
Re: samba/ldap/nss



Jamie Thompson wrote:

> Nope, the packages only change the /etc files. It's up to you to keep
> the ldap in sync. In practice, these rarely change, but still, I'd
> prefer if they added users/groups/etc via changeable scripts that could
> modify ldap instead....but, well, that itch doesn't warrant a scratch
> yet, at least for me. In my personal case I emptied out the system files
> to only include root as a backup measure...but on the next upgrade they
> all got put back in :) D'oh.

Fair enough. I just wondered if the useradd etc. scripts paid attention
to the nsswitch config. I may not need to worry (see below about which
users to add).

> As I said above, I left root in the local passwd as a backup measure. If
> you have the ordering in nsswitch to consult ldap before files, you
> could even have different passwords for the local root backups for a
> little bit of extra peace of mind (and not needing to keep them in sync
> when you change your master root password regularly), but it probably
> doesn't warrant the hassle. Perhaps best not to have root in ldap at
> all...I only have it there so I can authenticate as root using samba and
> short-circuit the file permissions on occasion.

Well. This machine will end up being a PDC for 2 Windows XP boxes, and
should also be the main place for (real) user/pass config for 2 OpenBSD
boxes and a Mac OS X box (guessing these 3 via some kind of NIS config).

So - I get the feeling that system users (which may well be different
across OSes) should be left in the /etc config, and only real users
added to ldap.

I need to get deeper into the smb config part - where is it defined who
is a domain admin, who is an administrator and who is a guest user (for
the XP boxes) etc. It may be that I don't need the /etc/group stuff in
at all.

The migration scripts seemed able to put _loads_ of stuff in there,
hosts, protocols, services etc. I don't think I need any of that for my
purposes - so - I'm just going to leave that for the time being.

I was following

http://glasnost.beeznest.org/articles/180

but that was last updated in April last year and still says "to be
continued".

So - I reckon that I have the ldap server running - with the correct
user config - but - now I need to figure the groups, and samba stuff
(hosts, printers etc) :)

-- 
Chris
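The point Jamie raises above about nsswitch ordering (ldap consulted before files, so an LDAP root entry answers before the local /etc/passwd one) is easy to get wrong silently. The script below is an added example, not from either poster: it parses an nsswitch.conf (a constructed sample is embedded), reports the source order per database, and lists which local account names would be answered from LDAP instead of /etc. The sample file and the account-name lists are constructed for illustration.

```python
"""Added example: inspect nsswitch.conf source ordering for the passwd,
group and shadow databases and flag local accounts that an LDAP entry of
the same name would shadow. Not part of the original thread."""

from typing import Dict, List

# Constructed sample resembling the setup discussed: ldap before files.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         ldap files
group:          ldap files
shadow:         ldap files
hosts:          files [NOTFOUND=return] dns
protocols:      db files
services:       db files
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} in the order glibc consults them.
    Action specifiers such as [NOTFOUND=return] are not sources and are dropped."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        dbs[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def ldap_before_files(dbs: Dict[str, List[str]], database: str) -> bool:
    """True if 'ldap' is listed ahead of 'files' for this database, meaning an
    LDAP entry wins over the /etc entry for the same name (lookup stops at the
    first source that succeeds)."""
    srcs = dbs.get(database, [])
    return "ldap" in srcs and "files" in srcs and srcs.index("ldap") < srcs.index("files")


def shadowed_databases(dbs: Dict[str, List[str]]) -> List[str]:
    """Account databases where LDAP takes precedence over local files."""
    return [db for db in ("passwd", "group", "shadow") if ldap_before_files(dbs, db)]


def overridden_local_accounts(dbs: Dict[str, List[str]],
                              local_names: List[str],
                              ldap_names: List[str]) -> List[str]:
    """Names present in both /etc/passwd and LDAP that the LDAP side answers
    for, given the passwd ordering. Empty if files are consulted first."""
    if not ldap_before_files(dbs, "passwd"):
        return []
    return sorted(set(local_names) & set(ldap_names))


if __name__ == "__main__":
    cfg = parse_nsswitch(SAMPLE_NSSWITCH)
    for db, srcs in cfg.items():
        print(f"{db:10s} -> {' '.join(srcs)}")
    print("ldap shadows files for:", shadowed_databases(cfg))
    # Constructed account lists: root kept locally as a fallback AND in LDAP.
    local = ["root", "daemon", "bin", "chris"]
    ldap = ["root", "chris", "jamie"]
    print("local accounts answered from LDAP:", overridden_local_accounts(cfg, local, ldap))
```

On a real box, `getent passwd root` shows which entry the configured order actually returns; if the LDAP copy of root is meant only for Samba authentication, keeping its password different from the local fallback, as Jamie suggests, limits what a compromised LDAP directory can do to local root.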
