Re: [Samba] SAMBA+LDAP in a Workgroup
HiHo Tom!

Tom Haerens wrote:
> Hi,
>
> This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.

I've such a setup running here and I'm quite satisfied. We once migrated from NIS to LDAP and later added the Samba scheme to our LDAP server. We are just using simple file- and print services with Samba. We don't use the PDC functionality as, up to now, I don't see an advantage for us - just more administration effort. Roughly said, the LDAP is just used for user accounts and groups, i.e. passwords and userid/group matching.

There are enough websites that describe such a setup, by the way. Start with these here:

http://www.ofb.net/~jheiss/samba/ldap.shtml
http://www.coe.tamu.edu/cs/Manuals/Samba/Samba-LDAP-HOWTO.html

Markus

--
Senior Executive - Systemadministration
Direct Phone: + 49 / 234 9787-57
Direct Fax: +49 / 234 9787-77
Viisage Technology AG
Universitaetsstrasse 160
44801 Bochum
Germany
http://www.viisage.com

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] SAMBA+LDAP in a Workgroup
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Korth
Sent: 17 March 2006 08:28
To: samba@lists.samba.org
Subject: Re: [Samba] SAMBA+LDAP in a Workgroup

> HiHo Tom!
>
> Tom Haerens wrote:
> > Hi,
> >
> > This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.

LDAP is a heavyweight store for massive amounts of passwords and extended data needed to run 100s or 1000s of PCs. In a workgroup there is no central password store. In a workgroup each windows client has local users and would never consult a central authentication database so the LDAP would only hold accounts for the local Linux machine/samba users.

This is a Sledgehammer + nut situation

Look at the normal samba database

Regards
Rob

> I've such a setup running here and I'm quite satisfied. We once migrated from NIS to LDAP and later added the Samba scheme to our LDAP server. We are just using simple file- and print services with Samba. We don't use the PDC functionality as, up to now, I don't see an advantage for us - just more administration effort. Roughly said, the LDAP is just used for user accounts and groups, i.e. passwords and userid/group matching.
>
> There are enough websites that describe such a setup, by the way. Start with these here:
>
> http://www.ofb.net/~jheiss/samba/ldap.shtml
> http://www.coe.tamu.edu/cs/Manuals/Samba/Samba-LDAP-HOWTO.html
>
> Markus
[Samba] SAMBA+LDAP in a Workgroup
Hi,

This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.

I have to set up a new Samba server and checkout LDAP but I'm not allowed to change the Workgroup settings... Now we use smbpasswd... Is LDAP worth the effort and time?

Kind Regards,
ToHa
RE: [Samba] SAMBA+LDAP in a Workgroup
Tom,

Personally I believe LDAP is an excellent backend database for Samba, especially if you are looking for Single-Sign-On capabilities. PC's do not have to join the Samba Domain in order to still gain domain access, however users will be prompted for username and password when accessing a share for your Samba Domain. One way around this is to use the same username and password for your LDAP database as you do currently for their machine logon accounts.

Also, in order to find samba shares on Samba/LDAP servers with a different domain your current WINS servers should be able to find the new domain and list it within your Network List so you should be able to browse to them. Otherwise you can use DNS.

Good Luck!
James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Haerens
Sent: Thursday, March 16, 2006 1:00 AM
To: samba@lists.samba.org
Subject: [Samba] SAMBA+LDAP in a Workgroup

> Hi,
>
> This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.
>
> I have to set up a new Samba server and checkout LDAP but I'm not allowed to change the Workgroup settings... Now we use smbpasswd... Is LDAP worth the effort and time?
>
> Kind Regards,
> ToHa
Re: [Samba] SAMBA+LDAP in a Workgroup
On Thu, 2006-03-16 at 10:00 +0100, Tom Haerens wrote:
> Hi,
>
> This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.
>
> I have to set up a new Samba server and checkout LDAP but I'm not allowed to change the Workgroup settings... Now we use smbpasswd... Is LDAP worth the effort and time?

for maintaining user accounts on one UNIX/Linux system to interface with Samba? Doubtful

for maintaining user accounts on more than one UNIX/Linux system so there is across the board continuity of uid's, gid's passwords, integration with Samba and other services such as mail...Yes.

The reason that the documentation always uses the Windows Domain model when talking about LDAP is because the Windows Domain model is a basic logical and security structure in any group of Windows computers. That doesn't mean you have to use Samba LDAP in a Windows Domain model...it means that almost all Administrators and Users would prefer to have it integrate into a Windows Domain model because there is less password management, access management, security management in a predictable way and it would only be the rare case for someone to set up LDAP and not integrate it.

Craig
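As an added illustration of the setup discussed in this thread (not a configuration posted by any participant): a Samba 3 `smb.conf` `[global]` section for a standalone workgroup file server that takes its accounts from LDAP through `ldapsam` instead of smbpasswd. The workgroup name, LDAP host, base DN, sub-tree names and bind DN are assumed placeholder values.

```ini
# Added example: standalone (workgroup) Samba 3 server with LDAP as the
# account backend. Every name below is a placeholder, not a value from the
# thread.
[global]
    # The workgroup name stays as it is; this server is not a domain
    # controller and clients do not join anything.
    workgroup = WORKGROUP
    security = user
    domain logons = no
    domain master = no

    # Use the LDAP directory in place of the smbpasswd file.
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups

    # DN that Samba binds as. Its password is not written in smb.conf;
    # it is stored in secrets.tdb with "smbpasswd -w".
    ldap admin dn = cn=samba,dc=example,dc=com

    # The Samba password attributes hold hashes that are password-equivalent
    # for SMB logons. Encrypt the connection to the directory, and in the
    # directory's ACLs limit read access to those attributes to this bind DN.
    ldap ssl = start tls

    # Default setting: an SMB password change updates only the Samba hash
    # attributes, not the LDAP userPassword attribute.
    ldap passwd sync = no
```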
Re: [Samba] Samba + LDAP - PDC (i.e. workgroup)
>> There's lots of howtos and mailing list posts about creating a PDC with samba and LDAP. What I want to do is to continue with workgroup operation (at least until all our clients are NT).
>
> A domain is really only of relevance to machines that have joined the domain. For machines that aren't domain members, it looks like a workgroup with passwords sync'ed between servers that are domain members.

So even though I'm achieving the password sync with an LDAP directory, and all clients are workgroup mode - a domain would still be suitable and could be properly utilised as a domain in the future...

>> All I essentially want to do is to move the smbpasswd file on our 30 or so servers to LDAP (after sorting out nss and PAM). Can I do this?
>
> Yes. But best by turning some of your servers into domain controllers, but this largely has no effect on clients (unless you join them to the domain).

Does utilising up a PDC and BDC's cause network traffic? e.g. when a user logs on to their local server (which I assume would be a member server) does the member server need to check with the PDC for authentication? (Or would all remote offices need a BDC)?

>> Also we have a replicated LDAP directory provided by our openldap servers - one master updating 29 slaves. The slaves (running samba) are not allowed to update the master server. Is this a problem for samba/LDAP operation?
>
> Not necessarily.

I asked this because I thought samba in some modes needed to update the LDAP directory upon user login (last login attributes etc).

>> Obviously account and password changes need to be done on the master server but this is desirable for us. I think the PDC + LDAP solution means that the LDAP directory is written to by samba upon each user login
>
> I don't think this is true, why would this be necessary?

See above. I plan to use a custom cgi script to perform samba user additions and password changes. Presumably if this was implemented samba wouldn't ever need to write to the directory - and would only need an LDAP acl to view the appropriate password attributes.

>> - this wouldn't be desirable for us as 30 servers on slow WAN links would be updated every user login. The local smbpasswd file doesn't seem to be updated at the moment when someone logs in - so I'm assuming a workgroup + LDAP solution wouldn't be a problem for us in this regard.
>
> Neither would an LDAP+domain.

IF there's no extra traffic generated as a result of PDC's/BDC's/member servers over standalone workgroup servers (for lack of a better term) using LDAP then we would be able to do this.

>> Also - is there any way to use a custom schema or perform schema mapping?
>
> Could you be more specific?

We already have an LDAP directory which uses custom schema (i.e. no posixaccount etc). I'd like the option to make samba use different attributes and objects (I'm assuming this would be a source code change - and I think I've found the two files).

>> I'm using samba 2.2.8a on the 29 slave servers - I prefer not to update to samba 3 if it's not required.
>
> It may be better to migrate to samba3. With samba-2.2.8a you need to install a different binary for LDAP support, whereas samba3 can be configured at run-time. Plus, when you do eventually join machines to the domain, you will have domain groups available.
>
> Migrating from samba-2.2.x+ldap to samba3+ldap is probably more challenging than migrating from samba-2.2.x to samba3+ldap, and migrating from samba-2.2.x to samba-2.2.x+ldap is probably about the same, so overall you win by going straight to samba3 (if you do your homework).
>
> You can see what it would take to go from samba-2.2.x to samba-2.2.x+ldap at http://mandrakesecure.net

Fair enough. I've built the samba 3 binary with --ldapsam (Which I think means use the old schema). Some initial testing seems OK in this area (with the workgroup model).

One quick question - I've deja'd (I still call it that) for a solution to specify more than one LDAP server for fault tolerance. There were some patches for older samba's - not sure if this has now been resolved?

Cheers for the help Buchan

Pete.
[Samba] Samba + LDAP - PDC (i.e. workgroup)
There's lots of howtos and mailing list posts about creating a PDC with samba and LDAP. What I want to do is to continue with workgroup operation (at least until all our clients are NT).

All I essentially want to do is to move the smbpasswd file on our 30 or so servers to LDAP (after sorting out nss and PAM). Can I do this?

Also we have a replicated LDAP directory provided by our openldap servers - one master updating 29 slaves. The slaves (running samba) are not allowed to update the master server. Is this a problem for samba/LDAP operation?

Obviously account and password changes need to be done on the master server but this is desirable for us. I think the PDC + LDAP solution means that the LDAP directory is written to by samba upon each user login - this wouldn't be desirable for us as 30 servers on slow WAN links would be updated every user login. The local smbpasswd file doesn't seem to be updated at the moment when someone logs in - so I'm assuming a workgroup + LDAP solution wouldn't be a problem for us in this regard.

Also - is there any way to use a custom schema or perform schema mapping? I'm using samba 2.2.8a on the 29 slave servers - I prefer not to update to samba 3 if it's not required.

Any help appreciated.

Pete.
Re: [Samba] Samba + LDAP - PDC (i.e. workgroup)
> Message: 9
> Date: Wed, 5 Nov 2003 00:58:21 -0800 (PST)
> From: peter pan [EMAIL PROTECTED]
> Subject: [Samba] Samba + LDAP - PDC (i.e. workgroup)
> To: [EMAIL PROTECTED]
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=us-ascii
>
> There's lots of howtos and mailing list posts about creating a PDC with samba and LDAP. What I want to do is to continue with workgroup operation (at least until all our clients are NT).

A domain is really only of relevance to machines that have joined the domain. For machines that aren't domain members, it looks like a workgroup with passwords sync'ed between servers that are domain members.

> All I essentially want to do is to move the smbpasswd file on our 30 or so servers to LDAP (after sorting out nss and PAM). Can I do this?

Yes. But best by turning some of your servers into domain controllers, but this largely has no effect on clients (unless you join them to the domain).

> Also we have a replicated LDAP directory provided by our openldap servers - one master updating 29 slaves. The slaves (running samba) are not allowed to update the master server. Is this a problem for samba/LDAP operation?

Not necessarily.

> Obviously account and password changes need to be done on the master server but this is desirable for us. I think the PDC + LDAP solution means that the LDAP directory is written to by samba upon each user login

I don't think this is true, why would this be necessary?

> - this wouldn't be desirable for us as 30 servers on slow WAN links would be updated every user login. The local smbpasswd file doesn't seem to be updated at the moment when someone logs in - so I'm assuming a workgroup + LDAP solution wouldn't be a problem for us in this regard.

Neither would an LDAP+domain.

> Also - is there any way to use a custom schema or perform schema mapping?

Could you be more specific?

> I'm using samba 2.2.8a on the 29 slave servers - I prefer not to update to samba 3 if it's not required.

It may be better to migrate to samba3. With samba-2.2.8a you need to install a different binary for LDAP support, whereas samba3 can be configured at run-time. Plus, when you do eventually join machines to the domain, you will have domain groups available.

Migrating from samba-2.2.x+ldap to samba3+ldap is probably more challenging than migrating from samba-2.2.x to samba3+ldap, and migrating from samba-2.2.x to samba-2.2.x+ldap is probably about the same, so overall you win by going straight to samba3 (if you do your homework).

You can see what it would take to go from samba-2.2.x to samba-2.2.x+ldap at http://mandrakesecure.net

Regards,
Buchan

--
|--Another happy Mandrake Club member--|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7