> Message: 15
> Date: Wed, 8 Oct 2003 10:15:51 -0400
> From: "Jake Dalton" <[EMAIL PROTECTED]>
> Subject: [Samba] Samba3 PDC + LDAP + winbindd?
> To: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> I'm trying to set up a single sign-on system across both linux and windows
> with a Samba3 PDC and OpenLDAP backend. I've been trying to follow the
> documentation included with Samba3 but I don't seem to be having much
> success.
The basic idea is to use nss_ldap/pam_ldap/NFS on the linux clients, and
authenticate the Windows machines to samba. There is no reason your linux
clients need to know anything about samba (unless they are serving files to
windows clients, but then all you need to do is join them to the domain).

> So I have a few questions.
>
> #1: What services are necessary for this to work? I know smbd, nmbd and
> slapd are for sure required. But I can't figure out whether winbindd should
> be running with this system or not. As far as I understand, it is. It will
> provide the ability for domain users to log into linux systems with their
> domain credentials.

Winbind is there to map identities present on Windows Domain Controllers to
Unix uids and gids. Since samba already does this (well, the reverse), you
don't need winbind. Winbind is primarily useful when you *aren't* using samba
as a domain controller, and would be run on the client systems.

> #2: How do the idmap mappings get created? I have the ldap idmap suffix
> option set to a valid location but I've never seen any entries get put in
> there.

You don't need this.

> #3: What constitutes a domain group in ldapsam? From what I can tell, the
> sambaGroupMapping object class indicates a domain group. But every domain
> group needs to map to a posixGroup objectclass entry. So if every domain
> group has a one-to-one mapping to a group gid, why is there a need for
> winbindd to generate mappings for domain groups?

There isn't. nss_ldap will give you the groups as they are in LDAP.

> #4: Is there an easy way to test the smbd+slapd configuration? I want to
> make sure that those two are configured and working correctly before I start
> expanding the configuration to adding other machines to the domain.

Join one machine to the domain, and test things like ACLs on the client.
> #5: When I run wbinfo -u or wbinfo -g both return with "Error looking up
> domain [users|groups]" but if I tried wbinfo -n <testuser> I actually get a
> SID back. What could cause this?

But you don't need this to work.

> Any help would be appreciated. If someone has samba3 PDC + OpenLDAP system
> set up, a dump in ldif format (with sensitive info removed) of the ldap
> directory would be a great help, as well as sample smb.conf's or any other
> suggestions.

I think you're probably more in need of docs on the nss_ldap/pam_ldap side,
please see the documents at http://mandrakesecure.net which cover a few issues
which may be of interest (but don't cover samba3 yet ...)

Regards,
Buchan

- --
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key   http://ranger.dnsalias.com/bgmilne.asc   1024D/60D204A7
2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
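The reply to #3 rests on every sambaGroupMapping entry also being a posixGroup with its own gid, which is what lets nss_ldap serve domain groups without winbind. As an added example that is not part of this thread or of Samba itself, the script below reads an LDIF dump and flags domain groups that break that one-to-one mapping before other machines are joined; the LDIF entries and the domain SID are constructed assumptions.

```python
import re

# Constructed sample directory (not from the thread): one correctly mapped
# domain group and one sambaGroupMapping that lacks its posixGroup half.
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1111-2222-3333-513

dn: cn=broken,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: broken
sambaSID: S-1-5-21-1111-2222-3333-1005
"""
DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # assumption: the PDC's own domain SID

def parse_ldif(text):
    """Minimal LDIF reader: unfold ' ' continuations, one dict per record (no base64 '::')."""
    entries = []
    for block in re.sub(r"\n ", "", text).split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip(), []).append(value.strip())
        if attrs:
            entries.append(attrs)
    return entries

def check_group_mappings(entries, domain_sid):
    """Problems found; empty means each domain group is a posixGroup with a unique gid and an in-domain SID."""
    problems, seen = [], {}
    for e in entries:
        dn, classes = e["dn"][0], e.get("objectClass", [])
        if "sambaGroupMapping" not in classes:
            continue  # plain posixGroup: not a domain group, nss_ldap serves it as-is
        if "posixGroup" not in classes or "gidNumber" not in e:
            problems.append(f"{dn}: domain group without posixGroup/gidNumber")
            continue
        gid = e["gidNumber"][0]
        if gid in seen:
            problems.append(f"{dn}: gidNumber {gid} already used by {seen[gid]}")
        seen[gid] = dn
        sid = e.get("sambaSID", [""])[0]
        if not sid.startswith(domain_sid + "-"):
            problems.append(f"{dn}: sambaSID {sid!r} is outside {domain_sid}")
    return problems
```

Run it against the output of ldapsearch -LLL over the groups subtree; an empty result means the groups side of the directory is consistent and the remaining problems are on the nss_ldap/pam_ldap side the reply points to.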