[Samba] Simple LDAP backend question - Samba


Thread: [Samba] Simple LDAP backend question

  1. [Samba] Simple LDAP backend question

    Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
    or can one move only the smbpasswd file to LDAP without impacting the
    standard UNIX passwd file at all?
    - --
    ---- _ _ _ _ ___ _ _ _
    |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Systems Programmer II
    |$&| |__| | | |__/ | \| _| |novosirj@umdnj.edu - 973/972.0922 (2-0922)
    \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Simple LDAP backend question

    John Drescher wrote:
    >> Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
    >> or can one move only the smbpasswd file to LDAP without impacting the
    >> standard UNIX passwd file at all?
    >> - --

    > With ldap you have both the users that are in the ldap server + the
    > /etc/passwd file.


    So then, do you get POSIX and Samba accounts in the LDAP, and then the
    /etc/passwd is also used?

    What I really want is to move smbpasswd users to LDAP, but we have
    processes that interact with /etc/passwd, but I would like LDAP to be only
    used by Samba. I suppose if nsswitch did not say to use LDAP, ssh/etc.
    would not check LDAP for user logins?

    - --
    ---- _ _ _ _ ___ _ _ _
    |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Systems Programmer II
    |$&| |__| | | |__/ | \| _| |novosirj@umdnj.edu - 973/972.0922 (2-0922)
    \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

  3. Re: [Samba] Simple LDAP backend question

    > John Drescher wrote:
    > >> Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
    > >> or can one move only the smbpasswd file to LDAP without impacting the
    > >> standard UNIX passwd file at all?
    > >> - --

    > > With ldap you have both the users that are in the ldap server + the
    > > /etc/passwd file.

    >
    > So then, do you get POSIX and Samba accounts in the LDAP, and then the
    > /etc/passwd is also used?
    >

    Yes. Both are specified in the nsswitch and both are used.

    >
    > What I really want is to move smbpasswd users to LDAP, but we have
    > processes that interact with /etc/passwd, but I would like LDAP to be only
    > used by Samba. I suppose if nsswitch did not say to use LDAP, ssh/etc.
    > would not check LDAP for user logins?
    >

    I have never tried that so I am not sure.

    John

  4. Re: [Samba] Simple LDAP backend question

    > Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
    > or can one move only the smbpasswd file to LDAP without impacting the
    > standard UNIX passwd file at all?
    > - --

    With ldap you have both the users that are in the ldap server + the
    /etc/passwd file.

    John

  5. [Samba] Re: Simple LDAP backend question

    "Ryan Novosielski" wrote in message
    news:477D2C28.7070705@umdnj.edu...
    > Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
    > or can one move only the smbpasswd file to LDAP without impacting the
    > standard UNIX passwd file at all?


    Interesting question. Just a little background info. so we are all on the
    same page.

    Each Samba user must have a Linux (POSIX) account in order to access the
    Linux machine. It must also have some Samba (Windows) information for it to
    work as a Windows domain controller.

    If you use the smbldap tools to manage the addition and deletion of users,
    they will add the POSIX and the Samba user info to the LDAP directory. This
    will happen because your add user script in the smb.conf file will point to
    the relevant smbldap add user script.

    You would typically configure the /etc/nsswitch.conf file to tell the Linux
    machine to look for user names and passwords in the LDAP directory. That
    way the user does not need to exist in the /etc/passwd file.

    So far so good.

    I understand from what you are saying that you want to
    separate the POSIX (Linux) information from the Samba information. You want
    to keep the POSIX information in the /etc/passwd file and the Samba
    information in the LDAP directory. Each user's authentication information
    will be stored in both locations.

    To do this you should not use the add user script from the smbldap tools.
    Instead use the standard Linux "add user" command in a script to add the
    user. I have done this in the past. It adds Samba info. to LDAP and
    creates the user account in the /etc/passwd file.

    Your smb.conf file should look something like

    add user script = /usr/sbin/useradd -m '%u'

    add machine script = /usr/sbin/useradd -M '%u'

    add group script = /usr/sbin/groupadd '%g'

    Typically I use the User Manager for Domains to add and delete users. Not
    sure how things will work with other tools.

    I guess you can use the smbldap tools to populate the LDAP database with the
    standard Windows users and groups but use the Linux commands in the add user
    script.

    I haven't tried this since the early versions of Samba 3.x. Let me know how
    it works out.



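A check for the mixed layout described in the post above, as an added example that is not part of the original thread: it confirms that nsswitch.conf keeps UNIX lookups on local files and lists Samba accounts that have no local passwd entry. The file names and sample data are constructed, and the account list is assumed to be saved `pdbedit -L` output.

```shell
#!/bin/sh
# Added example: audit the mixed layout (Samba accounts in LDAP, POSIX accounts
# in /etc/passwd). File names and sample data are constructed.

# Print the sources nsswitch.conf lists for one database (e.g. passwd).
nss_sources() {   # usage: nss_sources FILE DB
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed if the database consults LDAP, i.e. sshd/login would see LDAP users.
nss_uses_ldap() {   # usage: nss_uses_ldap FILE DB
    nss_sources "$1" "$2" | tr ' ' '\n' | grep -qx 'ldap'
}

# Print Samba accounts ("pdbedit -L" format, user:uid:name) with no local
# passwd entry; each Samba user still needs a POSIX account on the server.
missing_posix() {   # usage: missing_posix PDB_LIST PASSWD
    awk -F: 'FILENAME == ARGV[1] { have[$1] = 1; next }
             !($1 in have)       { print $1 }' "$2" "$1"
}

# Constructed sample inputs, written to directory $1.
make_samples() {
    printf '%s\n' '# constructed nsswitch.conf' 'passwd: files' \
        'group:  files' 'shadow: files' 'hosts:  files dns' > "$1/nsswitch.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1001:1001::/home/alice:/bin/sh' \
        'ws01$:x:2001:2001::/dev/null:/bin/false' > "$1/passwd"
    printf '%s\n' 'alice:1001:Alice' 'carol:1003:Carol' 'ws01$:2001:' > "$1/pdb.txt"
}

dir=$(mktemp -d)
make_samples "$dir"
for db in passwd group shadow; do
    if nss_uses_ldap "$dir/nsswitch.conf" "$db"; then
        echo "WARN: $db consults LDAP; UNIX logins will see LDAP accounts"
    else
        echo "ok: $db -> $(nss_sources "$dir/nsswitch.conf" "$db")"
    fi
done
missing_posix "$dir/pdb.txt" "$dir/passwd" |
    sed 's/^/no local account for Samba user: /'
rm -rf "$dir"
```
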

  6. Re: [Samba] Re: Simple LDAP backend question

    Jamrock wrote:
    > "Ryan Novosielski" wrote in message
    > news:477D2C28.7070705@umdnj.edu...
    >> Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
    >> or can one move only the smbpasswd file to LDAP without impacting the
    >> standard UNIX passwd file at all?

    >
    > Interesting question. Just a little background info. so we are all on the
    > same page.
    >
    > Each Samba user must have a Linux (POSIX) account in order to access the
    > Linux machine. It must also have some Samba (Windows) information for it to
    > work as a Windows domain controller.
    >
    > If you use the smbldap tools to manage the addition and deletion of users,
    > they will add the POSIX and the Samba user info to the LDAP directory. This
    > will happen because your add user script in the smb.conf file will point to
    > the relevant smbldap add user script.
    >
    > You would typically configure the /etc/nsswitch.conf file to tell the Linux
    > machine to look for user names and passwords in the LDAP directory. That
    > way the user does not need to exist in the /etc/passwd file.
    >
    > So far so good.
    >
    > I understand from what you are saying that you want to
    > separate the POSIX (Linux) information from the Samba information. You want
    > to keep the POSIX information in the /etc/passwd file and the Samba
    > information in the LDAP directory. Each user's authentication information
    > will be stored in both locations.
    >
    > To do this you should not use the add user script from the smbldap tools.
    > Instead use the standard Linux "add user" command in a script to add the
    > user. I have done this in the past. It adds Samba info. to LDAP and
    > creates the user account in the /etc/passwd file.
    >
    > Your smb.conf file should look something like
    >
    > add user script = /usr/sbin/useradd -m '%u'
    >
    > add machine script = /usr/sbin/useradd -M '%u'
    >
    > add group script = /usr/sbin/groupadd '%g'
    >
    > Typically I use the User Manager for Domains to add and delete users. Not
    > sure how things will work with other tools.
    >
    > I guess you can use the smbldap tools to populate the LDAP database with the
    > standard Windows users and groups but use the Linux commands in the add user
    > script.
    >
    > I haven't tried this since the early versions of Samba 3.x. Let me know how
    > it works out.


    Sounds rather much like what I'm looking for. I really don't use the add
    user/group script right now anyway, just add machine.

    What it seems like you're saying is that I can migrate all of the stuff
    from /etc/passwd to LDAP and then just never change nsswitch for UNIX
    and only make Samba use the ldap, and setting the parameters as above.

    - --
    ---- _ _ _ _ ___ _ _ _
    |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Systems Programmer II
    |$&| |__| | | |__/ | \| _| |novosirj@umdnj.edu - 973/972.0922 (2-0922)
    \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630

  7. [Samba] Re: Re: Simple LDAP backend question


    "Ryan Novosielski" wrote in message
    news:477DC0F5.2020103@umdnj.edu...
    > Jamrock wrote:
    > > "Ryan Novosielski" wrote in message
    > > news:477D2C28.7070705@umdnj.edu...
    > >> Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
    > >> or can one move only the smbpasswd file to LDAP without impacting the
    > >> standard UNIX passwd file at all?

    > >
    > > Interesting question. Just a little background info. so we are all on the
    > > same page.
    > >
    > > Each Samba user must have a Linux (POSIX) account in order to access the
    > > Linux machine. It must also have some Samba (Windows) information for it to
    > > work as a Windows domain controller.
    > >
    > > If you use the smbldap tools to manage the addition and deletion of users,
    > > they will add the POSIX and the Samba user info to the LDAP directory. This
    > > will happen because your add user script in the smb.conf file will point to
    > > the relevant smbldap add user script.
    > >
    > > You would typically configure the /etc/nsswitch.conf file to tell the Linux
    > > machine to look for user names and passwords in the LDAP directory. That
    > > way the user does not need to exist in the /etc/passwd file.
    > >
    > > So far so good.
    > >
    > > I understand from what you are saying that you want to
    > > separate the POSIX (Linux) information from the Samba information. You want
    > > to keep the POSIX information in the /etc/passwd file and the Samba
    > > information in the LDAP directory. Each user's authentication information
    > > will be stored in both locations.
    > >
    > > To do this you should not use the add user script from the smbldap tools.
    > > Instead use the standard Linux "add user" command in a script to add the
    > > user. I have done this in the past. It adds Samba info. to LDAP and
    > > creates the user account in the /etc/passwd file.
    > >
    > > Your smb.conf file should look something like
    > >
    > > add user script = /usr/sbin/useradd -m '%u'
    > >
    > > add machine script = /usr/sbin/useradd -M '%u'
    > >
    > > add group script = /usr/sbin/groupadd '%g'
    > >
    > > Typically I use the User Manager for Domains to add and delete users. Not
    > > sure how things will work with other tools.
    > >
    > > I guess you can use the smbldap tools to populate the LDAP database with the
    > > standard Windows users and groups but use the Linux commands in the add user
    > > script.
    > >
    > > I haven't tried this since the early versions of Samba 3.x. Let me know how
    > > it works out.

    >
    > Sounds rather much like what I'm looking for. I really don't use the add
    > user/group script right now anyway, just add machine.
    >
    > What it seems like you're saying is that I can migrate all of the stuff
    > from /etc/passwd to LDAP and then just never change nsswitch for UNIX
    > and only make Samba use the ldap, and setting the parameters as above.


    Yes. In the early days I didn't understand how to use the smbldap scripts.
    So I ended up with that mixed configuration.

    I would not recommend it for a typical install of Samba though. Keeping
    everything in LDAP makes it easy to back up user information. It also makes
    it easier to transfer user information to another server.

    However, it sounds as if it is a requirement in your environment.





  8. Re: [Samba] Re: Re: Simple LDAP backend question

    Jamrock wrote:
    > "Ryan Novosielski" wrote in message
    > news:477DC0F5.2020103@umdnj.edu...
    >> Jamrock wrote:
    >>> "Ryan Novosielski" wrote in message
    >>> news:477D2C28.7070705@umdnj.edu...
    >>>> Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
    >>>> or can one move only the smbpasswd file to LDAP without impacting the
    >>>> standard UNIX passwd file at all?
    >>> Interesting question. Just a little background info. so we are all on the
    >>> same page.
    >>>
    >>> Each Samba user must have a Linux (POSIX) account in order to access the
    >>> Linux machine. It must also have some Samba (Windows) information for it to
    >>> work as a Windows domain controller.
    >>>
    >>> If you use the smbldap tools to manage the addition and deletion of users,
    >>> they will add the POSIX and the Samba user info to the LDAP directory. This
    >>> will happen because your add user script in the smb.conf file will point to
    >>> the relevant smbldap add user script.
    >>>
    >>> You would typically configure the /etc/nsswitch.conf file to tell the Linux
    >>> machine to look for user names and passwords in the LDAP directory. That
    >>> way the user does not need to exist in the /etc/passwd file.
    >>>
    >>> So far so good.
    >>>
    >>> I understand from what you are saying that you want to
    >>> separate the POSIX (Linux) information from the Samba information. You want
    >>> to keep the POSIX information in the /etc/passwd file and the Samba
    >>> information in the LDAP directory. Each user's authentication information
    >>> will be stored in both locations.
    >>>
    >>> To do this you should not use the add user script from the smbldap tools.
    >>> Instead use the standard Linux "add user" command in a script to add the
    >>> user. I have done this in the past. It adds Samba info. to LDAP and
    >>> creates the user account in the /etc/passwd file.
    >>>
    >>> Your smb.conf file should look something like
    >>>
    >>> add user script = /usr/sbin/useradd -m '%u'
    >>>
    >>> add machine script = /usr/sbin/useradd -M '%u'
    >>>
    >>> add group script = /usr/sbin/groupadd '%g'
    >>>
    >>> Typically I use the User Manager for Domains to add and delete users. Not
    >>> sure how things will work with other tools.
    >>>
    >>> I guess you can use the smbldap tools to populate the LDAP database with the
    >>> standard Windows users and groups but use the Linux commands in the add user
    >>> script.
    >>>
    >>> I haven't tried this since the early versions of Samba 3.x. Let me know how
    >>> it works out.

    >> Sounds rather much like what I'm looking for. I really don't use the add
    >> user/group script right now anyway, just add machine.
    >>
    >> What it seems like you're saying is that I can migrate all of the stuff
    >> from /etc/passwd to LDAP and then just never change nsswitch for UNIX
    >> and only make Samba use the ldap, and setting the parameters as above.

    >
    > Yes. In the early days I didn't understand how to use the smbldap scripts.
    > So I ended up with that mixed configuration.
    >
    > I would not recommend it for a typical install of Samba though. Keeping
    > everything in LDAP makes it easy to back up user information. It also makes
    > it easier to transfer user information to another server.
    >
    > However, it sounds as if it is a requirement in your environment.


    It may or may not end up that way. At present, those files are widely
    used. However, the processes that use them may not be necessary at all.
    That would require some sort of review, etc., etc. The real need at this
    point is to solve a problem where the smbpasswd is too large and as a
    result is open nearly all the time. I should have switched to LDAP long ago.

    - --
    ---- _ _ _ _ ___ _ _ _
    |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Systems Programmer II
    |$&| |__| | | |__/ | \| _| |novosirj@umdnj.edu - 973/972.0922 (2-0922)
    \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630