
> domain credentials.
Winbind is there to map identities present on Windows Domain Controllers
to Unix uids and gids. Since samba already does this (well, ther
reverse), you don't need winbind. Winbind is primarily useful when you
*aren't* using samba as a domain controller, and would be run on the
client systems.
> #2: How do the idmap mappings get created? I have the ldap idmap suffix
> option set to a valid location but I've never seen any entries get put
in
> there.
>
You don't need this.
> #3: What constitutes a domain group in ldapsam? From what I can
tell, the> sambaGroupMapping object class indicates a domain group. But every domain
> group needs to map to a posixGroup objectclass entry. So if every domain
> group has a one-to-one mapping to a group gid, why is there a need for
> winbindd to generate mappings for domain groups?
There isn't. nss_ldap will give you the groups as they are in LDAP.
> #4: Is there an easy way to test the smbd+slapd configuration? I want to
> make sure that those two are configured and working correctly before I
start> expanding the configuration to adding other machines to the domain.
Join one machine to the domain, and test things like ACLs on the client.
> #5: When I run wbinfo -u or wbinfo -g both return with "Error looking
up
> domain [users|groups]" but if I tried wbinfo -n <testuser> I
actually
get a> SID back. What could cause this?
But you don't need this to work.
> Any help would be appreciated. If someone has samba3 PDC + OpenLDAP
system> set up, a dump in ldif format (with sensitive info removed) of the ldap
> directory would be a great help, as well as sample smb.conf's or any
other
> suggestions.
I think you're probably more in need on docs on the nss_ldap/pam_ldap
side, please see the documents at http://mandrakesecure.net which cover
a few issues which may be of interest (but don't cover samba3 yet ...)
Regards,
Buchan
- --
|--------------Another happy Mandrake Club member--------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/hUGirJK6UGDSBKcRAlTfAJ95WPICQVSJ64maD8Eg3g6wNZdvegCeNx+W
WybrP8jRaQyJ2oLryz3eEm8=cPTQ
-----END PGP SIGNATURE-----
*****************************************************************
Please click on http://www.cae.co.za/disclaimer.htm to read our
e-mail disclaimer or send an e-mail to info@cae.co.za for a copy.
*****************************************************************