Differences between version 9 and previous revision of Samba3LDAP.
Newer page: | version 9 | Last edited on Sunday, October 31, 2004 5:18:09 pm | by DanielLawson |
Older page: | version 8 | Last edited on Sunday, October 31, 2004 5:04:25 pm | by DanielLawson |
@@ -2,8 +2,16 @@
Samba 3 allows samba accounts to not have corresponding unix accounts. This is the first time a Samba has allowed this. However, I've not set it up so I won't go into that.
So this will - discuss setting up Samba 3 + LDAP in an environment where you already have LDAP handling your unix accounts. See [LDAPNotes] for information on that.
+
+! LDAP Schema
+
+Get the samba.schema file from your samba distribution, and put this in /etc/ldap/schema, or wherever your distribution puts the LDAP schema files. Edit /etc/ldap/slapd.conf and add in a schema line pointing at this file.
+
+Note: The debian package seems to have a samba.schema file which is old and out of date, and a samba.schema.gz file which is actually the correct one. ungzip this and put it in /etc/ldap/schema.
+
+You'll also want to check that you have the newest schema every time you upgrade samba. The schema can change quite a bit, and some features won't work if you don't have the right schema installed.
! smb.conf modifications
There are a few ldap-specific smb.conf options you can set. I'd recommend reading the smb.conf manpage for the details on the options. As a quick start, here are the options I have set:
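Review bot: the added "! LDAP Schema" section tells the reader to "add in a schema line" to /etc/ldap/slapd.conf without showing that line. Spell out the directive, for example `include /etc/ldap/schema/samba.schema`, and say that slapd has to be restarted before the new schema is loaded. In the Debian note, "ungzip" should read "gunzip" and "debian" should be capitalised. Because the stale samba.schema and the unpacked samba.schema.gz end up with the same file name, state explicitly that the old file is to be overwritten. The closing paragraph about re-checking the schema on every upgrade would be more useful if it said how to compare the installed file with the one shipped in the package.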
@@ -31,8 +39,18 @@
! LDAP Password Sync
The default setting for this is 'no', which means 'Update the NT and LM passwords in LDAP, and update the last set time'. This *will* cause a lot of grief if you are trying to use another mechanism to set the password, such as a custom script. It can also be set to 'only' which means it will only update the LDAP password (which is the userPassword field, ie the password that unix services will use via pam_ldap). Setting it to 'yes' means it will attempt to update all three passwords and update the last set time. This is almost definitely what you want.
+
+!IdealX Samba Administration Scripts
+
+The smbldap-tools available at http://samba.idealx.org/ are, in my opinion, essential for running an LDAP-aware Samba server.
+
+The smbldap-populate script will add in the "basic" builtin users and groups you need for decent windows interop.
+
+The other scripts can be specified in smb.conf for things like adding users, adding machines (essential for joining a Windows client to a Samba domain run from LDAP), and so on.
+
+There is a migrate script as well, which will take an existing smbpasswd file and move the accounts into LDAP for you.
! Notes
[Debian] users: Samba.org has [Woody] packages for Samba 3; you can get it out of testing/unstable otherwise.
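Review bot: the added heading "!IdealX Samba Administration Scripts" has no space after the "!", unlike "! LDAP Password Sync" and "! Notes" in the same hunk; make it consistent. The paragraph saying the other scripts "can be specified in smb.conf" should name the options it means (smb.conf has `add user script` and `add machine script`, among others) so the reader knows where to wire them in. The migrate paragraph moves smbpasswd entries, which carry the LM and NT password hashes, into the directory, so add a sentence telling the reader to restrict read access to those attributes in the slapd access rules before running the migration.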