Mont Rothstein wrote:
> I am hoping someone can tell me if I am trying something that can't be done.

Well, if I understood you correctly I'll say yes ;)

Don't make it harder than it is, there are only three parties involved:

1) Windows (the client)
2) Samba ("app server")
3) LDAP (authentication backend)

Windows never talks directly to LDAP (at least not in this scenario), it always contacts samba, PDC or not. So the windows box asks samba "hey, I want to write to your disk..." and samba, being a sensitive piece of software, insists: "Wait a minute, tell me who you are and prove this somehow, then I'll ask my backend if it knows you and if your proof holds true,...". The stupid windows client, not knowing that it speaks to the glorious UNIX world, sends its usual credentials, a string like MYWORKSTATION\joe and a "secret" hash.

Now samba looks for a UNIX user joe via the normal system calls used on unix, and in its configured backend for the hash and all the other pieces needed in the windows world and not present on a normal unix system account.

Samba absolutely DOES NOT CARE where the unix NAMES (+uid,gid) come from. They need to be known to the system where samba is installed, period. Fortunately, linux/unix has quite a few sources where names may come from. This is abstracted through the NSS interface and implemented by shared libraries whose names happen to be libnss_<servicename>.so. If you have a line like:

    passwd: files ldap

in your /etc/nsswitch.conf, the system will ask libnss_files.so and libnss_ldap.so for the names and numbers commonly known as "accounts".

In your case, you want to enable/disable/setup users in LDAP only. All you have to do is:

1. Instruct your system to fetch unix NAMES from ldap (nss_ldap).
2. Instruct samba to fetch the windows bits from ldap (passdb backend).

Couldn't stress this point of common misconception less, sorry.

Paul

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
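The two-step setup in the reply above (unix names via nss_ldap, windows bits via samba's passdb backend) can be checked statically before anyone tries to log on. The script below is an added example, not code from the list post or from the Samba project: it parses an nsswitch.conf-style file and an smb.conf-style file, and fails when samba is told to use ldapsam while the passwd or group database does not list ldap, which is exactly the misconfiguration the reply warns about. The sample files, the EXAMPLE workgroup and the ldap.example.com server are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the list post: a static check for the two
# settings the reply describes. Samba reads unix NAMES through NSS
# (nsswitch.conf) and its windows bits through "passdb backend" (smb.conf).
# Both file paths are parameters; the constructed samples at the bottom
# stand in for real files so the script runs offline.

# nss_db_has_source FILE DB SOURCE: succeed when the "DB:" line in an
# nsswitch.conf-style FILE lists SOURCE (e.g. "passwd: files ldap").
nss_db_has_source() {
    awk -v db="$2:" -v src="$3" '
        /^[[:space:]]*#/ { next }                 # comment line
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# smb_passdb_backend FILE: print the value of "passdb backend" from an
# smb.conf-style FILE (empty output when the parameter is absent).
smb_passdb_backend() {
    awk '
        /^[[:space:]]*[#;]/ { next }              # comment line
        {
            i = index($0, "=")
            if (i == 0) next                      # section header or junk
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "passdb backend") { print val; exit }
        }
    ' "$1"
}

# check_ldap_accounts NSSWITCH SMBCONF: succeed only when samba is told to
# use ldapsam AND the system resolves passwd/group names from ldap.
check_ldap_accounts() {
    backend=$(smb_passdb_backend "$2")
    case "$backend" in
        ldapsam*) ;;
        *) echo "samba passdb backend is '${backend:-unset}', not ldapsam"; return 1 ;;
    esac
    for db in passwd group; do
        if ! nss_db_has_source "$1" "$db" ldap; then
            echo "nsswitch.conf: '$db' does not list ldap; samba will not find the unix names"
            return 1
        fi
    done
    echo "ok: names via nss_ldap, windows bits via $backend"
    return 0
}

# Constructed sample files (hypothetical workgroup and LDAP host), written to
# a temp dir that is removed when the script exits.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   # hypothetical LDAP server
   passdb backend = ldapsam:ldap://ldap.example.com
EOF
cat > "$SAMPLE_DIR/nsswitch.broken" <<'EOF'
# names still come from the /etc files only
passwd: files
group:  files
EOF
cat > "$SAMPLE_DIR/nsswitch.fixed" <<'EOF'
passwd: files ldap
group:  files ldap
EOF

# Run both variants; the broken one reports the missing ldap source.
if check_ldap_accounts "$SAMPLE_DIR/nsswitch.broken" "$SAMPLE_DIR/smb.conf"; then :; fi
if check_ldap_accounts "$SAMPLE_DIR/nsswitch.fixed" "$SAMPLE_DIR/smb.conf"; then :; fi
```

On a real host, point the two arguments at /etc/nsswitch.conf and the live smb.conf; a passing static check still does not prove the LDAP server answers, so follow it with `getent passwd joe` to confirm that NSS actually resolves the name.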