Chris wrote: > OK - I've decided to look into using a debian box as a PDC using a > combination of samba and openldap (this is on sid). > <snip> Yeah, I did this as well, though I stick to testing. Works nicely. > 1) If users and groups are moved into ldap - what about aptitude > installation of packages that add either a user or a group - will these > auto-add into ldap or just into the /etc files? Nope, the packages only change the /etc files. It's up to you to keep the ldap in sync. In practice, these rarely change, but still, I'd prefer if they added users/groups/etc via changeable scripts that could modify ldap instead....but, well, that itch doesn't warrant a scratch yet, at least for me. In my personal case I emptied out the system files to only include root as a backup measure...but on the next upgrade they all got put back in :) D'oh. > 2) What about system users - I had thought only to insert real people - > but - I see that the migration tools convert the whole file, root > included. What is the recommended way here? I mean - I feel dodgy about > only having root in ldap - what if slapd breaks - this is running on > unstable after all. As I said above, I left root in the local passwd as a backup measure. If you have the ordering in nsswitch to consult ldap before files, you could even have different passwords for the local root backups for a little bit of extra peace of mind (and not needing to keep them in sync when you change your master root password regularly), but it probably doesn't warrant the hassle. Perhaps best not to have root in ldap at all...I only have it there so I can authenticate as root using samba and short-circuit the file permissions on occasion. > 3) Groups - should I stick all groups in ldap (same as q 2 really this). > > I know that getent passwd | grep chris now shows 2 entries - so it is > finding both ldap and /etc/passwd - so that's good :) Yup, getent will show both. Perhaps a way of configuring things not to do so, but it doesn't cause any problems that I'm aware of. Software just uses the first value found, and as the ordering is controllable via nsswitch, choose whatever you prefer. > Oh - one other question - I had made a start on the smb stuff. One site > I found suggested setting the passwd (smbpasswd -w) for the admin user. > Now sudo requires two passwords to log in - any pointers for a debian > specific howto for samba pdc would be nice :) I'm working thru the samba > docs - but it doesn't quite seem to fit. That's a pam config setup issue I think, you need to look at setting the plugins to try the previous password before prompting again. My common-auth pam file has: auth sufficient pam_ldap.so auth required pam_unix.so use_first_pass nullok_secure I got all those settings from the idealx docs, so you may just have to dig around a bit more for the others.
Attachment:
signature.asc
Description: OpenPGP digital signature