Persing, Kenneth
2004-Apr-24 00:08 UTC
[Samba] Samba3, LDAP and FreeBSD 4.8 : need for NSS ?
Hi,

I found your posting below... I am in a very similar situation and just want to understand what this means a little better. I have compiled openldap and samba on a netbsd box... Not sure if you're aware, but nsswitch on netbsd is not modular, and ldap is not an option for the name service backend. (freebsd and linux are not options since it's not an x86 box I'm using)

Anyway, my ldap database is populated with sambasamaccount object classes AND posixAccount object classes (other machines will be using the ldap server on this box for their name service). You indicated below that I need to add unix accounts (I am assuming for local name service purposes). Here are my questions:

1. Does this mean that the entries in /etc/passwd need to have passwords?? (i.e., do they have to authenticate properly, or can I just manually enter in ##### in the password field in /etc/passwd to keep people from logging in as these accounts)
2. If so, must the passwords match those in the ldap database?
3. Which accounts must be in /etc/passwd (i.e., I am assuming all samba users as well as machine accounts, is this accurate?)
4. Any more advice that you can give me, I'd greatly appreciate.

Cheers,
Ken

Antoine Jacoutot ajacoutot at lphp.org
Tue Sep 16 20:59:51 GMT 2003

On Tuesday 16 September 2003 22:35, Jérôme Fenal wrote:
> Hi all,
> another French guy learning, don't bash me too hard... ;-)

Don't worry, I've been on it for 2 weeks :)

> In fact, I'm in need of a confirmation : I'm on the way to create a
> Samba3+LDAP (new schemas) PDC server (no migration from NT4 nor 2K, only
> from an old Samba 2.0 with security=user using /etc/passwd, ie. no encrypt
> password).
> This Samba3 should be hosted on a FreeBSD 4.8 (ie. pam_ldap can work, I
> tested it today, but no NSS available).
> I've read many docs, including the HEAD Samba HOWTO collection, HOWTO from
> Ignacio Coupeau (worth a read), old one from IdealX (which disappeared last
> week, I still have a hardcopy), and many others.
> The OpenLDAP 2.1 is up, with a few accounts populated (with both
> sambaSamAccount & posixAccount objectclasses). PAM_LDAP auth works.
> Then comes the integration with Samba. I have not yet begun the work of
> integrating Samba to LDAP (I'm learning LDAP).
> Here's my question : does Samba3 need a Unix account (in /etc/passwd) in
> addition to the one in the LDAP directory ?
> I believe the answer is yes (since FreeBSD 4.8 doesn't have NSS, and PAM is
> only for authentication), but may someone confirm because I lose the few
> last hair I have ;-? Or, before the server is migrated to FreeBSD 5.1
> (-CURRENT), which should undoubtedly lessen the need for a firm answer.
> Best regards, and thanks for the job for so many years (I live happily with
> Samba since 1996, in production since 1998).

OK, so basically, you do NOT need nss_ldap to use samba-3.0 with LDAP, but you DO need Unix accounts (if not using nss). So, you do not need any posixAccount object class entries in your LDAP since this is for authenticating Unix users (except if you need it).

I just built a FreeBSD-5.1 + nss_ldap + pam_ldap and samba-3.0 as a PDC. It works great. If you don't want to use 5.1, which I can understand, what I recommend is to use Unix accounts and pdbedit to add the samba users, you will almost have nothing to populate LDAP with, samba will take care of it.

Basically, you just need a base.ldif file with your domain/organisation, some groups (users, computers, admins and guest) and some ou to add your users/computers into.

If you need help, please do not hesitate, I've spent the last 2 weeks on the subject :)

Antoine
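
The quoted reply says that Samba 3 without nss_ldap still needs a local Unix account for each Samba account. The script below is an added example, not part of the thread or of Samba: it lists the sambaSamAccount uids in an LDIF export that have no entry in a passwd-format file. The function names, the dc=example,dc=org entries and the sample accounts are constructed, and it assumes unfolded, non-base64 uid values.

```shell
# Added example: find sambaSamAccount uids in an LDIF export with no local Unix account.
missing_unix_accounts() {   # usage: missing_unix_accounts LDIF_FILE PASSWD_FILE
    awk -v passwd="$2" '
        BEGIN {
            # Load every login name from the passwd-format file.
            while ((getline line < passwd) > 0) {
                split(line, f, ":")
                if (f[1] != "" && f[1] !~ /^#/) have[f[1]] = 1
            }
        }
        # Called at each entry boundary: report a Samba uid with no local account.
        function emit_entry() {
            if (is_samba && uid != "" && !(uid in have)) print uid
            is_samba = 0; uid = ""
        }
        /^[ \t]*$/ { emit_entry(); next }   # a blank line ends an LDIF entry
        {
            attr = tolower($0); sub(/:.*/, "", attr)   # attribute names are case-insensitive
            val = $0; sub(/^[^:]*:[ ]*/, "", val)
            if (attr == "objectclass" && tolower(val) == "sambasamaccount") is_samba = 1
            if (attr == "uid") uid = val
        }
        END { emit_entry() }
    ' "$1"
}
# Constructed sample data: two users, one machine account, one posixAccount-only entry.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/samba.ldif" <<'EOF'
dn: uid=alice,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice

dn: uid=bob,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob

dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: ws01$

dn: uid=carol,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: carol
EOF
    cat > "$tmp/passwd" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/sbin/nologin
EOF
    missing_unix_accounts "$tmp/samba.ldif" "$tmp/passwd"
    rm -rf "$tmp"
}
```

Calling `demo` prints the two accounts (one user, one machine account) that exist only in the directory.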