Re: [Samba] Re: Windows->LDAP->Samba (Samba forums, Networking and Network Related category)
Thank you for that description, that helps a lot.

I just recently stumbled across authconfig which I think edits nsswitch.conf.
From your description it sounds like I probably don't need pGina
(http://pgina.xpasystems.com/). I came across some references that led me to
believe that it would be necessary on the Windows client for this to work.

Do you agree that pGina should not be necessary?

Thanks again,
-Mont

On 11/16/05, paul kölle <paul@subsignal.org> wrote:
>
> Mont Rothstein wrote:
> > I am hoping someone can tell me if I am trying something that can't be
> > done.
> Well, if I understood you correctly I'll say yes ;)
>
> Don't make it harder than it is, there are only three parties involved
>
> 1) Windows (the client)
> 2) Samba ("app server")
> 3) LDAP (authentication backend)
>
> Windows never talks directly to LDAP (at least not in this scenario), it
> always contacts samba, PDC or not. So the windows box asks samba "hey, I
> want to write to your disk..." and samba, being a sensitive piece of
> software insists: "Wait a minute, tell me who you are and prove this
> somehow, then I'll ask my backend if it knows you and if your proof
> holds true,...".
>
> The stupid windows client, not knowing that he speaks to the glorious UNIX
> world sends its usual credentials, a string like MYWORKSTATION\joe and a
> "secret" hash.
>
> Now samba looks for a UNIX user joe via the normal system calls used on
> unix and in its configured backend for the hash and all the other pieces
> needed in the windows world and not present on a normal unix system
> account. Samba absolutely DOES NOT CARE where the unix NAMES (+uid,gid)
> come from. They need to be known to the system where samba is installed,
> period.
>
> Fortunately, linux/unix has quite a few sources where names may come
> from. This is abstracted through the NSS interface and implemented by
> shared libraries whose names happen to be libnss_<servicename>.so. If
> you have a line like:
>
> passwd: files ldap
>
> in your /etc/nsswitch.conf, the system will ask libnss_files.so and
> libnss_ldap.so for the names and numbers commonly known as "accounts".
>
> In your case, you want to enable/disable/setup users in LDAP only. All
> you have to do is:
>
> 1. Instruct your system to fetch unix NAMES from ldap (nss_ldap).
> 2. Instruct samba to fetch the windows bits from ldap (passdb backend).
>
> couldn't stress this point of common misconception less, sorry.
> Paul
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
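Paul's reply boils the setup down to two independent halves: NSS must resolve the UNIX names (the `passwd: files ldap` line in nsswitch.conf) and Samba must read the Windows-side bits from LDAP (the `passdb backend` setting). The two are commonly confused, and a logon fails in a different way depending on which half is missing. The POSIX shell script below is an added example, not code from the thread or from the Samba project: it parses two constructed sample config files (the `ldap.example.internal` host, the `dc=example,dc=internal` suffix and the function names are all assumptions made for the example) and reports which half is absent.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that both halves of a
# Windows -> Samba -> LDAP setup are configured, as described in the reply above:
#   1. NSS fetches UNIX account names from ldap   (passwd: files ldap)
#   2. Samba fetches the Windows bits from ldap   (passdb backend = ldapsam:...)
# Both config snippets are constructed samples, not real system files.

SAMPLE_NSSWITCH='# constructed sample /etc/nsswitch.conf
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns
'

SAMPLE_SMB='# constructed sample /etc/samba/smb.conf (hostname/suffix are made up)
[global]
   workgroup = EXAMPLE
   security = user
   passdb backend = ldapsam:ldap://ldap.example.internal
   ldap suffix = dc=example,dc=internal
   ldap admin dn = cn=admin,dc=example,dc=internal
'

# Print the name-service sources for one database (e.g. passwd) from
# nsswitch.conf text read on stdin; trailing comments are stripped.
nss_sources() {
    db="$1"
    sed -n "s/^[[:space:]]*${db}:[[:space:]]*//p" | sed 's/#.*//' | head -n 1
}

# Return 0 if the database lists "ldap" among its sources (libnss_ldap.so).
nss_uses_ldap() {
    db="$1"
    for src in $(nss_sources "$db"); do
        [ "$src" = "ldap" ] && return 0
    done
    return 1
}

# Print the "passdb backend" value from smb.conf text read on stdin.
smb_passdb_backend() {
    sed -n 's/^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Return 0 if Samba keeps its account data (NT hashes etc.) in LDAP.
smb_uses_ldapsam() {
    case "$(smb_passdb_backend)" in
        ldapsam:*|ldapsam) return 0 ;;
        *) return 1 ;;
    esac
}

# Overall verdict for a pair of config texts: both halves must be present.
check_setup() {
    nss="$1"; smb="$2"
    nss_ok=0; smb_ok=0
    printf '%s' "$nss" | nss_uses_ldap passwd && nss_ok=1
    printf '%s' "$smb" | smb_uses_ldapsam && smb_ok=1
    if [ "$nss_ok" = 1 ] && [ "$smb_ok" = 1 ]; then
        echo "ok: NSS and Samba both read from LDAP"
        return 0
    fi
    [ "$nss_ok" = 0 ] && echo "missing: 'ldap' on the passwd: line of nsswitch.conf (unix names unknown to the system)"
    [ "$smb_ok" = 0 ] && echo "missing: 'passdb backend = ldapsam:...' in smb.conf (samba has no hashes to check)"
    return 1
}

# Stand-alone run: the complete sample, then one with NSS left on files only.
check_setup "$SAMPLE_NSSWITCH" "$SAMPLE_SMB"
check_setup "passwd: files" "$SAMPLE_SMB" || true
```

On a live box the same two checks are `getent passwd joe` (does NSS know the UNIX name?) and `testparm -s | grep 'passdb backend'` (where does Samba look for the Windows bits?); the script only shows the logic on embedded text so it runs anywhere.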