Hi,
Can someone confirm if it's necessary to have nss? I don't have nss in
my configuration (I'm running OpenBSD, so it's a little different) and
it's not working, I've also tried adding LDAP users to my /etc/passwd
for my samba users as an experiment, but I couldn't get them to authenticate
with LDAP through a shell, nor did it help Samba in any way so I removed them
again. According to the logs, login_ldap (the bsd_auth module for ldap
authentication) is attempting to communicate with openldap with ldapv2, which
openldap doesn't support, so it appears this technique is impossible as far
as I could figure out. However, it is strange that login_ldap and openldap ship
together in the same version of the bsd packages collection, yet they
communicate with different versions. Anyways, I need LDAP authentication for
users with shell access, but luckily not on this server, they will only need to
authenticate against this server, not login to the server itself via
SSH or shell, only log in to the shell on Linux workstations (which can
easily be configured to authenticate with my OpenBSD openldap server using
ldapv3). Anyways, this is a bit off-topic I think, but does this in any way
relate to Samba? If I don't have users in my /etc/passwd file can't they
log in to Samba?
Btw I don't think that should break my configuration, considering that I
should still be able to log in as root since root has an account in both LDAP and
/etc/passwd, though the problem I'm experiencing with my configuration is
that I don't even get an opportunity to log in, it just bluntly throws at me
"The specified network name is no longer available" (in most cases,
though during this stage I cannot see anything being logged in Samba - maybe
Windows caches the first attempt and then doesn't give "Access is
denied" until you reboot? As usually when I reboot I get "Access is
denied" again), though the first time it shows "Access is
denied", the same happens with NET VIEW, yet, I'm not given a single
opportunity to log in, on joining a domain (attempting to) it throws the same
messages at me, dcdiag.txt also isn't much help. I have also tried setting
my Windows username and password to match a Samba username and password
(although I don't think this should be required).
Another thing, is it possible to hide a certain folder in every user's home
directory from them when viewing with Samba? I've got a Maildir in each
user's home directory to keep mail, but it's owned by vmail anyway (I
know I should probably use virtual aliases and domains for this, but this seems
to fit my scenario better), so the user can't access it, would just like
them to not see it, if it's in any way possible. (Though this is not
serious, since currently, my users can't even connect!)
Regards
Lionel
----- Original Message ----
From: Adam Williams <awilliam@mdah.state.ms.us>
To: "ml@bortal.de" <ml@bortal.de>
Cc: samba@lists.samba.org
Sent: Wednesday, 20 February 2008 9:33:53
Subject: Re: [Samba] understanding the ldap backend
ml@bortal.de wrote:
> Hello List,
>
> i am trying to understand the LDAP-backend i just set up. Maybe
> someone can help me a little understanding the whole magic.
>
> In smb.conf i have my smbldap-tools scripts:
> # use the smbldap-tools scripts
> add user script = /usr/sbin//smbldap-useradd -m "%u"
> delete user script = /usr/sbin//smbldap-userdel "%u"
> add machine script = /usr/sbin//smbldap-useradd -w "%u"
> add group script = /usr/sbin//smbldap-groupadd -p "%g"
> delete group script = /usr/sbin//smbldap-groupdel "%g"
> add user to group script = /usr/sbin//smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin//smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin//smbldap-usermod -g "%g" "%u"
>
>
> and some ldap specific stuff:
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=Manager,dc=example,dc=net
> ldap suffix = dc=example,dc=net
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> idmap backend = ldap://127.0.0.1
> #ldap ssl = start tls
> ldap delete dn = Yes
>
>
>
> 1.) Now how does the authentication exactly work? Does samba talk
> directly to the ldap database and verify user/password?
> 2.) I guess changing/deleting passwords/users is being done by the
> smbldap-tools.
> 3.) How does samba get the user ids? By contacting the ldap database
> directly again?
> 4.) How does samba get the user/group of files and folders? By nss?
> 5.) Has samba got anything to do with nss/libnss-ldap?
>
>
> Thanks, Mario
1) yes
2) you can use smbldap-passwd to change a user's password if you want to
set the passwd chat, unix password sync, etc. or you can just set ldap
passwd sync = yes and let samba handle the password changing directly
3) yes
4) yes
5) I think so, I have nss_ldap working because my users need shell
access for database/html work. I've never tried getting samba going
without using nss_ldap for user auth. I don't know if samba can look up
the users directly or if it gets their user, group, machine accounts via
nss_ldap. But nss_ldap is trivial to get working.
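An added example, not part of the original thread: smbd has to map every account it authenticates to a Unix user through the operating system's account lookup (`getpwnam`), which is the role nss_ldap fills on Linux, so a user that exists only as an LDAP entry cannot be given a session. The sketch below flags Samba accounts in an LDIF export that the local system cannot resolve; the sample LDIF, the function names and the `lookup` parameter are constructed for illustration, and the parser assumes plain unfolded LDIF.

```python
import pwd

# Constructed sample LDIF (not from the thread): two Samba accounts, one
# without the posixAccount attributes a Unix lookup would need.
SAMPLE_LDIF = """\
dn: uid=root,ou=Users,dc=example,dc=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
uidNumber: 0

dn: uid=alice,ou=Users,dc=example,dc=net
objectClass: sambaSamAccount
uid: alice
"""

def parse_ldif(text):
    """Split simple (unfolded, non-base64) LDIF into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry.setdefault(key.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(entries, lookup=pwd.getpwnam):
    """Return {uid: problem} for Samba accounts with no usable Unix identity."""
    problems = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "sambasamaccount" not in classes or "uid" not in e:
            continue
        name = e["uid"][0]
        try:
            unix = lookup(name)  # the same lookup the OS performs for smbd
        except KeyError:
            problems[name] = "not resolvable by the system account database"
            continue
        ldap_uid = e.get("uidnumber", [None])[0]
        if ldap_uid is None:
            problems[name] = "resolves locally but has no uidNumber in LDAP"
        elif int(ldap_uid) != unix.pw_uid:
            problems[name] = f"uidNumber {ldap_uid} != system uid {unix.pw_uid}"
    return problems

if __name__ == "__main__":
    for user, why in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{user}: {why}")
```

Run it on the Samba server itself against an export of the user subtree, since the result depends on that host's own account lookup.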