Jon Detert
2010-Dec-29 15:29 UTC
[Samba] confusion about using samba as NT4 PDC with ldapsam backend
Hello,

I want to use samba v3.3.x to implement an NT4/Win2k style domain: a samba PDC and a samba BDC, using ldapsam for the 'passdb backend'. I plan to use RedHat Directory Server v8.2 as the ldap server.

I'm trying to sort out how user/group management and nss will work.

I'm confused about how/when the samba-supplied ldap schema is used (I mean the schema that's in the samba distribution, that contains the 'sambaSamAccount' objectClass).

I understand that I have to add/activate the schema within my ldap server (and that in its distributed form, it's for openLDAP, and so I have to convert it to a syntax suitable for RedHat DirServer).

However, I don't understand how to make samba use it.

Does the simple fact of specifying 'passdb backend' = ldapsam imply that this schema is used?

How do the samba ObjectClasses and their attributes get set for new users? E.g. will they be set automagically if I specify the 'add {user|group|machine} script' settings in the smb.conf? If not, how then?

The ldap server is already populated with inetOrgPerson information for my user population. I've just added the samba schema and the posixAccount schema. How should I populate the samba and posixAccount ObjectClasses and attributes for the existing users? I.e. run a one-time script to populate them, or is there a more clever way? If the former, are there ready-made scripts to do this, or do I need to write my own?

Once the samba schema objects and attributes are populated, how does smbd know about them? Will I need to run winbind in order for samba to map posix UIDs and GIDs to SIDs and RIDs, or will that be done automagically by virtue of specifying that the 'passdb backend' is ldapsam, and populating the samba schema?

Even if I don't need to run winbind, should I? I'll need to use nss in any case, but if I use nss_ldap, I think that the o.s. won't grok nested groups. If I use nss_winbind, I think it will.

AtDhVaAnNkCsE,

Jon
TAKAHASHI Motonobu
2010-Dec-29 17:05 UTC
[Samba] confusion about using samba as NT4 PDC with ldapsam backend
2010/12/30 Jon Detert <jdetert at infinityhealthcare.com>:
> How do the samba ObjectClasses and their attributes get set for new users?
> E.g. will they be set automagically if I specify the 'add
> {user|group|machine} script' settings in the smb.conf? If not, how then?

Use smbldap-tools or the ldapsam:editposix parameter. If you have already migrated LDAP users, smbldap-tools will be easy to use, although smbldap-tools are not maintained. There is a webpage that mentions ldapsam:editposix: http://wiki.samba.org/index.php/Ldapsam_Editposix

Or make scripts like smbldap-tools by yourself.

> I'm confused about how/when the samba-supplied ldap schema is used (I mean
> the schema that's in the samba distribution, that contains the
> 'sambaSamAccount' objectClass).
(snip)
> Does the simple fact of specifying 'passdb backend' = ldapsam imply that
> this schema is used?

Yes, Samba assumes the proper schema is defined in the LDAP directory.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
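The one-time population Jon asks about, done the way Motonobu's "make scripts like smbldap-tools by yourself" suggests: an added example that is not from either poster nor from smbldap-tools. It assumes a placeholder domain SID (take the real one from `net getlocalsid`), two constructed inetOrgPerson entries, a gid for Domain Users that already has a sambaGroupMapping entry, and Samba 3's default algorithmic RID mapping (user RID = 2 * uidNumber + 'algorithmic rid base' 1000); it emits `changetype: modify` LDIF that can be fed to ldapmodify.

```python
import re
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # placeholder; real value from `net getlocalsid`
RID_BASE = 1000         # Samba's default 'algorithmic rid base'
DOMAIN_USERS_GID = 513  # constructed: posix gid of the 'Domain Users' sambaGroupMapping entry
# Constructed sample: two existing inetOrgPerson entries without posix/samba attributes.
SAMPLE_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe

dn: uid=bsmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bsmith
cn: Bob Smith
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64, no line folding): list of {attr: [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def user_sid(uid_number):
    """Samba 3 algorithmic mapping: user RID = 2 * uidNumber + rid base."""
    return f"{DOMAIN_SID}-{2 * uid_number + RID_BASE}"

def migration_ldif(entries, first_uid=10000):
    """Emit 'changetype: modify' LDIF adding posixAccount + sambaSamAccount; skips migrated entries."""
    out, next_uid = [], first_uid
    for e in entries:
        if "sambaSamAccount" in e.get("objectClass", []):
            continue  # already migrated, so a re-run is safe
        uid, uid_number = e["uid"][0], next_uid
        next_uid += 1
        out.append("\n".join([
            f"dn: {e['dn'][0]}", "changetype: modify",
            "add: objectClass", "objectClass: posixAccount", "objectClass: sambaSamAccount", "-",
            "add: uidNumber", f"uidNumber: {uid_number}", "-",
            "add: gidNumber", f"gidNumber: {DOMAIN_USERS_GID}", "-",
            "add: homeDirectory", f"homeDirectory: /home/{uid}", "-",
            "add: sambaSID", f"sambaSID: {user_sid(uid_number)}", "-",
            "add: sambaPrimaryGroupSID", f"sambaPrimaryGroupSID: {DOMAIN_SID}-513", "-",  # well-known Domain Users RID
            "add: sambaAcctFlags", "sambaAcctFlags: [U          ]",  # normal user account, enabled
        ]))
    return "\n\n".join(out) + "\n"
```

The LDIF deliberately sets no sambaNTPassword; set passwords afterwards with smbpasswd so the hashes are written by Samba itself.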