Hi all:

I am currently using Active Directories (via openldap client) to authenticate my linux clients and would like to have samba use AD (ldap - not winbind) as well. I really haven't seen any documentation on how to implement, however. Does anyone have any information regarding ldap and samba (redhat rpm)?

Thanks!

Kind Regards,
Jennifer Fountain
Systems Administrator/Security
R&B Distribution
3400 E Walnut Street
Colmar, PA 18915

On Tuesday 10 May 2005 08:18, Jennifer Fountain wrote:
> Hi all:
>
> I am currently using Active Directories (via openldap client) to
> authenticate my linux clients and would like to have samba use AD (ldap -
> not winbind) as well. I really haven't seen any documentation on how to
> implement, however. Does anyone have any information regarding ldap and
> samba (redhat rpm)?

It is possible to use the Microsoft Windows Services for UNIX (SFU) to extend the ADS schema with UNIX UID/GID information so that nss_ldap can be used to provide that directly to your UNIX client. To get this functionality nss_ldap needs to be built with support for ADS features - something I do not know whether or not your Red Hat package has.

Suggest you obtain the latest nss_ldap from the PADL web site and read the latest info in it. You can obtain this from http://www.padl.com.

- John T.

Carlos Rodrigues
2005-May-10  18:48 UTC
[Samba] Re: Using ldap for permissions/authenication
Jennifer Fountain wrote:
> Hi all:
>
> I am currently using Active Directories (via openldap client) to
> authenticate my linux clients and would like to have samba use AD (ldap -
> not winbind) as well. I really haven't seen any documentation on how to
> implement, however. Does anyone have any information regarding ldap and
> samba (redhat rpm)?

If you are already using LDAP to authenticate against Active Directory (/etc/ldap.conf or /etc/libnss-ldap.conf already configured), then there isn't much to do on the Samba side. Samba will see the users as if they were local.

You will have to install Kerberos (either MIT or Heimdal - configuring /etc/krb5.conf not needed) and use an smb.conf with a global section somewhat like this:

    [global]
        workgroup = EXAMPLE
        realm = EXAMPLE.REALM.COM
        server string = My Server
        security = ADS
        password server = *
        local master = No
        invalid users = root
        read only = No

Then do a "net ads join -U Administrator" to join the box to the domain. There is no need to have winbind running (and it shouldn't).

The only snag with this setup is that permissions (on the file/folder "security" tab) will show as "YOURSAMBASERVER\user" instead of "DOMAIN\user", but that's only cosmetic as it works just fine (I guess it behaves somewhat like if a trust was in place with the samba server).

Carlos Rodrigues
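
Added example, not part of the original thread and not Samba project code: a small lint that checks a host against the setup described in the reply above (security = ADS, realm set, root in invalid users, users resolved through nss_ldap with no winbind source). It assumes the NSS side is configured through the `passwd` and `group` lines of nsswitch.conf with an `ldap` source; the function names and the sample file contents are constructed for illustration.

```python
import re

def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict (names lowercased)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf, dropping [action] items."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return dbs

def check(smb_text, nss_text):
    """List deviations from the LDAP-via-NSS, no-winbind setup in the post above."""
    g, nss, findings = parse_smb_global(smb_text), parse_nsswitch(nss_text), []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not ADS")
    if not g.get("realm"):
        findings.append("realm is not set")
    if "root" not in g.get("invalid users", "").replace(",", " ").split():
        findings.append("root is not in invalid users")
    for db in ("passwd", "group"):
        sources = nss.get(db, [])
        if "ldap" not in sources:
            findings.append(f"nsswitch {db}: ldap source missing")
        if "winbind" in sources:
            findings.append(f"nsswitch {db}: winbind source present")
    return findings

# Constructed sample input (not taken from a real host).
SMB_SAMPLE = ("[global]\n  workgroup = EXAMPLE\n  realm = EXAMPLE.REALM.COM\n"
              "  security = ADS\n  invalid users = root\n")
NSS_SAMPLE = "passwd: files ldap\ngroup: files ldap [NOTFOUND=return] winbind\n"

if __name__ == "__main__":
    print(check(SMB_SAMPLE, NSS_SAMPLE))
```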