
Re: samba/ldap/nss



Chris wrote:
> OK - I've decided to look into using a debian box as a PDC using a
> combination of samba and openldap (this is on sid).
> 

<snip>
Yeah, I did this as well, though I stick to testing. Works nicely.

> 1) If users and groups are moved into ldap - what about aptitude
> installation of packages that add either a user or a group - will these
> auto-add into ldap or just into the /etc files?

Nope, the packages only change the /etc files. It's up to you to keep
the ldap in sync. In practice, these rarely change, but still, I'd
prefer if they added users/groups/etc via changeable scripts that could
modify ldap instead....but, well, that itch doesn't warrant a scratch
yet, at least for me. In my personal case I emptied out the system files
to only include root as a backup measure...but on the next upgrade they
all got put back in :) D'oh.

> 2) What about system users - I had thought only to insert real people -
> but - I see that the migration tools convert the whole file, root
> included. What is the recommended way here? I mean - I feel dodgy about
> only having root in ldap - what if slapd breaks - this is running on
> unstable after all.

As I said above, I left root in the local passwd as a backup measure. If
you have the ordering in nsswitch to consult ldap before files, you
could even have different passwords for the local root backups for a
little bit of extra peace of mind (and not needing to keep them in sync
when you change your master root password regularly), but it probably
doesn't warrant the hassle. Perhaps best not to have root in ldap at
all...I only have it there so I can authenticate as root using samba and
short-circuit the file permissions on occasion.

> 3) Groups - should I stick all groups in ldap (same as q 2 really this).
> 
> I know that getent passwd | grep chris now shows 2 entries - so it is
> finding both ldap and /etc/passwd - so that's good :)

Yup, getent will show both. Perhaps a way of configuring things not to
do so, but it doesn't cause any problems that I'm aware of. Software
just uses the first value found, and as the ordering is controllable via
nsswitch, choose whatever you prefer.

> Oh - one other question - I had made a start on the smb stuff. One site
> I found suggested setting the passwd (smbpasswd -w) for the admin user.
> Now sudo requires two passwords to log in - any pointers for a debian
> specific howto for samba pdc would be nice :) I'm working thru the samba
> docs - but it doesn't quite seem to fit.

That's a pam config setup issue, I think; you need to look at setting the
plugins to try the previous password before prompting again. My
common-auth pam file has:

# try LDAP first; if it accepts the password, authentication succeeds here
auth	sufficient	pam_ldap.so
# otherwise fall back to local passwd/shadow, reusing the password already typed
auth	required	pam_unix.so	use_first_pass nullok_secure

I got all those settings from the idealx docs, so you may just have to
dig around a bit more for the others.
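A check for the duplicate-entry situation discussed above (getent returning an account from both LDAP and /etc/passwd): this is an added example, not code from the thread, which parses `getent passwd` output and flags names whose UID, GID, home or shell differ between the copies, since programs only use the first entry NSS returns. The sample output is constructed; `live_records()` assumes `getent` is available.

```python
"""Check whether accounts resolve from more than one NSS source (files + LDAP)."""
import subprocess

FIELDS = ("uid", "gid", "home", "shell")

def parse_passwd(text):
    """Parse passwd(5)-format lines (as printed by `getent passwd`) into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:          # skip blank or malformed lines
            continue
        name, _pw, uid, gid, _gecos, home, shell = parts
        records.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return records

def report(records):
    """For each name listed more than once, compare the entry NSS returns first
    (the one programs actually use) with every later one; returns a list of
    (name, first_uid, other_uid, [fields that differ]) tuples."""
    by_name = {}
    for rec in records:
        by_name.setdefault(rec["name"], []).append(rec)
    findings = []
    for name, entries in by_name.items():
        first = entries[0]
        for other in entries[1:]:
            diff = [f for f in FIELDS if first[f] != other[f]]
            findings.append((name, first["uid"], other["uid"], diff))
    return findings

def live_records():
    """Read the merged view from the running system (honours nsswitch.conf order)."""
    out = subprocess.run(["getent", "passwd"], capture_output=True, text=True, check=True)
    return parse_passwd(out.stdout)

# Constructed sample: nsswitch.conf lists ldap before files, so the LDAP copies
# of chris and root come first, followed by the /etc/passwd copies.
SAMPLE = """\
chris:x:1000:1000:Chris (LDAP):/home/chris:/bin/bash
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
chris:x:1001:1001:Chris (local):/home/chris:/bin/bash
"""

if __name__ == "__main__":
    for name, first_uid, other_uid, diff in report(parse_passwd(SAMPLE)):
        state = "attributes differ: " + ", ".join(diff) if diff else "identical"
        print(f"{name}: first uid {first_uid}, shadowed uid {other_uid} ({state})")
```

A UID or GID mismatch between the two copies is the case worth fixing, because which files a login owns then depends on the nsswitch ordering.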
