Re: [Samba] understanding the ldap backend

Tue, 19 Feb 2008 23:43:06 -0800 


[EMAIL PROTECTED] wrote:

Hello List,


i am trying to understand the LDAP-backend i just set up. Maybe 
someone can help me a little understanding the whole magic.


In smb.conf i have my smbldap-tools scripts:
 # use the smbldap-tools scripts
 add user script = /usr/sbin//smbldap-useradd -m "%u"
 delete user script = /usr/sbin//smbldap-userdel "%u"
 add machine script = /usr/sbin//smbldap-useradd -w "%u"
 add group script = /usr/sbin//smbldap-groupadd -p "%g"
 delete group script = /usr/sbin//smbldap-groupdel "%g"
 add user to group script = /usr/sbin//smbldap-groupmod -m "%u" "%g"
 delete user from group script = /usr/sbin//smbldap-groupmod -x "%u" "%g"
 set primary group script = /usr/sbin//smbldap-usermod -g "%g" "%u"


and some ldap specific stuff:
 passdb backend = ldapsam:ldap://127.0.0.1/
 ldap admin dn = cn=Manager,dc=example,dc=net
 ldap suffix = dc=example,dc=net
 ldap group suffix = ou=Groups
 ldap user suffix = ou=Users
 ldap machine suffix = ou=Computers
 ldap idmap suffix = ou=Users
 idmap backend = ldap://127.0.0.1
 #ldap ssl = start tls
 ldap delete dn = Yes




1.) Now how does the authentification excatly work? Does samba talk 
directly to the ldap database and verifies user/password?
2.) I guess changing/deleting passwords/users is beeing made by the 
smblda-tools.
3.) How does samba get the user ids? By contacting the ldap database 
directl again?

4.) How does samba get he user/group of files and folders? By nss?
5.) Has samba got anything to do with nss/libnss-ldap?


Thanks, Mario


1) yes

2) you can use smbldap-passwd to change a user's password if you want to 
set the passwd chat, unix password sync, etc.  or you can just set ldap 
passwd sync = yes and let samba handle the password changing directly

3)yes
4) yes

5) i think so, i have nss_ldap working because my users need shell 
access for database/html work.  i've never tried getting samba going 
without using nss_ldap for user auth.  i don't know if samba can look up 
the users directly or if it gets their user, group, machine accounts via 
nss_ldap.  but nss_ldap is trivial to get working.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba






















					Reply via email to