If I use ldap for my backend in samba, do I create users?

Just curious cause I used passwd for my old
samba server. Would create the user:
1. in Linux: useradd username
2. in samba: smbpasswd -a username
3. on the xp workstation
If I use ldap as backend,
do I have to create the user in linux,
or do all valid users in the active directory network
just get assigned permissions?
Or is there an ldap add user command?
And I still add the same user in linux?
I believe I need to install samba server, samba client, OpenLDAP and Winbind?
I think I installed winbind before but never used it.
I think I have to use a canonical name?

Well new to the ldap backend thing.
help appreciated.

On Wed January 14 2009 07:46 pm, bperrotta wrote:

>
> Just curious cause I used passwd for my old
> samba server. Would create the user:
> 1. in Linux: useradd username
> 2. in samba: smbpasswd -a username
> 3. on the xp workstation
> If I use ldap as backend,
> do I have to create the user in linux,
> or do all valid users in the active directory network
> just get assigned permissions?
> Or is there an ldap add user command?
> And I still add the same user in linux?
> I believe I need to install samba server, samba client, OpenLDAP and
> Winbind?
> I think I installed winbind before but never used it.
> I think I have to use a canonical name?
>
> Well new to the ldap backend thing.
> help appreciated.
>
>
bperrotta;
Unless you have a large domain (100+ users), LDAP is probably more work than
it’s worth. tdb would be a better option, but if you really want to use LDAP,
here is some information.

  1. With LDAP you do not need to add users to Linux, they can live in the LDAP.
  2. Using LDAP does not make a Samba an ADS, Samba4 which is experimental does
    implement most of ADs. (You can get Samba4 here: ftp://ftp.sernet.de/)
  3. This site: http://www.pcc-services.com/sles/samba2.html gives some help
    with setting up LDAP and Samba. It is written for SLES but should be valid
    for OpenSuse with a few minor changes.
  4. Look at the information in “Samba-3 by Example” and “The official Samba-3
    Howto and Reference Guide”. These are available at: http://www.samba.org
    or locally in: /usr/share/doc/packages/samba
  5. Make sure you have your Samba server working well with some other backend
    first before moving to LDAP. You do not want to be debugging both at the
    same time.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

On Wed January 14 2009 08:37 pm, PV wrote:

> On Wed January 14 2009 07:46 pm, bperrotta wrote:
>
<snip>
> bperrotta;
> Unless you have a large domain (100+ users), LDAP is probably more work than
> it’s worth. tdb would be a better option, but if you really want to use
> LDAP, here is some information.
> 1. With LDAP you do not need to add users to Linux, they can live in the
> LDAP.
> 2. Using LDAP does not make a Samba an ADS, Samba4 which is experimental
> does implement most of ADs. (You can get Samba4 here: ftp://ftp.sernet.de/)
> 3. This site: http://www.pcc-services.com/sles/samba2.html gives some help
> with setting up LDAP and Samba. It is written for SLES but should be valid
> for OpenSuse with a few minor changes.
> 4. Look at the information in “Samba-3 by Example” and “The official
> Samba-3
> Howto and Reference Guide”. These are available at: http://www.samba.org
> or locally in: /usr/share/doc/packages/samba
> 5. Make sure you have your Samba server working well with some other backend
> first before moving to LDAP. You do not want to be debugging both at the
> same time.
One additional thought (reminder). You do NOT need LDAP in order to have a
working PDC. Roaming profiles and other domain functions are available with
all the backends. LDAP is really only useful when there are many users or
when you need to replicate the backend between BDC and PDC.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Does tdb work the same as passwd, cause that’s the only one I’ve tried.

On Thu January 15 2009 01:06 pm, bperrotta wrote:

>
> Does tdb work the same as passwd, cause that’s the only one I’ve tried.
>
>
Yes.
You can move existing user to tdbsam as follows:
1.

su
pdbedit -i smbpasswd -e tdbsam

2. Replace the smbpasswd with tdbsam in the passdb backend configuration
   in smb.conf. i.e. in the [Global] section of /etc/samba/smb.conf add the
   parameter:

passdb backend = tdbsam

You can specify the name of the tdbsam file as
tdbsam:<path to tdbfile>, for example:
passdb backend = tdbsam:/etc/samba/myusers.tdb

You still need to add the users to Linux so that they have a UID. There is no
reason all users need to have a home directory and if you are concerned about
space in /home just create users without home directories. Just set the home
directory to something like /var/lib/nobody. See man useradd.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green
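The migration described in the reply above, as an added example that is not code from the thread: it imports the smbpasswd accounts into tdbsam, refuses to switch smb.conf if the account counts differ, then syntax-checks the result. It assumes Samba 3 tools (pdbedit, testparm) and that smb.conf is at $SMB_CONF (defaults to /etc/samba/smb.conf).

```shell
#!/bin/sh
# Added example, not code from the thread: migrate an smbpasswd backend to
# tdbsam and verify each step. Assumes Samba 3 tools (pdbedit, testparm).
set -eu
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# Set "passdb backend = VALUE" in smb.conf: replace every existing setting
# (a duplicate key leaves it unclear which one Samba will use) or insert it
# directly after the [global] header when none is present.
set_passdb_backend() {  # set_passdb_backend FILE VALUE
    conf="$1"; value="$2"; tmp="$conf.tmp.$$"
    if grep -qi '^[[:space:]]*passdb[[:space:]]*backend[[:space:]]*=' "$conf"; then
        awk -v be="$value" '
            tolower($0) ~ /^[ \t]*passdb[ \t]*backend[ \t]*=/ { print "passdb backend = " be; next }
            { print }' "$conf" > "$tmp"
    else
        awk -v be="$value" '
            { print }
            tolower($0) ~ /^[ \t]*\[global\][ \t]*$/ { print "passdb backend = " be }' "$conf" > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Print the passdb backend value currently in smb.conf (last one listed).
get_passdb_backend() {  # get_passdb_backend FILE
    awk -F= 'tolower($1) ~ /^[ \t]*passdb[ \t]*backend[ \t]*$/ {
        v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v }' "$1" | tail -n 1
}

# Copy accounts from smbpasswd into tdbsam (the smbpasswd file is left in
# place), refuse to switch the config if the counts differ, then syntax-check.
migrate_smbpasswd_to_tdbsam() {
    before=$(pdbedit -L -b smbpasswd | wc -l)
    pdbedit -i smbpasswd -e tdbsam
    after=$(pdbedit -L -b tdbsam | wc -l)
    if [ "$before" -ne "$after" ]; then
        echo "account count mismatch: smbpasswd=$before tdbsam=$after" >&2
        return 1
    fi
    set_passdb_backend "$SMB_CONF" tdbsam
    testparm -s "$SMB_CONF" > /dev/null   # fails on a malformed smb.conf
    # passdb.tdb holds the NT password hashes: keep it root-only (0600)
    # in Samba's private dir, exactly like the old smbpasswd file.
}

if [ "${1:-}" = migrate ]; then migrate_smbpasswd_to_tdbsam; fi
```

Run it as root with the argument `migrate` on the file server; without arguments it only defines the functions, so the config helpers can be tried on a copy of smb.conf first.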

Because we might eventually use this for customers.
I think I might try tdbsam first, see how that goes, then try OpenLDAP so I can see how it works also. Don’t care if ADS can replicate, but it may be advantageous for bigger clients if using LDAP provides SSO in ADS even though the SMB server would be a member server. So this link explains how to assign permissions on samba linux shares to AD users?

On Fri January 16 2009 08:06 am, bperrotta wrote:

>
> Because we might eventually use this for customers.
> I think I might try tdbsam first, see how that goes, then try OpenLDAP
> so I can see how it works also. Don’t care if ADS can replicate, but it
> may be advantageous for bigger clients if using LDAP provides SSO in
> ADS even though the SMB server would be a member server. So this link
> explains how to assign permissions on samba linux shares to AD users?
>
>
bperrotta;

Permissions for Samba depend a lot on what you are trying to accomplish. I’m
not aware of anything that speaks to that directly. The Samba3-HowTo and
Samba3 by Example are your best sources. They are available in printed form
and contain many examples of various uses. You might want to look at some of
the articles here:
http://en.opensuse.org/HOWTOs
under the Servers & Databases section. Some of these are fairly dated, but
for the most part still apply.

This statement:

“Because we might eventually use this for customers.”

makes me wonder if Samba is really the way you should be thinking. I don’t
know your needs, but wonder if ftp or Apache2 might be a better choice.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

My needs are making the Linux fileserver function like a Windows fileserver. I don’t think I want end users connecting via ftp. Not sure what you mean by Apache?

On Fri January 16 2009 01:06 pm, bperrotta wrote:

>
> My needs are making the Linux fileserver function like a Windows
> fileserver. I don’t think I want end users connecting via ftp. Not sure
> what you mean by Apache?
>
>
Apache2 is a web server.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

The goal here is to save money on licenses by using linux.
To add this fileserver to a network that already has AD DCS.
I am not trying to make a web server. And I might try all 3 backends to get better at using samba. What really are the advantages of tdbsam over passwd? I asked if the command you posted moves all the users. To the best of my knowledge samba 4 is experimental. When will it be complete? Might play around with ldap in case I have to scale to 100+ users ever. Trying to understand: if it can be a member server, can I set rights on samba shares for AD users?

On Sat January 17 2009 03:36 pm, bperrotta wrote:

>
> The goal here is to save money on licenses by using linux.
> To add this fileserver to a network that already has AD DCS.
> I am not trying to make a web server. And I might try all 3 backends to
> get better at using samba. What really are the advantages of tdbsam over
> passwd? I asked if the command you posted moves all the users. To the
> best of my knowledge samba 4 is experimental. When will it be complete?
> Might play around with ldap in case I have to scale to 100+ users ever.
> Trying to understand: if it can be a member server, can I set rights on
> samba shares for AD users?
>
>
bperrotta;

Let me begin by telling you that this is reaching the limits of my
knowledge/experience. I’ve set up a number of Samba domains but never tried
to integrate with ADs. (ADs integration is done all the time, just not by
me.) But what follows may be useful to you.

Section 7.3 of “Samba-3 By Example” and section 6.4 of the “Official Samba-3
Howto” cover ADS member servers. To the best of my knowledge, you only need
to be sure that Kerberos is configured. That way you will allow the Windows
server to carry out authentication. You specify your “realm” and password
server in the [global] section of smb.conf and set “security = ADS”. You can
then join the ADS domain with “net ads join” command. Check the references
above for the details.

I believe permissions are set in a similar way as they are on a Samba domain.
You probably need to read up on the various options. Also see:


man smb.conf
man net

for details on parameters and commands. Let me point out one of these “net
groupmap add”, which allows you to identify Windows groups with linux groups.
Even if you only set up a Samba domain, you should map the windows groups to
linux groups.

As for Samba-4, it is my understanding it will never be released per se: as
different pieces are perfected, they are added to Samba-3. At some point, if
things develop as planned, Samba 3.X will support being an ADs server.

Try this Samba.org site for more information:
http://wiki.samba.org/index.php/Main_Page

P. V.
“We’re all in this together, I’m pulling for you.” Red Green
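The member-server setup sketched above (realm and password server in [global], security = ads, then net ads join), as an added example that is not code from the thread. The realm EXAMPLE.LOCAL, the DC name dc1.example.local and the idmap range are constructed values; the parameters are Samba 3.x ones, and the join itself is only attempted after the config checks pass.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks and join for a
# Samba 3 file server becoming an AD member server. Realm, DC and ID range
# below are constructed placeholder values.
set -eu

# Minimal [global] settings for an AD member server (constructed values).
ads_global_fragment() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   password server = dc1.example.local
   # AD users still need Unix IDs; winbind allocates them from this range
   idmap uid = 10000-19999
   idmap gid = 10000-19999
   winbind use default domain = yes
EOF
}

# Print the value of a [global] parameter (key matched case-insensitively,
# last occurrence wins).
smb_param() {  # smb_param FILE KEY   (KEY in lower case)
    awk -F= -v key="$2" 'tolower($1) ~ ("^[ \t]*" key "[ \t]*$") {
        v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v }' "$1" | tail -n 1
}

# Verify the settings the join depends on; prints what is missing, returns 1.
check_ads_config() {  # check_ads_config FILE
    conf="$1"; rc=0
    [ "$(smb_param "$conf" security | tr 'A-Z' 'a-z')" = ads ] \
        || { echo "security must be ads" >&2; rc=1; }
    realm=$(smb_param "$conf" realm)
    [ -n "$realm" ] || { echo "realm not set" >&2; rc=1; }
    # Kerberos realm names are case-sensitive; use the upper-case form.
    [ "$realm" = "$(printf %s "$realm" | tr 'a-z' 'A-Z')" ] \
        || { echo "realm should be upper-case" >&2; rc=1; }
    [ -n "$(smb_param "$conf" 'password server')" ] \
        || { echo "password server not set" >&2; rc=1; }
    return $rc
}

# Join the domain and confirm the machine account works (run as root).
ads_join() {
    check_ads_config /etc/samba/smb.conf
    net ads join -U Administrator   # prompts for the domain admin password
    net ads testjoin                # verifies the machine account secret
    wbinfo -t                       # checks the trust via winbind
}

if [ "${1:-}" = join ]; then ads_join; fi
```

Write the fragment into smb.conf (merging it with your existing [global]), then run the script as root with the argument `join`.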