[Samba] Re: Windows->LDAP->Samba


11-16-2005
paul kölle
Mont Rothstein wrote:
> I am hoping someone can tell me if I am trying something that can't be done.

Well, if I understood you correctly I'll say yes ;)

Don't make it harder than it is, there are only three parties involved

1) Windows (the client)
2) Samba ("app server")
3) LDAP (authentication backend)

Windows never talks directly to LDAP (at least not in this scenario), it
always contacts samba, PDC or not. So the windows box asks samba "hey, I
want to write to your disk..." and samba, being a sensitive piece of
software insists: "Wait a minute, tell me who you are and prove this
somehow, then I'll ask my backend if it knows you and if your proof
holds true,...".

The stupid windows client, not knowing that he speaks to the glory UNIX
world sends its usual credentials, a string like MYWORKSTATION\joe and a
"secret" hash.

Now samba looks for a UNIX user joe via the normal system calls used on
unix and in its configured backend for the hash and all the other pieces
needed in the windows world and not present on a normal unix system
account. Samba absolutely DOES NOT CARE where the unix NAMES (+uid,gid)
come from. They need to be known to the system where samba is installed,
period.

Fortunately, linux/unix has quite a few sources where names may come
from. This is abstracted through the NSS interface and implemented by
shared libraries whose names happen to be libnss_<servicename>.so. If
you have a line like:

passwd: files ldap

in your /etc/nsswitch.conf, the system will ask libnss_files.so and
libnss_ldap.so for the names and numbers commonly known as "accounts".

In your case, you want to enable/disable/setup users in LDAP only. All
you have to do is:

1. Instruct your system to fetch unix NAMES from ldap (nss_ldap).
2. Instruct samba to fetch the windows bits from ldap (passdb backend).

couldn't stress this point of common misconception less, sorry.
Paul
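
The two steps above can be checked mechanically. The script below is an added example, not part of the original post: it reads an nsswitch.conf and an smb.conf and reports whether the unix names and Samba's passdb backend both point at LDAP. The function names, the ldapsam URL and the host ldap.example.org are assumptions for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: verify both halves of the setup (NSS names + Samba passdb backend).

# Print the sources listed for one database in an nsswitch.conf file.
nss_sources() {  # $1 = nsswitch.conf path, $2 = database (e.g. passwd)
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print the value of "passdb backend" from an smb.conf file.
# Parameter names are matched ignoring case and whitespace; section
# tracking is omitted because passdb backend is a global parameter.
passdb_backend() {  # $1 = smb.conf path
    awk -F= '/^[ \t]*[#;]/ { next }
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == "passdbbackend" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Return 0 if word $2 appears in the space-separated list $1.
has_word() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

check_ldap_setup() {  # $1 = nsswitch.conf, $2 = smb.conf
    rc=0
    src=$(nss_sources "$1" passwd)
    if has_word "$src" ldap; then
        echo "OK   unix names:   passwd sources = $src"
    else
        echo "FAIL unix names:   'ldap' not in passwd sources (${src:-none})"; rc=1
    fi
    backend=$(passdb_backend "$2")
    case "$backend" in
        ldapsam*) echo "OK   windows bits: passdb backend = $backend" ;;
        *) echo "FAIL windows bits: passdb backend = ${backend:-unset}"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files; only the passwd line comes from the post.
demo=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\n' > "$demo/nsswitch.conf"
printf '[global]\n  passdb backend = ldapsam:ldap://ldap.example.org\n' > "$demo/smb.conf"
check_ldap_setup "$demo/nsswitch.conf" "$demo/smb.conf"
rm -rf "$demo"
```

On a live host, pass /etc/nsswitch.conf and the server's smb.conf instead of the sample files.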
